SSO: A Scope of Solutions
By David Olukoju
November 19, 2021
Single Sign-On (SSO) is an authentication service that permits a user to use one set of login credentials instead of using multiple certificates. Multiple credentials, such as passwords, can be cumbersome to login to various accounts. Other features of logins such as anonymous logins or alternative logins act as safeguards for when these passwords become forgotten, but SSO resolves the conflicting nature of multiple login implementations while being bot-resistant. Within single sign-on, there are many different solutions that rely on varying methods to provide modern standards of privacy.
Common Configurations for SSO
This device allows users to input information such as a username and password from a physical card, which gives the user access to a host of applications. Smart cards can include printed information such as the username mentioned above/password, but they can also use certificates and chips and the required software.
After inputting the user’s credentials, applications generate ticket-granting tickets (TGTs). The TGT provides tickets to applications that request them so the users are granted access without having to re-enter their credentials.
Either a user password/PIN can be sent to the provided phone number via SMS, or the phone itself can act as a unique identifier, which would allow the user to log on to multiple accounts automatically.
Okta relies on a network of pre-built integrations to provide SSO to cloud applications. These integrations consist of passing authorization credentials, password vaulting, client-server protocols that depend on the user to provide the correct information, and more. The stored identities can be connected to/synced to Okta’s SSO, which, along with Okta’s security policies, block malicious login attempts on networks.
OneLogin uses a security policy requiring users to provide their username, password, and an additional form of authentication. Once the user provides the correct information, they gain access to all the applications designated by an administrator. The administrators have the authority to establish access to certain applications for users depending on variables such as their department or their location.
Auth0 authenticates users through usernames and passwords, and the software deals with issues such as duplicate accounts through account linking. It uses a database and set of services to connect users with network resources upon entering the correct usernames/passwords; a protocol called Active Directory Federation Services (ADFS) does this. A key facet of this process is communication between applications, servers, and databases to ensure a seamless user experience.
Keycloak uses the Kerberos mentioned above configuration for its SSO solution. Communication between user databases, such as the Keycloak authenticator and a workstation, forwards the tickets from the TGT. An Administrator console is also a crucial part of Keycloak’s solution since the granting of access to users can be adjusted depending on a set of criteria the administrator would prefer (i.e., access to a specific app depends on an employee’s role or an employee’s current project).
After authentication through JumpCloud’s User Portal, apps within JumpCloud’s SSO relay this information to any applications that require it, giving the user access to whichever apps are designated for said user. JumpCloud operates under the premise of each user having a single identity to access their resources. The software also uses multi-factor authentication (MFA) as a means of providing built-in security.
humanID‘s SSO works when the user enters their phone number. This information, paired with a valid sim card is used to authenticate the user. Upon authentication, this information is deleted, and each user is assigned a unique online identity known as a hashed identifier. In terms of what a user would see, they would input their phone number, and receive a code through SMS; upon entry, the user is granted access to a service.
Single sign-on is a developing means of improving the user experience by simplifying how users access multiple accounts. The furthering of methods such as mobile device authentication will continue this trend of growth and advancement within SSOs, and by extension, the internet. SSOs must also tackle security challenges due to how they internally store the user’s credentials for the initial authentication, so at least 2-3 pieces of information (username, password, fingerprint, etc.) is recommended. There are many options regarding SSO methods, so you should research copiously and make a well-informed decision depending on your needs and your convenience.