What is SSO
In simple terms, Single Sign On is a user authentication method that gives rights to a user to enter one name and password in order to access multiple applications the user has access to. In this authenticates the user remains authenticated for all the applications they have been given permits to and eliminates further prompts and logins when they switch applications during a session. This helps promote health password management habits, since the user doesn’t have to remember too many passwords.
How does it work?
When someone (for example, using a browser) sends an HTTP request for access to a protected resource, a policy agent managed by the SSO provider intercepts the request and examines it. The request must have a valid session token (cookie, segment of code, etc.) in order to be able to access the resource. In case of invalid SSO session token (no or wrong login info, invalid session cookie, etc.) is found, the policy agent contacts the server which then invokes the authentication and authorization processes. If the authorization process succeeds, the resource access is granted, otherwise revoked.
Types of Single Sign-On (SSO)
A. Basic Web Based SSO
This is a browser-based application in which cookie support is required. Characteristic of and suitable for apps deployed on a single web server and single domain.
B. Cross Domain SSO
This is where multiple entities manage user’s credentials. A user authenticated in one domain or application gets automatically signed-on to an application using another area.
C. Federated SSO
This method extends SSO across enterprises. Users from each enterprise get access across each other’s federated apps. Federated SSO provides an authentication token to the user which is trusted across multiple organizations. The user does not need to create different accounts for every organization in the federation to access web properties and applications. Microsoft is a universally known user of this type of SSO
D. Password Synchronization
Passwords are synchronized across multiple computers, devices and applications. Each computer, device, the application still authenticates the user, but this is done on the backend, seamlessly.
E. Enterprise SSO
Also known as Employee SSO, in this authentication, after the main authentication, the services it intercepts advanced login prompts and processes them on behalf of the user. The algorithm learns as you use different apps.
SSO Authentication Methods
- One Time Passwords
- Tokens and Smartcards
- Digital Fingerprints / Machine Fingerprints
The advantages of SSO
- Eliminates the requirement for users to memorize multiple usernames/emails and passwords beyond their initial login.
- Helps reduce workload of the Customer Support about locked accounts and forgotten usernames and passwords.
- Solo-entry point to the corporate network and its useful resources, overall better user experience.
- One can employ Advanced Security to Systems (e.g. Smart cards, On-time Tokens)
Disadvantages of SSO
- Critical impact in case of user credentials exposed. Potentially the whole organization is compromised if high level user credential is compromised.
- The logic is complex and has more risks. It needs to be combined with strong authentication methods like (Smart cards, One-time Tokens).
General Security Principles
- Implement Authentication with Adequate Strength
- Enforce Least Privilege
- Protect Data in Storage, Transit and Display
- Enforce Minimal Trust
- Log and Trace User Action
- Fail Securely and Gracefully
- Apply Defense in Depth
- Apply Security by Default
- Mandatory to restrict access to validated users.
- Strength depends on application risk/data classification.
- Compliant with regulations/standards.
- Provide for secure password and account management.
- Mitigates brute-forcing and credentials harvesting.
- Mitigates Man in The Middle Attacks (MiTM).
- Flaws in Role-Based Access Controls (RBAC)
- Flaws regarding horizontal and vertical privilege escalation & forced browsing.
Session Management Flaws
- Session cookies and authentication tokens unprotected (e.g. clear text) between client and server.
- Missing session invalidation at idle-timeout and user logout.
- New session token to prevent re-use for authentication.
- Non-secure storage in a session in cleartext.
- Lack of strong random generation of session cookies and identifiers.
- Lack of coordinated session between application tiers.