In the same security series, I would like to cover another important aspect of security. Over the last few years we have all noticed that organizations are focusing on another security feature, known as Single Sign-On (SSO). It is a process in which a single user authentication and authorization step permits the user to access all computers and systems to which they have access permission, without having to enter passwords multiple times. Single sign-on reduces human error, which can be considered one of the components of system failure, and is therefore highly popular. It can also be called Enterprise Single Sign-On (ESSO), as it covers authentication within the enterprise as well as with other authorized enterprises.
Let’s take the example of an organization that uses SSO software. Using SSO, the organization can give all its users access to low-risk information and to multiple enterprise portals. This reduces the sign-in burden on employees, which results in higher productivity and security. However, when the same user tries to access more sensitive, higher-risk applications and information, for example a payroll system, the single sign-on software demands a stronger form of authentication, which may include digital certificates, security tokens, smart cards, biometrics, etc.
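As an added illustration of the step-up behaviour just described (this is example code written for this post, not code from any particular SSO product; the assurance levels, the two application policies, the session fields and the sample timestamps are constructed assumptions), here is a small policy evaluator that accepts a password-only SSO session for a low-risk portal but demands a stronger and recent factor before opening payroll:

```python
"""Step-up authentication decision for an SSO-protected set of applications.

Illustrative code added for this post; the level names, policies and
session fields are constructed assumptions, not any vendor's SSO API.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class AuthLevel(IntEnum):
    """Assurance level reached by the user's most recent login step.
    Ordered so that a stronger factor always compares greater."""
    PASSWORD = 1      # knowledge factor only
    OTP_TOKEN = 2     # password plus a security token / one-time code
    CERTIFICATE = 3   # smart card, client certificate or biometric-backed key


@dataclass(frozen=True)
class SsoSession:
    user: str
    level: AuthLevel
    authenticated_at: float  # epoch seconds of the last authentication event


@dataclass(frozen=True)
class AppPolicy:
    required_level: AuthLevel
    max_auth_age: int  # seconds for which an authentication event stays fresh


# Constructed example policies: a low-risk portal accepts a password-only
# session for a full working day; payroll wants certificate-grade
# authentication that happened within the last 15 minutes.
POLICIES = {
    "intranet-portal": AppPolicy(AuthLevel.PASSWORD, 8 * 3600),
    "payroll": AppPolicy(AuthLevel.CERTIFICATE, 15 * 60),
}


def access_decision(session: SsoSession, app: str, now: float) -> str:
    """Return 'allow', 'step_up', 'reauthenticate' or 'deny'.

    'step_up' means the session is valid but the user must present a
    stronger factor before this app is opened; 'reauthenticate' means the
    factor was strong enough but too long ago for this app's policy.
    """
    policy = POLICIES.get(app)
    if policy is None:
        return "deny"  # default-deny: apps not registered with SSO get nothing
    if session.level < policy.required_level:
        return "step_up"
    if now - session.authenticated_at > policy.max_auth_age:
        return "reauthenticate"
    return "allow"


def step_up(session: SsoSession, new_level: AuthLevel, now: float) -> SsoSession:
    """Record a successful stronger authentication on the existing session.

    The level never decreases, and a weaker login must not refresh the
    timestamp of a stronger assurance the user proved earlier.
    """
    if new_level < session.level:
        return session
    return replace(session, level=new_level, authenticated_at=now)


if __name__ == "__main__":
    s = SsoSession("alice", AuthLevel.PASSWORD, authenticated_at=1_000.0)
    print("portal :", access_decision(s, "intranet-portal", now=1_100.0))
    print("payroll:", access_decision(s, "payroll", now=1_100.0))
    s = step_up(s, AuthLevel.CERTIFICATE, now=1_200.0)
    print("payroll after step-up:", access_decision(s, "payroll", now=1_300.0))
    print("payroll 20 min later :", access_decision(s, "payroll", now=1_200.0 + 20 * 60))
```

The two knobs that make the distinction in the paragraph above concrete are the ordered assurance level (a password session is never enough for payroll, whatever its age) and the per-application freshness window (even a smart-card login has to be recent for the sensitive system). Unregistered applications are denied by default rather than silently treated as low risk.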
Apart from this simple benefit, there are a few more, such as a uniform enterprise authentication and authorization policy across the organization; improved security reporting and auditing, as end-to-end user audit sessions are maintained; a reduced burden on developers, as they don’t have to implement identity security in their own applications; and, last but not least, SSO may result in cost savings due to fewer help desk calls for password recovery.
Now that we are all aware of the SSO concept, let’s see its impact if it is not implemented properly. Single sign-on systems in organizations can become a single point of failure if not properly designed. Even though an application itself is running properly, if the SSO system goes down, no user will be able to access any resource or application secured by it. Many organizations have experienced this condition, which also results in productivity loss. Therefore, it is recommended that an organization’s single sign-on system have a good and well-tested failover and disaster recovery design.
I found a good resource, which organizations should review before implementing an SSO system. It is about “101 things to know about Single Sign On”: http://www.authenticationworld.com/Single-Sign-On-Authentication/101ThingsToKnowAboutSingleSignOn.pdf