By Greg Keller Posted December 12, 2016
Identity compromises are a major issue for IT organizations. Compromised credentials now account for more breaches than ever before, and that spate of breaches has many IT organizations thinking hard about how to protect their users.
One common tool that many IT organizations are leveraging is web application single sign-on (SSO). So the question for IT admins becomes: does SSO equal good security?
Sending Out an SSO
In many cases, an SSO solution can be considered a security solution. However, it isn’t a black-and-white issue.
For web applications that use SAML as the authentication protocol, security does tend to improve. SAML works on assertions rather than on a username and password: the identity provider authenticates the user and then hands the service provider (in this case the web application) a signed assertion stating who the user is, which audience it is meant for and how long it is valid. The service provider verifies the signature and those conditions and relies on the identity provider's decision; it never sees or stores the user's password. That also means the strength of the login is decided at the identity provider. Adding multi-factor authentication there steps up authentication for every federated application at once, with the caveat that the application only gains that protection if it actually validates the assertion it receives rather than trusting it blindly.
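To make the assertion model concrete, here is an added example (not JumpCloud's code and not taken from any real identity or service provider) of the checks a service provider performs on a SAML 2.0 bearer assertion once it has verified the XML signature. The assertion, issuer, audience and ACS URL below are all constructed; the `signature_verified` flag stands in for an XML-DSig verification that the Python standard library cannot perform, so a real service provider would obtain that result from a library such as xmlsec and pass it in.

```python
"""Service-provider-side checks on a SAML 2.0 bearer assertion (stdlib only)."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLOCK_SKEW = dt.timedelta(seconds=60)  # tolerated IdP/SP clock drift

# Constructed sample assertion (not captured from a real IdP). The Signature
# element is a placeholder; a real one carries a full XML-DSig block.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1b2c3" Version="2.0" IssueInstant="2016-12-12T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVz</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://app.example.com/saml/acs"
          NotOnOrAfter="2016-12-12T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-12-12T09:59:00Z" NotOnOrAfter="2016-12-12T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad SAML timestamp: {value!r}")


def validate_assertion(xml_text, *, trusted_issuer, expected_audience, acs_url,
                       request_id, now, signature_verified, seen_ids):
    """Return (name_id, []) if every check passes, else (None, [reasons]).

    signature_verified must come from verifying the XML signature against the
    IdP's pinned certificate with an XML-DSig library (assumed done by the
    caller). Every check below is meaningless if that step was skipped.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return None, ["root element is not saml:Assertion"]
    if root.find("ds:Signature", NS) is None or not signature_verified:
        problems.append("assertion is not signed by the trusted IdP")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != trusted_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    # A bearer assertion must be consumed at most once (replay protection).
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        problems.append("assertion ID missing or already consumed")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if "NotBefore" in cond.attrib and now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include this SP")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("assertion was addressed to a different ACS URL")
        if scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match our outstanding request")
        if "NotOnOrAfter" in scd.attrib and now - CLOCK_SKEW >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        problems.append("missing NameID")
    if problems:
        return None, problems
    seen_ids.add(assertion_id)
    return name_id, []


if __name__ == "__main__":
    seen = set()
    for _attempt in (1, 2):  # the second pass is a replay of the same assertion
        print(validate_assertion(
            SAMPLE_ASSERTION, trusted_issuer="https://idp.example.com/metadata",
            expected_audience="https://app.example.com",
            acs_url="https://app.example.com/saml/acs", request_id="_req42",
            now=parse_saml_time("2016-12-12T10:01:00Z"),
            signature_verified=True,  # assumed: XML-DSig check done by a real library
            seen_ids=seen))
```

Note what the service provider is trusting here: nothing about the user's password, only the identity provider's signed statement, bounded by issuer, audience, recipient, request correlation, validity window and one-time use. Any multi-factor step the identity provider adds happens before this assertion is ever issued.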
That holds for applications that speak SAML, but many more still use plain passwords. For those, the SSO product vaults the password, either on the user's machine or in the cloud, and fills it into the login form when the user goes to the site. The vault has to hold that password in a recoverable form in order to replay it, so the application is still authenticating with a password that can be phished, reused or stolen; the credential has simply moved to a new place. That is convenient for the end user, but it does not make the application's authentication any stronger.
JumpCloud® Answers The Call
A new concept in the Identity-as-a-Service world is starting to emerge. Called Directory-as-a-Service®, it is delivering on the promise of a True Single Sign-On™ solution. As a central, authoritative directory service, its goal is to let IT control user access to applications, systems, and networks from one place. The core identity provider speaks a wide variety of protocols, including SAML, LDAP, SSH, RADIUS, and REST. The platform never stores a password that can be reversed: credentials are stored as a one-way hash, and all communication is over mutual TLS. For additional security, multi-factor authentication can be enabled on Mac and Linux systems and on the user console that grants access to applications.
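The contrast between the password vault described above and a one-way hash is worth seeing in code. The following is an added example, not JumpCloud's implementation and not a description of how its platform stores credentials: it derives a salted, iterated PBKDF2-HMAC-SHA256 digest with the Python standard library, stores only the parameters needed to recompute it, and checks a login attempt in constant time. The record format and iteration count are choices made for this example. A vault cannot work this way, because it must be able to produce the cleartext password to type it into a form; a hash like this can only be checked, never reversed.

```python
"""One-way password storage with a salted, iterated KDF (example, stdlib only)."""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # current guidance for PBKDF2-HMAC-SHA256; raise over time
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Derive a one-way digest for storage.

    The record carries the algorithm, iteration count, random salt and digest,
    which is everything needed to re-derive the digest from a candidate
    password, and nothing from which the password itself can be recovered.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per credential: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def verify_password(password, record):
    """Return (matches, needs_rehash).

    needs_rehash is True when the password is correct but the stored record was
    produced with fewer iterations than the current policy, so the caller can
    transparently re-hash on a successful login.
    """
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported hash algorithm {algo!r}")
    iterations = int(iters)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so a mismatch does not leak where the bytes differ.
    matches = hmac.compare_digest(actual, expected)
    return matches, matches and iterations < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                              # what the directory stores
    print(verify_password("correct horse battery staple", record))   # (True, False)
    print(verify_password("wrong password", record))                 # (False, False)
    legacy = hash_password("correct horse battery staple", iterations=100_000)
    print(verify_password("correct horse battery staple", legacy))   # (True, True)
```

Because the salt is random, two users with the same password get different records, and a stolen database yields nothing that can be replayed into a login form without first being cracked offline at the full PBKDF2 cost per guess.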
True Single Sign-On is also complemented by logging of authentication events. Because logins to systems, applications, and networks pass through the same identity provider, successes and failures can be recorded in one place and reviewed for patterns such as repeated failures against an account or from a single source, which helps detect compromises across the infrastructure.
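As an added example of what such centralized events make possible (this is not JumpCloud's event format or detection logic), the script below runs three common detections over a handful of constructed authentication log lines: repeated failures against one account from one source, failures spread across many accounts from one source (password spraying), and a success that directly follows a burst of failures, which is the pattern that most often signals an actual compromise. The `key=value` line format, thresholds and window are assumptions made for this example.

```python
"""Detections over centralized authentication events (example; constructed input)."""
import datetime as dt
from collections import defaultdict, deque

# Constructed sample log lines; not from any real system. Format is assumed:
# <ISO-8601 UTC> auth result=<success|failure> user=<name> src=<ip> svc=<protocol>
LOG_LINES = """\
2016-12-12T10:00:01Z auth result=success user=frank src=192.0.2.10 svc=sso
2016-12-12T10:00:05Z auth result=failure user=alice src=203.0.113.5 svc=ldap
2016-12-12T10:00:09Z auth result=failure user=alice src=203.0.113.5 svc=ldap
2016-12-12T10:00:14Z auth result=failure user=alice src=203.0.113.5 svc=ldap
2016-12-12T10:00:20Z auth result=failure user=alice src=203.0.113.5 svc=ldap
2016-12-12T10:00:27Z auth result=failure user=alice src=203.0.113.5 svc=ldap
2016-12-12T10:00:40Z auth result=success user=alice src=203.0.113.5 svc=ldap
2016-12-12T10:01:00Z auth result=failure user=bob src=198.51.100.7 svc=sso
2016-12-12T10:01:02Z auth result=failure user=carol src=198.51.100.7 svc=sso
2016-12-12T10:01:04Z auth result=failure user=dave src=198.51.100.7 svc=sso
2016-12-12T10:01:06Z auth result=failure user=erin src=198.51.100.7 svc=sso
2016-12-12T10:03:00Z auth result=failure user=frank src=192.0.2.10 svc=sso
2016-12-12T10:03:10Z auth result=success user=frank src=192.0.2.10 svc=sso
"""

WINDOW = dt.timedelta(minutes=5)
BRUTE_THRESHOLD = 5          # failures for one account from one source
SPRAY_THRESHOLD = 4          # distinct accounts failed from one source
SUCCESS_AFTER_FAILS = 3      # failures preceding a success that merit a look


def parse_line(line):
    """Split one log line into a dict of fields plus a timezone-aware 'ts'."""
    ts, _tag, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    fields["raw_ts"] = ts
    return fields


def detect(lines, window=WINDOW):
    """Return a list of alert dicts, in the order the triggering events arrive."""
    alerts = []
    fails = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    spray = defaultdict(dict)    # src -> {user: timestamp of last failure}
    fired = set()                # (rule, key) already alerted, to avoid re-firing
    for raw in lines:
        ev = parse_line(raw)
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        recent = fails[(src, user)]
        while recent and ts - recent[0] > window:   # slide the window
            recent.popleft()
        if ev["result"] == "failure":
            recent.append(ts)
            if len(recent) >= BRUTE_THRESHOLD and ("brute_force", (src, user)) not in fired:
                fired.add(("brute_force", (src, user)))
                alerts.append({"rule": "brute_force", "src": src, "user": user,
                               "count": len(recent), "at": ev["raw_ts"]})
            users = spray[src]
            users[user] = ts
            for stale in [u for u, t in users.items() if ts - t > window]:
                del users[stale]
            if len(users) >= SPRAY_THRESHOLD and ("password_spray", src) not in fired:
                fired.add(("password_spray", src))
                alerts.append({"rule": "password_spray", "src": src, "user": None,
                               "count": len(users), "at": ev["raw_ts"]})
        elif ev["result"] == "success" and len(recent) >= SUCCESS_AFTER_FAILS:
            # Guessing that ends in a success is the case worth paging on.
            alerts.append({"rule": "success_after_failures", "src": src, "user": user,
                           "count": len(recent), "at": ev["raw_ts"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES.splitlines()):
        print(alert)
```

Run on the sample, the script raises a brute-force alert on alice's fifth failure, flags her subsequent success as a likely compromise, and reports a spray from 198.51.100.7 once it has failed against four different accounts; frank's single typo followed by a success produces nothing. None of this is possible when each application keeps its own login log, which is the practical argument for routing authentication through one identity provider.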