SSO: What it is and why it’s important
In a modern business environment, the number of services, apps, and devices in use across departments is nearly immeasurable. This increase in usage means more accounts, which means more passwords. That presents a challenge not only for users but also IT departments as they struggle to keep up with corporate accounts. SSO is the answer to this quandary for both.
What is SSO?
SSO stands for “Single Sign-On” and is a process that allows users to use a single set of login credentials to gain access to multiple applications and services — one account attached to a number of authorized digital services. There are three main types of SSO in use today:
- Web-based SSO: This is the most common type of SSO. It’s usually used alongside cloud-based services.
- Enterprise SSO: This type of SSO is used by enterprises and other organizations to authorize employee access to a suite of services and other internal applications.
- Federated SSO: This type of SSO allows third-party organizations to connect to each other under a single set of login credentials. Using “sign in with Google” to access a non-Google service is an example of federated SSO.
SSO works largely the same way a standard username-and-password system does, but instead of each application verifying the user’s credentials itself, the user logs in through the SSO portal, which verifies the user’s session and hands the result over to the application’s authentication system. If all is on the up and up, the user is granted access to the application (or in some cases, the suite of applications).
To put that into simpler terms, think about concerts or sporting events. When you enter, you’re often carded to make sure you’re of legal drinking age, then a stamp is placed to verify that you can purchase alcohol. Then, when you go to the bar, the bartender sees your stamp and serves your beverage — no further verification required. In this instance, the guy carding at the door is the SSO, the stamp is the user session, and the bartender is the service you’re logging into.
A quick note on SAML, OAuth, OIDC, and SSO: If you’ve read about SSO, you’ve likely also read the terms SAML (Security Assertion Markup Language), OAuth (Open Authorization), and OIDC (OpenID Connect). While all three can enable SSO, there are some key differences.
SAML is an authentication protocol that verifies a user’s identity and authorizes access to data.
OAuth is an authorization framework through which a provider grants an application access to specific resources on a user’s behalf.
OIDC is an authentication layer built on the OAuth 2.0 protocol that adds an ID token carrying the user’s identity claims. It is largely used for website and mobile app logins.
Think of it this way: SAML is like having the keycard to get inside a building and unlock multiple doors, while OAuth and OIDC are like having a personal escort that only lets you enter where you’re allowed.
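To make the hand-off described above concrete, here is an added example (not Esper’s code and not part of the original post) of the checks an application performs on the OIDC ID token it receives from the identity provider before granting access: signature, algorithm, issuer, audience, lifetime, and nonce. It assumes a hypothetical issuer URL and client id, and uses HS256 with a shared client secret so it runs with the Python standard library only; the helper names are invented for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values: a real relying party takes these from its
# registration with the identity provider, never from hard-coded constants.
ISSUER = "https://idp.example.test"           # hypothetical IdP issuer URL
CLIENT_ID = "esper-demo-app"                  # hypothetical relying-party id
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 key (OIDC Core 10.1)
LEEWAY = 60                                   # seconds of clock skew allowed

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()

def mint_id_token(subject, nonce, now=None):
    """Build an HS256-signed ID token the way an IdP would (constructed)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(_sign(f'{header}.{payload}'))}"

def verify_id_token(token, expected_nonce, now=None):
    """Relying-party checks on the token the SSO portal hands over.
    Returns the claims on success and None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:            # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        return None
    if not hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}"), sig):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + LEEWAY:   # expired token
        return None
    if claims.get("nonce") != expected_nonce:            # binds token to this login attempt
        return None
    return claims
```

Production relying parties should use a maintained OIDC library that fetches the provider’s signing keys and validates RS256/ES256 tokens; the checks above are the same, only the key handling differs.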
How SSO improves security
It’s easy to see how SSO simplifies logging in to multiple services, but it’s not immediately clear how it improves security. There are a number of security benefits to implementing SSO:
- Reduced password fatigue: In an age where every organization has its own online presence that requires a dedicated login, it’s understandable that users are simply tired of trying to remember dozens or hundreds of passwords. With SSO, the number of required passwords is reduced to one for all of the supported services.
- Increased password strength: Password fatigue has another unwanted outcome — reused passwords. In order to remember all of those different sets of login credentials, users often re-use passwords, which is a security risk. With just a single password to remember with SSO login, it’s easier to make (and remember) stronger passwords. There’s an argument here for password managers, but this isn’t the time or place for that. (Also, use a password manager!)
- Centralized access control: For organizations, the ability to manage access to all employee services in a single place is truly impactful. Granting and removing access to services becomes a single click instead of individual changes across multiple applications.
- Consistent security enforcement: In an SSO-enabled environment, organizations can enforce strict security measures, like unique passwords, routine password changes, and the like. This allows for consistent and repeatable security practices that are automatically enforced.
- Reduced chance of password theft: The more accounts you have, the more passwords you have, and the higher the probability that one of them will eventually be stolen. And if you re-use passwords, then that one stolen password may turn into five, 10, 20, or more compromised accounts. SSO can circumvent all that.
Of course, there’s always a chance that the user’s SSO login credentials get compromised, which is the largest downside to SSO. But if implemented correctly and security policies are strictly enforced, the odds of that happening are much slimmer. SSO is an excellent tool, but it has to be utilized properly to be most effective!
The Benefits of SSO
Apart from enhanced security, there are a number of additional benefits to SSO integration, both for users and IT departments.
For IT departments and security teams, SSO is a one-place-to-rule-them-all management portal for account access. As previously mentioned, this simplifies the account activation/deactivation process, saving IT time and money. For users, SSO simplifies the account creation and login process. They create a single account with a strong password and get access to all corporate apps and services. It’s a win-win.
These two things combined also improve security compliance across the enterprise. With most SSO providers, IT can set strict security rules for passwords. Length, character requirements, and regular password resets are all table-stakes features for SSO, and they go a long way in ensuring optimal security. Similarly, many SSO providers also allow IT teams to set session timeout windows after which users must re-enter their passwords, further improving security.
SSO and Esper
Esper is proud to offer SSO support for SAML and OIDC for organizations that want all the benefits of single sign-on. Our help center has all the details on setting up SSO (with SAML and Okta or OIDC and Okta), as well as deleting SSO connections and a detailed FAQ.