

10: What is SSO?
Takeaway Points:
SSO stands for single sign-on
It primarily emerged from the employee workforce identity ecosystem
The idea was to improve usability and security by reducing the number of times an employee had to log in to the different systems needed to perform their job role
Historically employee systems often had their own “local” usernames, passwords and access control lists
This resulted in end users having to remember different usernames - and often reusing one “good” password across them - a security anti-pattern
Help-desk and security administration costs were high as a result - often due to password and account reset requests
The management of account setup and access was also complex, often manual and extremely effort intensive
Whilst provisioning systems helped reduce the effort of account creation and management, access management systems introduced SSO capabilities
The idea being that the end user would “authenticate” once to a single system called an identity provider (IDP)
Applications would then integrate against this IDP and reuse the authentication event - often by the use of cookies, access tokens and assertions
Integration took the form of policy and web agents (that sat in front of or alongside applications), gateways and federation standards such as SAML - and later OAuth2 and OIDC. SDKs could also be used.
Downstream systems no longer had to manage local passwords and would instead redirect unauthenticated users to the IDP to log in
The IDP would authenticate the user with a range of options - typically a directory lookup for usernames and passwords, followed by multi-factor authentication options such as one-time passwords
The IDP would then create a session - a period of time for which the user could stay logged in before having to re-authenticate
As long as the session was active and valid, other systems would allow the end user to gain access seamlessly
Use cases:
employees accessing workforce systems by logging in once each day or week - then seamlessly accessing relying systems
customers logging in once and accessing different brands without re-logging in
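As an added example (not code from the IAM Bitesize post), the flow in the takeaways above as a toy Python simulation: the IDP authenticates the user once and issues an HMAC-signed session cookie with an expiry, and the relying applications accept that cookie with no local password check, redirecting back to the IDP when the session is missing, forged or expired. The signing key, the user record, the application names and the IDP URL are all constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo values: a per-IDP signing key, a single user with a toy
# password hash (a real IDP would use a directory plus argon2/bcrypt), and
# an 8-hour session lifetime after which re-authentication is required.
IDP_KEY = secrets.token_bytes(32)
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}
SESSION_TTL = 8 * 60 * 60

def _sign(body):
    """HMAC-SHA256 over the cookie body so relying apps can detect tampering."""
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()

def idp_login(username, password, now=None):
    """The single authentication event: returns a signed session cookie or None."""
    stored = USERS.get(username)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored.encode(), digest.encode()):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "iat": now, "exp": now + SESSION_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body.encode())

def idp_validate(cookie, now=None):
    """Accept the cookie only if its signature is good and the session is still live."""
    try:
        body, sig = cookie.split(".", 1)
    except (AttributeError, ValueError):
        return None  # no cookie, or not in body.signature form
    if not hmac.compare_digest(_sign(body.encode()).encode(), sig.encode()):
        return None  # forged or tampered cookie
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return None  # session lifetime elapsed: user must re-authenticate
    return claims

def relying_app(name, cookie, now=None):
    """A downstream system: no local password, just reuse the IDP session."""
    claims = idp_validate(cookie, now)
    if claims is None:
        # Unauthenticated (or stale) user is sent to the IDP, as the takeaways describe
        return {"status": 302, "location": "https://idp.example/login?return_to=" + name}
    return {"status": 200, "user": claims["sub"], "app": name}
```

The same cookie is accepted by every relying app for as long as the session is valid; once it expires, every app redirects to the IDP rather than prompting for a password of its own.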