25. October 2021
Single sign-on (SSO) – a proven remedy for password fatigue
Single sign-on (SSO) creates maximum user convenience with a centralised service for user authentication - no more constant logging in and out of accounts.
Cloud applications, web apps, on-premises software, PCs, email, social media, payment systems… – we often use numerous digital services every day, and that inevitably means usernames and passwords have to be constantly typed in, updated or reset. Quite apart from the fact that the login procedures put our memory to the test, the frequent entries are annoying: they take up valuable working time and, despite all reminders, sometimes tempt us to choose easy-to-remember but insecure credentials out of convenience. In order to handle the tedious log-in processes easily, efficiently and with strong authentication, we have now also geared our mydocma construction software platform towards single sign-on technology, abbreviated SSO.
SINGLE SIGN-ON – THE DIGITAL MASTER KEY
A log-in is comparable to a key. Consequently, many accounts evoke associations with an XXL-sized digital bunch of keys: full, confusing, cumbersome to use. The keys often differ only marginally in their profile, so failed attempts are inevitable! If we stick with the metaphor, there is a more user-friendly solution for quick access: the master key. Applied to the IT world, this is the single sign-on principle. The procedure replaces many individual login processes by utilising one overarching identity for the user. Access to all solutions connected to the system is authorised with just one secure user name/password combination.
What is the mechanism behind the SSO system?
Single sign-on is made possible by a centralised authentication service, the so-called identity provider. It is, so to speak, the issuer of the master key: an entity that stores, manages and verifies all identities together with their respective authorisations. Digital solution providers such as edr software, known as service providers in technical jargon, receive secure proof of identity from the identity provider once a user has been successfully validated, after which seamless access is granted. The exchange between identity provider and service provider takes place through the mutual transmission of a signed token; this applies to both authentication requests and user confirmations. In addition to the identity details, this data packet also contains a certificate with which both sides identify themselves as a trustworthy source.
Log-in with single sign-on
The SSO processes described run in the background. The principle of simplicity reigns in the foreground. For the user of our mydocma platform, this results in two practical login scenarios.
Scenario 1:
He/she types in the user ID on our platform and is immediately logged in because the system registers that authentication has already taken place with the identity service provider.
Scenario 2:
He/she enters the user ID on our platform and the system recognises that authentication has not yet taken place. The user is automatically redirected to the identity provider’s input screen or to the company’s log-in page, where the user name/password combination is entered once. Once the confirmation button has been clicked, login to the mydocma portal and all other applications connected to the SSO system is complete.
Single sign-on: a step towards a password-free future
We initially launched the single sign-on principle in conjunction with Microsoft’s identity and access management system, Azure Active Directory (Azure AD for short). This makes it easy to manage unrestricted access to the desired digital resources via the company login. On request, however, we can also initiate the SSO process using other identity providers such as ADFS, OneLogin, Okta, Auth0 or G-Suite. Single sign-on is particularly useful and profitable for companies that employ several people and have a large collection of applications.
Is the SSO system secure?
The single sign-on procedure inevitably raises the question: Can it not also be fraught with insecurity if just one log-in data record opens the door to a multitude of modules? If the best practices for SSO are adhered to, the answer is: No! The “danger” is in front of the computer. Password post-its on the PC for everyone to see, long lists of passwords in the drawer and risky practices such as the reuse of passwords or passwords consisting of simple sequences of numbers are all too common. In short: what makes a company’s IT environment insecure is an excessive number of logins and log-in data.
SSO counteracts this and follows very strict security guidelines such as password complexity, multi-factor authentication and SSL certification. Fewer login processes also mean a smaller attack surface. In addition, the one-time login process raises the user’s awareness of both a “strong password” and trustworthy sites. The system also offers audit logging, which can be used to trace all user activities and clarify any inconsistencies. As access management is controlled centrally, accounts can be blocked quickly, e.g. if a device is lost or an employee leaves the company, and the risk of unauthorised access can be averted.