by Chris Low

What you need to know about single sign-on

Jul 19, 2017
Access ControlAuthenticationEnterprise Architecture

Single sign-on is an access control management method that is used to provide login access to various services using a central credentials management server. All other services that are integrated in the central auth server can then be used only using a single authentication mechanism.

Separation of concerns has been an important phenomenon in all modern organizations. The result is that monolithic stacks are being broken into multiple services for more granular control. Some of these services can then be outsourced to other providers as well, who often have expertise in handling that particular service. This is not confined to the development teams in the organization either. Each team has different a set of requirements and use different tools and services to do their job.

With this explosion in the number of services each team uses, access management becomes a menace for the sysadmin. The sysadmin is required to ensure that each employee only has access to the services they are authorized to use. They also need to take care of credentials management to make sure that the employees are accessing the infrastructure securely. This is fairly easy to do in small organizations, but once the organization starts to grow, handling these tasks manually becomes very difficult to scale. This is where Single sign-on (SSO) comes into play.

What is single sign-on?

It is an access control management method that is used to provide login access to various services using a central credentials management server. All other services that are integrated in the central auth server can then be used only using a single authentication mechanism. 

Benefits of single sign-on

The biggest advantage of SSO is the scalability it provides. Automated credentials management means that the sysadmin is no longer required to manually take care of all the employees’ access to the services they want. This in-turn reduces the human error factor as well. 

Another important benefit is that 3rd party services can then be used only using an employee’s credentials assigned for use of internal systems. This prevents the storage of sensitive information in places that are out of the organization’s reach. Some 3rd party services may not provide the type of authentication system that an organization requires, such as using physical key cards. The use of a central authentication server places a layer of abstraction between the actual service and the user. This enables any form of authentication to be used for any 3rd party service, as long as that service supports integration with the central authentication system.

For example, the marketing and sales teams might require access to an email campaign automation service or a CRM via username/password based login, the software development team might require access to the software repository via SSH, or the legal department might require access to contracts management service  via 2-factor authentication. The type of authentication required can vary widely and the sysadmin needs to account for that. Different teams have no business with the services that the other team is using. The sysadmin also needs to make sure that each team is only getting access to what they are supposed to use. SSO enables this by adding a limited scope of each employee’s internal account. This can also be used to limit the access of 3rd party services by the employees when they are out of the organization’s premises.

Single sign-on providers

In most organizations, SSO is setup using a directory service. A directory service is a kind of database system that holds the authentication and policy structure. Active Directory is an implementation provided by Microsoft, which is often used in Windows systems. Lightweight Directory Access Protocol (LDAP) protocol is the most common way of setting up access to the directory service. This is a standardized and vendor neutral protocol. An LDAP server holds entries for all the employees and various attributes and can be set on those entries that define its access scope. Whenever an employee wants to login to any service, they provide their internal credentials, and the service makes a trip to the LDAP server to get attributes for their entry. If they have the required attributes to access the service, they go through the authentication. It is worth noting that LDAP is a plain-text protocol and should only be used with SSL. This means using LDAPS instead. 

Another common method used is Kerberos. In contrast to LDAP, this system only requires one time login and provides an access token that is used to automatically login to all other services. SAML is often used for applications that are web-based.

Organizations these days sometimes also use OAuth services provided by 3rd party services. The “Sign-in with Google/Facebook/Twitter” is an example of such a system. The downside is that dependence on these services takes the control out of the hands of the organization. Some of these services might also be blocked in some environments, and this dependence may cause a problem with that.

Deciding which mechanism to use depends entirely upon the organization’s requirements. For small organizations, SSO might be overkill, but medium to large ones should not ignore the benefits that come with it. Deciding which type of SSO should be used and with what kind of authentication mechanism can only done after in-depth investigation.