Single Sign On with SAML
What is It and Should My Business Use It?
Do you ever get password fatigue? I think we all have. Most business applications need to know who you are in order to give you access to the appropriate data. However, more and more non-business applications are adding personalization to tailor information to what we care about (or what the application developer thinks we care about). As a result, we're required to log in to just about every application we use. On top of this, some of these applications want to access other applications to learn more about us so they can provide a better experience. The truth is, we want a better experience, so we're often willing to create accounts, reset our passwords, and log in again and again and again.
And while we're willing to give up our information to applications we choose, we don't want just anybody to get that information. Best practices tell us to use strong passwords (you know, the long ones with special characters that nobody can possibly remember ... including you!), to change them frequently (just in case you do manage to remember), and, we can't forget, to use a different password for every application! Initially, we try our best to follow best practices, but it becomes too cumbersome so we stop. Then come a few high-profile data breaches and an increased focus on data privacy and security, and it isn't long before all the applications we use start enforcing best practices.
It naturally follows that we'll look for solutions to make our lives easier. So along come password vaults and single sign-on solutions. A password vault is great for personal use but can be a business liability. The benefit of the password vault is having all of our passwords in one place. If we use a personal vault, we're naturally going to store our company passwords in there (after all, all you have to do is click OK on the "Do you want to save this password?" browser plug-in message). The liability comes when an employee leaves the company or their vault is compromised. Accounts that belong to the employee can be disabled in every application they had access to, but even that is time consuming, costly, and easy to get wrong. And even if you manage to secure the individual's accounts, they may have saved shared account credentials that cannot be easily disabled or reset. Now what?
Fortunately, there is a better solution for the corporate environment: Single Sign-on (also known as SSO).
Dissecting the Acronyms
SSO stands for Single Sign-on. It allows you to seamlessly jump among applications you use daily without logging into each separately. Your social media accounts, CRM applications, ERP environment, CMS, cloud storage, and even your digital printing service work off a single login. It does this by providing a secure process for verifying the identity of the client (end user) to the application. The process consists of authenticating a user (verifying they are who they say they are) and authorizing them to access their requested resources. To help ensure the SSO process is secure, a number of proven, standards-based technologies are required, including:
- SAML stands for Security Assertion Markup Language, a standard protocol for exchanging authentication and authorization data. SAML 2.0 is the most widely used version of the SAML standard.
- OAuth stands for Open Authorization and, as the name suggests, is a standards-based authorization framework: it lets one application act on a user's behalf against another without being given the user's password, and it does not by itself prove who the user is. OAuth 2.0 is the current industry standard version.
- IdP and SP stand for Identity Provider and Service Provider, the roles taken on by the applications you use. The IdP is responsible for managing user identities and getting you logged in. The service providers are the applications with which you interact throughout your day. A single application can serve both roles.
For individual users, convenience is the biggest perk of SSO. Your business also benefits in several important ways, including cost. In addition to providing your users with a much better experience, eliminating multiple passwords can save your organization money, and lots of it. Multiple passwords typically mean lost passwords, and Gartner has estimated that password reset requests make up between 20% and 50% of all IT help desk tickets. Worse still, Forrester Research found that those tickets cost your company, on average, a whopping $70 each. Other ways your business benefits from SSO are covered under "Should My Business Use Single Sign-on?" below.
SAML Based SSO
SAML based SSO begins with a user accessing an application, also called the service provider (SP), and requesting a resource that requires authorization. The application checks whether the user has already been identified (i.e. authenticated). If so, it begins the authorization process to determine whether the user is permitted to access the requested resource. If the identity has not been established, the SP begins the authentication process by sending the user to the Identity Provider (IdP) with an authentication request. The IdP authenticates the user and returns a signed response containing an assertion about who the user is; once the SP has verified that response, the user's identity is established and the authorization process proceeds.
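The exchange described above, as an added example that is not code from the article or from Titan CMS: the SP builds the SAML 2.0 AuthnRequest, and when the Response comes back it performs the checks that decide whether the asserted identity can be trusted (Destination, Status, InResponseTo correlation, a single Assertion from the expected Issuer, replay of the Assertion ID, the NotBefore/NotOnOrAfter window with clock skew, and the Audience). The entity IDs, URLs and user are assumed values, and the IdP side is a constructed, unsigned stand-in; a real SP must verify the XML signature against the IdP's certificate with an XML-DSig library before these checks mean anything.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP and IdP identifiers, assumed for this example only.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated drift between IdP and SP clocks

def saml_time(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_time(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def el(parent, prefix, name, attrs=None, text=None):  # append a namespaced child
    e = ET.SubElement(parent, "{%s}%s" % (NS[prefix], name), attrs or {})
    e.text = text
    return e

class ServiceProvider:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock
        self.pending = set()          # AuthnRequest IDs still awaiting a Response
        self.seen_assertions = set()  # Assertion IDs already accepted (replay check)

    def build_authn_request(self):
        """Step 1: the SP redirects the unauthenticated user to the IdP carrying this."""
        req_id = "_" + uuid.uuid4().hex
        self.pending.add(req_id)
        req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
            "ID": req_id, "Version": "2.0", "IssueInstant": saml_time(self.clock()),
            "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
            "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
        el(req, "saml", "Issuer", text=SP_ENTITY_ID)
        return req_id, ET.tostring(req, encoding="unicode")

    def consume_response(self, xml_text):
        """Step 2: validate the IdP's Response; return the NameID or raise ValueError.
        Not shown: verifying the XML signature on the Response/Assertion against the
        IdP's certificate, which a real SP must do (with an XML-DSig library) first."""
        now = self.clock()
        resp = ET.fromstring(xml_text)
        if resp.tag != "{%s}Response" % NS["samlp"]: raise ValueError("not a samlp:Response")
        if resp.get("Destination") != SP_ACS_URL: raise ValueError("Destination is not our ACS URL")
        code = resp.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS: raise ValueError("IdP did not report success")
        in_resp = resp.get("InResponseTo")
        if in_resp not in self.pending: raise ValueError("unsolicited or replayed response")
        self.pending.discard(in_resp)  # a request may be answered exactly once
        assertions = resp.findall("saml:Assertion", NS)
        if len(assertions) != 1: raise ValueError("expected exactly one Assertion")
        a = assertions[0]
        if a.findtext("saml:Issuer", None, NS) != IDP_ENTITY_ID: raise ValueError("unexpected Issuer")
        if a.get("ID") in self.seen_assertions: raise ValueError("Assertion replayed")
        self.seen_assertions.add(a.get("ID"))
        cond = a.find("saml:Conditions", NS)
        if cond is None: raise ValueError("missing Conditions")
        if now + CLOCK_SKEW < parse_time(cond.get("NotBefore")): raise ValueError("Assertion not yet valid")
        if now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter")): raise ValueError("Assertion expired")
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences: raise ValueError("Assertion not intended for this SP")
        return a.findtext("saml:Subject/saml:NameID", None, NS)

def constructed_idp_response(request_id, name_id, issued_at, audience=SP_ENTITY_ID):
    """Constructed stand-in for the IdP's Response (unsigned; a real IdP signs it)."""
    resp = ET.Element("{%s}Response" % NS["samlp"], {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": saml_time(issued_at),
        "Destination": SP_ACS_URL, "InResponseTo": request_id})
    el(resp, "saml", "Issuer", text=IDP_ENTITY_ID)
    el(el(resp, "samlp", "Status"), "samlp", "StatusCode", {"Value": SUCCESS})
    a = el(resp, "saml", "Assertion", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                       "IssueInstant": saml_time(issued_at)})
    el(a, "saml", "Issuer", text=IDP_ENTITY_ID)
    el(el(a, "saml", "Subject"), "saml", "NameID", text=name_id)
    cond = el(a, "saml", "Conditions", {"NotBefore": saml_time(issued_at - timedelta(minutes=1)),
                                         "NotOnOrAfter": saml_time(issued_at + timedelta(minutes=5))})
    el(el(cond, "saml", "AudienceRestriction"), "saml", "Audience", text=audience)
    return ET.tostring(resp, encoding="unicode")

def demo():
    """Run the exchange against a fixed clock; returns the outcome of each scenario."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sp, out = ServiceProvider(clock=lambda: now), {}
    def attempt(xml):
        try: return sp.consume_response(xml)
        except ValueError as e: return "rejected: " + str(e)
    req_id, _ = sp.build_authn_request()
    good = constructed_idp_response(req_id, "alice@example.com", now)
    out["valid"] = attempt(good)
    out["replay"] = attempt(good)  # the same Response posted to the ACS a second time
    req_id, _ = sp.build_authn_request()
    out["wrong_audience"] = attempt(constructed_idp_response(
        req_id, "alice@example.com", now, audience="https://other-sp.example.net/metadata"))
    req_id, _ = sp.build_authn_request()
    out["expired"] = attempt(constructed_idp_response(req_id, "alice@example.com", now - timedelta(hours=1)))
    return out
```

Running `demo()` returns the valid login as `alice@example.com` and a rejection reason for the replayed, mis-addressed and stale responses. The order of the checks is deliberate: cheap structural checks first, then the one-time InResponseTo correlation, then the assertion's own conditions; an SP that skips the audience check will happily accept an assertion the IdP issued for a different application.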
OAuth technically only applies to authorization in an SSO solution. While SAML is designed to support both authentication and authorization, OAuth is only intended to support the authorization component. It is commonly used when an application (the Consumer) needs to retrieve information from another application (the Service Provider) on behalf of a user who has already been authenticated to the Consumer by some other means. There are SSO solutions, though, that rely entirely on OAuth by trusting that if the user holds a valid OAuth token from the other application, the user is valid. In this case, the Consumer creates a user account based on uniquely identifying information pulled from the other application. Be aware that an access token only proves that some application was granted access to the user's data; it does not, on its own, prove who is presenting it. This is why OpenID Connect was layered on top of OAuth 2.0 to carry a proper authentication assertion, and why a Consumer that uses plain OAuth for login should at least confirm that the token was issued to it before treating it as a sign-in.
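To make that caveat concrete, here is an added example (not from the article or from Titan CMS) of the OAuth-only SSO pattern: a constructed in-memory OAuth 2.0 authorization server with an RFC 7662-style introspection call, a naive Consumer login that treats any active token as proof of identity, and a checked login that accepts only tokens minted for the Consumer's own client ID with the scope it asked for. The client identifiers, scope name and user are assumed values.

```python
import secrets
import time

class AuthorizationServer:
    """Constructed stand-in for the other application's OAuth 2.0 server,
    exposing an RFC 7662-style token introspection response."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self._tokens = {}

    def issue_token(self, client_id, sub, scope, ttl=3600):
        """Mint a bearer access token for client_id, acting on behalf of user sub."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"client_id": client_id, "sub": sub, "scope": scope,
                               "exp": int(self.clock()) + ttl}
        return token

    def introspect(self, token):
        meta = self._tokens.get(token)
        if meta is None or meta["exp"] <= self.clock():
            return {"active": False}
        return {"active": True, **meta}

def login_naive(server, token):
    """Anti-pattern: any active token is taken as proof of who the user is."""
    info = server.introspect(token)
    return info["sub"] if info["active"] else None

def login_checked(server, token, my_client_id, required_scope):
    """Accept only tokens minted for this Consumer with the scope it requested."""
    info = server.introspect(token)
    if not info.get("active"):
        return None
    if info.get("client_id") != my_client_id:
        return None  # token was issued to some other application
    if required_scope not in info.get("scope", "").split():
        return None
    return info["sub"]

def demo():
    server = AuthorizationServer()
    # Alice connects a third-party "weather-widget" app to her account (hypothetical
    # app); its operator now holds a token that is perfectly valid for the widget.
    widget_token = server.issue_token("weather-widget", "alice", "profile:read")
    # The operator presents that token to our CRM, which uses OAuth for SSO.
    naive = login_naive(server, widget_token)
    checked = login_checked(server, widget_token, "crm", "profile:read")
    # A token Alice actually granted to the CRM is accepted by the checked login.
    crm_token = server.issue_token("crm", "alice", "profile:read")
    own = login_checked(server, crm_token, "crm", "profile:read")
    # An expired token (ttl=0) is rejected regardless of who it was issued to.
    stale = login_checked(server, server.issue_token("crm", "alice", "profile:read", ttl=0),
                          "crm", "profile:read")
    return {"naive": naive, "checked": checked, "own_token": own, "expired": stale}
```

The naive login signs the widget operator in as Alice, because the token is genuinely active; the checked login refuses it, because it was never issued to the CRM. The same client-ID check is what the `aud`/`azp` claims in an OpenID Connect ID token give you for free.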
Custom SSO is any SSO implementation not based on accepted industry standard protocols. These solutions often follow design patterns similar to SAML-based and OAuth-based SSO, but the data passed between the client, identity provider, and service provider is not carried by a published standard protocol. While custom SSO solutions are not inherently less secure than standards-based ones, they forgo the public scrutiny and off-the-shelf library support the standards enjoy, and they tend to be more limiting, requiring additional implementation and maintenance effort to integrate with other systems. For these reasons, it tends to be more cost effective to choose service and identity providers that support industry standard SSO protocols.
Identity and Service Providers
Service providers can be virtually any software application that supports SSO, and there are literally thousands of applications that support industry standard protocols, including Titan CMS, so I won't even attempt to list examples. The choice of identity providers is nearly as broad. One of the best known is Microsoft's Azure Active Directory. Other popular products are Okta Identity Management, OneLogin, Salesforce Identity, Facebook, and Google. Most support SAML and/or OAuth. Which provider is right for your organization depends on your applications (SPs), how many users you need to support, technology stack preferences and in-house expertise, user experience requirements, and, of course, budget.
Should My Business Use Single Sign-on?
Frankly, yes. If your company is larger than a few employees, implementing SSO is well worth the effort. The biggest advantage of SSO is centralizing user management in a single Identity Provider. Here are a few of the benefits:
- Accounts managed from a single Identity Provider save time and improve security by:
  - Eliminating extra IT time spent learning and managing a plethora of disparate systems
  - Centralizing monitoring and control of account usage, so one account can be disabled when an employee leaves
  - Reducing the need for employees to use a personal password vault (you can implement a policy preventing its use without creating push-back)
- Increasing employee productivity (not to mention morale) by eliminating the activities that lead to "password fatigue"!
Many organizations are already using Microsoft Azure Active Directory or another common identity provider. If you're one of these organizations, be sure to take SSO integration capability into account when selecting applications to support your business. Look for products that support standards compliant SSO protocols such as SAML 2.0 and OAuth 2.0.
Can I Use Single Sign-on with Titan CMS?
Yes, you can! Titan CMS supports standards-based OAuth and SAML Identity Providers through the Titan CMS Single Sign-on Block. As with most standards, there is room for variation and differing interpretations. W3C publishes standards, but we all know that each browser vendor picks and chooses what to implement. It is no different with IdP and SP vendors.
The good news is that Titan CMS already supports several major identity providers, including Azure Active Directory, OneLogin, Salesforce Identity, and VMware Identity. Even better, like everything in Titan, the SSO block is designed to be extensible, allowing support to be added for any Identity Provider protocol (SAML, OAuth, or custom).
Contact Northwoods to learn more about integrating Titan CMS with your Identity Provider.