Top 8 Single Sign-On (SSO)
- Azure Active Directory (Azure AD)
- Fortinet FortiAuthenticator
- Auth0
- Frontegg
- CyberArk Identity
- LastPass Business
- Keeper
- OneLogin by One Identity
Let's say we decide that our users need to have MFA, multi-factor authentication. It is very easy to implement that with Azure Active Directory.
It has things like conditional access. For example, if someone is accessing sensitive information, then we could force them to do multi-factor authentication. Therefore, we can stop access if it is coming from a location that we did not expect.
I prefer the passing tool that sent an active directory console to a Fortinet FortiAuthenticator, then Fortinet FortiAuthenticator does not pass the locks.
It's a very powerful platform. It has the ability to do the usual stuff, according to modern protocols, like OIDC and OAuth 2. But the real benefit of using the platform comes from its flexibility to enhance it with rules and, now, with what they call authentication pipelines. That is the most significant feature, as it allows you to customize everything regarding the authentication and authorization process.
It has Audit Log and many cool features that, if we were to develop them by ourselves, would require a lot of research and development resources. Frontegg gives us everything we need to ensure that our customers have a safe and reliable authentication system in which they can also manage some of the features and roles by themselves, which gives them more control over their environment.
The setup, via cloud, is simple.
The initial setup is straightforward. It takes me up to an hour and a half.
One feature that is really important to us is the ability to create secure notes.
It is easy to use.
The possibility of assigning information to different groups and individuals has been the most valuable.
I like a couple of things about this solution. Being able to share passwords with other people is valuable. You can see if the information is out on the dark web and whether you have weak passwords and the last time they were changed. You could also have the 2FA or MFA codes embedded in the application so that you don't have to use your phone or any other 2FA device, which is something very important.
The most valuable feature is the ease with which we can manage the sign-on feature.
When it comes to access management, the solution's single pane of glass is extremely important. The single pane of glass for access management enables collaborative work between IT and security. We have access to certain applications that require device trust. Based on the role, we can access those applications through OneLogin Desktop.
Single Sign-On (SSO) Topics
How does single sign-on work?
A single sign-on (SSO) service involves an agent module sitting on the application server. When a user wants to access the network, the module retrieves the authentication credentials from a dedicated SSO policy server and compares them against a user repository, for example a Lightweight Directory Access Protocol (LDAP) directory.
The advantage of SSO is that it authenticates the user for all of the applications the user has rights to. This eliminates the need for signing in for each application during the same session.
At the base of SSO is the relationship between a service provider and an identity provider, established through a certificate exchange. This certificate proves that the identity information comes from a trusted source. In SSO, the identity data is carried inside a token.
The usual flow consists of the following steps:
- The user goes to the application or website they want to access (the service provider).
- The service provider sends a token containing information about the user (email, username, and password) to the SSO system (the identity provider) with a request to authenticate the user.
- The identity provider checks whether the user has been authenticated, and in that case, grants the user access to the application.
- If the user hasn't logged in before, the identity provider prompts the user to provide credentials. Sometimes it requires a username and password. Other systems give the option of a one-time password.
- Once the identity provider validates the credentials, a token is sent back to the service provider to confirm it was a successful authentication.
- The service provider then validates the received token and grants the user access.
Despite all of these steps, the authentication process happens in a matter of seconds.
What is an SSO token?
A token is a collection of identity information that goes from one system to another. A token may consist of a user’s email and password, and data about the system that is sending the information.
An example of a token is the way Google manages access to the products in G-Suite. Once you sign in to your Gmail, you get access to other applications, like YouTube, Google Drive, and Google Photos, without having to log in again for each app.
The token ensures you will gain access to multiple systems without needing to remember different credentials for each one.
What is the point of single sign-on?
SSO provides benefits in terms of security, customer experience, and reduced costs. The average organization uses an array of applications and services, both cloud-based and on-premises. A single sign-on helps to solve the tech sprawl by giving a single point of access.
In terms of security, SSO reduces the number of attack possibilities. User credentials are usually key targets for cybercriminals. The more credentials, the more opportunities for attackers to gain access. Single sign-on minimizes risk by requiring a single set of credentials.
SSO also helps with compliance, since many regulations require that organizations implement methods that protect data. SSO offers a way to effectively authenticate users who access electronic records as well as allowing for the automatic log-off of users.
Single sign-on also improves the employee’s experience. It saves time and improves productivity. Since most employees switch between an average of ten different apps for work, eliminating the need for signing in for each one saves considerable time and money.
SSO eliminates password fatigue and vulnerabilities. It also reduces the costs necessary to set up different help desks for resetting and management of passwords.
How is SSO implemented?
To implement SSO in a central dashboard, you need two endpoints. One endpoint initiates an authentication request and redirects the user to a login form. The other endpoint receives the response after a successful login.
The data can be transferred from one entity to another by one of three methods:
- HTTP Redirect binding carries the data in a query parameter of the redirect URL.
- HTTP POST binding sends the data in the body of an HTTP POST request.
- HTTP Artifact binding passes only a short reference (the artifact) through the browser; the receiving endpoint then fetches the actual message over a direct connection to the sender.
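The three bindings above, as an added Python example that is not from the page or any of the listed products: a constructed authentication request is packed the way the Redirect binding (raw DEFLATE, base64, URL parameter) and the POST binding (base64 form field) carry it, and an in-memory store stands in for the Artifact binding's back-channel resolution. The URLs, request content and parameter names are assumptions for illustration.

```python
import base64
import secrets
import zlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample authentication request (SAML-style XML), as a service provider might build it.
AUTHN_REQUEST = ('<AuthnRequest ID="_constructed1" Issuer="https://sp.example" '
                 'AssertionConsumerServiceURL="https://sp.example/acs"/>')


def redirect_binding_url(idp_sso_url: str, message: str, relay_state: str) -> str:
    """HTTP Redirect binding: DEFLATE-compress, base64-encode and URL-encode the message into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 gives raw DEFLATE (no zlib header)
    raw = comp.compress(message.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"


def decode_redirect_binding(url: str) -> Tuple[str, str]:
    """Receiving side: recover the message and RelayState from the redirect URL."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), params["RelayState"][0]


def post_binding_form(message: str) -> dict:
    """HTTP POST binding: the base64-encoded message travels as a field of an auto-submitted form."""
    return {"SAMLResponse": base64.b64encode(message.encode()).decode()}


def decode_post_binding(form: dict) -> str:
    return base64.b64decode(form["SAMLResponse"]).decode()


class ArtifactStore:
    """HTTP Artifact binding: only an opaque reference crosses the browser; the receiving endpoint
    resolves it over a direct back-channel call to the sender (simulated here by a dict)."""

    def __init__(self) -> None:
        self._messages = {}

    def issue(self, message: str) -> str:
        artifact = secrets.token_urlsafe(20)  # unguessable, single-use handle
        self._messages[artifact] = message
        return artifact

    def resolve(self, artifact: str) -> Optional[str]:
        # Single use: a replayed artifact resolves to nothing.
        return self._messages.pop(artifact, None)
```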
How does SSO work across domains?
Cross-domain single sign-on (CDSSO) is a method for transferring user credentials across multiple secure domains. CDSSO allows the integration of multiple secure domains by enabling users to move between different domains with a single set of credentials.
A user can make a request to a resource located in another domain. The CDSSO transfers an identity token from the first domain to the second domain. Thus, the second domain can authenticate the user without the need for the user to provide new credentials.
The authentication flow for multiple domains is as follows:
- A user requests access to a resource in the second domain using a link in the first domain.
- The domain A server processes the request, then sends an authentication token stating that the information comes from domain A.
- The domain B server decrypts and validates the token, invoking the CDSSO authentication mechanism. The domain B authorization service then allows or denies access to protected objects.
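The token exchange described in "How does single sign-on work?" and in the cross-domain flow above, as an added Python example that is not from the page or any of the listed products: an identity provider mints a signed token for a service provider in another domain, and the service provider checks signature, issuer, audience and validity window before granting access. The issuer URL, audiences and shared secret are constructed assumptions; a real deployment would use the certificate-based signing the page mentions rather than a shared HMAC key.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed shared secret between identity provider and service provider (assumption, not a real key).
IDP_SECRET = b"constructed-shared-secret-for-illustration"
IDP_ISSUER = "https://idp.domain-a.example"  # assumed identity provider in domain A


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(user_id: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity provider: after the user has authenticated, mint a signed token for one service provider."""
    claims = {"iss": IDP_ISSUER, "sub": user_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def sp_validate_token(token: str, expected_aud: str, now: int) -> Optional[dict]:
    """Service provider (domain B): accept the token only if every check passes; otherwise deny."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER:
        return None  # not from the trusted identity provider
    if claims.get("aud") != expected_aud:
        return None  # issued for a different service provider or domain
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # outside the validity window
    return claims
```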