How Does Single Sign-On Work?

Amid a spike in cyberattacks, the need for authentication has risen. Almost all websites or web apps require authentication to access content, features, and services. Using passwords on multiple platforms takes time and effort and is only partially secure.

Single sign-on (SSO) helps navigate this difficulty and save time. But the question remains, how does single sign-on work? 

This article will give a complete walkthrough on how single sign-on works (and assess its strength!)

Firstly, What is SSO?

Single Sign-On (SSO) is a session-based user authentication technique that enables users to use one login credential and its associated tokens to access or authenticate multiple applications. SSO helps enhance the customer experience while maintaining availability and security during authentication. Most SaaS applications allow SSO. 

Often, employees use SSO to access various web applications using one email access. This authentication technique is beneficial because the users can implement their password-based authentication without repeatedly using it. Also, it eliminates the burden of remembering passwords for multiple applications. 

While web SSO uses browser storage mechanisms like SSO tokens, cookies, and local storage to support the user session for multiple authentications, federated SSO comes in handy when developers need to implement SSO with third-party applications.

How Does SSO Work?

Let us explore how Single Sign-On (SSO) works. SSO works on the trust relationship between an application, known as the service provider, and an identity provider. Some popular identity providers are One Login and Auth0. The trust relationship works on a certificate that gets exchanged between the service provider and the identity provider. The flow of authentication and login usually works like this:

1. First, the visitor will browse a website (service provider) using their web browser.

2. When the user tries to access the app's feature, the service provider prompts the user to authenticate or register.

3. Suppose the user has already logged into an email service. In that case, the service provider sends the authentication token containing some information about the user to the SSO system (identity provider).

4. The identity provider verifies whether the token is valid. During this process, it will check whether the user performed their authentication. If correct, it will go to step 6.

5. If the user still needs to log in to some other service, the service provider will prompt the user to log in to the email service or other web service. Some include OTP for authenticating that web service.

6. Once the identity provider validates that the credentials are appropriate, the application will transmit the token back to the service provider, verifying that the authentication was successful. 

7. The token passing gets performed via the user's browser to the service provider. 

8. The service provider again checks whether the token is valid. Then, it builds the trust relationship between the service provider and the identity provider. Finally, the user gains access to the new service.

Let's suppose you logged in to your email (Gmail) account. Now, you want to access some other service (let's say Facebook). So, you will visit Facebook's official sign-in page. It will prompt you to use your username and password. It will also show you to log in via Gmail, Microsoft, or Apple account. So, you can choose Gmail (since you have already logged into your account). It will directly take the SSO token and verify it to give access to your account.

What is an SSO token?

During the SSO authentication process, the sign-on technique uses the SSO token that collects and transmits information passed from one service to another during the SSO process. Such information can be the users' email IDs or token IDs.

SSO tokens are digitally signed. Any service accepting the token verifies whether the SSO token is from a trusted source.

Is SSO secure?

There is no straight answer, as it depends on various factors. From a perspective, SSO is secure because users do not have to type the password repeatedly. It protects the users' credentials from shoulder surfing, keyloggers, and other malware attacks.

However, SSO is prone to session hijacking, credential stuffing, and misconfiguration or vulnerable applications. However, our team recommends upgrading to multi-factor authentication (MFA) to help guarantee the highest level of password-related cybersecurity for your organization.

Conclusion 

SSO can be a secure way of authenticating users. It's recommended that organizations, if they choose to use SSO, combine it with activity logs, permission control, and access control to deliver more robust security.

Looking to implement SSO? Contact our ethical hackers here at Packetlabs for in-depth tips and personalized advice.