Single sign-on

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on must internally translate and store credentials for the different mechanisms, from the credential used for initial authentication.


Benefits of using single sign-on include:

  • Reducing password fatigue from different user name and password combinations
  • Reducing time spent re-entering passwords for the same identity
  • Reducing IT costs due to lower number of IT help desk calls about passwords
  • Increases security of third party accounts because long and complicated passwords can be set without needing to remember them. Moreover,a user will not be subjected to phishing or man-in-the-middle attack by entering login credentials at the wrong website.[1]
  • Helps in achieving Bring Your Own Device because multiple accounts (personal, business) can be accessed from anywhere, anytime.[2]

SSO shares centralized authentication servers that all other applications and systems use for authentication purposes and combines this with techniques to ensure that users do not have to actively enter their credentials more than once.


The term enterprise reduced sign-on is preferred by some authors[who?] who believe single sign-on to be impossible in real use cases.

As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle") it increases the negative impact in case the credentials are available to other persons and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.

Single sign-on also makes the authentication systems highly critical; a loss of their availability can result in denial of access to all systems unified under the SSO. SSO can thus be undesirable for systems to which access must be guaranteed at all times, such as security or plant-floor systems.


In March, 2012, a research paper[3] reported an extensive study on the security of social login mechanisms. The authors found 8 serious logic flaws in high-profile ID providers and relying party websites, such as OpenID (including Google ID and PayPal Access), Facebook, Janrain, Freelancer, FarmVille, and Because the researchers informed ID providers and relying party websites prior to public announcement of the discovery of the flaws, the vulnerabilities were corrected, and there have been no security breaches reported. [4]

The problem we see now is that many websites are adopting Facebook’s “Connect” and OpenID to allow for one-click logins to access a website. You sometimes don’t even have the choice of making a separate account on that site, meaning you can’t “opt out” of these SSOs. Sure, your information stays safe with that site, but it’s also stored within a central database under Facebook’s control. While there’s nothing wrong with this, there’s just too much risk involved in putting all your sensitive data from all over the web into one massive identity bubble.

Single Sign-On applications are considered dangerous because access to multiple accounts of a user can be gained through a single set of login credentials. To combat this problem many Single Sign-On applications provide two-factor or multi-factor authentication.

Common configurations[edit]

Kerberos based[edit]

  • Initial sign-on prompts the user for credentials, and gets a Kerberos ticket-granting ticket (TGT).
  • Additional software applications requiring authentication, such as email clients, wikis, revision control systems, etc., use the ticket-granting ticket to acquire service tickets, proving the user's identity to the mailserver / wiki server / etc. without prompting the user to re-enter credentials.

Windows environment - Windows login fetches TGT. Active Directory-aware applications fetch service tickets, so user is not prompted to re-authenticate.

Unix/Linux environment - Login via Kerberos PAM modules fetches TGT. Kerberized client applications such as Evolution, Firefox, and SVN use service tickets, so user is not prompted to re-authenticate.

Smart card based[edit]

Initial sign-on prompts the user for the smart card. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart card-based single sign-on can either use certificates or passwords stored on the smart card.

OTP token[edit]

Also referred to as one-time password token. Two-factor authentication with OTP tokens[5] follows industry best practices for authenticating users.[6] This OTP token method is more secure and effective at prohibiting unauthorized access than other authentication methods.[7]

Integrated Windows Authentication[edit]

Integrated Windows Authentication is a term associated with Microsoft products and refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is most commonly used to refer to the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer. Cross-platform Active Directory integration vendors have extended the Integrated Windows Authentication paradigm to Unix, Linux and Mac systems.

Security Assertion Markup Language[edit]

Security Assertion Markup Language (SAML) is an XML-based solution for exchanging user security information between an enterprise and a service provider. It supports W3C XML encryption and service provider initiated web browser single sign-on exchanges. A user wielding a user agent (usually a web browser) is called the subject in the SAML-based single sign-on. The user requests a web resource protected by a SAML service provider. The service provider, wishing to know the identity of the requesting user, issues an authentication request to a SAML identity provider through the user agent. The identity provider is the one that provides the user credentials. The service provider trusts the identity provider of the user information, to provide access to its services or resources.

Shared authentication schemes which are not single sign-on[edit]

Single sign-on requires that users sign in only once to establish their credentials. Systems which require the user to log in multiple times to the same identity are by definition not single sign-on. For example, an environment where users are prompted to log into their desktop, then log into their email using the same credentials, is not single sign-on.

A newer variation of shared authentication has been developed using mobile devices as access controllers. Users' mobile devices can be used to automatically log them onto multiple systems, such as building access control systems and computer systems, but since access is granted each time, these systems are not technically considered single sign-on.[8]

See also[edit]


  1. ^ Dr. Ken Giuliani. "Smart Single Sign-On". 
  2. ^ Dr. Ken Giuliani. "Smart Single Sign-On". 
  3. ^ Rui Wang, Shuo Chen, and XiaoFeng Wang. "Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services". 
  4. ^ "OpenID: Vulnerability report, Data confusion" - OpenID Foundation, March 14, 2012
  5. ^ Examples are tokens by RSA Data Security, Vasco, Actividentity or Aladdin
  6. ^ OTP use meets the guidelines in DOE Order 205.1 as well
  7. ^ FAQ on OTP Tokens - One Time Password Tokens
  8. ^ "MicroStrategy’s office of the future includes mobile identity and cybersecurity". Washington Post. 2014-04-14. Retrieved 2014-03-30. 

External links[edit]