What is Single Sign-On (SSO)? 

Learn how Single Sign-On (SSO) authentication helps prevent your credentials from being compromised by malicious actors. Find out how SSO works.

How Does SSO Work?

SSO is built on the concept of Federated Identity Management (FIM) or the sharing of identities across different systems. The primary function of SSO in Federated Identity Management is the authentication process. 

The SSO authentication flow begins when a user attempts to access a web application: the Service Provider (SP) generates a token containing specific user information.

The Identity Provider (IdP) then verifies the user’s identity and grants them access to the applications they are authorized to use. The user’s credentials are stored securely on the authentication server and are not shared with the applications. 

The Service Provider’s token is then validated based on the trust relationship established between the IdP and the SP during the initial configuration. If validation succeeds, the user is granted access.

Why is SSO Important?

SSO is important because it simplifies the login process for users and improves security by ensuring that each user has only a single set of credentials. 61% of data breaches were the result of compromised credentials. SSO helps protect against credential stuffing and other types of identity theft by securely authorizing each user.    

When users have to remember multiple sets of credentials, they are more likely to choose weak passwords or reuse passwords across different applications. This puts both the user and the organization at risk of a security breach, especially when they are working remotely from an unsecured connection.

What Are SSO Credentials?

SSO credentials are the username and password that a user uses to log in to a central authentication server. The authentication server then verifies the user’s identity and grants them access to the applications they are authorized to use.

For example, suppose a user wants to access the AWS Active Directory. The admin assigns a temporary set of credentials to that specific user via AWS SSO and the AWS CLI (Command Line Interface) to authenticate the user and manage services. Admins can configure multiple profiles either manually or automatically via the AWS CLI. This also simplifies the AWS login process for IT admins.

The user’s SSO credentials are stored securely on the authentication server and are not shared with the applications. When the user tries to access an application, the application contacts the authentication server to verify the user’s identity. 

Organizations can control which applications users have access to with SSO authentication. This makes it more likely that users will use the applications they need and less likely that they will bypass security controls.

What is a SAML Provider?

A SAML provider is a web application or service that runs on one or more servers and handles the processing of SAML assertions.

There are two types of SAML providers:

1) Service Provider (SP): This entity sends authentication requests to identity providers for user authentication.

2) Identity Provider (IdP): A SAML Identity Provider offers web-based authentication services to users and systems on the network.

What Are the Different Types of SSO Authentication? 

OAuth

OAuth is an open standard for authorization that allows users to grant third-party applications access to their data without sharing their passwords. OAuth authorizes devices, APIs, and servers with user-specific generated tokens. 

A good example of OAuth is Facebook Connect, which allows users to access third-party websites and log into their accounts with the click of a button. This process allows users to bypass the traditional website registration steps, as data is pulled directly from the API and client.

With OAuth 2.0, the user’s credentials are not shared with the third-party application. Instead, the user is redirected to the authentication server where they log in with their credentials. OAuth 2.0 provides authorization flows for web and desktop applications and mobile devices. 

OAuth 2.0 adds an extra security layer by issuing access tokens to the client rather than using the end user’s credentials, which could otherwise be compromised.
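The redirect-based login described above, sketched as an added example (not code from the original page): a client builds the authorization request, then checks the redirect that comes back before exchanging the code for tokens. The endpoint, client ID, redirect URI and the `session` dict standing in for a server-side session store are assumptions, and the sketch goes slightly beyond the text by including the `state` check and PKCE (RFC 7636).

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (assumed values, not a real provider).
AUTHZ_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.com/callback"

def start_login(session: dict) -> str:
    """Return the URL the browser is redirected to; the app never sees the password."""
    state = secrets.token_urlsafe(32)      # binds the callback to this browser session
    verifier = secrets.token_urlsafe(64)   # PKCE secret kept server-side (RFC 7636)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    session.update(state=state, code_verifier=verifier)
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid profile",
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256"})

def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the redirect back and return the form for the token request."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("state", None)  # one-time use, even on failure
    got = params.get("state", "")
    if not expected or not hmac.compare_digest(got.encode(), expected.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"])
    if "code" not in params:
        raise ValueError("missing code")
    return {"grant_type": "authorization_code", "code": params["code"],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session.pop("code_verifier")}
```

The returned form is what the client would POST to the authorization server's token endpoint; a callback with a missing, wrong or already-used `state` is rejected before any code is exchanged.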

OpenID Connect (OIDC)

OpenID Connect is an authentication protocol that builds on top of OAuth. With OpenID Connect, the user’s identity is verified by the authentication server, and a token is issued to the user. The user can then use this token to log into third-party applications.

Identity tokens are issued as JSON Web Tokens (JWTs), which are encrypted, so the information being transmitted by third parties is highly secured. Another important security aspect is the XML Digital Signature of the JWTs, which states that the information was not altered in transmission. OpenID Connect is fairly straightforward and simple to integrate.
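An added example (not code from the original page) of the check a Service Provider runs on a token it receives, using the trust settings fixed at configuration time as described under "How Does SSO Work?". To stay within the standard library it assumes an HS256 (HMAC-SHA256) signed JWT with a shared secret; the issuer, audience and secret values are constructed, and `sign_token` exists only to build sample tokens.

```python
import base64, hashlib, hmac, json, time

# Trust settings fixed when the SP was registered with the IdP (constructed values).
TRUST = {"issuer": "https://idp.example.com", "audience": "sp-client-123",
         "secret": b"constructed-shared-secret"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """IdP side, used here only to build sample tokens: issue a compact JWS."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def validate_token(token: str, trust: dict, now=None) -> dict:
    """SP side: return the verified claims or raise ValueError."""
    try:
        head, body, sig_b64 = token.split(".")
        alg = json.loads(b64url_decode(head))["alg"]
        sig = b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # The algorithm comes from the SP's configuration, not from the token header.
    if alg != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(trust["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # only parsed after the signature checks out
    if claims.get("iss") != trust["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if trust["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    sample = sign_token({"iss": TRUST["issuer"], "aud": TRUST["audience"],
                         "sub": "alice", "exp": int(time.time()) + 300}, TRUST["secret"])
    print(validate_token(sample, TRUST))
```

Access is granted only when the signature, issuer, audience and expiry all match what the SP was configured to trust; a token minted for a different application or signed with a different key fails even if its claims look valid.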

Security Assertion Markup Language (SAML)

SAML is an XML-based standard for exchanging authentication and authorization data between organizations. SAML is often used by large organizations that need to share user data between different applications.

With SAML, the user’s credentials are verified by the authentication server, and a SAML assertion is issued. The SAML assertion contains information about the user’s identity and whether they are authorized to access the application. An IdP authenticates a user and then passes the token to a Service Provider, which then grants access to a specific application or company resource.

Federated Identity Management (FIM)

Federated Identity Management is a type of SSO that allows organizations to share user data between different applications via attributes such as your location. Federated identity links a user’s identity across several identity management systems.

SSO is only involved in the authentication process of federated identity. Another benefit of a federated identity is that an actual person or admin is also involved which can drastically reduce the chance of error leading to security breaches. FIM combines the use of multiple authentication technologies such as the ones mentioned above (OAuth, OpenID, and SAML).  

Kerberos-based SSO

Identity management should be the cornerstone of any business. Perimeter 81 simplifies the authentication process by leveraging SSO and SAML 2.0 for secure identity management of company resources from anywhere in the world.

Don’t take any chances with weak or unprotected passwords. Set and define user permissions either on an individual or group basis with Perimeter 81’s IdP integrations. See how simple it is for yourself. 

LDAP vs. SSO – What Are the Differences?

There are a few key differences between LDAP and SSO that you should know about before deciding which is right for your organization.

LDAP stands for Lightweight Directory Access Protocol. It is an open, cross-platform protocol used for directory services authentication. LDAP uses the Simple Authentication and Security Layer (SASL) to authenticate users with different mechanisms such as Kerberos.

The LDAP authentication process involves verifying usernames and passwords by connecting with a directory service.

With LDAP, each application has its own authentication server. This means that the user’s credentials are verified by the authentication server for each application. This can be time-consuming and can lead to problems if the user’s credentials are different for each application.

With SSO, there is a centralized authentication server that all applications use. This means that the user only has to log in once, and their credentials are verified by the authentication server. This can save time and reduce the chances of errors.

Benefits of Single Sign-On (SSO)

SSO offers many benefits for organizations of all sizes.

Some benefits of SSO include:

  • Reduced password fatigue – Users only have to remember one set of credentials instead of multiple sets. This can reduce password fatigue and make it easier for users to access the applications they need.
  • Increased security – All of your organization’s applications are connected to a central authentication server. This means that if one application is breached, the others will not be affected. This can help to increase security for your organization.
  • Improved productivity – Users can access the applications they need without having to log in multiple times. This can save time and improve productivity for your organization.
  • Reduced help desk costs – Users can reset their own passwords if they forget them. This can reduce the number of calls to the help desk, and ultimately reduce costs for your organization.
  • Improved user experience – Users have a consistent experience when accessing different applications. This can improve the overall user experience for your organization.

  • Meeting regulatory compliance – SSO can be used to help ensure that all compliance regulations are being followed to access sensitive data such as PCI or HIPAA compliance.

The Role of Identity Providers (IdPs) in the SSO Authentication Process

An identity provider (IdP) is a service that stores and authenticates users’ digital identities. 

IdPs are kept separate from SSO providers; however, both work together to thoroughly authenticate each user, specifically with cloud applications.

IdPs play a significant role in the SSO authentication process and can help to improve security and productivity for your organization.

Redefining Identity Management with Perimeter 81’s SSO Login Integration

SSO provides organizations with the ability to verify and authenticate each user before they are able to access company resources, which could include private financial forecasts or personally identifiable information (PII).


Perimeter 81’s identity management platform makes it easier for employees to access a company’s network with Single Sign-On and IdP integration. Administrators are able to quickly authenticate a user and grant access to specific resources with a few clicks. Create stronger identity policies with Perimeter 81’s SSO integration.

SSO FAQ

What is SSO?
Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of credentials.

How does SSO work?
With SSO, a user logs in with their credentials to an authentication server only once. This gives them access to all the applications that are connected to that server.

What are the benefits of SSO?
There are many benefits of SSO, including increased security, improved productivity, reduced password fatigue, and improved user experience.

What are different types of SSO?
There are a few different types of SSO, including OAuth, OpenID Connect, Federated Identity Management, and Kerberos-Based SSO.

What are the differences between SSO and LDAP?
The biggest difference between SSO and LDAP is that SSO allows users to access multiple applications with one set of credentials, while LDAP only allows users to access one application.
