Single sign-on (SSO) is a method of access control that allows a user to log on to a system and gain access to other resources within the network via the initial logon. If SSO was not implemented, the user would need to log on multiple times and remember multiple passwords for the various systems. For example, when Kevin needs to access the file share, the print server, the customer database, and his email, he does not want to have to remember a different password for each resource. Fortunately, his organization implemented Kerberos, a single sign-on system, and instead his initial logon credentials are used for these resources. Use of SSO:
To decide whether you should implement SSO, it is also important to understand the risks of allowing the same credentials to be used by multiple resources. Some risks of using SSO are:
Constantly resetting passwords can be demanding on IT resources and increases costs. However, an SSO system might be too expensive for smaller organizations. If the organization is small and resetting passwords is not a costly factor, an SSO solution may be more of a drawback than a benefit.
The scope of SSO is to provide a unified sign-on interface for end users that allows them to authenticate once and access multiple systems and applications. In particular, the interface should be independent of the authentication mechanisms. An SSO interface provides the capability to use credentials for other systems, but it does not specify a mandatory authentication mechanism, leaving that decision to individual access control administrators. The administrator might, for example, require two-factor authentication for sensitive applications while only requiring a username and password for more routine access.
Adding the access controls previously discussed in this chapter provides an extra layer of security for SSO. Using credentials to limit access to resources and documents is essential for an organization attempting to limit the level of risk. Configuring user- and role-based access control profiles in an SSO system is a task that can be simplified with identity and access management software. This software is available through third-party vendors, and it allows you to incorporate SSO capabilities and control user- or role-based access control in a few steps.
These tools allow organizations to manage authentication and authorization for large numbers of users or groups from a single source. The advantages and disadvantages of SSO do not change when these additional capabilities are implemented; the capabilities add to the security needed to ensure the right information gets into the right hands at the right time.
There are various ways to implement SSO within an infrastructure. Determining which system to deploy within the network must be done by analyzing the benefits and risks of the system as well as the return on investment (ROI). The following are three common SSO configurations implemented within an enterprise:
Enterprise SSO allows credentials to be passed outside of the corporate domain or network. Participation in an enterprise SSO system ensures that the logon credentials will work with any resource, even if that resource's own credentials differ. For example, suppose Kevin logs on to his computer system with the username kevin1. The credential for his time card is his employee ID, 13579. Being part of an enterprise SSO means that his kevin1 username will work as his time card logon.
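The following is an added illustration, not code from the chapter or from any SSO product, of the three points above: one logon producing a session that is reused for every resource, per-resource policy that lets the administrator demand two-factor authentication only for sensitive applications and enforce role-based access, and enterprise SSO mapping the primary identity (kevin1) to the credential a resource expects (employee ID 13579 for the time card). The user directory, resource policies, and password are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SALT = b"constructed-salt"  # constructed; a real system salts per user


def pw_hash(password):
    # PBKDF2 stands in for whatever slow password hash the IdP uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed directory: primary credential, roles, and the per-resource
# identities that enterprise SSO maps the primary identity to.
USERS = {
    "kevin1": {
        "pw": pw_hash("correct horse"),
        "roles": {"staff"},
        "mapped": {"timecard": "13579"},
    }
}
# Per-resource policy chosen by the access control administrator: which role
# may use it and whether MFA must have been presented at the initial logon.
RESOURCES = {
    "fileshare": {"role": "staff", "mfa": False},
    "timecard": {"role": "staff", "mfa": False},
    "customer_db": {"role": "staff", "mfa": True},
    "hr_admin": {"role": "hr", "mfa": True},
}
SESSION_TTL = 3600  # one compromised token is the SSO risk; keep it short


class SSOBroker:
    def __init__(self):
        self.sessions = {}  # token -> {"user", "mfa", "exp"}

    def login(self, user, password, otp_ok=False):
        """The single logon. Returns a session token, or None on failure."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(pw_hash(password), rec["pw"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "mfa": otp_ok,
                                "exp": time.time() + SESSION_TTL}
        return token

    def access(self, token, resource):
        """Reuse the initial logon for a resource. Returns the credential that
        resource expects (the mapped identity), or None when policy denies."""
        s, pol = self.sessions.get(token), RESOURCES.get(resource)
        if s is None or pol is None or time.time() > s["exp"]:
            return None
        if pol["mfa"] and not s["mfa"]:
            return None  # sensitive app: username/password alone is not enough
        user = USERS[s["user"]]
        if pol["role"] not in user["roles"]:
            return None
        return user["mapped"].get(resource, s["user"])
```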