What is Single Sign-On?
As I was preparing for Gartner’s Identity and Access Management conference next week in Las Vegas, I was thinking about some of the typical topics that attendees usually ask us about. There are always the people that want more information about the sexy, cutting edge topics like the Internet of Things, Privileged Identity Management and Adaptive Access Control. I love talking about these subjects as they are new and involve interesting problems. Solving interesting problems is fun and the reason many of us got into the information security field.
Another topic that frequently comes up isn’t quite as sexy or fun but really is a foundation function for a mature IAM system: What is Single Sign-On (SSO)? It seems like SSO is viewed by many as a commoditized feature these days but a surprising number of organizations are still in the early stages of investigating SSO and what it might mean for them.
When explaining SSO to someone, I used to lead off by trying to break the news that they are really never going to have 100% single sign-on but as more and more legacy desktop fat client applications become web-enabled it is much more likely that they might be able to approach a true single sign-on. These days I just get into a quick overview of what SSO means across a variety of different use cases.
- Web-Based Single Sign-On – The most commonly recognized type of SSO is the sharing of credentials and user sessions across a common set of internally managed web applications. These can be things like Oracle e-Business Suite applications, portals and most other non-Software-as-a-Service (SaaS) web applications. A user will be authenticated when the system validates username and password (plus additional factors in some cases). They are given a session token in the form of a browser cookie that is validated and updated as they travel from application to application. Usually the same Access Management system provides some level of authorization into these applications but we’re not going to get into all that entails.
- Federation – Federation is a standards based method of authenticating users into applications hosted by a third party, also called Cloud-based or Saas. Think of SalesForce.com or any of a variety of Oracle’s Cloud applications. There are two sides to a federated agreement: Service Provider controls the actual application, and Identity Provider controls the user IDs and passwords. The session token is typically a SAML assertion that is consumed by both parties and includes all of the relevant user information. These SAML assertions can typically be consumed by the Access Management system that provided SSO for the internal applications, allowing users to seamlessly move from application to application regardless of where that application is hosted. (As an aside, when you hear Identity as a Service (IaaS) tossed around, typically is refers to a federation model when you still control your account information but the IaaS is used to broker application access via federation.)
- Windows Native Authentication – This is the bridge to true SSO by allowing the Access Management system to integrate with a Windows domain to provide a seamless experience. A user will authenticate into their domain as they perform their initial login. Once they are validated, they will received a Kerberos ticket from the domain controller that contains user and session information much like the browser token or SAML assertion. When they launch an application that is protected by the Access Management system, the Kerberos ticket will be consumed, validated and then used as the basis to issue its own session token.
- Enterprise SSO – eSSO, or desktop SSO, is based on agents being installed on each work station to handle the login in process for fat client and legacy applications. We don’t see this nearly as much since more and more applications are moving to the web.
An example to tie it all together – I sit down at my workstation and log in for the morning. A Kerberos ticket is issued. I decide that I need to check the status of a customer lead in Salesforce.com so I launch a browser and go to the site. When I land on the app, it will query its Identity Provider (our Access Management system) who I am. The Access Management system sees that I have a valid Kerberos ticket so it will create a SAML assertion and send me back to Salesforce. This all happens behind the scenes and is usually pretty quick. Once I am done on SalesForce, I need to go to Oracle e-Business to check on the status of an order. I browse to the app. The Access Management system sees that there is an active SSO session (via the SaleForce visit) and creates a new browser cookie to manage the session. I’d be able to go between any integrated app, onsite or in the cloud, and have SSO for the duration of that session.
Obviously, this is a super-simplified version of how SSO works but I find that it gives people who don’t have a working knowledge of IAM concepts a good understanding of the functionality that is typically grouped under the SSO umbrella.
As a note, PathMaker Group typically implements SSO early in the release roadmap as it can be a quick win that shows value and progress to stakeholders. We can get through a typical SSO project from requirements through production deployment in 3-4 months depending on scope and complexity. Reach out to us to see how we can help you get your SSO project underway.