What is single sign-on (SSO)?

News


Single sign-on (SSO) is an authentication scheme that lets a website delegate user verification to another, trusted site. This frees businesses from storing passwords in their own databases, cuts down on login troubleshooting, and limits the damage a breach can cause.

An SSO system acts as an identity provider, somewhat like an ID card. For example, if you get pulled over for speeding, the police officer doesn't have to know you personally; they can just look at your license and see that your state vouches for your identity.

How does single sign-on work?

Single sign-on establishes trust through a certificate exchanged between the service provider and the identity provider. The information the identity provider sends to the service provider is signed with the key behind that certificate, so the service provider can confirm that the details came from a trusted source.

In SSO, the identity information is forwarded as authentication tokens that carry details about the user, such as their email address and username.

The login flow usually looks like this:

  1. A user browses to the application or website they want access to, aka, the Service Provider.
  2. The Service Provider sends a token that contains some information about the user, like their email address, to the SSO system, aka, the Identity Provider, as part of a request to authenticate the user.
  3. The Identity Provider first checks to see whether the user has already been authenticated, in which case it will grant the user access to the Service Provider application and skip to step 5.
  4. If the user hasn’t logged in, they will be prompted to do so by providing the credentials required by the Identity Provider. This could simply be a username and password or it might include some other form of authentication like a One-Time Password (OTP).
  5. Once the Identity Provider validates the credentials provided, it will send a token back to the Service Provider confirming a successful authentication.
  6. This token is passed through the user’s browser to the Service Provider.
  7. The token that is received by the Service Provider is validated according to the trust relationship that was set up between the Service Provider and the Identity Provider during the initial configuration.
  8. The user is granted access to the Service Provider.
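The eight-step flow above, and the signed-token validation described under "How does single sign-on work?", as an added example that is not part of the original article or of any real SSO product. It is a toy identity provider and service provider written in Python. Assumptions: the trust relationship is modelled with a shared HMAC key (`key`) standing in for the identity provider's certificate, the issuer and service provider URLs are made-up `example.test` names, and the user store and email attribute are constructed sample data.

```python
"""Added example: a toy single sign-on exchange between an identity provider
(IdP) and a service provider (SP). Not the page's own code. It stands in for
SAML/OIDC software and models the trust relationship with a shared HMAC key
instead of the X.509 certificate the article describes (assumption)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    """URL-safe base64 without padding, as used in web tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Stores credentials, keeps login sessions and issues signed tokens."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.signing_key = signing_key
        self._users = {}     # username -> (salt, pbkdf2 hash); constructed store
        self._sessions = {}  # session id -> username

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str):
        """Step 4: check the credentials and open an IdP session."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = username
        return session_id

    def authenticate(self, session_id, sp_id: str, nonce: str, now=None):
        """Steps 3 and 5: with a valid session, issue a token bound to this SP."""
        username = self._sessions.get(session_id)
        if username is None:
            return None  # no session yet: the SP must send the user to login()
        now = time.time() if now is None else now
        claims = {
            "iss": self.issuer,                   # who vouches for the user
            "sub": username,
            "aud": sp_id,                         # which SP may accept the token
            "email": f"{username}@example.test",  # constructed sample attribute
            "nonce": nonce,                       # ties token to one login request
            "iat": int(now),
            "exp": int(now) + 300,                # short lifetime limits replay
        }
        payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
        signature = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{b64url(signature)}"


class ServiceProvider:
    """Starts login requests and validates the tokens that come back."""

    def __init__(self, sp_id: str, trusted_issuer: str, idp_key: bytes):
        self.sp_id = sp_id
        self.trusted_issuer = trusted_issuer
        self.idp_key = idp_key
        self._pending = set()  # nonces of logins we started but have not finished

    def start_login(self) -> str:
        """Step 2: mint a nonce the IdP must echo back inside the token."""
        nonce = secrets.token_urlsafe(16)
        self._pending.add(nonce)
        return nonce

    def validate(self, token: str, now=None):
        """Step 7: check signature, issuer, audience, expiry and nonce, in that order."""
        parts = token.split(".")
        if len(parts) != 2:
            return None, "malformed"
        payload, signature = parts
        expected = hmac.new(self.idp_key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None, "bad signature"   # tampered, or not signed with our IdP's key
        claims = json.loads(b64url_decode(payload))
        now = time.time() if now is None else now
        if claims.get("iss") != self.trusted_issuer:
            return None, "untrusted issuer"
        if claims.get("aud") != self.sp_id:
            return None, "wrong audience"  # issued for some other SP
        if claims.get("exp", 0) < now:
            return None, "expired"
        nonce = claims.get("nonce")
        if nonce not in self._pending:
            return None, "unknown or replayed nonce"
        self._pending.discard(nonce)       # each token is accepted exactly once
        return claims, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"  # stands in for the IdP's certificate
    idp = IdentityProvider("https://idp.example.test", key)
    idp.register("alice", "correct horse battery staple")
    sp = ServiceProvider("https://app.example.test", idp.issuer, key)
    nonce = sp.start_login()
    session = idp.login("alice", "correct horse battery staple")
    token = idp.authenticate(session, sp.sp_id, nonce)
    print(sp.validate(token)[1])  # ok
    print(sp.validate(token)[1])  # unknown or replayed nonce
```

The order of checks in `validate()` is the part worth copying: the signature is verified before the claims are trusted at all, then issuer and audience confirm that this token was minted by the expected identity provider for this particular service provider, and expiry plus the single-use nonce stop an intercepted token from being presented again. In real SAML and OIDC deployments the signature is an RSA or ECDSA signature checked against the identity provider's certificate rather than an HMAC, but the set of checks is the same.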

 

Different types of SSO

Several terms come up when people talk about Single Sign-On (SSO):

  • Federated Identity Management (FIM)
  • OAuth (specifically OAuth 2.0 nowadays)
  • OpenID Connect (OIDC)
  • Security Assertion Markup Language (SAML)
  • Same Sign On (SSO)

There are also some specific systems that commonly come up when we are discussing Single Sign-on:

Active Directory, Active Directory Federation Services (ADFS) and Lightweight Directory Access Protocol (LDAP).

Active Directory, which nowadays is specifically referred to as Active Directory Domain Services (AD DS), is Microsoft's centralized directory service. Users and resources are added to the directory for central management, and AD DS works with authentication protocols such as NTLM and Kerberos.

Thus, users who belong to an AD DS domain can authenticate from their machines and get access to other systems that integrate with AD DS. This is a form of Single Sign-on.

Active Directory Federation Services (ADFS) is a type of Federated Identity Management system that also provides Single Sign-on capabilities. It supports both SAML and OIDC. ADFS is primarily used to set up trust between AD DS and other systems such as Azure AD or other AD DS forests.

The benefits for your business

That’s great news for your users, but what’s in it for you, the website owner?

  • More user sign-ups. SSO lowers the barrier to entry, so new customers can sign up easily and securely by relying on a brand they already know. If Facebook is managing the login, users don't have to hand their credentials to your unfamiliar system and brand. Trust is increased, which increases conversions.
  • Less work on the back end. You won't have to futz around with passwords. While reducing your hack risk is important, even more important is not having to reset people's passwords every five minutes. All the authentication and password heavy lifting is managed by the trusted authenticator.
  • Data collection. You can also tap into whatever profile information Google, Facebook, or another identity provider makes available. It's all the benefits of data collection without all the hassle associated with it.
  • Reduced risk. Finally, you’re removing that tempting pie from the windowsill. Hackers have less incentive to hit your site if you don’t host a ton of login details. You’re also less likely to have a bunch of users with horribly weak passwords poking holes in your site’s overall security.

In short, adopting an SSO solution can make life easier for you and for your clients.

