Does SSO Equal Good Security?

By Greg Keller Posted December 12, 2016

Identity compromises are a major issue for IT organizations. More breaches have been caused by compromised credentials recently than ever before. This spate of breaches has many IT organizations thinking hard about how to protect their users.

One common tool that many IT organizations are leveraging is web application single sign-on. So, the question for IT admins becomes, does SSO equal good security?

Sending Out an SSO

sso-security

In many cases, an SSO solution can be considered a security solution. However, it isn’t a black-and-white issue.

For web applications that leverage SAML as the authentication protocol, there is a good chance that their security has been stepped up. In general, SAML integration works on assertion rather than a username and password concept. That assertion is being made by the identity provider to the service provider (in this case the web application). The identity provider is ensuring that the user is who they say they are, so the service provider ends up relying on that. The stronger that an identity provider can make the authentication process, the better it is. For example, adding multi-factor authentication steps up the authentication process.

While this is true for web applications that leverage SAML, many more actually still use passwords. Those passwords end up being stored in a vault with the SSO provider. The passwords are stored either on the person’s machine or in the cloud. When the user decides to log into the site, the SSO solution enters the password for the user. While this is convenient for the end user, it doesn’t really solve the problem of making everything more secure.

JumpCloud® Answers The Call

true single sign-on SSO

A new concept in the Identity-as-a-Service world is starting to emerge. Called Directory-as-a-Service®, the solution is delivering on the promise of a True Single Sign-On solution. As a central, authoritative directory service, the goal is to let IT control user management to applications, systems, and networks. The core identity provider leverages a wide variety of protocols, including SAML, LDAP, SSH, RADIUS, and REST. In addition, the platform never stores a password that can be reverse engineered. Credentials are stored as a one-way hash and all communication is over mutual TLS. For enhanced security, multi-factor authentication can be implemented on Mac and Linux systems and on the user console, which enables access to applications.

The concept of True Single Sign-On also is complemented by the ability to log authentication events. These events can help detect compromises across the infrastructure.

True SSO Does Equate to Good Security

If you would like to learn more about how an SSO solution can increase your security, drop us a note. Or please try our Directory-as-a-Service platform yourself. Your first 10 users are free forever.

Greg Keller

Greg is JumpCloud's Chief Product Officer, overseeing the product management team, product vision and go-to-market execution for the company's Directory-as-a-Service offering. The SaaS-based platform re-imagines Active Directory and LDAP for the cloud era, securely connecting and managing employees, their devices and IT applications.

Recent Posts