
SSO: What is Single Sign On? Universal SSO Service for Enterprises


Contents

What SSO Means and How it Works

Single Sign-On Disadvantages and Advantages

Single Sign-On Examples

Universal SSO Service by Hideez

Example of configuring ASA AnyConnect VPN to Hideez Enterprise Server through SAML

Configure HES as an IdP

Configure ASA for SAML via CLI

Add the Service Provider to HES

Final Verification

Common Issues

Troubleshooting

When navigating an app or a website, you’ve probably seen the option to log in with Facebook or Google. And next thing you know, you are magically signed into the third-party website without even making an account. 

It’s not magic, it’s single sign-on technology, or SSO. What is it, how does it work, and why do so many modern organizations use it for security reasons? 

What SSO Means and How It Works

Single Sign-On is a user authentication process that lets users access multiple applications with one set of login credentials, like a username and password. This means that once a user is logged in, they don’t have to log in repeatedly for every application linked to this system. 

Actually, single sign-on is a federated identity management arrangement between three entities: 

  • Users. Individual people who need to access different services. They should be able to manage personal information such as their login or password, and they should be uniquely identifiable.
  • Service providers (SP). Traditionally, these are the websites and applications that users want to access, but they can include all sorts of products and services such as WiFi access, your phone, or “Internet of Things” devices. 
  • Identity providers (IdP). Databases that store user identities which can then be federated to various IT resources. They can also store many instantiations of a user identity, containing information such as usernames, passwords, SSH keys, biometric information, and other attributes. One of the most popular identity providers nowadays is Microsoft Active Directory, which was designed to manage Windows usernames and passwords and connect them to on-premise Windows-based IT resources.

In order for SSO to work, most applications rely on open standard protocols to define how service providers and identity providers can exchange identity and authentication information with one another. The most common protocols are SAML, OAuth, and OpenID Connect (OIDC) which securely allow one service to access data from another. 

Today, more and more companies are realizing that remote work from home means more users have to log in to their accounts over the internet to access important information, and that this opens a whole new realm of potential attack vectors. Criminals already know this and are taking advantage of it. So more and more companies are starting to address those new threats by implementing SSO solutions.

Single Sign On Disadvantages and Advantages

The main advantage of SSO is the great user experience and convenience it brings to users. They have fewer passwords to remember, the sign-in process is streamlined, and the chances of phishing are reduced. 

SSO is especially great for businesses running remotely due to COVID-19 because single sign-on services provide the most secure and user-friendly authentication for remote logins. Using SSO can also be part of an integrated access management system for faster provisioning and de-provisioning of users. 

On the other hand, SSO presents risks because it creates a single point of failure that can be exploited by attackers to gain access to other apps. Additionally, like many IT tools, SSO requires implementation and configuration that can get quite expensive. 

Many SSO vendors charge individually by feature, so the fees add up quickly and can become a heavy burden on the budget of small or medium-sized businesses.

Even so, we believe that the convenience of SSO is worth all the shortcomings it brings. 

Single Sign-On Examples

A typical example of single sign-on is Google. Any user who is logged in to one of the Google services is automatically logged in to the others, such as Gmail, Google Drive, YouTube, Google Analytics, and so on. 

Single sign-on usually makes use of a central service that orchestrates the single sign-on between multiple clients, which in the case of Google is Google accounts.

Moving on to enterprise security, nowadays, there are a lot of single sign-on products and services for business. These are typically password managers with client and server components that log the user into target applications by replaying user credentials.  

Hideez Authentication Service is one example of a secure SSO solution. One of the unique benefits of Hideez SSO is that it allows combining basic authentication methods (username/password + one-time password) with fully passwordless logins (FIDO2 tokens or a mobile application).

So, how does the Hideez Single Sign-On work? 

Step 1. The user accesses any Service Provider, i.e., an application supporting the SAML or OpenID Connect protocol;

Step 2. The Service Provider sends a SAML/OIDC request to the Hideez Server, and the user is automatically redirected to the Hideez Server;

Step 3. The user is prompted to fill in login details or select one of the available authentication methods: a hardware security key (YubiKey, the multifunctional Hideez Key, or any other physical security token), or the Hideez Authenticator mobile application;

Step 4. The Hideez Server sends the authentication result to the Service Provider and redirects the user back to the initial application;

Step 5. The user is authenticated, probably without noticing anything except a few redirects in the URL bar of the browser. 
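The five-step round trip above, together with the SP and IdP roles introduced earlier, as an added Python illustration that is not Hideez code: the XML signature a real SAML IdP applies is replaced by an HMAC over a JSON assertion so the example runs offline, and every name, URL, key and user below is constructed for the demo. The point it adds is the set of checks the Service Provider must perform in Step 5 before it trusts the result.

```python
# Added illustration, not Hideez's implementation: SP-initiated SSO modelled on
# the five steps above. Real SAML signs XML with the IdP's private key; here an
# HMAC over a JSON body stands in, so the SP verifies with a shared demo key.
# All names, URLs and secrets below are constructed for the example.
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = secrets.token_bytes(32)                  # demo stand-in for the IdP signing key
SP_ENTITY_ID = "https://app.example.test"          # constructed SP entity id (audience)
IDP_SSO_URL = "https://hes.example.test/saml/sso"  # constructed IdP SSO endpoint


def sp_build_authn_request():
    """Step 2: the SP mints a request id to remember and redirects the browser."""
    req_id = "_" + secrets.token_hex(8)
    # A real AuthnRequest is deflated + base64 XML; the id is shown in clear here.
    return req_id, f"{IDP_SSO_URL}?SAMLRequest=AuthnRequest(ID={req_id})"


def idp_issue_assertion(req_id, user, method, key=IDP_KEY, ttl=300):
    """Steps 3-4: after the user authenticates, the IdP signs an assertion."""
    body = {"subject": user, "method": method, "audience": SP_ENTITY_ID,
            "in_response_to": req_id, "not_on_or_after": time.time() + ttl}
    raw = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return raw, sig


def sp_consume_assertion(raw, sig, pending_ids, key=IDP_KEY, now=None):
    """Step 5: log the user in only if every check passes; (subject, 'ok') or (None, why)."""
    now = time.time() if now is None else now
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"          # tampered or forged assertion
    body = json.loads(raw)
    if body["audience"] != SP_ENTITY_ID:
        return None, "wrong audience"         # assertion minted for another SP
    if body["in_response_to"] not in pending_ids:
        return None, "unsolicited or replayed response"
    if now >= body["not_on_or_after"]:
        return None, "assertion expired"
    pending_ids.discard(body["in_response_to"])  # each request id is consumed once
    return body["subject"], "ok"
```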

Universal SSO Service by Hideez

Hideez Single Sign-On Service is a SAML Identity Provider (IdP) that adds SSO to Windows Active Directory using SAML 2.0 federation. Admins can configure single sign-on to any web or mobile application that supports OpenID Connect or SAML standards. And on top of that, we make SSO fully passwordless! 

Unlike SSO with traditional password-based logins, Hideez SSO can eliminate passwords and replace them with a FIDO2/Mobile App passwordless experience where possible. Even if some of your applications do not support the SAML or OIDC standards and cannot be made fully passwordless, you can use the Hideez Key as a hardware password manager and automatically fill in login credentials at the push of a button. 

You can choose whichever authentication factor is most convenient for your employees:

  • Smartphones. Hideez Authenticator is an SSO app for Android and iOS devices. It turns users’ smartphones into passwordless hardware tokens that replace their usernames and passwords with a secure logon based on one-time QR codes, using biometric verification or PIN verification on the end user's smartphone.
  • Hardware security keys. Hideez Key tokens are multifunctional Bluetooth/NFC/USB devices protected by a PIN. You can use them to log in to services without passwords based on the FIDO2 standard, store credentials for password-based logins, generate one-time passwords for 2FA, and even lock or unlock Windows computers based on device proximity.

Hideez Enterprise Server integrates with Microsoft Active Directory, Azure Active Directory, and LDAP identity systems to simplify onboarding and user management. Your employees can use one SSO application to access everything, making Hideez SSO Service very user friendly. Not to mention you don’t have to remember login credentials or think about preventing phishing and identity theft. 

Hideez outperforms all of the current competitors in convenience and price, offering full compliance with the strongest authentication standards, such as GDPR, NIST, PSD2, PCI DSS, and HIPAA. By taking precautionary steps well in advance you can save a great deal of money and time in the long run. 

Schedule a demo or get started with the Hideez SSO to discover the future of passwordless security!