Single Sign On (SSO) is a mechanism for authenticating to separate systems using a single identity (you can read the Wikipedia article & definition here). Ever seen the "login with Facebook" or "Sign in with Apple" type buttons on websites? That's SSO at work. In this post I'm going to cover why it's good for account management, while also talking about some of the possible pitfalls. I won't be talking about how to set SSO up here, and that varies based on different systems - consult vendor documentation!
Why is a single identity good?
If you administer systems then you've probably inherited a system at some point, only to find there are accounts still present for your predecessor, past employees, or people you've never even heard of that no-one else can quite remember. When an employee leaves it's common for an Active Directory (or Azure AD / Entra) account to be removed but other applications can get left behind. Maybe the IT team doesn't manage them, or they never knew the ex-colleague had an account there.
When it comes to systems getting left behind, I got a message from a former colleague (and reader of this blog) months after they had left letting me know they still had access to our landlord's CCTV system over the Internet[1]. My ex-colleague hadn't realised our system was still in their app, opened it to add their new office, and their credentials still worked. They were kind enough to let us know and I terminated access - a system that I didn't even know I had access to. Easily done.
When it comes to usability, having only one account to remember the details of is very handy. That said, I do strongly recommend you use a password manager (1Password works very nicely on macOS, Android, Linux, and Windows) which can help remove some of the friction found with multiple accounts. Add in the fact that different systems have different password requirements, and having multiple user accounts is a right pain.
Now, imagine having just one identity that's used for everything. All of a sudden we've solved at least two problems - IT and application administrators only have to worry about one account, and end-users only have to remember one credential set.
Still have a separate admin account though!
To be clear, I'm not saying each person should only have one account. It's considered good practice to not use your day-to-day account for privileged operations, so you should still have separate accounts for performing privileged actions.
Enforces MFA and access restrictions
MFA, or Multi Factor Authentication, is a great tool to help reduce account compromise. Once MFA is enabled an attacker needs your username, password, and MFA code / device. By using one identity across multiple systems you can gain MFA protection on all of them. This is because your identity provider (IdP) enforces MFA as part of the authentication step, before telling your destination application (the one you're logging in to) that you have logged in successfully.
Access restrictions would be enforced in the same way, because that's handled by the identity provider too. This means it's possible to say "staff can only login from the UK" and have that setting apply to multiple applications and systems.
Of course, because both are handled by the IdP and not the destination system you only have one configuration to update.
I've touched on this a bit already, but having multiple systems tied to one identity can massively streamline (and thus speed up) your processes. Consider a new colleague's first day. Without single sign on you'd need to create them an account in every system they need to use. Instead, by using single sign on we can create one account, add the account to a set of groups in the IdP, and the colleague would have access to all the systems they need on day one (so long as the other systems support that!).
Configuration changes can be applied in one system, the IdP, and impact all systems at once. Need to change password complexity rules? One place. Suddenly need to force a reset of all staff passwords everywhere? One place. I won't list more examples, I'm sure you get the idea.
Thinking about a bad scenario, consider when someone leaves the company on bad terms. At the moment I'm on a distribution list with a number of others that receive emails like "terminate access now!" and everyone has to react pretty quickly. Moving all our systems to single sign on would allow us to secure everything quickly, and reduce effort across the company.
How big is the account problem really?
Thinking just about work, I've got a lot of systems - and this is just my non-privileged identity. If I had a separate account for each of them I'd have a lot of accounts to manage:
- Productivity suite (email, documents etc.)
- Password manager
- Vulnerability management tool
- Ticketing system
- Static analysis tool
- Dependency tracking tool
- Instant messaging service
- Apple account
- Expenses system
- HR system
- Penetration test supplier portal
- Cybersecurity information sharing site
- Cloud computing provider
- some I've certainly forgotten
If I were to leave the company, someone would have to deal with at least thirteen accounts, either by taking them over or closing them. Adding in my privileged accounts, particularly before we closed the offices, and I could add an account for each switch, firewall, CCTV, and door control system. That's a lot of accounts to forget, er, manage.
Why is a single identity bad?
One of the immutable laws of security is "technology isn't a panacea" (the cure for everything) and it'd be negligent of me to imply SSO solves everything or not mention the fact that having a single identity creates some risk. If someone compromises that one account then they have access to everything. Email, files, business applications...you get the idea.
There's an element of this risk already when you consider the "forgot my password" function on sites will almost always send you a password reset link to your email address. If I compromise your email account then I can probably compromise a lot of sites you access, whether you're using single sign on or not.
So, it's important to protect that single identity. Passwords are probably the first part of your defence of the account - make sure they're good. A twelve character minimum password length isn't a bad starting point (the longer the better), and twelve characters isn't as hard to remember as people first think. Three random words of at least four letters long meets the length requirement and is at least friendly[2]. Add in a number or punctuation somewhere and you're off to a great start.
(I'm well aware that stating a password length in this post means it probably won't age well. This is written in 2023, so please adjust the minimum password length based on advice from when you're reading this.)
Next, require users to enable multi factor authentication (even the CEO[3]) to make it more difficult for an attacker to compromise the account. Set country restrictions when you can (if your staff only work from one country, especially if that's company policy, why do they need to log in from somewhere else?), and potentially time restrictions too (does a 9-5 receptionist really need to log on out of hours?).
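To make the "one place to configure" point concrete, here is an added toy model (my own example, not code from the post or any real IdP) of the checks described above and in the MFA / access restriction section: MFA, a country allow-list, per-group login hours, and group-based app entitlement are all evaluated once by the identity provider, so the destination applications never carry their own copies. The policy values (GB only, reception hours 9-17, the group-to-app mapping) and the login attempts are constructed sample data.

```python
from dataclasses import dataclass

# Constructed policy, held in one place (the IdP) rather than per application.
ALLOWED_COUNTRIES = {"GB"}
LOGIN_HOURS = {"reception": (9, 17)}      # group -> (start_hour, end_hour), 24h clock
GROUP_APPS = {                            # IdP group -> applications it grants
    "staff": {"email", "ticketing", "hr"},
    "security": {"vuln-mgmt", "static-analysis"},
    "reception": {"visitor-book"},
}


@dataclass
class LoginAttempt:
    user: str
    groups: frozenset          # IdP group membership of the account
    country: str               # ISO country code the sign-in came from
    hour: int                  # local hour of the attempt, 0-23
    mfa_passed: bool           # did the IdP's MFA step succeed?
    app: str                   # destination application being requested
    disabled: bool = False     # leaver flag: one switch revokes everything


def apps_for(groups) -> set:
    """Day-one provisioning: adding an account to groups yields its app set."""
    return set().union(*(GROUP_APPS.get(g, set()) for g in groups))


def idp_decision(attempt: LoginAttempt) -> tuple:
    """Return (allowed, reason); the IdP runs this once for every app."""
    if attempt.disabled:
        return False, "account-disabled"
    if not attempt.mfa_passed:
        return False, "mfa-required"
    if attempt.country not in ALLOWED_COUNTRIES:
        return False, "country-blocked"
    for group in attempt.groups:
        window = LOGIN_HOURS.get(group)
        if window and not (window[0] <= attempt.hour < window[1]):
            return False, "outside-login-hours"
    if attempt.app not in apps_for(attempt.groups):
        return False, "not-entitled"
    return True, "ok"


if __name__ == "__main__":
    staff = frozenset({"staff"})
    print(idp_decision(LoginAttempt("alice", staff, "GB", 10, True, "email")))
    print(idp_decision(LoginAttempt("alice", staff, "US", 10, True, "email")))
```

Changing ALLOWED_COUNTRIES or setting disabled=True on an account changes the outcome for every application at once, which is the administrative win the post describes.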
User training is also really important here. Attackers are wise to MFA, and it's not unusual for an attacker to try to socially engineer a user to get them to provide the MFA code. Train your colleagues so they know not to provide MFA codes to other people unless there's a remarkably good reason. If you're a security professional, make sure your colleagues know they can contact you without fear if they think something looks suspicious (or if they've made an error).
If you haven't guessed by now, I'm a massive fan of single sign on, both as an end-user and as an administrator. Done correctly, with well protected accounts, single sign on makes things easier all round 😀.
Banner image: Login window, from OpenClipart.org, by j4p4n
[1] Why the CCTV system was exposed to the public Internet is a separate issue.
[2] If you need to remember a password, perhaps it's the one you type in to your computer to access it, it's got to be friendly. One place I worked set random passwords to decrypt the drive before Windows would start - eLp13297HGG wasn't unusual. As a result, people simply wrote the password on a label and stuck it to the wrist rest - the encryption was pointless.
[3] Particularly the CEO!