In part two of our three-part series on work from home, an application and identity management guide, we're doing a deep dive into what SSO is, how it works, and the three big considerations for why to use SSO. For a thorough exploration of the full work-from-home guide, follow the link above.
What is SSO?
This is best described by example:
When using SSO, a user logs into a central portal once at the start of their day. Based on their identity, the portal shows tiles for the corporate SaaS applications they're entitled to. They click on each application, Office 365, Salesforce, Concur, etc., and are let straight in without logging in again.
For these integrated applications, the portal hands the browser a signed token that states who the user is, and the SaaS application checks that signature against the portal's public key before granting access; the application never sees a password. Think "Sign in with Facebook" as a consumer example: Facebook says 'you're good,' and whatever application you're trying to get into trusts Facebook's opinion of you instead of keeping its own.
How does SSO work?
Almost all the major players use a standard called SAML (Security Assertion Markup Language) to make this work; OpenID Connect does the same job for many newer applications, but the model is identical. We're not going into a dissertation on what it is; that's what Google is for if you're curious to dive deeper. Essentially there are two main components:
- For SaaS applications integrated using SAML, users have no idea what their password for that application is because, as far as the application is concerned, there isn't one. As in the Facebook example above, the SSO provider has verified your identity, often with multiple factors (multi-factor authentication, or MFA), and then decided that you should be granted access based upon that identity. One caveat to check: many SaaS applications leave their local username-and-password login switched on alongside SAML. Unless the application is configured to require SSO, that leftover password is still a way in, and still something to reset and remove at offboarding.
- Almost all SSO providers are on a par since they're all speaking the same language. If a SaaS application supports SAML, every provider can integrate with it; if it doesn't, no provider can integrate with it natively. But all hope is not lost for applications that aren't yet up to speed on SAML: providers typically offer workarounds such as storing the application's password in the portal and filling it in for the user, which makes life easier for IT and users even though the application still holds a password that can be shared or reused.
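To make the token hand-off described above concrete, here is an added example in Go, written for this edit rather than taken from the original post or from any SSO vendor. It models the two parties as the text describes them: the portal, acting as identity provider, signs an assertion for one user and one application; the SaaS application, acting as service provider, holds only the portal's public key and checks the signature, the issuer, the audience and the validity window before letting anyone in. It also shows why disabling a user at the portal is the one switch that matters for offboarding: the portal refuses to issue a token for a disabled user, so every integrated application stops accepting them at once. The assertion is a simplified JSON stand-in for a SAML assertion, not wire-compatible SAML (which is signed XML), and the portal and application URLs are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion: issuer, subject, intended
// application and validity window. Real SAML carries these as signed XML; JSON keeps this example stdlib-only.
type Assertion struct {
	Issuer       string    `json:"issuer"`
	Subject      string    `json:"subject"`
	Audience     string    `json:"audience"`
	NotBefore    time.Time `json:"not_before"`
	NotOnOrAfter time.Time `json:"not_on_or_after"`
}

// Token is what the browser carries from portal to application: the assertion bytes and the signature over them.
type Token struct {
	Assertion []byte
	Signature []byte
}

// IdentityProvider models the central portal: signing key plus user directory; Active is the switch offboarding flips.
type IdentityProvider struct {
	Name   string
	Active map[string]bool
	key    *rsa.PrivateKey
}

// NewIdentityProvider generates a throwaway signing key; a real deployment would load one.
func NewIdentityProvider(name string) *IdentityProvider {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails if the system RNG is broken
	}
	return &IdentityProvider{Name: name, Active: map[string]bool{}, key: key}
}

func (idp *IdentityProvider) PublicKey() *rsa.PublicKey { return &idp.key.PublicKey } // handed to each app at SAML setup

// Issue signs an assertion for user scoped to one application, or refuses outright if the user is disabled.
func (idp *IdentityProvider) Issue(user, audience string, now time.Time) (*Token, error) {
	if !idp.Active[user] {
		return nil, fmt.Errorf("user %q is not active; no assertion issued", user)
	}
	a := Assertion{Issuer: idp.Name, Subject: user, Audience: audience,
		NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)} // short-lived, small skew allowance
	body, err := json.Marshal(a)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idp.key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Token{Assertion: body, Signature: sig}, nil
}

// ServiceProvider models a SaaS application: no password for the user, just its entity ID and the IdP it trusts.
type ServiceProvider struct {
	EntityID      string
	TrustedIssuer string
	IdPKey        *rsa.PublicKey
}

// Verify runs the checks an application must make before trusting a token; the signature is checked
// before any field of the assertion is believed. Returns the authenticated subject.
func (sp *ServiceProvider) Verify(t *Token, now time.Time) (string, error) {
	digest := sha256.Sum256(t.Assertion)
	if err := rsa.VerifyPKCS1v15(sp.IdPKey, crypto.SHA256, digest[:], t.Signature); err != nil {
		return "", fmt.Errorf("bad signature: token altered or not from the trusted IdP")
	}
	var a Assertion
	if err := json.Unmarshal(t.Assertion, &a); err != nil {
		return "", err
	}
	if a.Issuer != sp.TrustedIssuer || a.Audience != sp.EntityID {
		return "", fmt.Errorf("token from %q for %q is not for this application", a.Issuer, a.Audience)
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return "", fmt.Errorf("token outside its validity window")
	}
	return a.Subject, nil
}

func main() {
	idp := NewIdentityProvider("https://portal.example.com") // hypothetical portal name
	idp.Active["alice"] = true
	crm := &ServiceProvider{EntityID: "https://crm.example.com", TrustedIssuer: idp.Name, IdPKey: idp.PublicKey()}
	tok, _ := idp.Issue("alice", crm.EntityID, time.Now())
	fmt.Println(crm.Verify(tok, time.Now()))
}
```

Two details carry the security argument. A token minted for one application is rejected by another because the audience doesn't match, so a captured token can't be replayed across the portal's tiles; and a token whose bytes have been altered fails the signature check before any field inside it is read, which is what "the application trusts the portal's opinion" actually means in code. The five-minute lifetime is the other half: a stolen assertion is only useful for a short window, and disabling the user at the portal stops any new one from being issued.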
Why Use SSO?
From the user's perspective, you're giving them one place to log in; after authenticating there, they're passed along to every other application as an already-trusted user. That's a tremendous efficiency gain for the end user, who has fewer passwords to forget and far fewer logins to perform through the day. But the benefit goes much deeper than password management.
From the business’ perspective – There are three main areas to focus on:
- Security – Based on the LastPass data from Part 1 of the series, SaaS has expanded the credential attack surface roughly 25-fold on average. That means 25 more sets of credentials per user (the most vulnerable part of your defenses) that can be phished, reused or leaked. SSO brings that back down to one set of credentials, which is also the one place to concentrate MFA and login monitoring. Additionally, Shadow IT, the use of unauthorized SaaS solutions, is a significant Trojan horse for the organization: these applications are used without IT's knowledge and outside its enforcement of best practices. By providing a faster and better user experience, IT makes it easy for users to stick with the solutions IT has blessed and deters them from going outside corporate standards to (in their eyes) just get their job done.
- Reduce help desk tickets – Time and again, when surveying our customers, password resets are the #1 or #2 source of help desk tickets, and it's been reported that every help desk ticket costs an organization around $70 to complete. Every SaaS application added to the mix is one more reason to generate a password reset ticket. Some SSO providers let users reset their own single password, which virtually eliminates this source of tickets; that self-service reset flow then becomes a sensitive path in its own right and deserves the same MFA as a login.
- De-provisioning – Two factors come into play when looking at the offboarding, or de-provisioning, process. First, from a security perspective, IT has to figure out which applications a user was given access to when they were onboarded and disable them. Next, they have to figure out which applications the user gained access to during their tenure and disable those. This points back to identity management and what's known as identity scope creep (often called privilege creep): as a user moves from one functional area to another, are their rights from the prior area revoked, or are new rights just piled onto their identity? Hopefully IT finds them all. In an amicable parting of ways this isn't as big an issue, but in a negative or sensitive situation it can represent a significant security risk. Secondary to the security considerations, going to each SaaS application and de-provisioning the user individually is a resource-intensive process. SSO helps because disabling the account at the portal blocks new logins to every integrated application at once, but note what it doesn't do: sessions already open in those applications, API keys or local passwords an application issued, and access to non-SAML applications all survive until each one is cleaned up or the cleanup is automated with a provisioning connector (SCIM is the usual standard for that).
Part one of this three-part series was all about application and identity management; part two has focused on SSO and SSO considerations. In part three of our three-part series on work from home, an application and identity management guide, we'll explore questions on SAML, IAM orchestration, and finally integrated remote workspaces, a better solution. For the full report, follow the link above.