Single Sign On in Access Control

What is Single Sign On?

Single sign on is a system property or an authentication service that lets you use the same username and password across several applications. Once you enter your login credentials with the central service provider, you are authenticated and get access to all applications running in the same session. As long as you remain signed in to the central software, you will not be prompted to enter your credentials into the connected applications again.

An average user logs into 10 apps a day and almost 30 apps a month on a mobile phone alone. Add to that countless web-based services, and the number gets even higher, not to mention the services you need if you work with computer networks as a system admin or developer, or if you manage multiple client accounts. SSO simplifies this work because it saves the time needed to re-enter credentials while you navigate between applications. An ideal SSO would let users sit down at any machine and access every application they use that is linked to the system, from anywhere in the world.

One very popular single sign on is a Google account. When you are logged into a Google account, you get automatic access to other Google products connected to that account. The central account service will give you access to YouTube, Analytics, Drive, Maps and the rest of the products that are Google-serviced. Even if you only signed up for Gmail, the account will store the cookies and use them for further validation with the rest of the services. Google SSO is a safe way to grant access to all platforms, as the authentication process is valid for an Android phone and for web tools.

The technology behind SSO can vary. A single sign on can be executed via several protocols. The most common protocols are:

  • LDAP (Lightweight Directory Access Protocol), used to locate files and devices on the Internet.
  • Kerberos, based on a ticket-granting ticket (TGT) service.
  • SAML (Security Assertion Markup Language), an XML standard for secure exchange of user authentication and authorization data across domains.

It is important to distinguish between single sign on and single credentials, or Direct Server Authentication (DSO). SSO provides access to a number of applications by seamlessly passing the authentication token. In DSO, the system asks for authentication for each application but uses the same credentials from a directory server.

How does it work?

Single sign on is part of a federated identity system: it is the element associated with authentication. SSO establishes that the user claiming access is who he says he is, and then shares that information with each connected application that needs the user data for authentication purposes.

SSO functions like a key to a cookie bank for the authenticated domains. It circumvents the “same origin policy” for sharing cookie information, enabling sharing session information across domains. In this way, all users of the same SSO-authenticated software get automatic access to the domains.

Here is what the typical step-by-step SSO process looks like on a centralized authentication server, which can be either a corporate or a third-party solution.

  1. User logs into the application that uses SSO for the first time and requests access
  2. Authentication server looks for an existing session
  3. Since it won't find one (user didn't log into the server before) the server returns a request for user credentials
  4. User enters and sends credentials (it can be multifunction authentication or just a single password)
  5. Central server makes a record of that session
  6. Server sends the access token back to the user

The next time the user logs into SSO supported applications, the centralized authentication server will find the previous session and immediately share the access token without searching for credentials for each separate application.
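
The flow in steps 1 to 6, sketched as an added example that is not part of the original article or of any vendor's code: `AuthServer`, `make_user`, the HMAC-SHA256 token format and the lifetimes are assumptions chosen for illustration. Each token is bound to one application (`aud`) and expires quickly, which limits what a leaked token is good for.

```python
import base64, hashlib, hmac, json, secrets, time
def make_user(password):
    """Constructed helper: store a salted PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical central authentication server for the steps above."""
    def __init__(self, users):
        self._key = secrets.token_bytes(32)  # token signing key, stays on the server
        self._users = users                  # username -> (salt, password hash)
        self._sessions = {}                  # session id -> (username, expiry)

    def login(self, username, password):
        """Steps 4-5: verify credentials, then record a central session."""
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (username, time.time() + 300)  # assumed 5 min session
        return sid

    def issue_token(self, sid, app):
        """Steps 2-3 and 6: no live session means None (prompt for credentials)."""
        user, expiry = self._sessions.get(sid, (None, 0))
        if user is None or expiry < time.time():
            self._sessions.pop(sid, None)
            return None
        claims = {"sub": user, "aud": app, "exp": time.time() + 60}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def verify(self, token, app):
        """Check an application asks for: signature first, then audience, expiry."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["aud"] != app or claims["exp"] < time.time():
            return None
        return claims["sub"]

if __name__ == "__main__":
    srv = AuthServer({"alice": make_user("constructed-password")})
    sid = srv.login("alice", "constructed-password")
    print(srv.verify(srv.issue_token(sid, "mail"), "mail"))  # one login, any app
```

A token issued for one application is rejected when presented to another, so the single session does not turn into a single bearer credential for every connected service.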

What are the opportunities of expanding SSO to physical space such as door security?

Although some users consider single sign on authentication risky, there are improved methods for sharing access information that make SSO applicable to access control while making the best of its benefits. For example, the shared secret method, which is enhanced by the SHA1 digest of a shared secret, has better security attributes than its predecessors.

Single sign on limits risks from storing external passwords, creates a user-friendly password system, and is a timesaver for both IT support and staff.

The initial sign on prompts can be stored on a smart card, which can later be used to grant access to multiple applications. Smart cards are widely used in electronic access control systems as a popular alternative for large companies with a large workforce.

Modern encryption methods enable the use of SSO authentication schemes on mobile devices. The mobile can then be used as an authenticator for electronic access control in buildings, as well as for computer access. Each user can rely on the smartphone as a single authentication device for multiple applications, letting him pass unimpeded through physical security impediments and computer security requirements.

A smartphone can be the main “key” to get safely into any secluded storage space you use for valuable objects, data or information.
