How can SSO improve customer security and user experience?
SSO, or Single Sign-On, is a service which allows a user to log into one application or network domain, and then be authenticated and logged in automatically to other associated applications or domains. The user therefore only needs one set of identity-verifying user credentials (e.g. username/password) for authentication and to securely access multiple applications, services, and even different service providers.
Note: for a more technical look at ‘What is Single Sign-On (SSO)’, check out our blog, ‘What is Single Sign-On (SSO) – technical guidance for web application developers’.
SSO has long been used in the enterprise to reduce (and better manage) the number of credentials an employee requires to access enterprise applications. However we now also see common use of SSO for external users, like customers, consumers, or partners. With breaches and attacks on customer identity data increasing, this blog post focuses on the much needed trusted customer / consumer scenario.
For example, an energy company could use the SSO capability of an Identity Platform to let customers use just one identity for authentication and a simplified login to all of its digital services – account settings, electricity reporting, gas usage, payment history etc.
Let’s look at some FAQs around SSO – the benefits, levels of security and set-up.
What are the benefits of SSO?
SSO improves User experience (UX)
Enhanced UX is perhaps the most obvious benefit of Single Sign-On. Repeat logins are cumbersome and annoying, so removing this necessity is a big advantage. As customers increasingly demand a good digital experience, poor UX will lead to loss of business.
As a further UX benefit, the sign-on could be authenticated with any credentials that you expect your visitors will want to use – e.g. username/password or an existing digital identity from an Identity Provider (IdP). Federated identity from an IdP includes a range of existing digital identities, from social (Facebook, Google, Twitter) to something stronger, like a national digital identity (eID) or bank ID.
There’s no need for the user to create a brand-new set of credentials at all, if you so choose – many options exist for a user to verify themselves with a digital identity they already have – keeping users happy and enhancing security (more on that later).
SSO reduces admin time and costs
With just one set of credentials to manage, login and authentication issues are dramatically reduced, which means much less time wasted by IT admins sorting them out – a benefit that scales with the growth of your business.
Furthermore, simplifying internal creation and deactivation of access credentials – for example, when partner contracts begin/end within a B2B service – also saves time.
As we all know, time equals money. SSO saves time, and therefore saves your business money.
Is Single Sign-On secure?
Whilst an initial impression of SSO might leave you questioning the security of only needing one set of credentials to manage access to several systems, SSO actually improves security when implemented correctly.
If we take the B2B partner use case from above with simpler revoking of access credentials when contracts expire, this also means it’s much easier to view and manage who has access to your organisation’s data.
What’s more, the initial authentication can be very strong: multi-factor authentication (MFA) is now a standard Identity & Access Management capability. Users are more likely to choose a strong, unique password if they only need to create one, and to enrol in MFA if they only need to do it once. The flip side is that this single credential and the SSO session it creates now protect every connected application, so MFA, session lifetimes and the ability to revoke a session everywhere at once matter more, not less.
Passwordless authentication can also be used with SSO. The user logs in with something they have rather than something they know (and have to remember): for example a Time-based One-Time Password (TOTP) generated by an authenticator app, or a registered mobile device.
SSO allows you to improve your security posture by reducing the amount of identity credentials you expect your users to manage and, instead, consolidate multiple identities into a single identity – i.e. one set of credentials for all your applications.
If your services have different security assurance requirements, the decision can be made at the moment of single sign-on (this is often called step-up authentication). If the user authenticated in the first application at a level of assurance equal to or higher than the level the second application requires, they can single sign-on to the second application without interruption. If they authenticated at a lower level than the second application requires, require them to re-authenticate with a stronger method before granting access. The second application should check the level that was actually achieved in the new login, rather than assume it was met because it was requested.
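The step-up decision described above, as an added example that is not part of the original post or of any Ubisecure product. It models the two checks a relying party makes in an OpenID Connect deployment: is the existing SSO session strong and recent enough for the second application, and if not, how to request a stronger login and verify what came back. The acr values, the ranking between them, the client IDs, the policies and the sample session are all assumptions made up for the example; OpenID Connect leaves acr values to the deployment, and a real IdP publishes its own in acr_values_supported.

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Assumed ordering of assurance levels, lowest to highest. The acr names are
# illustrative; a real IdP advertises its own values in acr_values_supported.
ACR_RANK = {
    "urn:example:acr:password": 1,  # username/password only
    "urn:example:acr:mfa": 2,       # password plus a second factor
    "urn:example:acr:eid": 3,       # national eID or bank ID
}


@dataclass
class Session:
    """What the first application recorded from the ID token at login."""
    subject: str
    acr: str        # acr claim: how the user authenticated
    auth_time: int  # auth_time claim, seconds since the epoch


@dataclass
class AppPolicy:
    """Minimum assurance a second application demands before granting SSO."""
    client_id: str
    required_acr: str
    max_age: int    # seconds since auth_time that the application tolerates


def rank(acr: str) -> int:
    # An unknown or missing acr is treated as the weakest level, never as "good enough".
    return ACR_RANK.get(acr, 0)


def sso_allowed(session: Session, policy: AppPolicy, now: Optional[int] = None) -> bool:
    """True if the existing session satisfies the second application without re-auth."""
    now = int(time.time()) if now is None else now
    fresh = (now - session.auth_time) <= policy.max_age
    strong_enough = rank(session.acr) >= rank(policy.required_acr)
    return fresh and strong_enough


def step_up_request(authorize_endpoint: str, policy: AppPolicy,
                    redirect_uri: str, state: str, nonce: str) -> str:
    """Build the OIDC authorization request that forces a stronger re-authentication.

    prompt=login makes the IdP re-authenticate even though an IdP session exists,
    acr_values asks for the required assurance level, and max_age bounds auth_time.
    """
    params = {
        "response_type": "code",
        "client_id": policy.client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "acr_values": policy.required_acr,
        "prompt": "login",
        "max_age": str(policy.max_age),
        "state": state,
        "nonce": nonce,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def verify_step_up(id_token_claims: dict, policy: AppPolicy, now: Optional[int] = None) -> bool:
    """acr_values is only a request; the relying party must check what the IdP returned.

    Assumes the signature, issuer, audience, expiry and nonce of the ID token were
    already verified by the OIDC client library before these claims are trusted.
    """
    now = int(time.time()) if now is None else now
    acr_ok = rank(id_token_claims.get("acr", "")) >= rank(policy.required_acr)
    auth_time = id_token_claims.get("auth_time")
    fresh = isinstance(auth_time, int) and (now - auth_time) <= policy.max_age
    return acr_ok and fresh


if __name__ == "__main__":
    # Constructed sample data: a password-only session that is ten minutes old.
    now = 1_700_000_600
    session = Session("alice", "urn:example:acr:password", 1_700_000_000)
    settings = AppPolicy("account-settings", "urn:example:acr:password", 3600)
    payments = AppPolicy("payments", "urn:example:acr:mfa", 900)
    print("account settings via SSO:", sso_allowed(session, settings, now))
    print("payments via SSO:", sso_allowed(session, payments, now))
    print(step_up_request("https://idp.example.test/authorize", payments,
                          "https://payments.example.test/cb", "st4te", "n0nce"))
```

The ordering of acr values is a policy decision that belongs with the relying party, not something the IdP's token can be trusted to encode, which is why an unrecognised acr ranks lowest here. The same two checks (sufficient level, recent enough auth_time) are applied both to the existing session and to the ID token that comes back from the step-up, so a misconfigured or downgraded login cannot slip through by being requested rather than performed.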
What are the SSO protocols?
The Single Sign-On protocols are well tested, proven and mature. Traditionally they were the enterprise-oriented Security Assertion Markup Language (SAML) and Web Services Federation (WS-Fed). Today, in Customer Identity and Access Management (CIAM) and partner (B2B IAM) Single Sign-On use cases, we also see OpenID Connect (OIDC), which adds an identity layer on top of OAuth 2.0, and Mobile Connect, which is built on OIDC. OAuth 2.0 itself is an authorisation framework rather than an authentication protocol: its access tokens authorise the release of specific account information, while the OIDC ID token is what proves who the user is.
It’s important to choose an SSO solution that supports the Single Sign-On protocol that best fits your use case.
If you need to compare the protocols to determine which one(s) are best for your business, download our free white paper on SSO authorisation protocol comparison.
How easy is Single Sign-On to implement?
SSO is a standard identity management function for many organisations, making it one of the most common digital identity use cases and a crucial element of access management. However, exercise caution before integrating SSO protocols and functionality in-house from scratch. IAM can be complex, and with complexity comes risk. Fortunately there are many SSO solutions that can help reduce this complexity.
SSO is evolving
Many organisations traditionally managed user identities in dedicated directories such as Microsoft’s Active Directory (AD), typically accessed over the Lightweight Directory Access Protocol (LDAP). Access management solutions, using SSO, federate these locally stored identities to the enterprise’s application library, both on-premises and, more commonly now, in the cloud.
The growth of the cloud has seen identity directories move to the cloud too, with directory services forming a critical component of Identity-as-a-Service (IDaaS) solutions. Furthermore, the scope of identity directories has expanded and now includes CRM, HR and other directory-as-a-service offerings. Centralising these directories gives IT admins a single place to see and control the identity data they need to protect.
Choosing an SSO Provider – how IDaaS can speed up implementation
Using a SaaS (software-as-a-service) solution for embedding SSO functionality into your application can dramatically reduce the time and cost of deploying services. One such SSO-as-a-Service is Ubisecure IDaaS (Identity-as-a-Service or, as Gartner refers to it, SaaS-delivered IAM).
The time to market (and time to value) for IDaaS is reduced compared to a more complex identity solution because of the standardised feature sets and because the enterprise does not need to manage the deployment, security, configuration and maintenance of the solution itself. It’s a matter of simple out-of-the-box deployment rather than reinventing the wheel. IDaaS also reduces the risks created by bad design choices that can happen when developing a single sign-on solution in-house.
Read more about IDaaS at ubisecure.com/idaas/.
Read more about Ubisecure SSO.
Interested in setting up SSO for your own business technology? Check out this case study of how one Ubisecure customer implemented Single Sign-On to the benefit of all users in their system.