Single sign-on (SSO) is an authentication scheme that enables users to log in to a session once, using a single set of login credentials, and gain secure access to multiple related applications and services during that session without logging in again.
SSO is used commonly to manage authentication in company intranets or extranets, student portals, public cloud services, and other environments where users need to move between multiple applications to get their work done. It’s also used increasingly in customer-facing web sites and apps – such as banking and e-commerce sites – to combine applications from third-party providers into seamless, uninterrupted user experiences.
Single sign-on is based on a digital trust relationship between a group of related, trusted applications, web sites and services, called service providers, and an SSO solution, called an identity provider. The SSO solution is often part of a larger IAM (identity and access management) solution.
In general, SSO authentication works as follows:
The process can vary depending on several factors. For example, a user who has been idle for a specified period may need to log in when they attempt to access another app. Or, if an authenticated user attempts an app or service that deals with particularly sensitive information, the user may be prompted for an additional authentication factor, such as a code sent to the user's mobile phone or email (see 'Adaptive SSO' below).
Obviously, SSO saves users time and trouble. Take corporate users, for example: Instead of logging into multiple applications multiple times per day, with SSO they are often able be able to log into the corporate intranet or extranet just once for all-day access to every application they need.
But by dramatically reducing the number of passwords users need to remember and the number of user accounts administrators need to manage, SSO strengthens an organizations security posture. Specifically, SSO can
The chief risk of SSO is that if a user's credentials are compromised, they can grant an attacker access to all or most of the applications and resources on the network.
Requiring users to create long and complex passwords - and carefully encrypting and protecting them wherever they're stored - goes a long way toward preventing this worst-case scenario. But most security experts recommend implementing SSO with multi-factor authentication, or MFA. MFA requires users to provide at least one authentication factor in addition to a password - e.g., a code sent to a mobile phone, a fingerprint, or an ID card. Because these additional credentials are ones that hackers can't easily steal or spoof, MFA can dramatically reduce risks related to compromised credentials in SSO.
The SSO scheme describe above - a single log-in and set of user credentials providing session access to multiple related applications - is sometimes called simple or pure SSO. Other types of SSO - or authentication methods similar to SSO - include:
SSO may be implemented using any of several authentication protocols and services.
SAML (Security Assertion Markup Language) is the longest-standing open standard protocol for exchanging encrypted authentication and authorization data between an identity provider and multiple service providers. Because it provides greater control over security than other protocols, SAML is typically used to implement SSO within and between enterprise or government application domains.
OAuth/OAuth 2.0 (Open Authorization) is an open standard protocol that exchanges authorization data between applications without exposing the user's password. OAuth enables using a single log-in to streamline interactions between applications that would typically require separate logins to each. For example, OAuth makes it possible for LinkedIn to search your email contacts for potential new network members.
OpenID Connect (OIDC)
Another open standard protocol, OICD uses REST APIs and JSON authentication tokens to enable a web site or application to grant users access by authenticating them through another service provider.
Layered on top of OAuth, OICD is used primarily to implement social logins to third-party applications, shopping carts, and more. A lighter-weight implementation, OAuth/OIDC is often to SAML for implementing SSO across SaaS (software as a service) and cloud applications, mobile apps, and Internet of Things (IoT) devices.
LDAP (lightweight directory access protocol) defines a directory for storing and updating user credentials, and a process for authenticating users against the directory. Introduced in 1993, LDAP is still the authentication directory solution of choice for many organizations implementing SSO, because LDAP lets them provide granular control over access the directory.
ADFS (Active Directory Federation Services) runs on Microsoft Windows Server to enable federated identity management - including single sign-on - with on-premises and off-premises applications and services. ADFS uses Active Directory Domain Services (ADDS) as an identity provider.
'Zero trust' takes a 'never trust, always verify' approach to security: Any user, application, or device - whether outside the network, or already authenticated and inside the network - must verify its identity before accessing the next network resource it wants to access.
As networks become more distributed, spanning on-premises infrastructure and multiple private and public clouds, a zero-trust approach is essential for preventing threats that penetrate the network from gaining more access, and doing maximum damage.
SSO - and particularly SSO as part of an IAM solution - is viewed widely as a foundational technology for implementing a zero-trust approach. The fundamental challenge of zero-trust is to create a security architecture that can clamp down on attackers who penetrate the network - without hampering the ability of authorized end users to move freely about the network and get their work or business done. When combined with multi-factor authentication, access and permission controls, network micro-segmentation and other techniques and best practices, SSO can achieve help organizations achieve this balance.
Connect every user to the right level of access with IBM Security Verify IAM solution.
IBM Security Verify lets you go beyond basic authentication with options for passwordless or multifactor authentication.
Proactively protect users and assets with AI-assisted, risk-based authentication with IBM Security Verify.
Infuse cloud IAM with deep context for risk-based authentication to enable low-friction, secure access.
Strengthen data privacy protection, build customer trust and grow your business.
Infuse risk confidence into IAM systems to deliver smarter authentication with IBM Security Verify Trust software.
Discover security solutions wrapped around every user, every device and every connection.
Identity and access management (IAM) is a critical part of your security program to help protect data by controlling corporate network access.
Zero trust is a framework that assumes a complex network’s security is always at risk to external and internal threats.
Data security helps protect digital information from unauthorized access, corruption, or theft throughout its entire lifecycle.
Cybersecurity technology and best practices protect critical systems and sensitive information from an ever-growing volume of continually evolving threats.
Defining insider threats, identifying their source and describing measures to protect against them.
Mobile device management (MDM) is used to provide a workforce mobile productivity tools and applications while keeping corporate data secure.
IBM Security Verify is a single identity-as-a-service (IDaaS) solution for workforce modernization and consumer digital transformation. Verify features comprehensive cloud IAM capabilities, including single sign-on, advanced risk-based authentication, adaptive access management, automated consent management and much more.