
What does single sign-on mean?

Single sign-on (SSO) is an authentication process in which a user logs in once and is then granted access to all services connected to the SSO system, instead of having to log in separately for each service. SSO answers only the question of who the user is; what the user may do inside each service is still decided by that service's authorization rules.

The login remains valid until the user initiates a single sign-out (simultaneous logout from all connected services) or a specified period of time, the session lifetime, has elapsed.

  • Authentication means "verification of genuineness". In an authentication procedure (e.g. entering a password) a person proves the identity they claim.

  • There are already services that offer such authentication procedures: Authentication as a Service (AaaS).

  • In companies, authentication services are organized as part of central identity management.

  • The authentication service (identity provider) acts as a third, mediating party between an IT service and the user of that service.

  • The identity provider issues an "assertion", which the user presents to the service. Assertions are, so to speak, "assurances" that the user holds this identity. The service must verify the assertion (signature of the identity provider, intended recipient, validity period) rather than simply trust whatever it is shown.

  • Multi-step / multi-factor authentication (MFA): more than just user name and password are requested at login, e.g. a PIN or TAN, biometric or location data of the user, or a physical device (token, dongle) that must be present. Strictly speaking, MFA requires factors from at least two different categories (something you know, something you have, something you are); a security question such as the mother's place of birth is only a second piece of knowledge and does not add a factor.

(Quelle: https://de.wikipedia.org/wiki/Authentifizierung)

What single sign-on methods are there?

Portal solution: login and authentication take place in a portal to which several services are connected. The user receives, for example, a cookie that uniquely identifies them within the portal and lets them use its web applications. Example: Google Workspace (formerly G Suite).

Ticketing system: in a network of services that trust each other, the user receives a common identification (a "ticket") that the services accept and pass among themselves. Such a network is also known as a "circle of trust". Kerberos, mentioned further below, is the classic example.

Local solution: the user installs a client that fills in login forms with previously "learned" login data. Examples are the password managers built into browsers or services such as LastPass. Strictly speaking this is not SSO: every service still has its own password and still sees it at every login; only the remembering is automated.

What are the advantages and disadvantages of single sign-on?

Services such as Google, Facebook, Twitter etc. offer SSO. "Sign in with Facebook" lets users authenticate via the social network. For end users this is very convenient, because SSO replaces a large number of passwords they would otherwise have to remember. As a portal solution, one Google account gives access to all (free) Google services, e.g. Maps, Gmail, Calendar, etc.

An SSO system offers certain advantages for companies and their employees when using various services such as cloud systems, SaaS or other web applications:

  • Time savings and ease of use thanks to a single user login

  • Security thanks to just one password: the password is only ever entered at, and transmitted to, the identity provider, never to the connected services. This reduces the number of places where it can be intercepted, phished, or leaked from a badly secured service. Users no longer have to remember many, possibly weak passwords, but only one, which can therefore also be more complex.

  • Fewer help desk requests for password resets

  • Scalability through central access control: the administrator can connect services to the SSO system, grant or restrict access for individual employees, and withdraw access to all connected systems at once when an employee leaves. For this to work, the SSO strategy must also include identity and authorization management: the identity provider has to be the authoritative source for who is still an employee and which roles they hold.

However, an SSO solution also has disadvantages and risks:

  • If there is no single sign-out, an SSO session remains usable until its lifetime has expired. If the employee leaves their workstation unlocked, third parties can, in principle, use this session to reach all connected systems. Short session lifetimes and re-authentication before sensitive actions limit this window.

  • If the SSO identity is stolen (the password, or a session cookie or assertion captured in transit), the attacker gains access to several systems instead of just one. The identity provider is therefore a high-value target and must be protected accordingly.

  • To protect against misuse and attacks, many SSO solutions use multi-factor authentication (MFA), which requires additional factors beyond user name and password. MFA reduces the ease of use mentioned above as an advantage, although with SSO the extra step is at least needed only once per session rather than at every service.
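The flow described on this page (one login at the identity provider, one assertion per connected service, valid until single sign-out or timeout) and the risks listed above (an open session until expiry, a stolen identity usable at several services) as an added worked example in Python. This is not code from the original page or from any real SSO product: the identity provider, the services "mail" and "wiki", the user "alice" with her password, and the HMAC-signed JSON assertion format are all constructed for illustration. A real deployment would use SAML or OpenID Connect with public-key signatures instead of a shared HMAC key, and services would learn about sign-out through a logout message rather than by calling the identity provider directly.

```python
import base64
import hashlib
import hmac
import json
import time


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Central authentication service (constructed): checks the password once,
    keeps the SSO session and issues one signed assertion per connected service."""

    def __init__(self, signing_key: bytes, session_lifetime: int, clock=time.time):
        self.key, self.lifetime, self.clock = signing_key, session_lifetime, clock
        # Constructed sample user store: name -> PBKDF2 hash (salted with the name).
        self.users = {"alice": self._hash("alice", "correct horse battery")}
        self.connected_services = {"mail", "calendar", "wiki"}
        self.sessions = {}  # session id -> (user, expiry timestamp)
        self._next = 0

    @staticmethod
    def _hash(user: str, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)

    def login(self, user: str, password: str) -> str:
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored, self._hash(user, password)):
            raise PermissionError("bad credentials")
        self._next += 1
        sid = f"sess-{self._next}"
        self.sessions[sid] = (user, self.clock() + self.lifetime)
        return sid

    def session_active(self, sid: str) -> bool:
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        if entry[1] <= self.clock():  # session lifetime elapsed
            del self.sessions[sid]
            return False
        return True

    def assertion_for(self, sid: str, service: str) -> str:
        """Issue an assertion bound to one service (audience) and to this session."""
        if service not in self.connected_services:
            raise ValueError(f"{service} is not connected to the SSO system")
        if not self.session_active(sid):
            raise PermissionError("no active SSO session")
        user, expiry = self.sessions[sid]
        claims = {"sub": user, "aud": service, "exp": expiry, "sid": sid}
        body = b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{b64(sig)}"

    def single_sign_out(self, sid: str) -> None:
        self.sessions.pop(sid, None)


class Service:
    """A connected service: never sees the password, only verifies assertions."""

    def __init__(self, name: str, idp: IdentityProvider):
        self.name, self.idp = name, idp  # trust: shared key + session-status lookup

    def accept(self, assertion: str):
        """Return the authenticated user name, or None if the assertion is rejected."""
        try:
            body, sig = assertion.split(".")
            expected = hmac.new(self.idp.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, unb64(sig)):
                return None  # forged or tampered
            claims = json.loads(unb64(body))
        except ValueError:
            return None
        if not isinstance(claims, dict) or claims.get("aud") != self.name:
            return None  # malformed, or issued for another service
        if claims.get("exp", 0) <= self.idp.clock():
            return None  # validity period elapsed
        if not self.idp.session_active(claims.get("sid", "")):
            return None  # single sign-out happened in the meantime
        return claims.get("sub")


def demo() -> dict:
    now = [1_700_000_000.0]  # controllable clock so the timeout case can be shown
    idp = IdentityProvider(b"constructed-shared-secret", 3600, clock=lambda: now[0])
    mail, wiki = Service("mail", idp), Service("wiki", idp)
    out = {}
    sid = idp.login("alice", "correct horse battery")  # the only password entry
    mail_token = idp.assertion_for(sid, "mail")
    out["mail"] = mail.accept(mail_token)
    out["wiki"] = wiki.accept(idp.assertion_for(sid, "wiki"))  # no second login
    out["wrong_audience"] = wiki.accept(mail_token)
    body, sig = mail_token.split(".")
    forged_claims = json.loads(unb64(body))
    forged_claims["sub"] = "mallory"
    forged = f"{b64(json.dumps(forged_claims, sort_keys=True).encode())}.{sig}"
    out["forged"] = mail.accept(forged)
    out["stolen_replay"] = mail.accept(mail_token)  # a stolen assertion keeps working...
    idp.single_sign_out(sid)
    out["after_sign_out"] = mail.accept(mail_token)  # ...until single sign-out
    sid2 = idp.login("alice", "correct horse battery")
    token2 = idp.assertion_for(sid2, "mail")
    now[0] += 3601
    out["after_timeout"] = mail.accept(token2)  # ...or until the lifetime elapses
    return out
```

The `stolen_replay` entry is the point of the second risk above: a captured assertion is accepted just like the legitimate one for as long as the session lives, and only the audience binding keeps it from being replayed at a different service. The `after_sign_out` and `after_timeout` entries show the two ways the page names for ending that exposure.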

Identity management is the administration of user data that is assigned to individual persons.

A person can have only one physical identity but possess several (virtual) identities, e.g.:

  • Identity in an online shop: name, address, bank details, order history

  • Identity in a forum: pseudonym, number of posts, profile

Examples from the offline world:

  • Driving licence

  • Identity card

  • Customer loyalty cards

  • Bank account

An identity can usually be assigned to only one person, where identity means the totality of personal attributes that individualize that person.

Within a company, a person's various accounts (e-mail, operating system, work tools etc.) can be consolidated, and their permissions can be managed as well. This requires an interface between identity management and access management: identity and access management (IAM, IdAM).

(Quelle: https://de.wikipedia.org/wiki/Identit%C3%A4tsmanagement)

  • Authorization means passing the safeguards that protect a resource against unauthorized parties.

  • It takes place after prior, successful authentication.

  • Permission, the granting of rights, the granting of access to resources

(Quelle: https://de.wikipedia.org/wiki/Autorisierung)

Single sign-on with OpenID

OpenID is a decentralized authentication system for web-based services. A user registers with an OpenID provider and receives an OpenID, a URL-based identifier, to which they authenticate at the provider with a password or another credential. With this OpenID the person can log in to relying parties (websites that support OpenID) without creating a separate account there: the relying party redirects the user to their provider, the provider authenticates them and sends an assertion back to the relying party. The original OpenID (1.x and 2.0) has since been superseded by OpenID Connect, which is built on OAuth 2.0 and uses signed ID tokens instead of URL identifiers.

Decentralized means that anyone can become an OpenID provider and issue OpenID identities; the open source server software can be installed on one's own server. A consequence is that an OpenID proves only control over that identifier, not who the person behind it really is, and the relying party has to decide which providers it trusts.

URL-based means that the OpenID is passed as a subdomain (username.example.com) or as a path (example.com/username), for example; the relying party discovers the responsible provider from that URL.

Facebook for a time offered its users the option of authenticating with OpenIDs from other providers; this is no longer supported, and Facebook Login is now based on OAuth 2.0.

In addition to OpenID, there are other systems such as Shibboleth (based on SAML, widespread at universities) or Kerberos (ticket-based, used for example in Windows domains).

SAML stands for "Security Assertion Markup Language" and is an XML framework for exchanging authentication and authorization information. SAML allows security-related information to be described and transmitted: the identity provider signs the XML assertion, and the service provider must verify that signature before accepting the identity it contains.

(Quelle: https://de.wikipedia.org/wiki/Security_Assertion_Markup_Language)

Further ease of use with OAuth

OAuth is an open protocol for delegated API authorization for web applications, apps, etc. The user grants a service (the client) permission to access their data held by another service (the resource server) without handing over sensitive data such as their password: the user logs in and gives consent at the provider, and the client receives only an access token that is restricted to the granted scope. An example is a calendar app that asks to read the user's Google calendar. Strictly speaking, OAuth handles authorization, not authentication; "Sign in with ..." on top of OAuth is what OpenID Connect adds. The prompts with which a smartphone asks whether an app may use the camera or microphone are an operating-system permission mechanism, not OAuth.

(Source: https://de.wikipedia.org/wiki/OAuth)
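The delegation just described, as an added example in Python that is not part of the original page and is not the code of any real OAuth library: an authorization server, a resource server and a client app are simulated in one process. The client "calendar-app", its secret, the redirect URI, the scopes "calendar.read" and "mail.send", and the user "alice" with her password are all constructed. It walks through the authorization code flow and the checks a practitioner expects: the password goes only to the authorization server, the app receives a token limited to the granted scope, a code can be exchanged only once, and a redirect URI or state value that the server or app did not register is rejected.

```python
import hashlib
import hmac
import secrets


def password_hash(user: str, password: str) -> bytes:
    # Constructed sample store: PBKDF2 with the user name as salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)


class AuthorizationServer:
    """Holds the accounts, authenticates the user and issues scoped access tokens."""

    def __init__(self):
        self.users = {"alice": password_hash("alice", "alice-pw")}
        # client id -> (client secret, registered redirect URI); all constructed.
        self.clients = {"calendar-app": ("app-secret", "https://app.example/callback")}
        self.codes = {}   # one-time code -> (client_id, user, scope, redirect_uri)
        self.tokens = {}  # access token -> (user, set of granted scopes)

    def authorize(self, client_id, redirect_uri, scope, user, password):
        """Called from the user's browser: the password reaches only this server."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client[1]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored, password_hash(user, password)):
            raise PermissionError("bad credentials")
        # A real server would show the consent screen listing `scope` here.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope, redirect_uri)
        return code

    def exchange(self, client_id, client_secret, code, redirect_uri):
        """Back-channel call by the client: trades the code for an access token."""
        entry = self.codes.pop(code, None)  # a code is single use
        if entry is None:
            raise PermissionError("invalid or already used code")
        code_client, user, scope, code_uri = entry
        client = self.clients.get(client_id)
        if (client is None or code_client != client_id or code_uri != redirect_uri
                or not hmac.compare_digest(client[0], client_secret)):
            raise PermissionError("client authentication or redirect_uri mismatch")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, set(scope.split()))
        return token

    def introspect(self, token):
        return self.tokens.get(token)


class ResourceServer:
    """Enforces that a token carries the scope each API call needs."""

    def __init__(self, auth):
        self.auth = auth
        self.calendars = {"alice": ["dentist 09:00", "team meeting 14:00"]}

    def _require(self, token, scope):
        info = self.auth.introspect(token)
        if info is None or scope not in info[1]:
            raise PermissionError(f"token lacks scope {scope}")
        return info[0]

    def read_calendar(self, token):
        return self.calendars[self._require(token, "calendar.read")]

    def send_mail(self, token, text):
        return f"sent as {self._require(token, 'mail.send')}: {text}"


class ClientApp:
    """The third-party app. It never handles the user's password."""

    def __init__(self, auth):
        self.auth = auth
        self.client_id, self.secret = "calendar-app", "app-secret"
        self.redirect_uri = "https://app.example/callback"
        self.pending = {}  # state -> scope: ties a callback to a request we started

    def authorization_request(self, scope):
        state = secrets.token_urlsafe(8)
        self.pending[state] = scope
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state}

    def callback(self, code, state):
        if self.pending.pop(state, None) is None:
            raise PermissionError("unknown state (possible CSRF or injected code)")
        return self.auth.exchange(self.client_id, self.secret, code, self.redirect_uri)


def demo() -> dict:
    auth = AuthorizationServer()
    app, api = ClientApp(auth), ResourceServer(auth)
    req = app.authorization_request("calendar.read")
    # Browser step: the user logs in and consents at the authorization server.
    code = auth.authorize(req["client_id"], req["redirect_uri"], req["scope"], "alice", "alice-pw")
    token = app.callback(code, req["state"])
    out = {"calendar": api.read_calendar(token)}
    attempts = {
        "mail_without_scope": lambda: api.send_mail(token, "hi"),
        "code_reuse": lambda: auth.exchange(app.client_id, app.secret, code, app.redirect_uri),
        "foreign_redirect": lambda: auth.authorize("calendar-app", "https://evil.example/cb",
                                                   "calendar.read", "alice", "alice-pw"),
        "forged_state": lambda: app.callback(code, "not-a-state-we-issued"),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name] = "allowed"
        except PermissionError:
            out[name] = "denied"
    return out
```

The exact redirect URI match and the single-use code are what stop an attacker who can trigger an authorization request from having the code delivered to a server they control, and the state check stops a code obtained elsewhere from being injected into a victim's session.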

Further sources:

https://de.wikipedia.org/wiki/Assertion_(computer science)

https://de.wikipedia.org/wiki/OpenID

https://de.wikipedia.org/wiki/Single_Sign-out

https://de.wikipedia.org/wiki/Single_Sign-on

https://www.computerwoche.de/a/wunderwaffe-sso,3545560

https://praxistipps.chip.de/was-ist-single-sign-on-einfach-erklaert_99624
