single sign-on for controlled user experiences
Single Sign-On (SSO) is a form of authentication that enables users to access multiple applications using a single login. This makes SSO a vital product feature for any Customer Identity and Access Management (CIAM) solution.
What is Single Sign-On?
SSO lets you protect your resources with a set of strong access controls. It makes it easier to monitor who enters your systems—or tries to enter them illegally. It also lets you apply authentication and authorisation policies centrally. Because it enables you to decouple application data from user data, SSO allows you to apply a fundamental form of risk sharing.
Although it is highly beneficial in many use cases, logging in automatically with the same access controls isn’t always the best approach. For example, some use cases require enforcing more stringent authentication policies than others. This can be due to different user preferences, application requirements or identity provider access policies.
But one thing is certain: users, applications and identity management providers all have the ability to make Single Sign-On more secure.
The user is always in control
User behaviour directly impacts the security of any system. Specifically for Single Sign-On, a user can prevent automatic login from happening simply by not accepting cookies, or by clearing them after closing their web browsers. Users can also simply log out after finishing their tasks. On a private and properly secured computer, this usually isn’t necessary. But it becomes a highly relevant security concern when the user wants to log in using a shared or public computer. Some login environments allow users to protect their accounts with more secure forms of authentication. Examples include biometric (such as fingerprint or face recognition) and Multi-Factor Authentication (MFA).
In short, SSO offers some major benefits: It makes logging in much more convenient for everyone, and it gives privacy-conscious users the power to stay in control of their authentication journey.
Application-level authentication management
Of course, it’s always up to the individual applications to decide whether a user is granted or denied access. In its simplest form, this means granting access to authenticated users and denying access to anonymous users.
Depending on the application, special authentication requirements may apply. Some applications require Multi-Factor Authentication (MFA) for certain functions. With step-up authentication features, organisations can decide to apply MFA only once, while starting with basic authentication. In other cases, an application might enforce re-authentication. For example, if the last login was more than a certain amount of time ago.
Without SSO, each individual application needs to manage authentication and keep track of logged in users. Cookies can be used for this purpose. In many cases, applications continue to operate in the same way, even after SSO is implemented. This is both unnecessary and unfortunate. Unnecessary, because the user can easily log in to the application again, due to the centrally managed session. Unfortunate, because this way of operating fails to take full advantage of the SSO capabilities provided by a CIAM solution.
The identity provider as single source of truth
The identity provider has the central role in the authentication process. That makes them the most knowledgeable and reliable actor in the infrastructure ecosystem. The identity provider knows which users are allowed access to which applications. This opens up a lot of powerful capabilities.
In its most basic form, the identity provider can control the process of automatically logging in users first by simply asking the user, ‘Do you want to stay signed in?’.
After login, a session with a specific lifetime is set. With an active session, login happens automatically. When the session expires, the user must sign in again. A logout ends the session immediately and, depending on the setup, logs the user out of all connected applications.
Context-aware authentication takes full advantage of the power of the identity provider. This form of authentication establishes its level of confidence in the user’s identity based on a wide range of contextual factors (such as the device used to log in, the geographical location or the time of the day).
In conclusion, Single Sign-On is all about preventing unneeded user interaction while keeping security to the highest level necessary. There doesn’t have to be a trade-off between security and usability: If done properly, SSO improves both.
Discover your opportunities
Want to take advantage of the opportunities offered by Single Sign-On? We’re always happy to discuss your options and explore how you can benefit. Get in touch today to find out more.