Ruslan Rakhmetov, Security Vision
We have already talked about authorization, what methods there are and how users work with data. Today it is time to understand Single Sign-On (SSO) technology. SSO allows users to authenticate once and then access multiple applications or services without re-entering their credentials for each of them. This is very convenient for both users and system administrators, as it simplifies the login process and improves security.
SSO is directly related to both authentication and authorization, but plays different roles at both stages:
1) SSO allows you to authenticate once (prove who you are), and then use this fact of confirmed identity to log into other services. The technology does not determine what the user is allowed to do - it simply says: "Yes, this person is John Smith."
2) After SSO has confirmed the identity, each individual application or system performs authorization - checks what rights this user has. SSO confirms, for example, that the user is an admin, but the project management system itself decides: "Admins can change settings, but regular users cannot."
SSO is like one pass with which you enter the office, the cafeteria, and the conference room (show it once, then go on without further checks), or like a key that opens all the doors in the house at once: the apartment, the storage room, the mailbox, and the garage (like in the movie "The Skeleton Key", as opposed to Nicole Kidman's ring of keys in another thriller, "The Others").
For users, everything is very simple: you log in once, without having to remember multiple passwords for different services. For information security and IT staff, the technology simplifies the management of accounts and passwords and allows centralized access control. Since passwords are entered less often, the likelihood that a user will fall for a phishing attack decreases, and user accounts and their access can be managed and monitored centrally.
SSO is actively used in corporate systems and for the integration of various services and applications, such as Google Workspace, Microsoft 365 and others.
However, SSO also has a couple of disadvantages: if the SSO system fails, the user loses access to all services at once, and setting up SSO can be complex, especially in large organizations with many different applications.
The principle of SSO operation can be described in several steps:
- Authentication
The user enters their credentials (login and password) in one of the applications or services that supports SSO.
- Authentication token
After successful authentication, the service creates a special token (for example, a JWT, JSON Web Token) that confirms the user's identity; this token can then be used to access other services.
- Redirection
When the user attempts to log into another application, that application checks for a valid token. If the token is present and valid, the user is automatically granted access without entering the password again.
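The three steps above, together with the split between authentication (the IdP says who the user is) and authorization (each service decides what that user may do), can be shown end to end in a few dozen lines. The following is an added example, not code from the article or from any product it mentions: it mints and verifies HS256-signed JWTs with only the Python standard library. The key, the issuer name `https://idp.example`, the service names `crm` and `projects`, the fixed timestamp and the policy table are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values (not from the article): a shared HMAC key and a fixed
# "current time" in Unix seconds so the example is deterministic.
IDP_SECRET = b"constructed-demo-key-do-not-reuse"
NOW = 1_700_000_000


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_token(secret: bytes, subject: str, role: str, audience: str,
                now: int = NOW, ttl: int = 3600) -> str:
    """IdP side (step 2): after a successful login, sign a JWT stating who the
    user is. It carries identity and a role, not permissions in any service."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://idp.example",  # constructed issuer name
              "sub": subject, "role": role, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(_compact_json(header)) + "."
                     + _b64url_encode(_compact_json(claims)))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(secret: bytes, token: str, expected_audience: str, now: int = NOW):
    """SP side (step 3): accept the token only if it was signed by the IdP, is
    unexpired and is meant for this service. Returns the claims dict or None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        given_sig = _b64url_decode(sig_b64)
    except ValueError:              # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":    # pin the algorithm; never honour "none"
        return None
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected_sig):   # constant-time compare
        return None
    if claims.get("aud") != expected_audience:             # token for another SP
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:             # expired
        return None
    return claims


# Authorization stays local to the service: the IdP only vouches for the role,
# the project management tool decides what that role may do here.
PROJECT_TOOL_POLICY = {
    "change_settings": {"admin"},
    "view_tasks": {"admin", "user"},
}


def authorize(claims: dict, action: str) -> bool:
    return claims.get("role") in PROJECT_TOOL_POLICY.get(action, set())


def sso_login_and_act(token: str, service: str, action: str) -> bool:
    """One service's view of an SSO login: verify identity, then authorize locally."""
    claims = verify_token(IDP_SECRET, token, expected_audience=service)
    if claims is None:
        return False            # not authenticated for this service
    return authorize(claims, action)


if __name__ == "__main__":
    # The user authenticates once at the IdP and receives a token for each service.
    crm_token = issue_token(IDP_SECRET, "john.smith", "user", audience="crm")
    pm_token = issue_token(IDP_SECRET, "john.smith", "user", audience="projects")
    print("crm accepts its token:", verify_token(IDP_SECRET, crm_token, "crm") is not None)
    print("user may view tasks:", sso_login_and_act(pm_token, "projects", "view_tasks"))
    print("user may change settings:", sso_login_and_act(pm_token, "projects", "change_settings"))
    print("crm token accepted by projects:", sso_login_and_act(crm_token, "projects", "view_tasks"))
```

Two points the article makes are visible in the checks: the `aud` claim keeps a token issued for the CRM from being replayed against the project tool, and `authorize()` runs only after `verify_token()` succeeds, so the IdP never decides what an admin may do inside a given application.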
Single sign-on is not the only way to manage access, so we'll look at other technologies as well.
Multiple logins (regular accounts), where the user creates a separate login and password for each site or application. This is not as convenient as SSO, because you need to remember a bunch of passwords, avoid reusing them, and access control ends up scattered across systems. On the other hand, this method keeps the systems independent of each other.
Password managers (for example, 1Password, Bitwarden, Kaspersky Password Manager), i.e. an application that stores all your logins and enters them automatically when you log in. As with SSO, the password is entered automatically, the stored data is encrypted, and the approach works with any system, whether or not it supports SSO. On the other hand, the user manages the passwords themselves, and there is no way to make the job of IT specialists easier within the corporate perimeter.
Federated identity, where the user logs in through an external trusted service (for example, a university logs in through Google Workspace). This is a concept similar to SSO, only between organizations: for example, this is how login via VK ID, T-ID and others works.
Multi-factor authentication (MFA), where the user logs in with a login and password and then confirms the login via phone, a code or biometrics. But this is not even an alternative; it is an addition to SSO and the regular logins listed above.
SSO works like a hotel key card: after receiving it at check-in you can open your room, get into the gym and use the elevator. One entrance = access to everything. You can picture the technology as a cocktail whose main "ingredients" are:
1. Authentication protocols
These are the languages the systems use to talk to each other. For example, OAuth 2.0 (used to access resources on behalf of the user), OpenID Connect (OIDC), an extension of OAuth that is used specifically for login, and SAML (Security Assertion Markup Language, an XML-based protocol often used in enterprise systems).
2. Identity Provider (IdP)
This is the "control center" that checks who you are. It authenticates the user and issues a confirmation. Such centers include Google (Google login), Microsoft Entra ID, Okta, Keycloak and Auth0.
3. Service Provider (SP)
These are the applications that want to know who you are and trust the IdP. For example, when you log into a corporate CRM, the service provider redirects you to the IdP and then brings you back to the CRM with a confirmation.
4. Tokens and assertions
After login, the IdP creates a "piece of paper" that says: "This is Ivan Ivanov, he logged in at 12:32, his role is administrator." There are different token formats, for example JWT (JSON Web Token: lightweight, readable, convenient in OAuth/OIDC) and SAML assertions (an XML document used in SAML).
5. Redirect flow
See the CRM example in point 3 above.
6. Session / Cookie Management
After successful authentication, a session is created in two places: on the IdP side, so that the user does not have to log in again, and on the SP side, so that the token does not have to be checked on every request.
7. Single Logout (SLO)
Some SSO systems can not only log you in everywhere at once but also log you out of all systems with a single logout. But it does not always work, and not everywhere.
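Points 3, 5, 6 and 7 (the SP/IdP redirect, the two sessions it leaves behind, and Single Logout) fit in one small simulation. This is an added example, not code from the article or from any IdP product it names: the IdP, the three service providers (`crm`, `mail`, `legacy-portal`), the user and password, and the use of an opaque one-time assertion that the SP confirms with the IdP over a back channel are all constructed for the example. The `legacy-portal` provider is deliberately marked as not supporting SLO, to show the "doesn't always work" case.

```python
import secrets


class IdentityProvider:
    """Authenticates the user once and remembers which SPs joined each session."""

    def __init__(self, users: dict):
        self._users = users        # constructed login -> password table
        self.sessions = {}         # IdP session id -> {"user": ..., "sps": set()}
        self._assertions = {}      # one-time assertion id -> (user, sp_name)

    def authenticate(self, login: str, password: str):
        """Step 1: the password is entered once here. Returns an IdP session id or None."""
        if self._users.get(login) != password:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": login, "sps": set()}
        return sid

    def authorize_request(self, idp_session: str, sp_name: str):
        """An SP redirected the user here. With a live IdP session there is no
        password prompt; a one-time assertion for that SP is issued instead."""
        session = self.sessions.get(idp_session)
        if session is None:
            return None
        assertion_id = secrets.token_urlsafe(16)
        self._assertions[assertion_id] = (session["user"], sp_name)
        session["sps"].add(sp_name)     # remembered for Single Logout
        return assertion_id

    def resolve_assertion(self, assertion_id: str, sp_name: str):
        """Back-channel check by the SP: the assertion is consumed exactly once."""
        record = self._assertions.pop(assertion_id, None)
        return record[0] if record and record[1] == sp_name else None

    def single_logout(self, idp_session: str, providers: dict) -> list:
        """End the IdP session and notify every SP that joined it.
        Returns the names of the SPs whose local session was actually ended."""
        session = self.sessions.pop(idp_session, None)
        if session is None:
            return []
        return [name for name in sorted(session["sps"])
                if providers[name].backchannel_logout(session["user"])]


class ServiceProvider:
    """An application that trusts the IdP and keeps its own local session."""

    def __init__(self, name: str, idp: IdentityProvider, supports_slo: bool = True):
        self.name, self.idp, self.supports_slo = name, idp, supports_slo
        self.sessions = {}         # SP session id -> user
        self._pending = set()      # state values of redirects still in flight

    def start_login(self) -> str:
        """Redirect the user to the IdP with a fresh random state value."""
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        return state

    def finish_login(self, state: str, assertion_id: str):
        """The user came back from the IdP: check the state, then the assertion."""
        if state not in self._pending:
            return None                 # unknown or replayed redirect
        self._pending.discard(state)
        user = self.idp.resolve_assertion(assertion_id, self.name)
        if user is None:
            return None
        sp_session = secrets.token_urlsafe(16)
        self.sessions[sp_session] = user   # later requests use this, not the IdP
        return sp_session

    def backchannel_logout(self, user: str) -> bool:
        if not self.supports_slo:
            return False                # an SP that simply ignores SLO
        before = len(self.sessions)
        self.sessions = {sid: u for sid, u in self.sessions.items() if u != user}
        return len(self.sessions) < before


def sso_walkthrough():
    """Log in once, reach three services, then Single Logout.
    Returns (SPs that were logged out, SPs whose session is still open)."""
    idp = IdentityProvider({"ivan.ivanov": "constructed-password"})
    providers = {sp.name: sp for sp in (
        ServiceProvider("crm", idp),
        ServiceProvider("mail", idp),
        ServiceProvider("legacy-portal", idp, supports_slo=False))}
    idp_session = idp.authenticate("ivan.ivanov", "constructed-password")
    sp_sessions = {}
    for name, sp in providers.items():
        state = sp.start_login()                                # browser -> IdP
        assertion = idp.authorize_request(idp_session, name)    # no second password
        sp_sessions[name] = sp.finish_login(state, assertion)   # IdP -> browser -> SP
    logged_out = idp.single_logout(idp_session, providers)
    still_open = [n for n, sid in sp_sessions.items() if sid in providers[n].sessions]
    return logged_out, still_open
```

Calling `sso_walkthrough()` returns `(['crm', 'mail'], ['legacy-portal'])`: the password was entered once, each SP got its own local session, and Single Logout cleared the two SPs that honour it while the portal that does not keeps its session open until it expires on its own. The `state` value and the single-use assertion are what tie the return trip from the IdP to the request the SP started, so a stale or replayed redirect is refused at `finish_login`.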
Instead of logging into mail, CRM, cloud storage, and an internal portal every day, an employee logs into the system once and gets access to all the necessary resources. SSO is the key to convenience, security, and efficiency. Single sign-on helps businesses minimize risks, simplify life for users, and reduce support costs.