{"id":3905,"date":"2021-08-20T08:00:00","date_gmt":"2021-08-20T12:00:00","guid":{"rendered":"http:\/\/www.jumpcloud.com\/blog\/?p=3905"},"modified":"2024-11-14T17:33:34","modified_gmt":"2024-11-14T22:33:34","slug":"what-is-single-sign-on-sso","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/what-is-single-sign-on-sso","title":{"rendered":"What is Single Sign-On (SSO)?"},"content":{"rendered":"\n

Single sign-on (SSO) solutions have been gaining traction in the market since the early 2000s when web-based applications started to populate the workspace and users needed an efficient, secure way to authenticate to them. <\/p>\n\n\n\n

Fast forward past the COVID-19 pandemic, to the subsequent rise in the necessity (and eventual popularity) of remote and hybrid work environments, which created an even faster adoption of web-based applications and pushed the adoption of SSO even further, as some of the main benefits that SSO provides are improved security, compliance, and productivity for in-office and remote users alike. <\/p>\n\n\n\n

To understand the full story of how SSO solutions benefit organizations of all types and sizes and why it\u2019s necessary to implement SSO<\/a> within your tech ecosystem, it\u2019s essential to first understand what single sign-on is and how it has evolved over time.<\/p>\n\n\n\n

What is SSO?<\/h2>\n\n\n\n

Single sign-on is the idea that a user only has to log in once to access all of their IT resources; they don\u2019t have to type their username and password in over and over, or use multiple, distinct username and password pairs, to get access to everything they need to be successful at work. <\/p>\n\n\n\n

Traditional SSO solutions as we generally know them today were meant to bridge the gap between users and web applications back when Microsoft Active Directory (or a similar corollary like OpenLDAP, Red Hat\u2019s Directory 389 or others) was the most common central identity provider (IdP) out there, and physical domain controllers were found in every office to support it. <\/p>\n\n\n\n

However, these LDAP-based directories provided the first real method to deliver a \u201csingle sign of experience.\u201d In the case of Active Directory (AD), by far the most popular, a user could log in to their Windows device while it was connected to the network, and those credentials would be authenticated via the domain controller. A successful login would result in the user being able to move between Windows resources within the domain without having to log in multiple times as determined by the permissions granted to that user. This eliminated the need for users to remember a variety of passwords in order to access multiple on-prem, Windows-based resources.<\/p>\n\n\n\n

However, given that AD was hosted on-prem, within the confines of an organization\u2019s network, it could not facilitate authorization to resources that lived outside of the domain. As such, the growing number of web-based applications that grew in popularity throughout the 2000\u2019s posed challenges to IT admins trying to control and deliver access to them in a similar, secure fashion. So the definition of SSO changed over time as AD and on-prem infrastructure failed to support access to web applications and other non-Windows-based resources that many users needed quick and secure access to. <\/p>\n\n\n\n

Now, as the cloud grows even more pervasive, powerful and secure, SSO is often implemented as part of a larger identity access management (IAM) solution, such as a directory service, rather than as a separate add-on, which gives IT admins more control and visibility into what users have access to. SSO solutions that fit into this mold provide users with access to virtually all of their IT resources (networks, devices, apps, file servers, and more) through a single login.<\/p>\n\n\n\n

How Single Sign-On Evolved: The Full Story<\/h2>\n\n\n\n

SSOs Past<\/strong><\/h3>\n\n\n\n
\n

Users have one set of credentials that they can use to login to their Microsoft device and Windows-based resources.<\/p>\nOld definition of SSO<\/cite><\/blockquote>\n\n\n\n

While it wasn\u2019t called SSO in the early days, Microsoft created AD which allowed users to simply log in to their Windows devices and subsequently be able to access anything on their network that was Windows-based. However, as web applications emerged in the early 2000s, another generation of SSO solutions emerged to help users authenticate to non-Windows-based resources \u2014 these solutions are often referred to as IDaaS or Identity-as-a-Service. <\/p>\n\n\n\n

This happened because AD and on-prem domain controllers working behind the scenes weren\u2019t built to handle web applications and anything unrelated to Windows \u2014 so organizations utilizing AD had to adopt an external single sign-on provider to close this gap. However, this approach had a few shortcomings. One flaw was that it was still an on-prem solution. In order to work effectively, this version of SSO still required an identity provider like AD. A second flaw to this single sign-on approach was that it only simplified access to web-based apps. Users still needed a separate identity to access their system, networks, and data.<\/p>\n\n\n\n

Plus, homogenous Microsoft IT environments became less common, and AD was no longer the single source of truth when it came to employee accounts. With Apple\u2019s resurgence, AWS\u2019s outsourced data center infrastructure, and the utter dominance of Google apps, an IT organization\u2019s simplistic Microsoft network is becoming a relic of the past. <\/p>\n\n\n\n

The need for single sign-on deepened as users started accumulating different credentials to sign into resources such as their Mac device, Linux servers hosted at AWS, WiFi networks, cloud applications, and legacy on-prem applications. Manual user management for web-based applications was an option at this point, but users got bogged down with hundreds of credentials. Meanwhile, IT admins had to find ways to face this control and security nightmare.<\/p>\n\n\n\n

The old definition of SSO could not handle what was happening in the tech world, and amidst all of these changes, traditional SSO was rendered meaningless \u2014 something needed to change drastically. The bottom line: SSO shouldn\u2019t mean a complicated set of group management tools that provide \u201cunified\u201d access to siloed groups of IT resources. Unless you have a single set of credentials used to log in once in order to access your systems, files, networks, and apps, then it\u2019s not truly SSO.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The Future<\/strong> of Single Sign On<\/h3>\n\n\n\n
\n

Users have one set of credentials that they use to log in to a combined directory and SSO interface which then utilizes different built-in protocols to automatically log them into virtually all of their IT resources including Mac, Linux, and Windows devices.<\/p>\nNew definition of SSO<\/cite><\/blockquote>\n\n\n\n

As modern technology continues to shift and new ideas and processes surface, it\u2019s important that we understand the full breadth of these changes. This means redefining SSO<\/a> in a way that suits modern IT environments and admins alike. Now that there are all-encompassing cloud directory solutions out there, rather than just traditional on-prem directory services like AD, and users need to securely connect to more resources than just web applications, SSO has morphed over time to keep up with this changing landscape. <\/p>\n\n\n\n

The only on-prem equipment left in many offices today are WiFi access points (WAP) and end-user devices. For the most part, servers and applications have shifted to the cloud, and corporate data centers are no longer the norm as Infrastructure-as-a-Service providers such as AWS and Google Compute Engine are the dominant solutions. Web applications are the new norm with just about every function within an organization being supported through cloud-based SaaS platforms.<\/p>\n\n\n\n

\n
\n \"探花大神\"\n <\/div>\n
\n

\n <\/p>\n

\n Securely connect to any resource using Google Workspace and 探花大神. <\/p>\n <\/div>\n

\n Learn More<\/a>\n <\/div>\n<\/div>\n\n\n\n\n

In short, modern SSO has been redefined in a way that supports connections to a myriad of legacy and cloud apps (a few common examples include OpenVPN, MySQL, GitHub<\/a>, Slack<\/a>, and Salesforce<\/a>), a variety of device types (Mac, Windows, and Linux), WiFi and VPN networks, physical and virtual file servers (Samba, NAS, Google Drive, and Box), and any other relevant resources \u2014 all from anywhere in the world.\u00a0<\/p>\n\n\n\n

Traditional SSO is not enough anymore, and many organizations have moved on from the idea of an on-prem directory service combined with web SSO to a modern cloud-based directory service that does all of this and more. In a complete access management system such as this, the cloud directory service provides a central user database that\u2019s focused on providing secure access to a wide variety of IT resources by supporting all of the major authentication protocols including LDAP, SAML, SSH, RADIUS, and REST. <\/p>\n\n\n\n

As a result, a user identity can be converted into the proper format for a particular resource, no matter what operating system is being used. We refer to this modern solution as True SSO<\/a> that goes back to the roots of single sign-on \u2013 allowing users to provide one set of credentials to securely log in to whatever IT resources they need (not just web applications!).<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

How Does SSO Work?<\/h2>\n\n\n\n

An SSO solution must be integrated into your existing directory service infrastructure \u2014 usually using the LDAP protocol. Then, it typically uses a standard protocol like SAML to exchange authentication and authorization information between the IdP and web-based applications (or service provider (SP) in SAML parlance). <\/p>\n\n\n\n

Other protocols like OIDC are also becoming more widely used as well. In short, the process results in SSO authentication<\/a> of a user to all of their IT resources through a single login. <\/p>\n\n\n\n

SAML and Single Sign-On<\/h3>\n\n\n\n

The Security Assertion Markup Language (SAML)<\/a> protocol is the go-to approach for many web application SSO providers<\/a>, especially for those focused on web applications. SAML utilizes Extensible Markup Language (XML) certificates to assert user authentications between an IdP and an SP or web application. A benefit of this is that end-users do not need to remember different passwords for each web application they use.<\/p>\n\n\n\n

This means that users only need a single set of credentials to access their applications \u2013 the same core credentials used by their IdP. With a single sign-on system in place, users can create a single, strong password to secure their IdP credentials and access a multitude of IT resources. This solution results in a better experience for IT admins because there\u2019s a reduction in password-related help desk tickets and there\u2019s less worry around the thought of one of a user\u2019s many passwords being compromised. <\/p>\n\n\n\n

Most modern SSO providers<\/a> have a web portal that users log into where they can then quickly access connected applications from one centralized interface, all due to the use of SAML. This leads to an improved end-user experience all while making IT administrators\u2019 lives easier.<\/p>\n\n\n\n

On top of that, for web applications that leverage SAML as the authentication protocol, there is a good chance that their security has been stepped up. In general, SAML integration works on assertion rather than a username and password concept. That assertion is being made by the IdP to the SP (in this case the web application). The IdP ensures that the user is who they say they are, and the SP relies on that. The stronger that an IdP can make the authentication process, the better it is. For example, adding multi-factor authentication adds a layer of security to the authentication process and protects resources from bad actors.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Though SAML itself is not a single sign-on solution, it does play an important role within a larger SSO solution. Modern SSO solutions use an array of other protocols and authentication methods to extend one set of user credentials to virtually all resources \u2014 one of which is LDAP.<\/p>\n\n\n\n

SSO and LDAP<\/h3>\n\n\n\n

The Lightweight Directory Access Protocol (LDAP) is one of the oldest user authentication protocols in use today for computer systems. It was created in 1993 by Tim Howes and his colleagues at the University of Michigan and was designed to connect users to systems throughout the university back in the early days of the internet. LDAP ended up working so well that it inspired two directory services: AD and OpenLDAP. The main use of LDAP today is to authenticate the users stored in an IdP to on-prem applications. <\/p>\n\n\n\n

Now, cloud-hosted LDAP is popular because it provides organizations with all of the capabilities and benefits of the LDAP protocol with none of the traditional setup, maintenance, or failover requirements. Its flexible schema makes LDAP perfect for storing a wide variety of user attributes and permissions, which is basically the core of IAM. Now, modern SSO solutions utilize a variety of authentication protocols, and Cloud LDAP is still one of the most widely used.<\/p>\n\n\n\n

\n

You look at the world moving more and more to the cloud, but there’s still a world left behind in your local environment – you’ve got devices, you’ve got printers, you’ve got everything. People also need to be authenticated in these different contexts.<\/p>\n<\/blockquote>\n\n\n\n

Click here to read more about the differences between SSO and LDAP<\/a>.<\/p>\n\n\n\n

SSO as Part of a Bigger Solution<\/h2>\n\n\n\n

If you are solely using web-based applications in your environment, you might be able to get by with just using a standalone web app SSO solution. However, the majority of organizations out there also need access to infrastructure (whether cloud-hosted or on-prem), file storage, and internal, protected networks to accomplish their daily work. <\/p>\n\n\n\n

Since a single sign-on platform focuses centrally on web-based applications, you need a directory service if you hope to centralize user access to the rest of your IT network. Rather than utilizing an on-prem directory service and adding an SSO solution on top of it, it\u2019s far more cost-effective and easier to manage an IAM solution that includes SSO capabilities all within one platform.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Why Use SSO?<\/h2>\n\n\n\n

So, now the main question is, \u2018why should my organization use SSO?\u2019. The main benefit organizations experience is providing end-users with one set of credentials to access all of their IT resources. We mentioned earlier that SSO dramatically improves productivity, security, compliance, and user experience \u2014 but how?<\/p>\n\n\n\n

With modern SSO, end-users don\u2019t have to waste half an hour each month<\/a> just getting access to their online tools, and IT admins only have to spend minutes each week on managing user access to IT resources instead of hours. <\/p>\n\n\n\n

When it comes to security and compliance, in a full IAM solution that includes SSO, IT admins can centrally enforce password requirements, multi-factor authentication and conditional access across all of the IT resources used in their organization, and they can know for certain that only the right people have access to critical company resources. The ability to easily manage least privilege access across an organization is a huge win in the security and compliance realms.<\/p>\n\n\n\n

Implementing an SSO solution comes with a wide variety of benefits, especially as part of a bigger cloud-based directory service, which is why so many organizations are adopting it. <\/p>\n\n\n\n

The Pros and Cons of SSO<\/h3>\n\n\n\n

Depending on your organization\u2019s needs and the type of SSO solution you choose (directory integrated or add-on), you will realize some advantages and disadvantages to single sign-on<\/a>. Though the benefits vastly outweigh any potential drawbacks, it\u2019s important to keep all of the information in mind when making a decision.<\/p>\n\n\n\n

Pros of SSO:<\/h4>\n\n\n\n