Single sign-on (SSO) is one of several authentication technologies aimed at streamlining login processes and keeping login information secure. With SSO, a single login is enough for a group of related sites and applications.
It is often implemented along with multi-factor authentication (MFA), wherein more than one factor of authentication is needed to authenticate the user. In addition to a password, the user needs a PIN, a physical token or key, a code sent to a smartphone, or some kind of biometric input. Thus, if the SSO credentials are compromised, MFA operates as an extra layer of security.
What is Single Sign-On?
Single sign-on is a capability that allows an end-user to log in once and get access to all the resources they need. It eliminates the need for users to enter usernames and passwords for individual applications and systems. Instead, they simply sign in once and the solution communicates the appropriate credentials to the separate applications and systems.
Single sign-on can be part of a password management tool if the tool acts as a central trust broker for a system or organization, as opposed to simply “vaulting,” or storing, multiple passwords.
Some SSO solutions run on-premises, while others run in the cloud, and some provide multiple deployment options. But the cloud is increasingly becoming the preferred option for SSO. Most vendors offer at least a software-as-a-service (SaaS) option on top of on-premises software offerings. And more than a few are now favoring SaaS-only SSO.
According to Gartner, SaaS is by far the largest growth area of SSO and has become the dominant model. Thus, vendors hoping to perform well will need to provide cloud-based SSO services.
How does Single Sign-On work?
SSO can be achieved in various ways, but the most common approach is federation: the user logs in to an identity provider (IDP) service. The IDP then issues a token, assertion, or ticket that the application accepts as proof of identity, so the user gains access without being asked to re-authenticate. Kerberos, Security Assertion Markup Language (SAML), OAuth, and OpenID Connect (OIDC) are some of the common federation technologies.
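The token hand-off described above, as an added example that is not code from the original article or from any vendor it covers: an IDP issues a minimal OIDC-style ID token (a JWT) after login, and the relying application applies the checks a defender expects before trusting it (signature, issuer, audience, nonce, expiry). The HS256 shared secret, issuer URL, and claim values are constructed for the demo; real IDPs sign with asymmetric keys (e.g. RS256) published via JWKS, which this example deliberately simplifies.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this demo only. A production IDP signs ID tokens
# with a private key and publishes the public key via JWKS (assumption simplified here).
SHARED_SECRET = b"demo-shared-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(issuer, subject, audience, nonce, now, lifetime=300):
    """IDP side: emit a signed ID token once the user has authenticated."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "nonce": nonce,
              "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, expected_issuer, expected_audience, expected_nonce, now):
    """Relying-party side: accept the token only if every check passes.

    Returns (claims, "ok") on success, or (None, reason) describing the first failed check.
    """
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None, "malformed token"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "alg" from the token
        return None, "unexpected alg"
    expected_sig = hmac.new(SHARED_SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != expected_issuer:
        return None, "wrong issuer"
    if claims.get("aud") != expected_audience:  # a token for app A must not open app B
        return None, "token issued for another application"
    if claims.get("nonce") != expected_nonce:  # ties the token to this login attempt
        return None, "nonce mismatch (possible replay)"
    if now >= claims.get("exp", 0):
        return None, "token expired"
    return claims, "ok"
```

The audience and nonce checks are the ones most often skipped in home-grown relying parties; both are required by the OIDC Core specification.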
SSO can either be sold as a standalone product or as part of an identity and access management (IAM) or security suite. Single sign-on is often bundled with access control, centralized authentication, session management, authorization enforcement, multi-factor authentication, and other functions.
Increasingly, authentication systems apply principles of zero trust – allowing users access only to those resources and privilege levels they need. Passwordless authentication methods are also growing in importance, given the security limitations of passwords.
Gartner sees access management eventually becoming about decentralized identity. Instead of a user-focused system of identity and verification, an “identity trust fabric” will provide a layer of security between users and applications – a concept not that far removed from SSO. That evolution will take time, however.
Key Single Sign-On Features
At its core, SSO is really about providing users good digital access experiences across applications. Ease of use, then, is a key ingredient along with speed of deployment.
At a bare minimum, SSO must offer a standards-based way to support various provisioning use cases and easily connect to applications. Further features include out-of-the-box flows, passwordless support, and support for a variety of user stores and applications (both on-premises and SaaS).
Increasingly, users are demanding that SSO tools be SaaS-delivered and drag-and-drop intuitive. SSO solutions should also provide authentication capabilities such as FIDO, OTP, and push authentication. And an SSO solution should be able to provide seamless experiences that let new users register easily, track their consent, and give them self-service capabilities such as integrated password reset or profile and consent management.
“It’s no longer sufficient to simply enable all standards-based applications to be a viable SSO solution,” said Matthew Berzinski, senior director of product management at ForgeRock. “Supporting OAuth, OIDC, and SAML is table stakes.
“As legacy customers go through digital transformations, they need to be able to enable SSO for legacy applications with token exchange and form fill.”
Top Single Sign-On Providers & Solutions
ForgeRock Identity Platform
The AI-powered ForgeRock Identity Platform includes full-suite identity and access management (IAM) and identity governance and administration (IGA) capabilities. It can be implemented across an organization for all identities (workforce, consumers, and more), and it offers feature parity across all delivery options, including on-premises, any cloud environment, multi-cloud, hybrid, and as-a-service.
- Contextual and adaptive authentication, including usernameless and passwordless
- Data isolation technology gives full control of services
- Granular data residency with regional availability to make compliance easier
- Dedicated services within a multi-tenant cloud service to ensure maximum performance
- Enterprise-wide risk visibility with AI-driven access reviews and approvals
- Intelligent access trees allow the infusion of context and choice into every step of the user journey
- Cloud tenant isolation provides the assurance that regulated organizations, such as those in the financial sector, need
- SSO, strong authentication, and directory are part of a full set of identity management and governance solutions
- Business organization model that enables partners and business units to set up separate entities with their own delegated administration capabilities
Ping Identity PingOne
PingOne Cloud’s SSO capabilities are a core part of the platform. Since SSO is critical to both internal and external identity use cases, Ping Identity includes SSO capabilities with the PingOne for Customers and PingOne for Workforce solution packages. Ping Identity’s SSO solutions support a variety of standards and out-of-the-box integrations, and they connect to many types of applications no matter where they are hosted.
- Seamless access to SaaS, mobile, cloud, and enterprise apps with one set of credentials
- Cloud or on-premises deployment options
- Adds risk and fraud signals as well as SSO capabilities
- Serves more than half of the Fortune 100
- Can incorporate non-standards-based apps, apps spread across multiple clouds, and on-premises environments
- Orchestration capabilities make it easy to choose Ping Identity’s service or other identity services and manage from a single drag-and-drop interface
Okta
Okta is an SSO provider with a network of pre-built integrations that help organizations securely adopt and deploy SSO to cloud apps in weeks. Okta’s cloud-based single sign-on service connects everything from cloud to ground, giving one place to view, manage, and secure all user access, whether the users are internal employees or external partners.
- 7,000+ pre-built integrations
- Connections to all apps—on-premises and the cloud
- 1,400+ SAML and OpenID Connect integrations
- Password vaulting, RADIUS, and LDAP support
- Connections to third-party legacy SSO solutions
- One central control point
- Connect to and sync from any number of identity stores including AD, HR systems, and other third-party identity providers
- Consistent security policies that adapt to user behavior
- Built-in security tools, such as Okta Insights, to automatically identify and block malicious login attempts
Microsoft Azure AD
Microsoft Azure AD provides a frictionless user experience for single sign-on and simplified app deployment with a centralized user portal. It can enforce strong risk-based access policies with identity protection and conditional access.
- Automated provisioning workflows and self-service tools to help reduce IT costs
- Relieves users of having to memorize credentials for different apps, which leads to reuse of weak passwords and increases the risk of a data breach
- Access all apps from any location, on any device, from a centralized and branded portal
- Automated user provisioning and de-provisioning
- Measure the user, location, and device risk to determine whether access should be allowed, verified, limited, or blocked
- Self-service password reset
- Choose from thousands of pre-integrated applications, including Workday, ServiceNow, SuccessFactors, Adobe, Concur, and Workplace by Facebook
OneLogin
OneLogin’s policy-driven password security, multi-factor authentication, and context-aware access management ensure that only authorized users get access to sensitive data. OneLogin helps organizations implement more demanding password policies, such as required length, complexity, and restrictions on password reuse, as well as session timeout and self-service password reset policies, to heighten protection without impeding users.
- OneLogin Desktop leverages the secure profiles of laptop and desktop computers enrolled with the OneLogin Cloud Directory
- Once users have logged in, they can directly access all their apps via the OneLogin SSO portal
- Create any number of logins to the same type of application
- Allows users to log in to OneLogin using their social identity provider credentials from services such as Facebook, Google+, LinkedIn, and Twitter
- Users can add their own personal apps like LinkedIn, Twitter, and travel booking sites
- Enforce least privilege access by delegating admin rights at a granular level
- Programmatically assign privileges based on role and alleviate the burden on IT for access requests
IBM Security Access Manager
IBM Security Access Manager is an authentication and authorization solution for corporate web, client/server, and existing applications. It controls user access to protected information and resources. By providing a centralized, flexible, and scalable access control solution, Security Access Manager builds secure and easy-to-manage network-based applications and infrastructure.
- Supports authentication, authorization, data security, and resource management
- Uses a wide range of built-in authenticators and supports external authenticators
- The authorization service, accessed through an API, provides permit and deny decisions on access requests for native Security Access Manager servers and other applications
- Existing applications can take advantage of the Security Access Manager authorization service and provide a common security policy for the entire enterprise
- Controls user and group participation in the domain and applies rules to resources that determine the security policy for a domain. These rules are defined by access control lists (ACLs), protected object policies (POPs), and authorization rules
Micro Focus
Micro Focus makes it easy for users to access all enterprise applications while increasing security at the same time. Users sign on to their desktop and have access to all applications requiring a password. In the web variant, also known as web access management (WAM), users sign on once and have access to all their web-based applications, regardless of where those applications are hosted—in the enterprise or in the cloud.
- Users can reset their password as needed through a self-service portal, providing immediate access
- Administrators maintain full control of password policy and challenge questions
- Delivers an SSO experience to users who consume SaaS applications
- Pre-integrations for hundreds of cloud-hosted services
- Enforce strong credential policies to reduce potential breaches as a result of poor password practices
CyberArk
CyberArk makes it possible to create users and groups, federate identities from on-premises and cloud-based directories, or use any combination of directories to meet specific requirements. It enables one-click, secure access to business and personal apps—without the need for custom scripting or configurations.
- Machine learning analyzes user activity, assigns risk, and executes policies
- Users gain quick, reliable access whether in the office or on the go
- Works with thousands of SaaS, mobile, and custom apps
- Gives users access to everything they need in one place
- Self-service password reset
- Security protocol templates for custom apps