October 18, 2018 Blogby Arie Timmerman

Single Sign-On for controlled user experiences

In this blog, Arie Timmerman, Technical Consultant at iWelcome, shares some interesting thoughts on Single Sign-On: “Yes, it improves user experiences but there is no one-size-fits-all.”

 

What is Single Sign-On?

Single Sign-On is the principle of enabling a user access to multiple applications while logging in once. As such, it is a vital product feature of any Consumer IAM solution.

Single Sign-On allows protecting your resources using a set of strong access controls. It simplifies monitoring who enters – or tries to enter illegally – your systems. Single Sign-On allows applying authentication and authorisation policies centrally. By decoupling application data from user data, a fundamental form of risk sharing is applied.

Despite the benefits, logging in automatically with the same access controls does not fit for all use cases. Some of these cases require enforcing more stringent authentication policies than others. This can be due to different user preferences, application requirements or identity provider access policies.

There is one truth that holds for all: users, applications and identity providers all have the ability to make Single Sign-On more secure.

 

In the end, the user is always in control

For better or worse: a user’s behaviour directly impacts security. Specifically for Single Sign-On, a user can prevent automatic log in from happening simply by not accepting cookies, or by clearing these after closing the web browser.

Furthermore, a user can simply logout after he has finished his tasks. On a private and properly secured computer this is usually not necessary. However, on a public computer this is very relevant.

Some login environments allow users to protect their accounts with more secure forms of authentication. Examples here are fingerprint (or: biometric) and multi-factor authentication.

Single Sign-On (from here on referred to as SSO) improves user experiences for regular users, while it allows more privacy-aware users to stay in control of their ‘authentication journey’.

 

User authentication is managed on application-level

In the end, it is up to the individual applications to decide whether access is granted or denied. In its simplest form, this goes by allowing authenticated users access and denying access to anonymous users.

Depending on the application, special authentication requirements may apply. Some applications may require two-factor authentication (2FA) for certain functions. With step up authentication features, organisations can decide to apply 2FA only once required while starting with basic authentication. In other cases, an application might enforce re-authentication. For example, if the last log-in was more than X time ago.

Without SSO setup, each individual application needs to manage authentication and keep track of logged in users. Cookies were used for this purpose. In many cases, however, this situation remains in place after adopting SSO. This is both unnecessary and unfortunate. Unnecessary, because the user can easily access log in again to the application due to the central managed session. Unfortunate, because by doing this, applications do not take full advantage of the capabilities of SSO provided by consumer identity management solutions.

 

The identity provider as single source of truth

Having the central role in the authentication process makes the identity provider the most knowledgeable and reliable actor in the infrastructure ecosystem. The identity provider knows which users are allowed access to what applications. This opens up a lot of powerful capabilities.

In its most basic form, the identity provider can control the process of automatically logging in users first by simply asking the user “do you want to stay signed in?”.

After login, a session with a specific lifetime is set. With an active session, log in happens automatically. If the session expires, the user needs to sign in again. A logout destroys the session immediately, and depending on the setup, logs the user out of the connected applications.

The full power of the identity provider is unleashed with contextual aware authentication. Based on a wide range of factors – such as the device used to log in, the geographical location, or the time of the day – the level of confidence in the identity of the user can be determined.

In conclusion, Single Sign-On is all about preventing unneeded user-interaction while keeping security to the highest level necessary. There does not have to be a trade-off between security and usability. If done right, SSO will improve both.

 

Arie Timmerman

Technical Consultant at iWelcome

After finishing his Master in Business Information Technology, Arie gained over five years of experience in Identity & Access Management, working for large consultancy firms as Capgemini and PwC. Within iWelcome, Arie is involved in IDaaS client implementation projects as technical consultant.

Feel free to repost this blog on your website or social channels! But when you do so, please be so kind to mention the source and give us a notice via marketing@iwelcome.com.