Single Sign-On (SSO)

Single sign-on (SSO) is a method of access control that allows a user to log on to a system once and gain access to other resources within the network via that initial logon. If SSO were not implemented, the user would need to log on multiple times and remember multiple passwords for the various systems. For example, when Kevin needs to access the file share, the print server, the customer database, and his email, he does not want to have to remember a different password for each resource. Fortunately, his organization implemented Kerberos, a single sign-on system, so his initial logon credentials are used for all of these resources. Use of SSO:

  • Eliminates the need to remember multiple passwords. By reducing the number of passwords, you reduce the amount of time spent by administrators who must reset user passwords.
  • Ensures that the same password policy is applied to all resources.
  • Reduces the need for an administrator to manage various accounts on individual resources. Having centrally managed access also helps when employees leave the organization. Removing all of their access to multiple accounts at one time is efficient and ensures that employees cannot access the accounts later.

To understand if you should implement SSO, it is also important to understand the risks associated with allowing the same credentials to be used by multiple resources. Some risks of using SSO are:

  • If an attacker obtains the initial password, he or she will have access to all resources.
  • If an employee leaves his or her system unlocked and steps away, the employee essentially provides full and open access to all resources.

NOTE

Constantly resetting passwords can be demanding on IT resources and increases costs. However, an SSO system might be too expensive for smaller organizations. If the organization is small and resetting passwords is not a costly factor, an SSO solution may be more of a drawback than a benefit.

Defining the Scope for SSO

The scope for SSO is to provide a unified sign-on interface for end users that allows them to authenticate once and access multiple systems and applications. In particular, the interface should be independent of the authentication mechanisms. An SSO interface provides the capability to use credentials for other systems, but it does not specify a mandatory authentication mechanism, leaving that decision to individual access control administrators. The administrator might, for example, require two-factor authentication for sensitive applications while only requiring a username and password for more routine access.

Configuring User and Role-Based User Access Control Profiles

Adding the access controls previously discussed in this chapter provides an extra layer of security for SSO. Using credentials to limit access to resources and documents is essential for an organization attempting to limit the level of risk. Configuring user- and role-based access control profiles in an SSO system is a task that can be simplified with identity and access management software. This software is available through third-party vendors, and it allows you to incorporate SSO capabilities and control user- or role-based access control in a few steps.

These tools allow organizations to manage authentication and authorization for large numbers of users or groups from a single source. The advantages and disadvantages of SSO described earlier do not change when these additional capabilities are implemented; the access control profiles simply add the security needed to ensure the right information gets into the right hands at the right time.

Common Configurations

There are various ways to implement SSO within an infrastructure. Determining which system to deploy within the network must be done by analyzing the benefits and risks of the system as well as the return on investment (ROI). The following are three common SSO configurations implemented within an enterprise:

  • Kerberos—As previously stated, Kerberos is a form of SSO that employs a trusted third-party infrastructure for authentication.
  • Cookies—Once a user logs on to a system, a cookie is placed on his or her machine. When the user wants to access this system again, the system checks for the cookie. If the cookie is available and valid, the user will not need to log on again.
  • Smart cards or biometrics—Authenticating directly to the computer system through either a smart card or using biometrics will subsequently allow access to the other tools available on the system, such as email or enterprise communication tools.

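The cookie-based configuration above, and the earlier points about central deprovisioning and the risk of a stolen credential granting access to every resource, can be illustrated with a small model of how a resource decides that an SSO cookie is "available and valid." The following is an added example written for this page, not code from the original text or from any product it mentions; the secret key, the resource names, the role assignments, and the revocation list are all constructed for the demonstration. The cookie carries the user name, the roles from the user's access control profile, and an expiry time, and is protected by an HMAC so that a resource can reject a forged or altered cookie without contacting the logon server again:

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the logon server and the resources.
# A real deployment would hold this in a key store, not in source code.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Central deprovisioning list: when an employee leaves, their identity is
# added here once and every resource stops honouring their cookie.
REVOKED_USERS = set()

# Role-based access control profiles (constructed): which roles each
# resource accepts. One cookie serves all of them, which is the SSO benefit
# and also why a stolen cookie is a risk to every resource at once.
RESOURCE_ROLES = {
    "file_share": {"staff"},
    "print_server": {"staff"},
    "customer_db": {"sales", "support"},
    "email": {"staff"},
}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized claims, hex encoded."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_sso_cookie(username: str, roles: list, ttl_seconds: int = 3600, now=None) -> str:
    """Logon server side: build 'base64(claims).signature' after a successful logon."""
    now = time.time() if now is None else now
    claims = {"sub": username, "roles": sorted(roles), "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    encoded = base64.urlsafe_b64encode(payload).decode()
    return f"{encoded}.{_sign(payload)}"


def validate_sso_cookie(cookie: str, now=None):
    """Resource side: return the claims if the cookie is genuine, unexpired and
    not revoked; otherwise return None so the user is sent back to log on."""
    now = time.time() if now is None else now
    try:
        encoded, signature = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    # Constant-time comparison so a forged signature cannot be guessed
    # byte by byte from timing differences.
    if not hmac.compare_digest(_sign(payload), signature):
        return None  # forged or tampered cookie
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired: user must log on again
    if claims["sub"] in REVOKED_USERS:
        return None  # deprovisioned centrally
    return claims


def authorize(cookie: str, resource: str, now=None) -> bool:
    """Combine the SSO check with the resource's role-based profile."""
    claims = validate_sso_cookie(cookie, now)
    if claims is None:
        return False
    return bool(set(claims["roles"]) & RESOURCE_ROLES.get(resource, set()))


if __name__ == "__main__":
    cookie = issue_sso_cookie("kevin1", ["staff"], ttl_seconds=3600)
    for res in RESOURCE_ROLES:
        print(res, "->", "allowed" if authorize(cookie, res) else "denied")
```

The `now` parameter exists so that expiry can be exercised deterministically; in production it would be omitted and the current time used. Note that validation of the signature and expiry happens at each resource without a round trip to the logon server, whereas revocation requires the resources to consult the shared `REVOKED_USERS` list, which is the same trade-off real SSO deployments make between offline token checking and prompt deprovisioning.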
Enterprise SSO

Enterprise SSO allows credentials to be passed outside of the corporate domain or network. Participation in an enterprise SSO system ensures that the logon credentials will work with any resource even if that resource uses a different identifier for the user. For example, suppose Kevin logs on to his computer system with the username kevin1. The credential for his time card is his employee ID, 13579. Being a part of an enterprise SSO means that his kevin1 username will work as his time card logon.
