Single Sign-On – SSO
Log on once and use everything
With Single Sign-On (SSO), employees log on only once (primary authentication); the SSO then performs the login to the integrated applications for them according to stored rules. This spares users not only the typing but also the tedious hunt for forgotten passwords. Security can be increased at the same time, because the password rules can be tightened and the primary login can be combined with a smartcard, a biometric method or similar.
With the complete logout, “Single Log-Out” (SLO), the user logs out of all services and applications in use at once, so that no session is left open for someone else to use when the user logs out, for example before leaving the workstation. With additions such as password synchronization, Web-SSO or Enterprise-SSO, the simplified and secure login procedure can be extended to all applications.
“Simplified Sign-On”, by contrast, is a less convenient and not particularly secure procedure. It simplifies the login to several systems by synchronizing the login name and password across them, so the user enters the same credentials everywhere. A password captured on any one of those systems is therefore valid on all of them.
Benefits of SSO
- Access to all connected services and applications without logging in again.
- Time saved by omitting repeated logins (and the password search that often goes with them).
- Fewer helpdesk calls due to forgotten passwords, because the user has to remember fewer passwords. And fewer calls mean less effort.
- Increased security, because written-down passwords become unnecessary and stricter password guidelines become enforceable.
- Better user comfort and therefore higher satisfaction.
Obstacles of SSO
- Not all single sign-on systems support the same range of applications and systems. It must be carefully examined whether all applications (e.g. Unix applications under X Window, web applications, applications with Kerberos support, mobile apps, etc.) are fully supported by all SSO functions. This includes not only the login process but also the automatic password reset and the automatic cyclic change of passwords in the background.
- Often SSO is implemented only for a selection of applications, because the technical diversity of the various systems (AD, Linux, mainframe hosts, SAP, mobile devices, web applications, hosted systems) and their sheer number are difficult to master.
- Few deployments design the Single Sign-On as two-factor authentication with a smartcard, biometrics or other methods. This is advisable, however, because with SSO the primary password becomes extremely powerful (potentially complete access to everything connected!), and its being spied out would have fatal consequences.
- Many overlook the fact that most SSO products have no management component (“Who may use Single Sign-On?”, “Which applications may a user use?”, etc.); an IDM provisioning system fills this gap.
- Important aspects of password storage are often overlooked: Is the password store encrypted? Where is it kept? Is it also available offline? How is it synchronized? Are directories supported as repositories?
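The following Python example, added here and not taken from any SSO product, shows how the last three points fit together in an Enterprise-SSO credential store: the primary password (plus whatever second factor protects it) unlocks a vault that holds a different random password for every connected application, the vault is sealed so it can be parked in a directory attribute or an offline cache without exposing anything, a wrong primary password and a tampered blob are rejected before any decryption happens, and the cyclic background password change is a simple rotation of one entry. Only the standard library is assumed, so HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for AES-GCM; the scrypt parameters and the application names (sap, webmail, unix) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import string

# scrypt cost for the primary password (assumed values; tune for your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!$%&/()=?+-_"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _derive_keys(primary_password: str, salt: bytes) -> tuple:
    """Stretch the primary password into separate encryption and MAC keys."""
    km = hashlib.scrypt(primary_password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for AES-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(primary_password: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC the serialized vault with a fresh salt and nonce."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(primary_password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"kdf": "scrypt", "salt": _b64(salt), "nonce": _b64(nonce),
            "ct": _b64(ct), "tag": _b64(tag)}


def open_vault(primary_password: str, blob: dict) -> bytes:
    """Check the tag before decrypting; a wrong password and a tampered blob fail alike."""
    salt, nonce, ct, tag = (base64.b64decode(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(primary_password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault rejected: wrong primary password or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def generate_password(length: int = 24) -> str:
    """Random per-application password that nobody has to remember or write down."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


class CredentialVault:
    """Per-application credentials used by the SSO agent; the user never sees them."""

    def __init__(self, creds: dict):
        self.creds = creds  # app name -> {"user": ..., "password": ...}

    @classmethod
    def provision(cls, apps: dict) -> "CredentialVault":
        """Every connected application gets its own random password (no synchronization)."""
        return cls({app: {"user": user, "password": generate_password()}
                    for app, user in apps.items()})

    @classmethod
    def unlock(cls, primary_password: str, blob: dict) -> "CredentialVault":
        return cls(json.loads(open_vault(primary_password, blob)))

    def lock(self, primary_password: str) -> dict:
        """Sealed form that can sit in a directory attribute or an offline cache."""
        return seal_vault(primary_password, json.dumps(self.creds).encode())

    def rotate(self, app: str) -> str:
        """Cyclic background change: pick a new secret, then the agent updates the target."""
        self.creds[app]["password"] = generate_password()
        return self.creds[app]["password"]


def demo(primary_password: str = "correct horse battery staple") -> dict:
    """Provision, seal, reopen, rotate and probe a wrong password (hypothetical app names)."""
    vault = CredentialVault.provision({"sap": "jdoe", "webmail": "john.doe", "unix": "jdoe"})
    blob = vault.lock(primary_password)
    reopened = CredentialVault.unlock(primary_password, blob)
    roundtrip = reopened.creds == vault.creds
    old_sap = reopened.creds["sap"]["password"]
    rotated = reopened.rotate("sap") != old_sap
    try:
        CredentialVault.unlock(primary_password + "x", blob)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    distinct = len({c["password"] for c in vault.creds.values()}) == len(vault.creds)
    return {"roundtrip": roundtrip, "distinct_passwords": distinct,
            "rotated": rotated, "wrong_password_rejected": wrong_rejected}
```

Two design choices carry the security argument: the vault key is derived only from the primary authentication, so whoever operates the directory or cache that holds the sealed blob cannot read the application passwords, and every application has its own random password, so a password captured on one target system is worthless on the others. This is exactly what the synchronized-password variant gives up.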