Posts

Companies more and more rely on cloud services. As a result, the number of accounts and the amount of login data are growing rapidly. However, if the number of user names and passwords continues to climb, interfaces and security risks will increase. Single sign-on with privacyIDEA therefore offers the option of centrally managing an identity in order to ensure enhanced security and flexibility.

Single sign-on (SSO) is often misunderstood: The attribution “single” does not necessarily imply that the user only has to remember a single password – this is only partially true. In fact, SSO means that a user only has to log in once, but then still has access to several (cloud) applications at the same workstation – without further “logins”.

This is one of the reasons why companies like to use SSO for their own web services. The crucial factor, however, is not the reduction to one password – a central LDAP server would be sufficient for this – but the fact that users only login once. With SSO, companies offer their employees a central point of contact, whereby they can access all ERP, web or cloud applications they need for their (everyday) work with a single “login”.

According to Bitkom, 44% of all applications and work processes now run cloud-based (83% for large companies) and more and more cloud services are being used, so the need for single sign-on solutions is becoming more and more important. So here’s an overview, not just of the benefits of SSO, but also of what companies have to consider, if they want to use SSO securely and efficiently for their organization.

What is Single Sign-on (SSO)?

In particular, the growing demand for cloud applications is leading to an increased use of SSO. The reason for this is an obvious one: more applications (in the cloud) also mean more passwords or login data for different accounts. Single sign-on offers exactly this option: you only have to log on once, but then you are logged on to several applications.

How can a company benefit from SSO?

A single sign-on system, for example, reduces the proliferation of different accounts and passwords, which significantly increases ease of use for employees. They will most certainly prefer to remember one “master access” rather than many individual accesses.

In addition, too many accounts demonstrably worsen password hygiene, i.e. too many users often use the same passwords for different portals, which cannot benefit IT security.

Scattered “account silos” across multiple solutions – companies want to avoid this, not only because it is simply impractical, but also because it is insecure. With SSO, IT departments can easily create new user accounts centrally and even manage individual permissions. And if an employee leaves the company, “offboarding processes” can also be administered remotely.

Exactly this reduction to one credential – e.g. password and user name – minimizes the risk that access data is lost or consists of easily guessable passwords. On the contrary, if used correctly, SSO increases productivity, facilitates effective IT monitoring, and ultimately provides more control and security – while employees are granted or denied access to multiple systems, platforms, and other business-related resources with a single login.

How can SSO be used in the company?

However, in order to work properly, single sign-on services must access specific protocols. There are quite a few of these – for example SAML2, which is used intensively by Salesforce, or OpenID Connect (OIDC), which is also used by Google, for example.

SAML protocol

With a SAML protocol, the user receives an encrypted session cookie with which the user can authenticate to certain (cloud) services over a specified period of time. The big advantage is that the external service does not have to establish a connection to the internal authentication service (Identity Provider – IdP) – the connection to the user’s browser is all it takes.

OAuth2 with OpenID Connect

The OAuth2 protocol is used to authorize Google services such as Gmail or Google Drive. OpenID Connect is a further development of common protocols such as OpenID or SAML. Since it is generally regarded as simple and secure, OAuth2 with OpenID Connect is increasingly becoming the standard for authorizing API access on the web (and also for apps).

Users receive a unique access key which, in combination with the OAuth2 protocol, enables them to login. Information about the identity of the user as well as the authentication provided is returned to a client via an OpenID-specific token, also known as an ID token. The login then only applies to this one client.

Individual authorization processes – with Keycloak

However, since companies often have to meet different IT security and compliance requirements, they use so-called identity or access management systems – such as the open source solution Keycloak, which uses the two protocols mentioned above and is developed by JBoss under the direction of RedHat. So if role-based authorization does not meet internal needs, Keycloak offers adjustable authorization services.

This way, organizations can manage permissions for all their services through the Keycloak management console and have the ability to define exactly the policies they need.

The security issue – opportunity and hurdle at the same time

The fact that single sign-on systems fundamentally increase security is undisputed: they reduce the password jungle, prevent the creation of (account) silos, increase productivity and facilitate offboarding processes. But a large residual risk remains: A successful attack would always result in several applications being affected in one fell swoop.

But this hurdle can be overcome by additionally integrating a 2-factor authentication solution for SSO. With privacyIDEA as authproc filter (in simpleSAMLphp), for example, users can extend and individualize the authentication process in various ways. The first factor is authenticated against the authentication source (e.g. LDAP) and the second against privacyIDEA.

Functions, that Keycloak and privacyIDEA offer

With Keycloak you can log in with a second factor of privacyIDEA. The following functions allow a secure and user-friendly login:

Secure login with SSO

Exclusion of certain groups

Automatic token enrollment (if a user does not yet have a token)

Since privacyIDEA 3.0: Support of pushtokens

No input necessary: User confirmation via smartphone

Conclusion

The Single Sign-on concept has always been a big issue in many organizations. If companies today use common software and cloud solutions such as Office 365, Box or Slack, this does not mean that they need or want different passwords and login data for these services.

Especially in view of cultural subjects such as Bring your own device (BYOD) or the increasing number of decentralized workstations that can no longer be controlled by internal IT, the use of SSO is increasingly becoming a basic necessity in order to make traceable authentication processes secure and flexible.