Single sign-on (SSO) enables employees to access web applications using their existing identities, even when they are working remotely. Useful as it is, conventional SSO is limited in scope: it does not authenticate the user to the other key resources an employee relies on, such as their own system, IT infrastructure, or network resources.
Now that remote work has become the new status quo, IT admins need to extend the concept of SSO to virtually all IT resources, an approach also known as a True Single Sign-On™ experience. To achieve True Single Sign-On for remote workers, however, IT admins need to look beyond their current tool stack toward a centralized cloud directory service.
What is True Single Sign-On?
The concept of True Single Sign-On is predicated on leveraging an identity provider (IdP) so that one identity authenticates to everything an end user needs to do their work. With one identity for all IT resources, end users only need to remember one set of credentials, which means they can afford to make that password long, strong, and unique. If that identity is also backed by multi-factor authentication (MFA), a stolen password alone is not enough to gain access.
An IdP with True Single Sign-On gives IT admins a single place to manage resource access, which means they can apply the principle of least privilege so that each user has access only to the resources they need, limiting the damage a compromised credential can do. On the flip side, True Single Sign-On means that end users only need to change one password for the change to apply to all of their resources, so they can change it through something they already trust, such as their system's native login screen, rather than through a web form that a phishing page could imitate.
Although True Single Sign-On provides remarkable benefits to an organization, implementing it isn't necessarily straightforward. To understand why, it helps to see how SSO and True Single Sign-On have evolved to their current state.
The Evolution of SSO and True Single Sign-On
Traditional SSO solutions, also dubbed Identity-as-a-Service (IDaaS) solutions, source user identities from an organization's identity provider and federate them to web applications and other resources that fall outside the IdP's direct control. SSO solutions became essential for many organizations with on-prem IdPs once SaaS apps rose to prominence in the modern workplace.
Before the widespread adoption of SSO solutions, however, the concept of True Single Sign-On was the norm for most IT environments. Using on-prem IdPs, most often Microsoft® Active Directory® (AD), the average employee needed only one set of credentials, one identity, to access all of their IT resources. Of course, at the time, the list of IT resources in the workplace usually consisted of Windows® systems and applications, along with other on-prem resources like networks and file servers. These essential work tools all fell under AD's sphere of influence, or domain, so leveraging an AD identity to authenticate to them was easy.
Modern IT innovations and demands, such as the need for entire workforces to work from home during times of crisis, fundamentally change the way IT admins need to think about their domain. After all, much of the modern IT landscape, from non-Windows systems to web apps and now even the end users themselves, exists outside of the on-prem domain, and consequently outside of AD's ability to authenticate to it with a single identity.
This evolution has left IT admins with a few hard choices. They can continue to use their existing identity provider and purchase best-of-breed tools like SSO solutions and others to extend their on-prem identities to remote workers and resources. Purchasing a handful of IAM solutions means extra costs and vendor relationships to manage, along with more training to get end users up to speed. In times where budgets are slim and workers operate remotely, these drawbacks might be too much for IT departments to handle.
If buying additional IAM tools isn't in the cards, IT admins may even try to manage their end user identities manually. Manual IAM is certainly not a best practice: it means that IT admins and end users alike have to manage a separate password for each individual resource a user leverages day to day. As the list grows, passwords are likely to be reused or weakened to make them easier to remember, handing attackers ready-made entry points. Beyond credentials, if end users are granted access to resources beyond what they should have, they could potentially misuse an organization's data themselves.
Instead of manually managing identities or purchasing bunches of new tools, IT admins should instead consider consolidating their IAM needs by looking towards their source of truth: the directory service. By replacing their existing identity provider with one equipped to manage modern resources and end users, IT organizations can achieve True Single Sign-On once again.
As such, a modern directory service would need the following characteristics:
- OS/Platform-agnostic: Capable of managing any system and controlling access to any application, infrastructure, network, or other resource
- Protocol-driven: Uses standard authentication protocols such as SAML (for web applications), LDAP (for applications and infrastructure), and RADIUS (for network access) to securely extend identities to these resources from anywhere in the world
- Cloud-based: Leverages cloud infrastructure to provide around-the-clock uptime and remote management capabilities
It comes down to challenging the traditional concept of the domain. By definition, a modern directory service is domainless; it isn't limited by a brick-and-mortar office or the reach of its Ethernet cables. In a domainless enterprise, end users aren't limited by where they work or which resources they can leverage, because IT's IAM tooling is no longer limited in what it can securely authenticate to.
Implementing True Single Sign-On with a Modern Directory Service
As your organization continues to adopt modern IT resources and works to enable a fully remote workforce, now is the time to consider reimagining your IAM infrastructure by implementing True Single Sign-On with a modern directory service.
We here at JumpCloud® are pioneers of the cloud directory service, and would be happy to help you however we can, whether it be finding a True Single Sign-On solution to extend your existing AD infrastructure or leveraging an entirely new modern directory service altogether.