SSO Definition
Single Sign-On (SSO) is the capability of an access control system that lets a user complete a single authentication process (for example, entering a username and password once) to gain access to multiple software systems, digital and application services, or IT resources, without repeating the authentication for each individual application.
Many companies adopt it because IT environments are increasingly heterogeneous and distributed, with resources scattered across both internal and external locations, largely as a result of outsourcing and cloud computing.
With SSO, users can access each application service once they have authenticated. Before Single Sign-On emerged, users had to enter a username and password separately for each individual application, often with different credentials for each resource. That is unfortunately still the case in some companies today, with negative consequences not only for the user experience but also for security.
Consider only the time spent supporting users who have forgotten or lost their credentials and can no longer access the systems, not to mention the complexity of governing the policies and access controls that IT must manage.
SSO is considered to be quite advantageous because of the following reasons:
- It simplifies password management: the more passwords a user has to manage, the more likely they are to choose similar, easy-to-remember passwords, which lowers the overall security level of the system;
- It simplifies the management of access to the various services;
- It simplifies the definition and management of security policies for a company.
SSO is part of a broader concept called Federated Identity Management (FIM), which is why it is occasionally referred to as federated SSO. FIM, however, simply denotes a trust relationship between two or more domains or systems, while Single Sign-On is usually considered a specific feature available within a FIM framework.
OAuth 2.0 is an example of a framework used within a FIM architecture: it likewise relies on a trust relationship between two systems and allows users' information to be shared across those domains. Building on top of OAuth 2.0, the OpenID Connect (OIDC) layer is an example of a protocol that provides Single Sign-On functionality.
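The mechanism that turns OIDC into SSO is the signed ID token: the user authenticates once at the identity provider (IdP), and each application (the relying party, RP) accepts the IdP's signed assertion instead of handling a password itself. The following is an added example, not code from the original page or from any OIDC library, showing both sides in Python with only the standard library. It uses the HS256 (HMAC) JWT algorithm with a constructed shared secret so that it runs offline; real deployments use asymmetric keys (typically RS256 or ES256) that the IdP publishes through its JWKS endpoint, and the RP validation checks shown here (signature, issuer, audience, nonce, expiry) are the ones OIDC Core requires of a relying party. The issuer URL, application names and secret are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: stand-ins for the IdP's signing key and issuer identifier.
IDP_SECRET = b"constructed-demo-secret-not-for-production"
IDP_ISSUER = "https://idp.example.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_id_token(subject: str, audience: str, nonce: str, now: int, ttl: int = 300) -> str:
    """IdP side: after the user's single authentication, mint an ID token for one relying party."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def rp_validate_id_token(token: str, expected_aud: str, expected_nonce: str, now: int) -> dict:
    """Relying party side: accept the IdP's assertion only if every check passes."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected_sig = hmac.new(IDP_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token issued for a different application")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def sso_demo() -> dict:
    """One login at the IdP, two applications, plus the failure cases an RP must reject."""
    now = int(time.time())
    # One authentication event at the IdP yields one token per application the user visits.
    tok_mail = idp_issue_id_token("alice", "mail-app", "n1", now)
    tok_wiki = idp_issue_id_token("alice", "wiki-app", "n2", now)
    result = {
        "mail_ok": rp_validate_id_token(tok_mail, "mail-app", "n1", now)["sub"],
        "wiki_ok": rp_validate_id_token(tok_wiki, "wiki-app", "n2", now)["sub"],
    }
    # Presenting the mail token to the wiki must fail on the audience check.
    try:
        rp_validate_id_token(tok_mail, "wiki-app", "n1", now)
        result["cross_app"] = "accepted"
    except ValueError as e:
        result["cross_app"] = str(e)
    # A token presented after its exp claim must be rejected.
    try:
        rp_validate_id_token(tok_mail, "mail-app", "n1", now + 600)
        result["expired"] = "accepted"
    except ValueError as e:
        result["expired"] = str(e)
    # A claims segment altered without re-signing must fail the signature check.
    h, _, s = tok_mail.split(".")
    forged = f"{h}.{_b64url(json.dumps({'sub': 'admin'}).encode())}.{s}"
    try:
        rp_validate_id_token(forged, "mail-app", "n1", now)
        result["forged"] = "accepted"
    except ValueError as e:
        result["forged"] = str(e)
    return result


if __name__ == "__main__":
    print(sso_demo())
```

The point to take from the demo is the division of labour: the password is seen only by the IdP, and each application makes its access decision from a token it can verify independently, which is why the checks run in that fixed order (signature before any claim is trusted, then issuer, audience, nonce and expiry). Dropping any one of them reopens the problem SSO was meant to solve, since a token meant for one application or one session would then be honoured elsewhere.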