Single sign-on (SSO) is a property of access control of multiple, related, but independent software systems. With this property, a user logs in once and gains access to all systems, without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems.
As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.
What are the benefits of Single Sign-On (SSO)?
- Reduces phishing success, because users are not required to enter password everywhere.
- Reducing password fatigue from different user name and password combinations.
- Reducing time spent re-entering passwords for the same identity.
- Can support conventional authentication such as Windows credentials (i.e., username/password).
- Reducing IT costs due to lower number of IT help desk calls about passwords.
- Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users.
- Centralized reporting for compliance adherence.
SSO uses centralized authentication servers that all other applications and systems utilize for authentication purposes, and combines this with techniques to ensure that users do not actively have to enter their credentials more than once.
Common Single Sign-On configurations:
Initial sign-on prompts the user for credentials, and gets a Kerberos ticket-granting ticket (TGT).
Additional software applications requiring authentication, such as e-mail clients, wikis, revision control systems, etc., use the ticket-granting ticket to acquire service tickets, proving the user's identity to the mail server / wiki server / etc. without prompting the user to re-enter credentials.
Windows environment – Windows login fetches TGT.
Active Directory-aware apps fetch service tickets, so user is not prompted to re-authenticate.
Initial sign on prompts the user for the smart card. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart card-based single sign-on can either use certificates or passwords stored on the smart card.
OTP (One-Time Password) Token:
Also referred to as one-time password token. Two-factor authentication with OTP tokens follows industry best practices for authenticating users. This OTP token method is more secure and effective at prohibiting unauthorized access than other authentication methods.
Integrated Windows Authentication:
Integrated Windows Authentication is a term used more commonly for the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer. Cross-platform Active Directory integration vendors have extended the Integrated Windows Authentication paradigm to UNIX, Linux and Mac systems.