Single sign-on, also known as SSO, is a widely adopted component of identity and access management (IAM) that not only helps organizations address important access challenges, but also offers clear productivity and user experience benefits.
While there are varying definitions of the term, at Identity Automation we define SSO as a one-time login that permits users to seamlessly access their complete workstation. This initial authentication could be an ID/password challenge, or it could be a passwordless challenge, such as a physical token or biometric authentication. Once users successfully confirm their identity, they are not prompted for an additional login when accessing applications within the single sign-on environment.
However, SSO is not a one-size-fits-all solution, and once implemented, there are varying levels of SSO capability that can be evaluated using a maturity model. Similar to the Federation and Multi-Factor Authentication Maturity Models we’ve previously discussed, the SSO Maturity Model helps organizations define their current level on the capability scale and understand the next steps that can be taken to advance these capabilities.
While many organizations utilize SSO to at least some extent, the majority of these organizations’ SSO implementations lie in the first two of the four stages of the maturity model. Let’s take a closer look at these two levels before we delve into the full SSO Maturity Model in our on-demand webinar.
Level 1: Reduced Sign-On vs. True Single Sign-On
In Level 1, the Basic level of the SSO Maturity Model, organizations utilize Reduced Sign-On (RSO), which relies on directory services so that accounts can be managed in one place. At this level, an organization has integrated many of its applications with the directory via Lightweight Directory Access Protocol (LDAP) to reduce the number of credentials an end user needs to remember. Essentially, the directory password is used to sign into each application whose credentials match it. For many organizations, this amounts to simplified credentials: users set the same password for multiple applications.
Organizations have an RSO experience when one of two scenarios occurs. In the first scenario, users have a single credential but must authenticate multiple times with it to access some applications. In the second, many applications require an additional authentication step for greater security. In both cases, true SSO is not reached, because the user still has to authenticate again, whether due to a session time-out or to application-specific policies that require extra authentication.
Furthermore, at the Basic level, organizations may still rely on shared accounts or credentials. For example, many companies have one UPS or FedEx shipping account that many departments need to use, so multiple people share that one login name and password. This is a major security risk: the application's log records only the shared account, so there is no way to track which person was working in the account and making changes. In addition, when an employee leaves the organization, they retain access until the shared password is changed, a task that is often forgotten.
Users may also use personal or company-provided password vault applications, also known as password managers, to store credentials at the Basic level. These help end users keep track of their unmanaged credentials, and browser plug-ins may be used to fill these values into applications.
While RSO is convenient for users, organizations at this stage are putting themselves at higher risk of a breach. To increase SSO capabilities, organizations must look for solutions that increase usability while decreasing risk.
Level 2: Web SSO Capabilities
In Level 2, the Advanced level of the SSO Maturity Model, an organization understands the need for SSO, especially with ever-growing SaaS adoption. At this point, the SSO solution is more sophisticated and uses technology to pass credentials through to applications, as either agent-based or agentless web SSO.
At the Advanced level, federation tends to start tying in with SSO as well, and organizations at this level have also reached at least Level 2 of the Federation Maturity Model. This means that when users launch an application, they are redirected to a central login page to enter their directory credentials. Upon successful authentication, the user is sent straight back to the application. While best practice is to use federation as the primary authentication method for web or SaaS SSO, form-fill methods can be used to handle exceptions where an application does not support federation protocols.
In addition, at the Advanced level, password managers tend to go away. Instead, administrator-managed credentials are populated automatically, so end users are never aware of their values. A user can click an application’s icon without ever knowing what username and password are passed to the application for authentication. That way, when an employee leaves, there is no need to change the password, as it was never known to them. Furthermore, the departed user no longer has access to that application, because they can no longer reach the SSO portal to launch it in the first place.
If all organization-managed web applications are integrated with your SSO solution, then your organization is in a great place! However, there are many ways to continue improving. Start by looking at other risk gaps, such as Windows clients and VDI deployments. Moving away from passwords entirely will further reduce risk.
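To make the contrast between the Level 1 shared-account risk and the Level 2 centrally managed login concrete, here is an added illustrative model written for this article; it is not Identity Automation's code or any real SSO product. It assumes a toy identity provider that signs short-lived assertions with an HMAC key (a real federation IdP would sign with a private key and the application would verify with the public key), a constructed shared shipping account, and a constructed user "alice". It runs the same offboarding scenario through both models: the shared password keeps working after alice leaves, while deactivating alice at the IdP cuts off the federated application without any application password being changed, and the application's log names the person rather than the shared account.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time


class SharedAccountApp:
    """Level 1 model: an application with one login shared by a whole department.
    It authenticates the account, not the person, so its log cannot say who acted."""

    def __init__(self, username: str, password: str):
        self.username = username
        self._password = password  # constructed sample credential
        self.audit_log: list[dict] = []

    def login(self, username: str, password: str) -> bool:
        ok = username == self.username and hmac.compare_digest(password, self._password)
        self.audit_log.append({"account": username, "ok": ok})  # no per-person identity
        return ok


class IdentityProvider:
    """Level 2 model: a central login page that issues signed, short-lived assertions.
    Applications receive an assertion naming the person, never a password."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # toy shared HMAC key (assumption, see lead-in)
        self._users: dict[str, dict] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = {"salt": salt, "digest": digest, "active": True}

    def deactivate(self, username: str) -> None:
        """Offboarding: one switch at the IdP, no application passwords to rotate."""
        self._users[username]["active"] = False

    def authenticate(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None or not rec["active"]:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(digest, rec["digest"])

    def issue_assertion(self, username: str, password: str, app: str, ttl: int = 300) -> str | None:
        """Central login: return a signed assertion for `app`, or None if login fails."""
        if not self.authenticate(username, password):
            return None
        payload = {"sub": username, "aud": app, "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify_assertion(self, token: str, app: str) -> dict | None:
        """Called by the application: check signature, audience and expiry."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload.get("aud") != app or payload.get("exp", 0) < time.time():
            return None
        return payload


class FederatedApp:
    """An application that trusts the IdP: it accepts assertions, not passwords."""

    def __init__(self, name: str, idp: IdentityProvider):
        self.name, self.idp = name, idp
        self.audit_log: list[dict] = []

    def login_with_assertion(self, token: str | None) -> bool:
        claims = self.idp.verify_assertion(token, self.name) if token else None
        self.audit_log.append({"subject": claims["sub"] if claims else None, "ok": claims is not None})
        return claims is not None


def demo() -> dict:
    """Run both models through the same offboarding scenario and report the outcomes."""
    # Level 1: one shared shipping login (constructed sample values)
    shipping = SharedAccountApp("dept-shipping", "Sh1pIt!")
    shipping.login("dept-shipping", "Sh1pIt!")                              # while alice is employed
    level1_after_offboarding = shipping.login("dept-shipping", "Sh1pIt!")   # alice left; password unchanged

    # Level 2: alice logs in once at the IdP and launches the federated app
    idp = IdentityProvider()
    idp.add_user("alice", "correct horse battery staple")
    app = FederatedApp("shipping-portal", idp)
    token = idp.issue_assertion("alice", "correct horse battery staple", "shipping-portal")
    level2_login = app.login_with_assertion(token)
    # A tampered assertion (last signature character flipped) fails verification
    level2_tampered = app.login_with_assertion(token[:-1] + ("0" if token[-1] != "0" else "1"))
    # Offboarding at the IdP; the application itself is untouched
    idp.deactivate("alice")
    level2_after_offboarding = app.login_with_assertion(
        idp.issue_assertion("alice", "correct horse battery staple", "shipping-portal"))
    return {
        "level1_after_offboarding": level1_after_offboarding,
        "level1_log_entry": shipping.audit_log[-1],
        "level2_login": level2_login,
        "level2_tampered": level2_tampered,
        "level2_after_offboarding": level2_after_offboarding,
        "level2_log_subject": app.audit_log[0]["subject"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the two properties the article describes: the Level 1 shared account still accepts the old password after offboarding and its log only ever records `dept-shipping`, whereas the Level 2 application's log records `alice` as the subject and her access ends the moment her IdP account is deactivated.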
Learn How to Advance Your SSO Strategy at Our Live Webinar
In essence, SSO solutions enable users to access all of their applications using a single set of credentials, and the first two levels of the SSO Maturity Model focus primarily on providing SSO capability for browser-based applications. While Levels 1 and 2 are great starting points for organizations implementing SSO, these capabilities can be expanded to further reduce risk and increase usability.
To learn more, make sure to watch our webinar: Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 3 - Single Sign-On. In this on-demand recording, our Founder, Troy Moreland, not only discusses Levels 1 and 2 in more detail, but also dives into Levels 3 and 4, where we explore how to add non-browser-based applications into the mix, such as Windows, Mac, and Linux desktop applications.
Whether your organization is simply considering an SSO implementation or already has a solution in place, this webinar will help you evaluate your organization’s current level of SSO maturity and provide actionable steps to take your SSO strategy to the next level.