Many mid-to-large sized organizations and a fast-growing segment of SMBs have embraced and deployed one of the many single sign on (SSO) solutions available. In simplest terms, SSO is a session and user authentication solution allowing an employee to use just one login credential (Active Directory credentials or email/password) to access any number of web-based sites and services. SSO authenticates that the user has specific access rights and obviates the need for further prompts when the user switches from one application to another in the same session.
SSO solutions also help simplify the otherwise complex task of administration of user access by allowing administrators to quickly revoke or authorize access to specific users for specific services. In organizations that have to manage scores if not hundreds of internal and external services, SSO is a valuable tool.
Not surprisingly given the cybersecurity threat environment today and the intrinsic link between weak or stolen passwords and the incidence of breaches, the SSO market is growing briskly at a nearly 15% compound annual growth rate.
The benefits of SSO
- Rapid provisioning for cloud applications. For organizations who have adopted SSO, deployment of cloud-based applications (which support the SAML 2.0 protocol) can usually be completed quickly. If an application or service connecting to an SSO supports SAML 2.0, the application can be quickly provisioned by the SSO administrator and made available to employees.
- Increased security. By enforcing the use of Two-Factor Authentication with the SSO solution, organizations can protect accounts with a unified 2FA method that works across a linked application.
- Increased productivity. Productivity is increased, and IT help desk password resets are drastically minimized since employees do not need to manage or remember their passwords for the applications connected through the SSO platform.
The limitations and challenges of SSO solutions
When adopting an SSO solution, it’s important to understand its limitations. First, there is one important feature that SSO solutions today do not have, and that is the ability to support all accounts and services that employees use, both for work and personal use while at work. For example, SSO works only with a set list of cloud services and cloud applications that support SAML (Security Assertion Markup Language) protocols. Without this, business users are left to find some way of keeping track of all the passwords they use for all unsupported systems. Often these employees are privileged or high-end users, meaning they have access to sensitive data on various systems.
Also, for applications that do not support SAML, most SSO solutions lack the flexibility to store a variety of sensitive information beyond simple username and password. An SSO solution is not an encrypted digital vault. They cannot accommodate login credentials for native applications, bank account numbers, digital certificates, SSH keys, PINs, employee census data, confidential images, documents and video files. By contrast a digital vault inherent in the better password management solutions available today can securely hold much more information, including encryption keys and digital certificates.
As stated, there are many positive benefits of using an SSO product for cloud applications. But there are several gaps in the technology which have created difficult situations for many IT admins, including the following:
1. Limited application coverage
To deploy a service or application with an SSO provider, the service must fully support SAML 2.0 technology. There are various levels of SAML support. For example, some apps can dynamically provision a user account, but some apps don't support this ability. The SSO administrator must then be responsible for manually provisioning specific applications to users.
2. Insufficient support for native applications
SAML was created to primarily focus on web browser-based applications. The protocol depends on web browsers for many of the protocol exchanges that take place, such as redirects and form posts. As cited in Wikipedia, "The single most important use case that SAML addresses is web browser single sign-on (SSO).”
The fact that SAML was created as a solution for web browser SSO is the reason that Single Sign On products do not work well for native applications. A software developer who would like their product to work with SAML is forced to embed web-based forms into their applications, mimic the behavior of a web browser, perform parsing of XML and HTML and deal with the complexities of the user interface during the process.
The emergence of App Stores for distribution of native applications to devices and computers increases the complexity of developing SAML integration, since often the same app is deployed to both SSO and non-SSO users. Many products in the app stores were designed for mass market users, not necessarily for Enterprise. Therefore, major rewrites of the applications must take place to support both login flows. New and emerging software companies don't always prioritize the development of SAML features. It takes significant effort to build, deploy and test this functionality.
3. Insufficient support for legacy applications
Many enterprises utilize legacy applications that simply do not support SAML-based authentication for various reasons. IT organizations need to be able to roll out an SSO solution with full coverage of these applications and in many cases, it could take months or years to implement the necessary software changes to a legacy platform—not to mention the risk in causing other bugs or unforeseen issues.
4. Limited use cases for IT and non-password-based data
For the aforementioned reasons, there are many services and applications that companies use which do not support SAML or will never support it based on the architecture and use case. IT departments and employees with access to IT-related products and services often require the use of passwords or other credentials. A few examples of this include:
- Logging into a server or a network appliance
- Storing SSH and other private keys
- API access keys and cloud credentials
- Bank account / financial information
- Private customer information
- Confidential photos and videos
- Social media accounts
- Shared passwords
- Custom applications
When an application falls outside of the SSO scope, the result is that the employee typically resorts to bad password management habits.
While SSO solutions continue to grow and do indeed provide invaluable security services to organizations, many SSO users also supplement and further bolster their security profile by adding a comprehensive password management solution to their portfolio. Password management solutions with secure password generators and auto-fill capabilities provide the same type of single sign-on functionality for sites and services that don't support SAML-based login. They also give IT significant visibility into the overall password practices of every employee and provide the tools to enforce good habits.
The better password managers include separate digital vaults for business and personal passwords, which is vital given the BYOD nature of business users today. Employees can take their personal passwords with them if they leave the company while the business passwords stay behind.
5. Inherent and significant security gaps
Due to the limited coverage of SSO solutions, significant security gaps exist. A plethora of native and cloud applications are not covered by SSO solutions and thus, cannot be integrated as an SSO service. Further, SSO solutions are not digital vaults—they cannot manage, encrypt or store files, photos, videos, notes, codes, keys, certificates and other sensitive digital assets that can result in a data breach. The outlier passwords and assets not covered by SSO represent a major security threat to an organization. The protection of every password and sensitive digital assets counts because these assets are primary attack vectors for hackers.
Case study: MRA Associates boosts its SSO profile
A good example of this strategy of pairing an SSO solution with a comprehensive password manager is given by the experience gained at MRA Associates. This Phoenix-based, fully independent investment adviser differentiates itself from the constellation of wealth management and advisory firms by being 100% partner-owned and managed, boasting absolutely no influence from banks, shareholders, or corporate overlords. MRA has about 60 employees in three locations.
According to Zack Feldman, MRA’s Technology Associate, the company’s employees are continuously accessing various online services and resources, including email, financial products, HR resources, and various Web-based SaaS services, to name a few. All these and other resources require separate logins. It is imperative at MRA that employees have ubiquitous access from their smartphones, laptops and tablets. Some of these devices are employee-owned, complying with MRA’s BYOD policies.
Reaping the benefits of SSO
About two years ago MRA began using ADFS Server from Microsoft. With its integration with MS Active Directory, this solution is designed to bring benefits for business applications such that users can have easy and quick access to a high trust key and digital certificates held within ADFS Server. These can be used to create digital signatures on business documents and data. ADFS server has proven a boon to employees that use just one login and user name to access any sites or services supporting ADFS. For IT, Feldman said security has gotten a great boost from the SSO’s centralized management. As an example, if an employee leaves, it is a simple matter for IT to disable his or her access to all sites immediately, Feldman notes.
However, this single point of failure feature is a double-edged sword. Should the server fail for any reason, employees have no site and services access unless you set up multiple ADFS servers, which is often beyond the reach of smaller organizations.
Filling the gaps
Feldman noted there is one other shortcoming of the SSO solution. Not all vendors and products support ADFS and SSO solutions in general, as previously discussed. As Feldman says with respect to certain sites and services, “there are always outliers.” Outliers must be protected noting they represent digital assets that are often more sensitive than web-based sites and applications.
Thus, MRA needed a comprehensive password management solution to remedy these shortcomings with SSO without overburdening employees or interfering with seamless access to services. Without such a solution, Feldman says, passwords for these sites and services not supporting SSO may well be kept on an Excel spreadsheet, which is hardly a secure solution. Also, if an employee who may have securely shared passwords with others leaves the company, then all passwords must be manually changed. Finally, the very small Operations team at MRA can easily be overburdened by password-related helpdesk requests, such as password resets or forgotten passwords, in the absence of a comprehensive password manager.
Feldman and MRA turned to a comprehensive password management solution integrated with Active Directory and SSO systems. Now, with just one single sign on, employees access the password management solution, which auto-fills every site and service with a highly secure, machine generated password. Feldman says that once these passwords were imported into the password management solution, the rest ‘was very easy’, adding that employees eagerly embraced it, such as the operations team which was an early user.
Without question, SSO solutions are here to stay. The value they provide an organization is significant. But simply put, SSO solutions can’t accommodate the full range of data security, access and device flexibility challenges that organizations face today. Thus, organizations should supplement their SSO strategy with an EPM (Enterprise Password Management) solution that can cover the many additional use cases and protect all sensitive digital assets.