What Is Single Sign On (SSO), How To Implement It, And What Are The Benefits?
Technological advances make every kind of work easier, and countless applications have been built to meet those needs. With so many applications in use, however, users often forget the accounts and passwords that go with them. Single Sign On (SSO) emerged as a login system that addresses exactly this problem.
Technology brings benefits and drawbacks alike. A product you need is now one click away, but as people become more technically capable, hacking attempts also increase, putting the security of user data at risk.
To counter these security problems, each application requires users to enter an email address or account name together with a password. That causes no difficulty when a person uses only one application, but in an era where everyone must keep pace with technology, everyone uses several. Some applications even require users to create separate accounts for security reasons. This is where forgetting an account or password becomes a frequent problem.
What is the Single Sign On (SSO) System?
- As an authentication service, Single Sign On solves the forgotten-password problem and simplifies logging in to a site or application. With SSO, users log in once and gain access to multiple applications at the same time.
- The method works by strictly identifying the user once credentials, such as an email address and password, have been entered. The system then allows that credential information to be reused across one or a set of trusted systems. Companies, small organizations, and individuals can all use the service to simplify the management of usernames and passwords.
- In a typical web SSO service, an agent module on the application server retrieves the individual user's authentication credentials from a trusted SSO server, while the user is authenticated against the user repository, such as a Lightweight Directory Access Protocol (LDAP) directory.
- After that, the service lets the user log in to all trusted applications and prevents those applications from showing a login page again during the same session.
- Developers new to software development often find the difference between Directory Server Authentication (same sign on) and SSO unclear, and the same goes for SSO and LDAP. If you are still unsure, the differences between Single Sign-On and several other sign-in services are explained below.
SSO vs Same Sign On vs LDAP
- Besides SSO, there is also a scheme called same sign on. Single sign on requires the user to log in only once to access various applications, while same sign on requires the user to log in every time they open an application, using the same credentials each time.
- To increase security, same sign on uses tools such as DirSync, which can replicate passwords. The same account can have different passwords in different applications, so if the credentials for one application are compromised, they cannot be used to open the others.
- Same sign on was developed in 1992 by Tim Howes, then a student, and his team at the University of Michigan. The system was originally designed to connect users to systems across the university, using the X.500 Directory Access Protocol (DAP).
- Over time, LDAP proved more effective at supporting this system. Where LDAP was once used to access systems and applications, the directory is now also used to authenticate users who want to access DevOps tools such as Jenkins®.
- Many software houses later struggled to connect their on-prem IdP (usually Active Directory) to web applications over LDAP: LDAP is a protocol from the 1990s, while web applications only appeared in the early 2000s. Security Assertion Markup Language (SAML) was created to overcome this.
- SAML brings traditional directory service functions to cloud-based applications. In practice, developers often layer SSO on top of their AD designs, and companies can keep using LDAP-based systems alongside web applications that support SAML.
- In short, LDAP is an application protocol used to look up and verify information on the directory server, while SSO is a user authentication process that grants access to various systems.
SSO and LDAP Challenges
- Traditional SSO and LDAP are quite capable of connecting users to their applications, but IT admins find them notoriously complicated. Traditional LDAP, for example, was designed for an on-prem environment, which makes it hard to use and maintain, so IT admins spend more time and effort implementing it.
- In addition, legacy LDAP-based directory services struggle with cross-platform environments, on-prem web applications, cloud infrastructure on AWS® and GCP®, physical and virtual file storage, and remote networks. SSO is therefore often just one of several separate directory services needed alongside a traditional AD or OpenLDAP environment. In other words, while LDAP and SSO solve some of the IAM problems of modern organizations, the problems to be faced go well beyond that.
- Do these challenges sound troublesome to you? Don’t worry. If you don’t want to experience any hassle in the future, just leave all your Single Sign On website and application matters to SoftwareSeni.
- SoftwareSeni is a one-stop IT solution company. You can consult with us on building digital products (web apps & mobile apps) and on preparing the specification documents for them. With a wide choice of technologies and handling by experienced IT experts, the quality of the digital products is guaranteed.
- SoftwareSeni has strict operational, data security, and privacy standards, with work results that have been tested internationally. The intellectual property of the digital products developed is entirely yours, without exception. SoftwareSeni also offers on-demand service to ensure that your digital products keep working optimally.
- It was mentioned earlier that SSO can run with the help of SAML. SAML is not the only option: OpenID is also commonly used to support SSO. Where SAML is widely used by companies, OpenID is often used by services aimed at general users, such as websites. There are also SSO configurations based on Kerberos, smart cards, and mobile devices. A fuller explanation of the five configurations follows.
SAML
This SSO protocol is an open standard that provides authentication and authorization based on assertions in XML format. It is most widely used by software delivered as a service, such as Salesforce, GitHub, Jira, ServiceNow, and Workday.
a. SAML Workflow
The SAML-based SSO authentication flow is as follows:
- User accesses the service provider URL
- Service provider (SP) site creates a SAML <AuthnRequest>
- SP directs the browser to the SSO URL and submits the SAML request
- Browser directs the user to the SSO URL with the SAML request
- Identity provider (IdP) site parses the SAML request and requests user authentication
- IdP displays the login page
- User enters credentials at the IdP
- IdP creates a SAML <Response>
- IdP provides the signed SAML <Response> containing the assertion
- Browser POSTs the signed SAML <Response> to the SP
- SP verifies the response and grants the user login access.
b. How to adopt SAML-based SSO in an application?
Before you start, read the SAML technical documentation first. Then choose a technology stack suited to the website being developed. Some alternatives:
- OneLogin: a SAML toolkit that supports five programming languages, namely PHP, Java, .NET, Ruby, and Python,
- Spring Security: a SAML extension for the Java programming language, and
- Passport SAML: provides SAML 2.0 authentication for Passport, a Node.js authentication library.
c. How to choose a SAML SSO identity provider for a company or application?
The right way to choose an identity provider is to match it to your needs and budget. Here are the recommendations you can choose from:
- Okta
Okta is a feature-rich identity provider: it supports customizing user identity per application, integrates with on-premise AD, and has a provisioning function based on the System for Cross-domain Identity Management (SCIM), which lets administrators register users and manage their authorization in each application.
- Ping Identity
Ping Identity also has many of the features companies need, and offers an AD alternative, Ping Directory.
- Azure Active Directory
Azure Active Directory is Microsoft's identity provider. Since most companies use Microsoft products, the features it provides can certainly meet their needs.
In general, SAML is very well suited to companies because of its high level of security and features that adapt to the company's authentication needs.
The reliability of its security comes from authentication based on signed assertions: the assertion is signed by the identity provider, whose X.509 certificate is included, and carries the user information that the service provider verifies.
In addition, registering accounts for each application, managing password complexity and changes, and setting user authorization levels per application can all be done in one place, which makes security administration easier and more practical for the company's IT admin.
- OpenID
OpenID was introduced by the OpenID Foundation in 2006. In February 2014 they introduced the third generation of OpenID, called OpenID Connect (OIDC). The standard is used by more than one billion accounts, the best known of which are Google and Facebook.
a. OIDC Workflow
The OIDC authentication flow can be described as follows:
- User accesses the service provider (RP) URL and selects the OpenID to use
- RP provides its Client ID to the identity provider (OP)
- RP directs the browser to the SSO URL and provides the Client ID
- Browser directs to the SSO URL with the Client ID
- OP reads the incoming request and requests user authentication
- OP displays the login page
- User enters credentials at the OP
- OP authenticates the user, displays the consent page, and requests consent
- User gives consent in the browser
- OP provides the authorization code to the browser
- Browser provides the authorization code to the RP
- RP presents the authorization code to the OP to obtain an ID token and validate the user
- OP exchanges the authorization code for ID, access, and refresh tokens
- RP grants login access.
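The step "obtain an ID token and validate the user" is the RP's responsibility, so here is an added example (not from the article) of the checks an RP applies to the ID token: signature, iss, aud, exp and nonce. It assumes HS256 with the client secret as the key, which OIDC Core permits, so that it runs offline; most real OPs sign with RS256 and publish keys via JWKS. The issuer, client ID, secret and claims are constructed values.

```python
import base64, hashlib, hmac, json

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims, client_secret):
    """Constructed stand-in for the OP so the example runs offline (HS256, client secret as key)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token, client_secret, issuer, client_id, nonce, now):
    """RP-side ID token checks: signature, iss, aud, exp, nonce. Returns sub or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(unb64url(h)).get("alg") != "HS256":   # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(unb64url(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:                    # ties the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims["sub"]

# Constructed sample data: not a real issuer, client or secret.
CLIENT_SECRET = "constructed-client-secret"
SAMPLE_CLAIMS = {"iss": "https://op.example", "sub": "user-1", "aud": "client-abc",
                 "iat": 1700000000, "exp": 1700000600, "nonce": "n-1"}
SAMPLE_TOKEN = mint_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)

def is_valid(token, **kw):
    try:
        return validate_id_token(token, **kw) is not None
    except (ValueError, KeyError):
        return False
```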
b. How to choose an OpenID identity provider for your mobile app development?
- Since OpenID is open to anyone, you can choose from several popular identity providers, such as Google, Facebook, and Microsoft, according to your needs. The situation differs if you need SSO across a group of applications that you develop yourself. For example, service provider A has service applications B and C with different user databases and authorization functions; here A acts as the identity provider for B and C.
- In that case you can integrate the applications with a third-party identity provider, since most identity providers already support SAML and OpenID side by side.
In short, OpenID modernizes the SAML that already exists and is used by most applications. Identity provider vendors for enterprises generally support both standards anyway.
- Kerberos
Kerberos, named after Cerberus, the three-headed dog guarding the gates of Hades, is an authentication protocol developed at the Massachusetts Institute of Technology (MIT). Introduced in the 1980s, it was designed for user authentication in large, distributed networks. It relies on secret-key cryptography with a complex algorithm.
a. How Kerberos Works
At the start of the process, Kerberos asks for the user's credentials in order to obtain a ticket granting ticket (TGT). Applications that require authentication, such as Whiskey, revision control systems, and email clients, use the TGT to obtain a service ticket, which is then used to prove the user's identity to the email server or other services without asking the user to re-enter credentials. On Windows the flow is: Windows login -> get TGT -> Active Directory issues a service ticket -> user is logged in. On Linux the flow is: login via the Kerberos PAM module -> get TGT -> client applications such as Firefox, SVX, and Evolution use the service ticket -> user is logged in without re-authenticating.
- Smart Card Based
This is one of the most practical SSO configurations. Users present the smart card once when logging in and do not need to enter credentials again; for authorization and authentication, the application uses the certificate or password stored on the card.
- Using Smartphones
Smartphones earn their name partly because they can provide credential access, so a smartphone can be used to access systems such as computers and building access control. This works with SAML and OIDC authentication methods that use X.509 certificates to identify the smartphone to the servers it accesses.
Why Single Sign On?
In this fast-paced era, few people have time to re-enter credentials every time they open an application. Compared with the same sign on system that came before it, single sign-on is more effective because one login grants access to multiple applications at once.
Are those the only advantages? Of course not. Here are some other advantages of SSO.
1. Simplifies setting usernames and passwords.
When company staff change, SSO reduces the IT admin's workload and the chance of errors: employees who leave automatically lose their login rights, and service managers no longer need to spend extra time and bandwidth retrieving user credential information when passwords are forgotten or changed.
2. Increase identity protection.
With SSO, companies can strengthen employee identity security with techniques such as two-factor authentication (2FA) and multi-factor authentication (MFA).
3. No fear of forgetting passwords.
In this technological era everyone has several accounts, which is troublesome if each application asks for different credentials. With SSO, users only need to remember one set of credentials for all the applications they use.
4. Speed up the login process when it’s critical.
Work environments such as hospitals, defense industries, and emergency services need many people and departments to have fast, unrestricted access to the same applications. In such situations, preventing errors and malware disruptions can be the difference between life and death.
5. Lighten the workload of IT admins.
Fewer users calling about lost passwords saves budget and improves security.
6. Reduce security risks for customers, vendors, and partners.
Relationships between companies often raise security issues that SSO can address.
Why choose Mitra IT?
• Expert Team: We have a team of experienced and creative technology experts.
• Comprehensive Solutions: We not only provide technology but also offer full support to ensure your business success.
• Focused on Results: We are committed to helping you achieve your business goals.
Don’t miss the opportunity to maximize your business potential!
Contact us now for a free consultation.