Trials and demos
How to buy

What Is Single Sign-On?

Single sign-on (SSO) is an identification system that allows users to access multiple applications and websites with one set of login credentials. The implementation of SSO within an enterprise helps ease password management and improve security as workers access applications that are on-premises as well as in the cloud.

Single sign-on with Duo

    How does SSO work?

    When a user signs into an SSO service, the service creates an authentication token that verifies the user's identity. This token is a piece of digital data stored in the user's web browser or on the SSO service's servers.

    When a user attempts to access an application, the token checks with the SSO service, which passes the authentication token to the app. If the token is valid, the user is allowed to access the app. If the user has not yet signed in, they are prompted to do so through the SSO service.

    Most SSO services verify user credentials against a separate identity management system, or identity provider (IdP). The SSO service acts as an intermediary between the user and the IdP. It checks the user's login credentials against the IdP's database, but it does not manage the database itself.

    The ability to pass an authentication token to external apps and services is critical to the SSO process. This allows identity verification to take place separately from other cloud services, making SSO possible.

    Authentication tokens have their own communication standards to help ensure that they are correct and legitimate. The most common standards are Secure Authentication Markup Language (SAML) 2.0 and OpenID Connect/OAuth 2.0. These standards are like common "languages" for authentication tokens.

    Methods of SSO

    Both on-premises and cloud-based SSO solutions are offered in the marketplace.

    On-premises SSO

    Traditional on-premises SSO solutions require the provisioning, configuration, and upkeep of physical servers or virtual machines.

    Cloud-based SSO

    Cloud-based SSO solutions are software as a service (SaaS) and fully hosted by the vendor. The customer doesn't have to install, manage, or maintain any type of hardware.

    With both types of SSO solutions, users can access multiple cloud applications with a single username and password, or they have the option of using no password at all.

    Learn how Duo can help with SSO

     

    What is an SSO token?

    SSO tokens help improve security and convenience by allowing access to multiple applications with one set of credentials. Authenticating all users through a central identity provider can help reduce password fatigue, improve password security, and protect applications from unauthorized access.

    A token is a set of data passed from one service to another during the SSO process. This data can be a user's email address and information about the service sending the token. Importantly, the token must be digitally signed for the receiver to verify it is coming from a trusted source.

    When a user signs into a service with their normal login, the SSO authentication token is created and stored in their web browser or in the SSO solution's servers. This token is passed through the user's browser to the service provider.

    When a user attempts to access an application from the service provider, the service provider sends a request to the identity provider for authentication. The service provider then verifies the authentication—sending the user token to confirm their identity—and logs the user in.

    What are the benefits of SSO?

    There are multiple benefits from SSO, including:

    • In today's hybrid workforce environment, SSO can help to improve workers' productivity especially when they need to access applications that are either on-premises or in the cloud. Password fatigue and errors are reduced as workers traverse multiple applications.
    • Companies that have implemented SSO experience fewer help desk requests for password resets and other account issues. SSO can eliminate unproductive tasks while delivering cost savings.
    • Implementation of SSO along with 2FA can help organizations improve security and compliance. According to Verizon, more than 80% of attacks on web applications come from stolen credentials. SSO can help prevent such attacks by allowing users to access multiple applications with a single login credential or even go passwordless.
    • Enforcing 2FA for users accessing applications using SSO can help companies adhere to regulatory compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

    Is SSO secure?

    SSO can be secure, depending on how the SSO solution is implemented. The identity and access management (IAM) strategy defined by business stakeholders, such as the chief information security officer (CISO) or director of information security, should clearly map out user or user group roles and permissions for each application.

    If certain users should have higher privileged access to certain applications, it is important to apply more stringent security policies as part of the SSO implementation. This can include enforcing access based on location, devices used, device health or posture, and more.

    Adopting an SSO solution with granular per-application policies that integrates with strong multi-factor authentication (MFA) can help mitigate the risk of credential compromise. Detailed logging and reporting of authentications, devices, and users can help provide insights for improving security.

    While there is no perfect security solution, risk-based authentication for MFA can better secure SSO for organizations. This adaptive approach assesses potential risk at authentication and escalates authentication measures when necessary for the user requesting access.

    What role does two-factor authentication (2FA) play in SSO security?

    When implementing SSO and giving your users easy access to work applications, a critical part of helping to ensure the integrity of the sign-on process is the ability to verify their identities with 2FA, also known as multi-factor authentication (MFA).

    Security experts recommend implementing SSO with 2FA. Unlike passwords, which can be stolen or guessed, 2FA requires users to provide at least one authentication factor in addition to a password a code sent to a mobile phone, fingerprint or facial recognition, or a physical ID card. These additional credentials are ones that adversaries cannot easily steal or spoof, so 2FA can dramatically reduce risks related to compromised credentials in SSO. It is critical to set customized policies and controls for each application to be more secure, protect the organization from risky users, and keep your data safe.

    complexity without single sign-on and simplicity with single sign-on

    Is SSO the best access management strategy?

    SSO authentication is a core element of the best access management strategy. It helps organizations improve security and ease for users by reducing the need for multiple passwords. This can help mitigate password fatigue, improve password security, and lower the risk of password-related threats.

    Single sign-on solutions can also help protect applications from unauthorized access. Authenticating users exclusively through a trusted central identity provider establishes a unified security checkpoint that effectively lowers the risk of unauthorized access and streamlines user management.

    However, SSO is not the only component of a comprehensive access management strategy. It is important to complement SSO security with other measures, such as multi-factor authentication (MFA), risk-based authentication, and device trust.

    • MFA requires two or more factors of authentication, like a password and a one-time code.
    • Risk-based authentication analyzes user behavior and other factors to identify and respond to potential threats.
    • Verified Push provides additional security against push harassment and fatigue attacks.
    • Device Trust (trusted endpoints) identifies risky devices, enforces contextual access policies, and reports on device health.

    How do you implement SSO?

    Implement SSO by choosing a solution from a reputable SSO vendor that meets the needs of your organization. Deploy and integrate it with your existing applications. Register your users, configure your applications to use the SSO solution, and test the solution to help ensure it works properly.

    Start with a pilot group to test the solution and identify any potential problems before rolling it out to all users. Communicate with your users about the SSO implementation and let them know what to expect. Be sure to prepare support for users who may have difficulties using SSO.

    Here are some additional tips for implementing SSO:

    • Plan your SSO rollout strategy meticulously and follow best practices.
    • Regularly update your SSO solution with the latest security patches.
    • Enforce strong MFA for all SSO logins, such as with biometrics or hardware tokens.
    • Train your users in how to use SSO and best practices.

    What features should an SSO provider have?

    Security

    An optimal SSO solution offers a variety of security features like MFA, risk-based authentication, and verified push to fortify login. It should enable admins to set and enforce access policies by user groups, geographic location, and device security posture. These features are vital for ensuring that only authorized users can access applications and data.

    Ease of use

    For SSO to be effective, it should offer a frictionless experience for administrators and end-users alike, including employees, partners, and contractors. The deployment must be quick, management straightforward, and daily operations seamless to boost productivity and drive down help desk costs.

    SSO features that can reduce complexity without sacrificing security include biometrics, hardware tokens, self-remediation options, and mobile authenticator apps.

    Integration

    The SSO solution should be able to integrate with your existing infrastructure and applications, including those that are cloud-based and on-premises, and web and client-based. It should accommodate various identity providers like Microsoft, Okta, and Ping without requiring a system overhaul.

    For smooth and secure integration, support for common protocols like SAML and OpenID Connect (OIDC) is essential. This adaptability helps to ensure that as new applications are onboarded or as your infrastructure evolves, your SSO solution remains compatible and effective.

    Support

    Quality support from your single sign-on provider is invaluable for a successful rollout and for troubleshooting any issues that may arise. You should expect access to a knowledgeable and responsive support team that can guide you through setup and address problems efficiently.

    Scalability

    Your SSO software should be able to scale to meet the needs of your organization as it grows without impeding performance or user experience. Select an SSO solution that offers high availability and uptime with strong service-level agreements (SLAs) and the ability to scale quickly for enterprise rollout.

    In the Identity and Access Management (IAM) world, SSO security reduces reliance on passwords and helps with transitioning to passwordless authentication for use cases that permit it. The SSO solution should keep pace as new cyberthreats emerge and adversary tactics evolve. When migrating applications to SSO, expect to see continuous improvement in support and capabilities.

    Choosing the right SSO solution

    Mature and enterprise ready

    Look for a solution that offers strong security; is usable by all employees, including partners and contractors; is available in different regions; supports a variety of apps, including cloud and on-premises, web and client-based apps; and supports common protocols such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).

    Identity and access management (IAM) platform

    An SSO solution should ideally be integrated with an advanced 2FA solution. Think of SSO and 2FA as modules of an IAM platform that work together to authenticate and help enable federated application access to users, based on granular conditional access policies.

    Simple, not simplistic

    Choose a solution that's easy to deploy; easy to manage and administer; and helps your users stay productive by getting up and running quickly without sacrificing security.

    Resilient and scalable

    Select an SSO solution that offers high availability and uptime with strong SLAs and the ability to scale quickly for enterprise rollout.

    Honor data sovereignty and compliance regulations

    Validate that the SSO solution has obtained security certifications such as SOC 2 and ISO 9001. Certifications provide assurance that data is protected.

    Long-term vision for your SSO solution

    Because rolling out an SSO solution requires planning and support, try to ensure security investments and human resources devoted to the solution stay relevant for years to come. Always think about the long-term goals of the technology that you're deploying.

    In the IAM world, SSO reduces reliance on passwords and helps with transitioning to passwordless authentication for use cases that permit it, with an eventual goal of moving to desktop SSO. The SSO solution should also keep pace as new cyberthreats emerge and adversary tactics evolve. When migrating applications to SSO, you should see continuous improvement in support and capabilities.
    How Duo can help with SSO

    Resources

    Cisco blogs

    Duo security blogs Cisco endpoint security Cisco Umbrella blogs

    Get started

    Secure Access: Try Duo for free (SSO, MFA, and Device Trust) 2024 Duo Trusted Access Report

    Connect with us

    Cisco zero trust security Cisco Duo Adaptive multi-factor authentication (MFA), Duo security Adaptive access policies Passwordless: The Future of Authentication white paper Cisco's guide to zero trust maturity Security service edge

    Related security topics

    What Is Duo? What Is a User Authentication Policy? What Are Password Security and Protection? What Is Multi-Factor Authentication? What Is Identity Access Management (IAM)? What Is Trusted Access? What Is Endpoint Security?