Single Sign-On (SSO) Security

By Greg Keller Posted April 22, 2016

Single sign-on (SSO) solutions are excellent at getting end users to the IT resources they need, but they also concentrate risk. The concept took shape as networks spread through the workplace and users had to reach a growing number of resources, each typically with its own login, which made day-to-day work tedious and pushed users toward weak or reused passwords. Over time, technologists built solutions that let one set of credentials log a user in to every IT resource, simplifying the user experience. The trade-off is obvious: a single set of credentials that unlocks the entire network of systems and applications is also a single point of failure. If a user's credentials are compromised, every IT resource that trusts those credentials is compromised as well. Securing the SSO layer itself therefore became paramount, because it had to deliver the convenience without widening the blast radius of one stolen password.

The Way it Was for Single Sign-On

Over a decade ago, the end user's experience was already very close to true SSO. A user logged in to their computer, and that login was in effect a domain login: the credentials were verified against Microsoft Active Directory (AD), and once the domain controller had authenticated the user, the Kerberos tickets it issued granted access to anything on the network for which the user had been given permission, with no separate login per resource. Because everything sat behind the firewall and was Windows-based, it was comparatively easy for IT admins to manage and secure. If a user left the company or their credentials were believed to be compromised, the account was disabled in AD or the password was reset. One caveat that still applies today: disabling the account does not revoke Kerberos tickets already issued, so cutting off access immediately also means terminating the user's active sessions. Access to those resources was also predicated on being inside the network, and often physically inside the organization's offices, which added another layer of protection.

Enter The Cloud

Fast forward to the cloud era and the picture is very different. Today's IT network looks little like the one most organizations ran a decade ago. In many offices the only equipment left on-premises is the WiFi access points and the end-user devices; servers and applications have moved to the cloud. Corporate data centers are no longer the norm as Infrastructure-as-a-Service providers such as AWS and Google Compute Engine become the dominant choice, and web applications are the new standard, with nearly every function in an organization supported by cloud-based SaaS platforms.

Making the Move to the Cloud

This modern network requires a very different kind of single sign-on solution. Legacy on-premises directory services such as Microsoft AD and OpenLDAP were not designed to connect users to the full range of IT resources they now need: Mac and Linux devices alongside Windows, LDAP- and SAML-based applications, RADIUS-authenticated WiFi networks, and Google Apps, among others. A new generation of cloud-based Identity-as-a-Service platforms has therefore become a requirement for nearly every IT organization. This modern approach to SSO is called Directory-as-a-Service® and is multi-platform, multi-protocol, and location independent.

If you would like to learn more about how a cloud-based identity management solution can improve your SSO security, drop us a note. We'd be happy to walk you through it. Or, feel free to try out our cloud-based directory for yourself. Your first 10 users are free forever.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.
