The web application single sign-on (SSO) space is a well-known and popular part of the overall identity and access management (IAM) industry. With many vendors, new and old, flooding the scene, IT admins have a lot to consider regarding SSO. Not only are there a wide variety of SSO provider choices out there, but there are also a handful of SSO benefits and drawbacks that need to be weighed.
While some organizations are evaluating web application single sign-on focused tools like Okta vs. OneLogin, others are looking at SSO more holistically, analyzing the overall benefits and risks of SSO and then comparing them to a more comprehensive IAM solution. As such, we’ve curated a list detailing some SSO pros and cons to help make the decision easier.
What is SSO?
Before we dive right into the pros and cons, though, let’s discuss SSO at a high level. Web application single sign-on, which can also be classified under the umbrella of first generation Identity-as-a-Service (IDaaS) by industry analysts, generally uses the SAML (Security Assertion Markup Language) protocol to verify access to service providers (web applications) via a core identity provider (directory service). These service providers are most often applications delivered “as-a-Service” from the web.
In short, the traditional single sign-on model allows users to connect to all of their web apps with one set of credentials. However, there are other modern, integrated, and more expansive single sign-on and IAM solutions out there now. If you’d like to learn more about the modern version of SSO that connects users to far more than web apps, check out: What is True Single Sign-On (SSO)?
Otherwise, the pros and cons discussed in this article are related to web application SSO specifically, as the modern version of SSO (True SSO™) comes with its own list of benefits and risks.
The Pros of SSO
Web application single sign-on is primarily used in organizations to efficiently connect users to their web apps, which takes a load off of both IT and end users, and there are many reasons why this happens. Check out all of the benefits that your organization can reap from using SSO:
1. Simplified password management
A core benefit of web app SSO is that it eliminates much of the tedium of managing user passwords. In fact, with most web app SSO solutions, end users don’t even use passwords to login to applications. Ultimately, with SSO, IT admins only need to make sure their users are being managed at the identity provider (IdP) level with their core directory service. That core identity is what the SSO solution verifies and then attests to third-party web apps.
2. Increased admin control
With SSO, IT admins can have better visibility as to what apps their end users have access to, meaning fewer chances for Shadow IT and other potential risk factors flying under the radar. On top of that, admins can remove user access to certain apps when necessary, reducing existing attack vectors. An important enhancement made to SSO solutions over the years is user lifecycle management, where modern SSO tools can automatically provision and deprovision users through protocols such as SCIM and SAML JIT.
3. Efficient critical sign-in processes
The average individual spends 48 minutes a month entering and resetting passwords. While this may seem insignificant, when password entry stands in the way of split-second action, as needed in fields such as healthcare or law enforcement, these minutes count. Whereas when SSO is in place, users get instant access to the apps they need to handle whatever situation they’re in. To put it in a different context, if your organization is not part of a field like this, consider the fact that the estimated cost of loss in productivity averages about $5.2 million annually.
4. Improved security
SSO eliminates the need for multiple passwords, meaning fewer attack vectors as a whole for bad actors. This means less risk for your affiliates (partners and customers) as well as your organization, especially when multi-factor authentication (MFA) is layered on top of SSO. Plus, admins can easily view and change access levels which keeps your organization secure from disgruntled ex-employees. Plus, many sophisticated SSO tools include capabilities such as push MFA and conditional access, which can provide step-up authentication techniques, adding a deeper layer of security.
5. Reduced password fatigue
Password fatigue can drive even the most vigilant employee toward complacency. Password fatigue occurs when individuals are forced to create too many new credentials over time which leads them down paths like writing passwords down and reusing old ones just so it becomes a little easier to remember them. Eliminating password-based sign-in processes with SSO tackles the heart of password fatigue by distilling credential verification to the SAML protocol and process. SSO password managers can also help reduce password fatigue.
6. Fewer help desk requests
The average password request costs $70 in help desk labor costs. Since SSO greatly simplifies password management, it takes much of the burden off IT help desks, saving significant amounts of time and money.
The Cons of SSO
Though web application SSO has its benefits, there are some trade-offs and risks that are inherent in these tools. The cons of web app SSO include:
1. Costly/best at scale
Simply put, SSO can get expensive, fast. For smaller companies, SSO can provide great benefits, but it can also become a heavy burden on the budget. Many SSO vendors charge individually by feature and most of the core features are add-on charges, so the fees add up quickly.
2. Requires an IdP
The backbone of any SSO solution is an organization’s IdP/directory service. SSO solutions are typically layered on top of a directory, forcing organizations to pay for separate solutions to achieve the end they want. Of course, like SSO, this can become costly for organizations, both in overhead required for setup and implementation, as well as the recurring costs to continue using it.
3. Mainly limited to web apps
IAM is a massive field, spanning much of the responsibilities of IT. Managing access to web apps with SSO is only a small portion of IAM, meaning IT admins need to employ a whole host of solutions alongside web app SSO to create a complete IAM solution. Users still need to access their devices (Mac, Windows, Linux), server infrastructure, VPNs, WiFi networks, file servers, on-prem applications, and much more. Web application SSO doesn’t help with those IT resources.
4. Requires extra-strong passwords
While end users only need to remember a single password for SSO, it is best if that password is long, complex, and well-protected. Although this is generally a boon for identity security as a whole, it also opens up the possibility of a user forgetting or compromising this password, nullifying the benefits of SSO.
5. If an SSO provider is hacked, all connected resources are open to attacks
Since SSO is linked to many critical resources, if an SSO provider is targeted by an attack, entire user bases will be compromised. If an end user’s SSO portal is compromised, then their access to those applications is also at risk if MFA isn’t being utilized.
6. SSO requires implementation and configuration
Like many IT tools, SSO is rarely “plug-and-play,” meaning IT admins have to put in the required time and effort to integrate and tailor their SSO service to their organization. Not only do the applications need to be configured, but with a third party IdP in use, that integration can be complex and challenging.
7. Multi-use computers present a problem
In an instance where there is a shared computer (i.e., conference rooms), the use of an SSO solution can open unnecessary attack vectors in the case that a user forgets to log out.
How to Deal with the Cons of SSO
It’s apparent that web app SSO solutions bring important benefits along with some undeniable drawbacks to organizations. This is primarily because web app SSO tools are point solutions, meant to be layered on top of an existing directory to solve a connection issue between users and their web apps. Due to this fundamental reason for their creation, the cons of web app SSO tools tend to outweigh the pros, primarily in small-to-medium sized enterprises. This is especially true in today’s modern IT environment, where users need to seamlessly connect to a wide variety of IT resources.
A better solution for your organization’s SSO and IAM needs may be an overarching cloud-based directory platform. The JumpCloud Directory Platform is one such solution.
Why is this a potential solution? This holistic IAM platform contains built-in True Single Sign-On™ capabilities, which allow users to sign in to virtually all of their IT resources (not just web apps) using one set of credentials. This modern SSO solution paired with integrated MFA capabilities, sets your organization up for success by securing user identities and access while facilitating productivity.
With JumpCloud, IT admins can avoid most of the work and costs associated with implementing web app SSO on top of a separate directory service while still reaping all the benefits, plus much more. The platform also includes features such as PAM, MDM, IGA, streamlined user lifecycle management, and more, to ensure that every identity and access management need your organization has is met.
Try JumpCloud’s SSO Solution Free
Test out JumpCloud’s modern, simplified IAM solution with True SSO, and see if it’s right for your organization! Start a trial of JumpCloud today.