A Primer on Single Sign-on

by Jeff, on 28/05/2020 9:59:27 AM

Traditional authentication schemes require users to create, and remember, separate login details for each service or system they use. With the average organisation using over 1000 distinct cloud services, burdening users with countless different passwords raises security risk through password re-use, or through increasingly simple passwords as users become fatigued by their overwhelming number of credentials. Further, these credentials are most often stored in an abstracted, remote datastore that is unique to each application or service; there must be an implicit trust that the service is correctly and securely storing these passwords, and that any compromise is disclosed quickly enough to act.

Single sign-on, as the name suggests, instead allows users to authenticate with external services using a single, common set of credentials such as a domain account. Account credentials can be stored internally in a trusted and known environment that the organisation controls, and users need only remember a single set of credentials.

When to Use SSO

The increasing use of SSO has coincided with the rise in cloud services and applications, and a highly mobile workforce. Organisations increasingly face challenges in efficiently creating, managing and auditing user accounts, applying permissions and offboarding staff who leave the business. From a security perspective, the sheer number of user credentials and the potential for poor password hygiene or re-use represent a significant risk to an organisation, and a valuable target for cybercriminals. Each new login is an opportunity for adversaries to compromise a user’s details, particularly when coupled with BYOD or devices not controlled by the organisation, which hampers an organisation’s ability to audit and protect its assets.

Single sign-on can bring efficiency gains to organisations, simplifying the user management process and the rollout of new SaaS products. Support teams also spend less time managing account creation and password reset tickets, giving them time to focus on more valuable efforts.

The Benefits of Using SSO

Increased security through reducing password re-use and fatigue

Users need only remember a single set of credentials, reducing the need to re-use the same password, or to use simple passwords, across several systems. Users are hence incentivised to use a much more complex password, and organisations can enforce this with less friction.

Ability to enforce multi-factor authentication (MFA) for all users

Sporadic implementation and activation of MFA across several services presents a security risk for account compromise. SSO gives organisations the ability to enable MFA at the single authentication service level, enforcing its use across the business.

Rapid provisioning of SaaS applications and onboarding/offboarding staff

Account instantiation, new user authorisations and the rollout of cloud-first applications are simpler for both IT teams and staff. SSO enables highly scalable user management.

Maintain granular access controls and policies

A highly mobile workforce means staff are no longer just in the office; SSO gives organisations the flexibility to grant staff access to applications when working on-site, while limiting that access when working remotely, improving overall security posture and mitigating the potential for compromise.

Maintain audit trail of application usage

Utilising SSO gives organisations visibility into staff login/logout and application usage, and enables analysis and security auditing of ongoing activity through logging.

Implementation Considerations and Pitfalls

Implementing single sign-on at an organisation is often more complex, and can take longer to set up, than expected. Before starting, it is key to plan the approach in detail; initial planning should include:

  • Identify current authentication schemes in use within the organisation across all departments, and the overall effort and cost to migrate towards an SSO configuration, including the rollout of MFA;
  • Take stock of application support for SSO and configuration requirements. A required application may not have SSO support, particularly in the case of legacy applications;
  • Identify the identity source to be used for storing user credentials (e.g. AD) and whether this will be run on-premises, in the cloud, or as a hybrid deployment;
  • Determine which users will need access to which systems, and define appropriate access policies;
  • Plan and prioritise the SSO rollout into phases, focusing first on core applications that will provide the most security benefit. Some applications may need to be offline during the SSO configuration, so a plan must be in place to deal with any necessary downtime.

It is also important to recognise that SSO has challenges associated with it, and it cannot be considered a silver bullet for enterprise user management. In traditional authentication schemes, users may have different passwords for each service, reducing the attack scope in case of compromise. With SSO, however, a compromise of a user’s single account credentials gives cybercriminals access to every system the user is authorised to use. This is mitigated by enforcing complex passwords and requiring the use of multi-factor authentication for all users.

Single sign-on configurations also represent a single point of failure. Several situations may lead to a loss of connectivity to the SSO authentication server, and such interruptions can cause critical business failures in which users are unable to access any external service configured with SSO.

The implementations of the authentication protocols utilised by SSO, namely SAML or OAuth, are themselves not immune to security vulnerabilities. Previously discovered vulnerabilities have allowed adversaries to manipulate protocol requests without breaking the cryptographic signature, so that the request remains valid and the adversary can log in as if they were their target. The extent to which these vulnerabilities can be exploited, however, depends on the quality of implementation. Trusted SSO providers invest significant resources into developing secure and scalable platforms, and a key part of rolling out SSO is choosing a high-quality and trusted provider.
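As an added illustration (not code from the original post), one well-known form of this class of flaw in SAML is signature wrapping, where a validly signed assertion stays in the message while the consumer reads a different, unsigned one. The Python check below refuses any response in which the signed element is not provably the one being consumed; the function name, exception and sample messages are hypothetical and constructed, and verifying the signature value itself is assumed to be done separately by a vetted XML-DSig library.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]

class BindingError(Exception):
    """The signed element is not provably the element being consumed."""

def subject_of_signed_assertion(response_xml):
    """Return NameID only from the single assertion its own signature references."""
    root = ET.fromstring(response_xml)
    # Count assertions at ANY depth: an extra copy elsewhere in the tree is the red flag.
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        raise BindingError("expected exactly 1 Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    if assertion not in list(root):
        raise BindingError("Assertion is not a direct child of Response")
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    aid = assertion.get("ID")
    if ref is None or not aid or ref.get("URI") != "#" + aid:
        raise BindingError("signature does not reference this Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise BindingError("no NameID in the signed assertion")
    return name_id.text.strip()

# Constructed sample messages: structure only, no real signature values.
def _assertion(aid, user, signed=True):
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
           '</ds:SignedInfo></ds:Signature>' % aid) if signed else ""
    return ('<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s'
            '</saml:NameID></saml:Subject></saml:Assertion>' % (aid, sig, user))

def _response(body):
    ns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    return "<samlp:Response %s>%s</samlp:Response>" % (ns, body)

GOOD = _response(_assertion("a1", "alice@example.org"))
# Same signed assertion still present, plus a second, unsigned assertion.
TAMPERED = _response(_assertion("a2", "admin@example.org", signed=False)
                     + "<samlp:Extensions>" + _assertion("a1", "alice@example.org")
                     + "</samlp:Extensions>")
```

The check is deliberately strict: any response with more than one assertion, or with a signature that points elsewhere, is rejected rather than interpreted.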

Topics: Fundamentals, Authentication
