How does single sign-on work? SSO made easy

Stefan Seufert, CTO / Member of the Executive Board, EIKONA AG

Sign in once, launch all the programs you need – what could be simpler? The solution: a single sign-on (SSO) that saves time while enhancing security.


After all, if you only have to remember one password instead of a long list of them, you are more likely to use a strong password that is difficult to crack. A single sign-on provides many benefits, including:

  • Single sign-on to access different applications saves time.
  • The quality of the account data improves.
  • Authorisation services use secure verification procedures.
  • Acceptance of the authentication process increases.
  • The user experience improves for employees.
  • Reduction in the number of logins and credentials improves security.

In addition to dramatically streamlining internal processes, single sign-on makes customer service login processes simple and convenient because authorisation services can also control customer system access.


Open authorisation

One standard opens all the doors

Single sign-on is enabled by an open API standard for the secure authorisation of desktop, web and mobile apps. It uses the OAuth 2.0 protocol, which defines binding rules for login processes. The most important achievement of this approach is the separation of authorisation from the underlying authentication: users receive permission to use an application without having to provide proof of their identity and credentials to that application itself. The second necessary element of a single sign-on solution is the OpenID Connect authentication layer. It allows different applications to run a token-based query of the user's identity and to share information from the user's profile with the connected client (the application), so that both sides can use it. It supports session management and contains functions for encrypting identity data and locating OpenID providers.


Secure and convenient

Big-name companies use OpenID

Organisations using OpenID for single sign-on login processes include technology giants Amazon, Google, IBM, Microsoft and SAP. Deutsche Telekom also uses the process in Germany. It is tempting to trust this method based solely on the global reputation that these large companies have established. However, the method itself provides plenty of reasons to trust it: no service shares its passwords with other services during authorisation. OpenID only transmits a token-based notification that users were able to authenticate themselves for a particular login. No data about the user is transferred for the authorisation – a secure and convenient procedure.
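To make the "token-based notification" from the two passages above concrete, here is an added example (not code from the original article or from EIKONA) of the checks a relying party performs on the ID token that OpenID Connect returns before it accepts the login. The issuer, client ID, shared secret and nonce are constructed values, and HS256 with a client secret is assumed so that the snippet runs without a provider key pair; with a public provider the signature step would use the provider's published RSA/EC keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (assumed, not from the article).
ISSUER = "https://idp.example.test"           # the OpenID provider we trust
CLIENT_ID = "customer-portal"                 # client_id of our application
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 key shared with the provider


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(sub, nonce, exp, iss=ISSUER, aud=CLIENT_ID, key=CLIENT_SECRET):
    """Mint a signed ID token the way the provider would (test fixture only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": iss, "sub": sub, "aud": aud, "exp": exp,
                                 "iat": exp - 300, "nonce": nonce}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_id_token(token, expected_nonce, now=None, key=CLIENT_SECRET):
    """Validate signature, issuer, audience, expiry and nonce; return the claims."""
    now = time.time() if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # covers bad base64, bad JSON and a wrong segment count
        raise ValueError("malformed token")
    # Pin the algorithm: the verifier chooses it, never the token's own header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # ties the token to our login request
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```

Only the provider's signed statement that the user authenticated reaches the application; no password crosses the boundary, which is the property the article credits OpenID with.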

There is another standard, too: SAML (Security Assertion Markup Language). It is older than both the OpenID and OAuth 2 systems. With SAML, users are authenticated and authorised using an encrypted session cookie with an expiration date.

Firmly established

Use well-known platforms

When using single sign-on for authorisations in day-to-day operations, it is best to employ platforms whose services are already being used at your organisation. For example, users of Microsoft operating systems or Office programs can use their login data for single sign-on purposes. Google and Amazon, established leaders in the search and payment markets, are used quite frequently in Germany. These companies' enormous reach in the German IT market makes it likely that users who are not employees at your company will have an account on these platforms. Service providers, for example, can provide access to their customer service portals to customers using Amazon, Google or Microsoft accounts. This eliminates the need to manage separate user accounts. Conclusion: single sign-on is a solution that benefits everyone – not just in your organisation's application environment but also in customer service.


Stefan Seufert
CTO

As a design guru, the software developer delves into logistics service providers' requirements like no other. He is passionate about exchanging information securely and efficiently and thus speeding up the physical logistics process.

