IAM 101 Series: Single Sign On (SSO)
The What, Why, and How for Those New to Identity and IAM
In recent months, people all over the world have been working, studying, shopping, socializing, even visiting with their doctors online from their homes more than at any other time in history. In fact, a recent Gallup poll found that the number of employed Americans who say they worked from home has doubled since mid-March 2020 to 62%. In terms of socializing and video calls, TechCrunch showcased that Facebook-owned WhatsApp saw a 40% increase in usage in March. And CNBC reports that telehealth visits increased by 50% in March, according to research from Frost and Sullivan.
With this unprecedented number of people requiring access to all sorts of apps, services, and systems remotely from their homes, the question of how to provide easy yet secure access from anywhere at scale is top of mind for organizations. This is no easy undertaking, especially when there are billions of people conducting billions of logins to apps within a single day. And for employers and educational institutions, supporting remote work requires the complex task of ensuring that employees and students have easy, secure access to all the internal work apps, services, and systems they need to do their jobs from home – which, in some cases means providing access even if the employee or student is using their own device, such as a personal computer, tablet, or mobile phone.
What enables easy, secure online access for billions of users across the globe? Identity and access management (IAM) systems. And a core capability of IAM is single sign on (SSO).
So, what is SSO and how does it work? For this SSO 101 post, let’s start from the beginning.
The Origins of SSO
To understand what SSO is and why it’s needed, it’s important to first know how basic, traditional access to apps, services, and systems works and what life was like before SSO.
As you’re well aware, our lives today are filled with using different apps, services, and systems. To gain access to these and all of your personal data and information within them, such as an existing spreadsheet you’ve been working on or what you may have previously placed in your online shopping cart, you must first prove that you are indeed you. In the world of IAM lingo, proving that you are you is called ‘authentication’.
Traditional authentication is done with username and password login credentials. When you enter your username and password, that information gets validated against a repository (such as a database, directory, or even text files) that stores your credentials. If what you typed in matches what’s in the repository, you're in. If not, try again.
When the digital age took flight in the late 1990s and early 2000s, each app, service, and system had its own repository that stored login credentials and user data for authentication. This one-to-one ratio resulted in an enormous number of siloed repositories containing data about a single person. And when developers created a new app, they had to create a new repository along with it to store user credentials for that app — which meant that the number of repositories and silos just kept growing.
From a user experience perspective, because each app, service, and system within an organization had its own separate credential repository, it meant you were required to login with a username and password separately to each for access. This cumbersome process created many problems.
For example, the phrase ‘password fatigue’ was coined because users grew tired of remembering multiple usernames and passwords day in and day out. Organizations had to create policies for employees to not leave passwords written on paper and sticky notes laying out in the open in the office (for real). And every time a user forgot their credentials, they had to call IT to reset them — leading to the creation of full-time IT help desk jobs specific to password resets. Plus, and most importantly, at the time lost or stolen passwords were a top, if not the, leading cause of security breaches.
What was the solution to all of the above? Identity and access management (IAM) systems and single sign on.
What Is SSO and How Does It Work?
Organizations understood the problems that multitudes of usernames and passwords and seperate logins presented. To address the problem, the notion of consolidating the multitudes of individual credential repositories built for each app, service, and system into one repository surfaced. In other words, a multi-to-one ratio — one master repository that stores credential and user data for multiple apps, services, and systems. Identity and access management systems and SSO were thus born.
Identity and access management and SSO solutions have a single identity repository called an identity store that contains user credentials and identity data for multiple apps, services, and systems. This is the underpinning of SSO. Because of this single identity store, users only have to login once in order to gain access to all of the apps, services, and systems associated with that identity store. In other words, SSO enables a user to access multiple applications with one set of login credentials. This means no longer having to remember (or write down) a gazillion passwords and logging into each app separately (yeah!). From this, the world was made more secure, productive, and efficient — and we’ve never looked back.
SSO Evolves to Meet New Trends, Technology, and Risks
An important point to keep in mind here is that the SSO model explained above is its most basic form. At their inception, IAM and SSO were only used internally within a single organization and its security perimeter.
Of course, things have vastly changed since the late 1990s and early 2000s. Technologies like mobile smart devices and IoT, trends like remote working and online shopping, and cybercrime like breaches caused by fraudulent user login tactics have evolved greatly over the decades. To address these, SSO capabilities and sophistication have also evolved.
For example, SSO must now work beyond a single organization’s perimeter to enable remote employees, third-party partners, customers, and even IoT ‘things’ access to apps, services, and systems. This requires technology called ‘federation’ and ‘federated single sign on’. We will discuss federation in our upcoming post IAM 101 Series: Federation and Federated SSO, so stay tuned.
Updating Legacy Single Sign On with Modern SSO Capabilities
Unfortunately, even though the world has greatly changed, most organizations still have large investments in legacy IAM and SSO systems that lack the flexibility to support today’s unique requirements and meet the surge in online demand happening currently. To address this issue, leading organizations have set forth to update their legacy IAM and SSO systems with modern, flexible IAM platforms like the ForgeRock Identity Platform.
For example, a large global retailer with 80,000 internal identities recently had an initiative to modernize their IAM from many legacy and homegrown solutions in order to improve workforce engagement and provide SSO to both on-premises and Software-as-a-Service (SaaS) applications. They also had an aggressive strategy to move 80% to the cloud by the end of 2020. To accomplish all of the above, they needed a state-of-the-art, future-minded IAM platform that could help them achieve their goals. After evaluating five providers, this global retailer selected ForgeRock based on our ability to meet their requirements as well as support their digital transformation and cloud migration initiatives.
With platforms such as ForgeRock, organizations like the retailer above can get all of the new IAM and SSO capabilities they need quickly and cost-effectively without ripping and replacing their legacy IAM systems (such as CA Single Sign-On [SiteMinder], Oracle, IBM, and homegrown solutions). Plus, you can do it within minutes in any cloud environment for millions of identities or as a service.
Again, stay tuned for our IAM 101 Series: Federation and Federated SSO blog post explaining how federation allows external users, such as customers, single sign on access to apps, services, and systems. Until then, learn more about how to connect everyone, anywhere or contact us to get started.