At its core, Single Sign-On (SSO) is about improving your users' productivity and experience without sacrificing security. With SSO, users securely access all of their applications with a single set of credentials. A session is first established by authenticating to the SSO portal; from there, applications are opened with a single click, and the user is not challenged to re-enter credentials when entering those systems.
While this is a basic definition of SSO, there are varying levels of maturity when it comes to SSO capabilities. Sifting through these different capabilities can be complicated, so we’ve developed an SSO maturity model to simplify the process by helping you determine the effectiveness of your organization’s current capabilities and providing a decision path for increasing that capability.
Recently, we discussed the first two levels of the SSO Maturity Model, which primarily focus on providing SSO capability into browser-based applications. While Levels 1 and 2 are great starting points for organizations implementing SSO, the capabilities in these levels can be expanded upon to further reduce risk and increase usability.
Levels 3 and 4 add non-browser based applications, such as Windows, Mac, and Linux desktop applications, into the mix. Let’s take a closer look!
Level 3: Native Single Sign-On
While many organizations have turned to SSO primarily to enhance the user experience, organizations in particular markets, such as healthcare, also require SSO for legacy client/server applications. These organizations often invest in virtual desktop infrastructure (VDI) to reduce endpoint management, but the applications delivered through VDI still need SSO.
In Level 3, the Adaptive level of the SSO Maturity Model, the focus is on native SSO, or providing SSO for native applications on Windows platforms. At Identity Automation, we frequently see native applications used in education, healthcare, retail—basically any organization that has some sort of large enterprise resource planning (ERP) system.
While native applications are becoming the minority as organizations increasingly adopt SaaS-based services, there are still plenty of scenarios where organizations rely on native apps. For example, your organization may have client/server applications whose client requires a login. In many cases, users are running a legacy Windows application that accesses a back-end ERP, meaning the user must log into a client on their Windows machine, which then establishes their session with that back-end ERP.
Level 3 is also a good time to start considering how you can empower end users to manage their own application credentials for benefits or features your organization provides to employees, such as a retirement savings account.
Back in Level 2, we discussed admin-managed credentials that are populated automatically, so that end users are never aware of their values. Level 3 kicks it up a notch by adding the ability for end users to manage their own credentials under policies controlled at the organizational level, removing the need for third-party password managers.
A good example is a 401(k) plan or similar company benefit whose accounts employees manage themselves online. The organization does not control those credentials because they are personally owned assets. However, the application can still be made available for easy access on the organization's app launcher portal. When the user first launches the app, they are given the option to store their credentials. Essentially, this gives the user an SSO experience, but with credentials they own.
Level 4: Universal Single Sign-On
In Level 3, we discussed native SSO; however, it was constrained to Windows, as that is the predominant desktop platform. Now, we take everything discussed in Level 3 and expand it to other platforms, including mobile. At Level 4, Intelligent, an organization supports SSO on every endpoint, including macOS, iOS, Android, Chrome OS, Linux, and thin clients.
Furthermore, Level 4 looks not only at admin-managed application policies with SSO rules, but also at how to give end users the same capabilities without requiring them to understand the HTML of a login form. Essentially, SSO set-up moves to a new level where administrators no longer have to build application definitions with SSO rules by hand. Instead, the clients themselves monitor user actions and make recommendations, such as offering to save login credentials.
When a user opens a web or native application, the SSO client can detect when credentials are entered, let the user know the application is not yet recognized, and offer to save the credentials. This resembles a password manager, but goes further: rather than simply creating an entry in a password store, an application launcher definition is created. Once that definition exists, the user sees the application in their app launcher portal with the credentials ready to go.
SSO clients can also let end users securely share these credentials with team members or other departments. For example, many companies have a single UPS or FedEx shipping account that several departments need to use, so multiple people share one login name and password. SSO clients make this sharing simple. Although the credentials are shared, users cannot view or retrieve them; the system holds the credentials and injects them at login. This is a secure way to distribute and manage shared passwords while still providing SSO. One caveat a practitioner should keep in mind: because the target application only ever sees the shared account, the SSO system's access policy and audit trail become the only place where use of that account can be tied to an individual, and a credential injected into a client on an endpoint the user fully controls can in principle be recovered there, so endpoint hardening still matters.
Discover Your Organization’s SSO Status with the SSO Maturity Model Webinar
Levels 3 and 4 of the SSO Maturity Model center on adding native applications to your SSO strategy and empowering end users. While Level 3 focuses on Windows, Level 4 expands these capabilities to additional platforms, supporting SSO on every endpoint, including macOS, iOS, Android, Chrome OS, Linux, and thin clients.
For more details on the SSO Maturity Model, check out our webinar: Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 3 - Single Sign-On. In this on-demand recording, our Founder, Troy Moreland, discusses the progression from a basic sign-on strategy, all the way to an intelligent strategy that supports SSO on every endpoint.
Whether your organization is simply considering an SSO implementation or already has a solution in place, this webinar will help you evaluate your organization’s current level of SSO maturity and provide actionable steps to take your SSO strategy to the next level.