Single Sign-On (SSO) creates a single point of authentication that can be instrumental in reducing the complexity of securing and maintain access credentials for multiple platforms. One of the key benefits of this approach is that SSO can be used across numerous applications, platforms or technologies.
Single Sign-On users typically sign in once to an account that can access domain-connected devices or operated platforms and applications.
Once signed in, enterprise users can access all approved technologies without having to continually re-enter their password credentials.
Operating in this manner helps to centralise user account management in a world of increased use of cloud applications and bring-your-own-device (BYOD), making it easier for system administrators to add or remove access to particular applications as employee clearances evolve.
Okta, Ping Identity and Microsoft are among the sector’s leaders.
As Microsoft notes in one blog: “Without Single Sign-On, users must remember application-specific passwords and sign in to each application.
“IT staff needs to create and update user accounts for each application such as Office 365, Box, and Salesforce. Users need to remember their passwords, plus spend the time to sign in to each application.”
While an SSO approach can be seen by those unfamiliar with the approach as a weakening of security due to the fact that employees now only have one access credential, it can actually have the opposite affect: employees that have to remember an array of passwords or constantly have to change them will tend to favour simplified easy to recall credentials.
If they only have to create and remember one access code then they are more likely to select a complicated and harder to break password. This also increases productivity as employees no longer have to take time to login into different platforms or request IT support because they have forgotten password number three. SSO can also make it easier for IT teams to monitor what applications users are engaging with as they move through the companies’ infrastructure with one login.
Single Sign-On Tokens
Obviously having just one login credential for a host of applications creates the viable risk that a threat actor can simply get the SSO details and gain access to all of the companies systems. Bad actors have targeted SSO in the past to move vertically through a system to access user accounts.
In some cases the SSO mechanism creates a unique SSO token to authenticate a user’s password or access credentials when they want to sign into a platform such as Facebook or an enterprise’s staff facing systems. This token is part of a trust handshake that is created when a user, for example, uses their Facebook account to login into other web applications.
Recently the popular online game Fortnite was targeted by hackers who abused the game publisher Epic’s SSO mechanism via a malicious JavaScript payload; hackers where able to force a request to a SSO provider that could then be used to access accounts of Fortnite players.
Cybersecurity firm Checkpoint detail how a hacker can send: “A request to the SSO providers contains a “state” parameter which is used later on by the “accounts.epicgames.com” in order to complete the authentication process. The JavaScript payload contains a crafted “state” parameter. The “state” parameter value contained a Base64 encoded JSON and the JSON contained three keys, “redirectUrl”, “client_id” and “prodectName”. The “redirectedUrl” parameter is used for redirection as the SSO login completes.”
Yet a well managed SSO approach can create a centralised security environment where IT has complete oversight of who is accessing what, when and in many case from where. Increasingly, organisations without regulatory requirements for on-premises IAM software are deciding to outsource their SSO capabilities. Gartner predicts that, by 2022, IDaaS (Identity-as-a-Service) will be the chosen delivery model for more than 80 percent of new access management purchases globally, up from 50 percent in 2018.