Imagine Life with One Password
Nowadays, most websites and applications require some form of authentication in order to access full features and content. And as the number of services per corporate user continues to grow, a centralized login solution is increasingly attractive to both end-users and the IT teams who are tasked with securing their data. So, if your workers need seamless and secure authentication that’s easy to use, single sign-on (SSO) may be the perfect solution. Aside from improving network security, SSO can also boost productivity by cutting down on the time that users spend entering (or trying to remember) passwords for any of the 130 accounts they may use on a regular basis.
The average business user spends approximately 36 minutes per month entering passwords.
Single Sign-On Basics
Single sign-on lets one set of credentials be used to log in to several different applications. SSO is implemented as a security measure and is especially useful in enterprise settings, where IT can allow employees to access a variety of applications using only their company credentials. Here are the basic steps in the SSO process:
- A user logs in to the SSO solution (the identity provider) and begins a session. The identity provider sets a session cookie in the user's browser, scoped to the identity provider's own domain; the server keeps the matching session record.
- When the user attempts to open another application/service, that application does not see the user's password at all. It redirects the browser to the identity provider, and the browser presents the identity provider's cookie along with that request.
- If the cookie matches a live session, the identity provider issues a signed token (a SAML assertion or an OpenID Connect ID token) naming the user and the application it is intended for, and sends it back to the application, which verifies the signature, audience and expiry and grants access without a login prompt. If there is no valid session, the identity provider shows its login page instead of issuing a token.
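The exchange above, reduced to code, as an added example that is not part of the original article or of any NetMotion product. It models an identity provider that verifies a password once and then mints tokens for two hypothetical applications ("mail" and "crm"), and a service provider that refuses tokens with a bad signature, the wrong audience, a past expiry, or a reused ID. Real deployments sign with a private key (SAML/OIDC); the shared HMAC key, the user list and the 300-second token lifetime are assumptions chosen to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical shared signing key. Real IdPs sign with an asymmetric key pair.
IDP_SIGNING_KEY = b"hypothetical-shared-secret-do-not-reuse"
TOKEN_LIFETIME = 300  # seconds; assumed value for the example


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Step 1: the only place credentials are checked. Step 2/3: hands out tokens."""

    def __init__(self, key: bytes, users: dict):
        self._key = key
        self._users = users      # constructed username -> password table
        self._sessions = {}      # cookie value -> username

    def login(self, username: str, password: str):
        """Verify credentials once and return a session cookie for the IdP domain."""
        if self._users.get(username) != password:
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = username
        return cookie

    def authorize(self, cookie: str, audience: str, now: int = None):
        """An application redirected the browser here. Mint a token only for a live session."""
        username = self._sessions.get(cookie)
        if username is None:
            return None  # no session: the IdP would show its login page instead
        now = now or int(time.time())
        claims = {
            "sub": username,            # who the user is
            "aud": audience,            # which application this token is for
            "iat": now,
            "exp": now + TOKEN_LIFETIME,
            "jti": secrets.token_hex(8),  # unique ID so the token cannot be replayed
        }
        body = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return body + "." + b64url(sig)


class ServiceProvider:
    """An application that never sees a password; it trusts validated tokens only."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key
        self._seen_ids = set()

    def accept(self, token: str, now: int = None):
        """Return the authenticated username, or None if the token must be rejected."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None                         # forged or tampered
        claims = json.loads(b64url_decode(body))
        now = now or int(time.time())
        if claims.get("aud") != self.name:
            return None                         # minted for a different application
        if claims.get("exp", 0) <= now:
            return None                         # expired
        if claims.get("jti") in self._seen_ids:
            return None                         # replayed
        self._seen_ids.add(claims["jti"])
        return claims["sub"]


if __name__ == "__main__":
    idp = IdentityProvider(IDP_SIGNING_KEY, {"alice": "correct horse battery"})
    mail = ServiceProvider("mail", IDP_SIGNING_KEY)
    cookie = idp.login("alice", "correct horse battery")
    print(mail.accept(idp.authorize(cookie, "mail")))   # alice
```

The audience check is the one most often skipped in home-grown integrations: without it, a token issued for a low-value application can be presented to a high-value one.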
Single sign-on is based on the concept of a federated identity system, which links a person's electronic identity and attributes across multiple distinct identity management systems. Federated identity systems cover several security functions, including:
- Authentication: credential verification and identity establishment
- Authorization: access restrictions
- User attributes exchange: data sharing across different systems
- User management: administration of user accounts
A federated identity system is only concerned with establishing the identity of a user and making that information available to each subsystem that requires it. This is the approach that makes it possible for a user to log in once and be authenticated automatically across all services, regardless of platform, technology or domain.
SSO is great because it makes life easier for everybody. Instead of having to remember dozens of passwords, or worse, reusing the same password in multiple places, SSO makes it so that you only need to remember one.
IT Systems Administrator, NetMotion Software
Getting your workers set up with single sign-on is surprisingly straightforward, as there are several off-the-shelf solutions readily available that integrate with most major enterprise applications. A few of the more common third-party identity providers include:
- ADFS 2.0/3.0
Setup may vary a bit by provider, but once you have selected the best option for your needs, you will need to configure the trust between the identity provider and each application (application-specific domains/URLs and the signing certificate), configure which user attributes are sent, assign users to the appropriate applications, and test to make sure everything works as expected.
SSO Best Practices
There are a few single sign-on best practices that can increase the security and effectiveness of your implementation.
1) Disallow username/password login.
If single sign-on is in use, it should be used for ALL applications and replace local username/password options. A local login left enabled on an application bypasses every control the identity provider enforces (password policy, lockout, multi-factor). If a break-glass local administrator account must remain, restrict and monitor it.
2) Disallow password resets.
Users should be prevented from changing or resetting their passwords through application-side e-mail links; password changes belong at the identity provider, where the same policy and verification apply. An e-mail reset link handled by an individual application is a second credential path that sidesteps SSO.
3) Disallow email address changes.
Companies should only allow employees to use official corporate email addresses that IT can control.
4) Enforce session timeouts.
Idle sessions should be promptly expired, and a session should also have an absolute lifetime regardless of activity. If a user clicks on a link in an application after the session has expired, the identity provider should request authentication again rather than silently issue a new token.
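As an added example (not the article's or NetMotion's code), this is how an identity provider's session store can enforce both kinds of limit: each successful use slides the idle window, but nothing extends the absolute lifetime, and an expired session is deleted so the next request gets a login page instead of a token. The 15-minute idle timeout and 8-hour lifetime are assumed values.

```python
import secrets

# Assumed policy values for the example: tune to your own risk tolerance.
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the session is dropped
MAX_LIFETIME = 8 * 60 * 60   # hard cap on a session, no matter how active it is


class SessionStore:
    """Identity-provider session table keyed by the cookie value."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT, max_lifetime: int = MAX_LIFETIME):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._sessions = {}  # cookie -> {"user", "created", "last_seen"}

    def create(self, user: str, now: int) -> str:
        """Called after a successful login; returns the cookie value to set in the browser."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {"user": user, "created": now, "last_seen": now}
        return cookie

    def check(self, cookie: str, now: int):
        """Called when an application redirects the browser to the IdP.

        Returns ("ok", user) when a token may be minted, or ("login_required", reason)
        when the user must authenticate again. A valid use refreshes the idle window only.
        """
        session = self._sessions.get(cookie)
        if session is None:
            return ("login_required", "no_session")
        if now - session["created"] >= self.max_lifetime:
            del self._sessions[cookie]
            return ("login_required", "lifetime_exceeded")
        if now - session["last_seen"] >= self.idle_timeout:
            del self._sessions[cookie]
            return ("login_required", "idle_timeout")
        session["last_seen"] = now  # sliding idle window
        return ("ok", session["user"])

    def logout(self, cookie: str) -> None:
        """Explicit sign-out: removing the server-side record makes the cookie worthless."""
        self._sessions.pop(cookie, None)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.create("alice", now=0)
    print(store.check(cookie, now=10 * 60))   # ('ok', 'alice')
    print(store.check(cookie, now=40 * 60))   # ('login_required', 'idle_timeout')
```

Deleting the server-side record on expiry matters: an idle timeout enforced only by the browser cookie's expiry attribute can be undone by anyone holding the cookie value.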
5) Choose enterprise applications that are SSO-ready.
High quality web browsers, word processors and file sharing applications (to name a few) are typically ready for single sign-on out of the box. But is your mobile VPN? Starting from a single sign-on, NetMotion Mobility maintains always-on secure access to business-critical applications regardless of network. Workers need only one set of login credentials, entered at the start of each shift, and NetMotion handles all subsequent logins as they move across networks.