Extending Single Sign-On to Cloud: Convenience or Does it Sacrifice Security

It's challenging enough for service providers to manage security for a single cloud service, let alone multiple cloud services. But many companies are pursuing a multi-cloud strategy, a reality that seemingly conflicts with customer expectations of bulletproof yet uncomplicated security policies. 

Customers are demanding single sign-on (SSO) capabilities, but providers and customers will have to ask themselves if the convenience of cloud SSO is worth its potential security risks.

Functionalities of SSO

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.

In a basic web SSO service, an agent module on the application server retrieves the specific authentication credentials for an individual user from a dedicated SSO policy server, while authenticating the user against a user repository such as a lightweight directory access protocol (LDAP) directory.

Some SSO services use protocols such as Kerberos and the security assertion markup language (SAML). SAML is an XML standard that facilitates the exchange of user authentication and authorization data across security domains. SAML-based SSO services involve communications between the user, an identity provider that maintains a user directory, and a service provider. When a user attempts to access an application from the service provider, the service provider will send a request to the identity provider for authentication. The service provider will then verify the authentication and log the user in. The user will not have to log in again for the rest of his session. In a Kerberos-based setup, once the user credentials are provided, a ticket-granting ticket (TGT) is issued. The TGT fetches service tickets for other applications the user wishes to access, without asking the user to re-enter credentials.

Although single sign-on is a convenience to users, it presents risks to enterprise security. An attacker who gains control over a user's SSO credentials will be granted access to every application the user has rights to, increasing the amount of potential damage. In order to avoid malicious access, it's essential that every aspect of SSO implementation be coupled with identity governance. Organizations can also use two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security.

Enable SSO for cloud apps

Business problem
Enterprise companies are using cloud apps at an ever-increasing pace. By extending Single Sign-On (SSO) to cloud apps, employees can use their corporate credentials to sign into software as a service (SaaS) apps or in-house apps hosted in the cloud.
SSO provides a single point of authentication through an Identity provider (IdP). Users can access third-party cloud apps but their credentials aren't stored with the third party. In many cases, credentials for the third-party apps don't exist.

Solutions
To provide users with SSO-based access to selected cloud apps, Cloud Identity as your IdP supports the OpenID Connect (OIDC) and Security Assertion Markup Language 2.0 (SAML) protocols. Cloud Identity has a large catalog of SAML apps.

Third-party identity providers
If you have a third-party IdP, you can still configure SSO for third-party apps in the Cloud Identity catalog. User authentication occurs in the third-party IdP, and Cloud Identity manages the cloud apps.
To use Cloud Identity for SSO, your users need Cloud Identity accounts. They sign in through your third-party IdP or using a password on their Cloud Identity accounts.

One Secure SSO Portal for All Apps
With One Login’s single sign-on portal users only have to enter one set of credentials to access to their web apps in the cloud and behind the firewall – via desktops, smartphones, and tablets. This greatly increases productivity while keeping data secure. One Login’s policy-driven password security and multi-factor authentication ensure that only authorized users to get access to sensitive data. You can implement more demanding password policies such as required length, complexity and restrictions on password reuse, as well as session timeout and password, reset self-service policy to heighten protection without impeding your users.

Cloud single sign-on adds convenience, but does it sacrifice security?

Cloud SSO has become desirable as more companies adopt applications using multiple cloud services. But providers must not jeopardize security.

Increased Security
With more and more apps moving to the cloud, security is a prime concern and that is achieved by using an effective CASB i.e. Cloud Access Service Broker solution with single sign-on. A major advantage of an SSO solution is that the user will not have multiple weak passwords that may be a target of theft attacks. Instead, they have a single credential, which will be strong and more carefully secured. An example is the use of tokens to authenticate rather than forwarding passwords or storing credentials on user devices henceforth reducing the data theft risk.

Decreased Costs
A large number of password resets multiplied with the number of users would always increase IT costs of organizations. Fewer passwords would mean lesser resets and definitely lesser time, which in turn would save the costs for user administration.

Working of a Single Sign-on Solution
When the applications were on-premises, the requirements of single sign-on used to be somewhat simpler. But today’s business environment is much more complex. Cloud services and SaaS applications require better cloud security and more flexible single sign-on, but at the same time, they have increased its value. Today, most of the enterprises use federated SSO to enable authentication across domains. The secure single-on is provided to a trusted group of applications or service providers and this is possible even when the apps are owned by third parties or are out of firewalls.

How Single Sign-On (SSO) Solution Works 

  • A centralized authentication server to confirm a user’s identity is implemented by the Identity-Provider organization. The server validates user identity and issues access tokens
  • The username and password is directed to the Identity-Provider (IdP) for verification when the user signs in for the first time
  • The credentials are checked by the authentication server against the directory where the user data is stored thereby initiating an SSO session on the browser of the user.
  • Instead of requesting a password, the service provider requests the identity-provider to validate the user identity.
  • The identity-provider then provides an access token, which is accepted by the service provider, who grants access without showing the sign-on screen to the user.

Single Sign-On and the Standards

The single sign-on uses identity standards like SAML, OAuth and OpenID Connect. The secure sharing of data among multiple identity and service providers is thus enabled by the use of standards. The older standards work with old apps and the new ones are more suited for web-based and SaaS-based apps. Each has its own merits and an enterprise should use SSO solution that supports the full set.
Definitely, implementing Single Sign On gives the organization improved security and secure data access to its customers and employees. As IT environments get more complex, it is better that organizations invest in SSO solutions to provide seamless work experience.

Authored By - Praveen Gopinath
TCS Cyber Security Practice

Rate this article: 
Average: 4.3 (11 votes)
Article category: