1password Single Sign On



What is a password vault?

A single sign-on solution can simplify username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can simply remember a single more complex password. SSO often enables users to just get access to their applications much faster. What is single sign-on (SSO)? Single sign-on basics. Single sign-on provides a giant leap forward in how users sign in and use applications. Single sign-on with web applications. Web applications are incredibly popular. Web apps are hosted by various companies. Cloud versus on-premises.

A password vault, also called a password manager, is a program that stores usernames and passwords for multiple applications in a secure location and in an encrypted format. Users can access the password vault via a single username and password. The password vault then provides them the password for the website they are trying to access.

Consumers often use the password manager built into Chrome or Safari, for example. In those cases, Google or Apple stores your password information. Businesses may buy a password management tool. (Note that some password managers will also generate more secure, random passwords, called one-time passwords [OTPs], for the user for each site.)

What is single sign-on?

Single

Single sign-on (SSO) is a secure solution that provides employees access to company apps and websites by asking them to sign in just once a day, using one username and password. When you sign in to a website through Facebook or Google, you’re using a type of SSO. In a business setting, employees usually have access to their company’s apps through SSO as an identity and access management (IAM) solution that uses the company’s directory, such as Microsoft Active Directory, Azure Active Directory, or a directory provided by the SSO solution.

Which is better, SSO or password vaults?

In general, SSO is considered more secure and easier to use than password vaults. As part of an IAM solution, SSO eliminates the need for employees to maintain multiple passwords, easing the burden on users. It also reduces the frequency of logins and the number of credentials stored, reducing the attack surface for cybercriminals.

When businesses begin to implement stricter password requirements, they often start with password managers. For example, an organization might require that passwords are changed frequently, use random characters, or be longer. Since these more complex passwords are harder to remember, the organization may buy a password manager that employees can use to store them in an encrypted, relatively secure environment.

But most organizations quickly outgrow password managers. For one thing, password managers introduce a new problem: employees must add password management to their list of tasks. Password vaults also don’t solve the problem of app proliferation, and they still require users to waste time logging into each app. Since 68% of users report having to switch between 10 different apps every hour, that’s a lot of wasted time.

Single sign-on systems let users log in just once, with one set of credentials, to access all apps. SSO systems often use the business’s identity provider, such as Active Directory, for added security. And they use standard, widely accepted protocols, such as SAML or OAuth, and technologies like digital certificates to provide enterprise-level security.

SSO is more secure because passwords aren’t being passed around. Instead, after users log in, the SSO system passes tokens to the app or website requesting authentication. Many SSO solutions also work across both on-prem and cloud apps and websites, providing seamless and secure access across corporate systems.

What is single sign-on?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

How does SSO work?

1password Single Sign On

SSO works based upon a trust relationship set up between an application, known as the service provider, and an identity provider, like OneLogin. This trust relationship is often based upon a certificate that is exchanged between the identity provider and the service provider. This certificate can be used to sign identity information that is being sent from the identity provider to the service provider so that the service provider knows it is coming from a trusted source. In SSO, this identity data takes the form of tokens which contain identifying bits of information about the user like a user’s email address or a username.

The login flow usually looks like this:

  1. A user browses to the application or website they want access to, aka, the Service Provider.
  2. The Service Provider sends a token that contains some information about the user, like their email address, to the SSO system, aka, the Identity Provider, as part of a request to authenticate the user.
  3. The Identity Provider first checks to see whether the user has already been authenticated, in which case it will grant the user access to the Service Provider application and skip to step 5.
  4. If the user hasn’t logged in, they will be prompted to do so by providing the credentials required by the Identity Provider. This could simply be a username and password or it might include some other form of authentication like a One-Time Password (OTP).
  5. Once the Identity Provider validates the credentials provided, it will send a token back to the Service Provider confirming a successful authentication.
  6. This token is passed through the user’s browser to the Service Provider.
  7. The token that is received by the Service Provider is validated according to the trust relationship that was set up between the Service Provider and the Identity Provider during the initial configuration.
  8. The user is granted access to the Service Provider.


When the user tries to access a different website, the new website would have to have a similar trust relationship configured with the SSO solution and the authentication flow would follow the same steps.

What is an SSO token?

1password

An SSO token is a collection of data or information that is passed from one system to another during the SSO process. The data can simply be a user’s email address and information about which system is sending the token. Tokens must be digitally signed for the token receiver to verify that the token is coming from a trusted source. The certificate that is used for this digital signature is exchanged during the initial configuration process.

Is SSO secure?

The answer to this question is “It depends.”

1password Single Sign On Account

There are many reasons why SSO can improve security. A single sign-on solution can simplify username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can simply remember a single more complex password. SSO often enables users to just get access to their applications much faster.

SSO can also cut down on the amount of time the help desk has to spend on assisting users with lost passwords. Administrators can centrally control requirements like password complexity and multi-factor authentication (MFA). Administrators can also more quickly relinquish login privileges across the board when a user leaves the organization.

Single Sign-On does have some drawbacks. For example, you might have applications that you want to have locked down a bit more. For this reason, it would be important to choose an SSO solution that gives you the ability to, say, require an additional authentication factor before a user logs into a particular application or that prevents users from accessing certain applications unless they are connected to a secure network.

How is SSO implemented?

The specifics on how an SSO solution is implemented will differ depending on what exact SSO solution you are working with. But no matter what the specific steps are, you need to make sure you have set clear objectives and goals for your implementation. Make sure you answer the following questions:

  • What different types of users are you serving and what are their different requirements?
  • Are you looking for an On Prem solution or a Cloud Based solution?
  • Will this solution be able to grow with your company and your needs?
  • What features are you looking for to ensure only trusted users are logging in? MFA, Adaptive Authentication, Device Trust, IP Address Whitelisting, etc.?
  • What systems do you need to integrate with?
  • Do you need API access?

What makes a true SSO system?

It’s important to understand the difference between single sign-on and password vaulting or password managers, which are sometimes referred to as SSO which can mean Same Sign-on not Single Sign-on. With password vaulting, you may have the same username and password, but they need to be entered each time you move to a different application or website. The password vaulting system is simply storing your credentials for all the different applications and inserting them when necessary. There is no trust relationship set up between the applications and the password vaulting system.

With SSO, meaning Single Sign-On, after you’re logged in via the SSO solution, you can access all company-approved applications and websites without having to log in again. That includes cloud applications as well as on-prem applications, often available through an SSO portal (also called a login portal).

My 1password

What is an SSO software vs an SSO solution

When researching SSO options that are available, you might see them sometimes referred to as SSO software vs an SSO solution vs an SSO provider. In many cases, the difference might simply be in the way the companies have categorized themselves. A piece of software suggests something that is installed on-premise. It is usually designed to do a specific set of tasks and nothing else. A solution suggests that there is the ability to expand or customize the capabilities of the core product. A provider would be a way to refer to the company that is producing or hosting the solution. For example, OneLogin is known as an SSO solution provider.

Are there different types of SSO?

There are a lot of terms that are used when we talk about Single Sign-On (SSO).

  • Federated Identity Management (FIM)
  • OAuth (specifically OAuth 2.0 nowadays)
  • OpenID Connect (OIDC)
  • Security Access Markup Language (SAML)
  • Same Sign On (SSO)

SSO is actually a part of a larger concept called Federated Identity Management, thus sometimes SSO is referred to as federated SSO. FIM just refers to a trust relationship that is created between two or more domains or identity management systems. Single Sign-on is often a feature that is available within a FIM architecture.

OAuth 2.0 is a specific framework that could also be considered part of a FIM architecture. OAuth focuses on that trusted relationship allowing user identity information to be shared across the domains.

OpenID Connect (OIDC) is an authentication layer that was built on top of OAuth 2.0 to provide Single Sign-on functionality.

Security Access Markup Language (SAML) is an open standard that is also designed to provide Single Sign-on functionality.

Same Sign On which is also often referred to as SSO is actually not the same as Single Sign-on because it doesn’t involve any trust relationship between the entities that are doing the authentication. It is more dependent on credentials being duplicated between systems and simply passing in those credentials when necessary. It is not as secure as any of the Single Sign-on solutions.

There are also some specific systems that commonly come up when we are discussing Single Sign-on: Active Directory, Active Directory Federation Services (ADFS) and Lightweight Directory Access Protocol (LDAP).

Active Directory, which nowadays is specifically referred to as Active Directory Directory Services (ADDS), is Microsoft’s centralized directory service. Users and resources are added to the directory service for central management and ADDS works with authentication protocols like NTLM and Kerberos. Thus, users that belong to ADDS can authenticate from their machines and get access to others systems that integrate with ADDS. This is a form of Single Sign-on.

Active Directory Federation Services (ADFS) is a type of Federated Identity Management system that also provides Single Sign-on capabilities. It supports both SAML and OIDC. ADFS is primarily used to set up trust between ADDS and other systems such as Azure AD or other ADDS forests.

Lightweight Directory Access Protocol (LDAP) is simply an industry standard that defines a way to organize and query directory information. LDAP allows you to centrally manage resources like users and systems. LDAP, however, does not define how you log into those systems, meaning it does not define the actual protocols that are used in authentication. It is, however, often used as part of the authentication process and access control processes. For example, before a user can access a particular resource, LDAP might be used to query for that user and any groups that they belong to in order to see if the user has access to that resource. LDAP solutions like OpenLDAP do provide authentication through their support of authentication protocols like Simple Authentication and Security Layer (SASL)

What is SSO software as a service?

Just as many other applications have moved to run within the Internet, so has SSO functionality. Platforms like OneLogin that run in the cloud can then be categorized as a Software as a Service (SaaS) SSO solution.

What is App-to-App SSO?

1password Reviews

Lastly, you might have heard of App-to-App or Application-to-Application SSO. This is not quite an industry standard yet. It is more of a term that has been used by SAPCloud to describe the process of passing a user identity from one application to another within their ecosystem. It is somewhat similar to OAuth 2.0 but again it is not a standard protocol or method and is currently specific to SAPCloud.





Comments are closed.