HOME

TheInfoList



OR:

Single sign-on (SSO) is an authentication scheme that allows a user to
log in In computer security, logging in (or logging on, signing in, or signing on) is the process by which an individual gains access to a computer system A computer is a machine that can be programmed to carry out sequences of arithmetic o ...
with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors. It should not be confused with same-sign on (Directory Server Authentication), often accomplished by using the
Lightweight Directory Access Protocol The Lightweight Directory Access Protocol (LDAP ) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory servi ...
(LDAP) and stored LDAP databases on (directory) servers. A simple version of single sign-on can be achieved over IP networks using
cookies A cookie is a baked or cooked snack or dessert that is typically small, flat and sweet. It usually contains flour, sugar, egg, and some type of oil, fat, or butter. It may include other ingredients such as raisins, oats, chocolate chips, nuts ...
but only if the sites share a common DNS parent domain. For clarity, a distinction is made between Directory Server Authentication (same-sign on) and single sign-on: Directory Server Authentication refers to systems requiring authentication for each application but using the same credentials from a directory server, whereas single sign-on refers to systems where a single authentication provides access to multiple applications by passing the authentication token seamlessly to configured applications. Conversely, single sign-off or single log-out (SLO) is the property whereby a single action of signing out terminates access to multiple software systems. As different applications and resources support different
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
mechanisms, single sign-on must internally store the credentials used for initial authentication and translate them to the credentials required for the different mechanisms. Other shared authentication schemes, such as
OpenID OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provider ...
and
OpenID Connect OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provide ...
, offer other services that may require users to make choices during a sign-on to a resource, but can be configured for single sign-on if those other services (such as user consent) are disabled. An increasing number of federated social logons, like
Facebook Connect The Facebook Platform is the set of services, tools, and products provided by the social networking service Facebook for third-party developers to create their own applications and services that access data in Facebook. The current Facebook ...
, do require the user to enter consent choices upon first registration with a new resource, and so are not always single sign-on in the strictest sense.


Benefits

Benefits of using single sign-on include: * Mitigate risk for access to 3rd-party sites ("federated authentication") because user passwords are not stored or managed externally * Reduce
password fatigue Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automat ...
from different username and password combinations * Reduce time spent re-entering passwords for the same identity * Reduce IT costs due to lower number of IT
help desk A help desk is a department or person that provides assistance and information usually for electronic or computer problems. In the mid-1990s, research by Iain Middleton of Robert Gordon University studied the value of an organization's help desks ...
calls about passwords * Simpler administration. SSO-related tasks are performed transparently as part of normal maintenance, using the same tools that are used for other administrative tasks. * Better administrative control. All network management information is stored in a single repository. This means that there is a single, authoritative listing of each user’s rights and privileges. This allows the administrator to change a user’s privileges and know that the results will propagate network wide. * Improved user productivity. Users are no longer bogged down by multiple logons, nor are they required to remember multiple passwords in order to access network resources. This is also a benefit to Help desk personnel, who need to field fewer requests for forgotten passwords. * Better network security. Eliminating multiple passwords also reduces a common source of security breaches—users writing down their passwords. Finally, because of the consolidation of network management information, the administrator can know with certainty that when he disables a user’s account, the account is fully disabled. * Consolidation of heterogeneous networks. By joining disparate networks, administrative efforts can be consolidated, ensuring that administrative best practices and corporate security policies are being consistently enforced. SSO shares centralized
authentication server An authentication server provides a network service that applications use to authentication, authenticate the credentials, usually account names and passwords, of their users. When a client submits a valid set of credentials, it receives a cryptogr ...
s that all other applications and systems use for authentication purposes and combines this with techniques to ensure that users do not have to actively enter their credentials more than once.


Criticism

The term ''reduced sign-on'' (RSO) has been used by some to reflect the fact that ''single sign-on'' is impractical in addressing the need for different levels of secure access in the enterprise, and as such more than one authentication server may be necessary. As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle"), it increases the negative impact in case the credentials are available to other people and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like
smart card A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) c ...
s and
one-time password A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid seve ...
tokens. Single sign-on also makes the authentication systems highly critical; a loss of their availability can result in denial of access to all systems unified under the SSO. SSO can be configured with session failover capabilities in order to maintain the system operation. Nonetheless, the risk of system failure may make single sign-on undesirable for systems to which access must be guaranteed at all times, such as security or plant-floor systems. Furthermore, the use of single-sign-on techniques utilizing
social networking service A social networking service or SNS (sometimes called a social networking site) is an online platform which people use to build social networks or social relationships with other people who share similar personal or career content, interests, act ...
s such as
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...
may render third party websites unusable within libraries, schools, or workplaces that block social media sites for productivity reasons. It can also cause difficulties in countries with active
censorship Censorship is the suppression of speech, public communication, or other information. This may be done on the basis that such material is considered objectionable, harmful, sensitive, or "inconvenient". Censorship can be conducted by governments ...
regimes, such as
China China, officially the People's Republic of China (PRC), is a country in East Asia. It is the world's most populous country, with a population exceeding 1.4 billion, slightly ahead of India. China spans the equivalent of five time zones and ...
and its "
Golden Shield Project The Golden Shield Project (), also named National Public Security Work Informational Project, is the Chinese nationwide network-security fundamental constructional project by the e-government of the People's Republic of China. This project i ...
," where the third party website may not be actively censored, but is effectively blocked if a user's social login is blocked.


Security

In March, 2012, a research paper reported an extensive study on the security of
social login Social login is a form of single sign-on using existing information from a social networking service such as Facebook, Twitter or Google, to sign into a third party website instead of creating a new login account specifically for that website. It ...
mechanisms. The authors found 8 serious logic flaws in high-profile ID providers and relying party websites, such as
OpenID OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provider ...
(including Google ID and PayPal Access),
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...
,
Janrain Janrain, sometimes styled as JanRain, is a customer profile and identity management (CIAM) software provider based in Portland, Oregon, United States. It was established in 2002. Akamai acquired Janrain in January 2019. History Janrain was fou ...
,
Freelancer ''Freelance'' (sometimes spelled ''free-lance'' or ''free lance''), ''freelancer'', or ''freelance worker'', are terms commonly used for a person who is self-employed and not necessarily committed to a particular employer long-term. Freelance w ...
,
FarmVille ''FarmVille'' is a series of agriculture-simulation social network game developed and published by Zynga in 2009. It is similar to ''Happy Farm'' and ''Farm Town''. Its gameplay involves various aspects of farmland management, such as plowing l ...
, and
Sears.com Sears, Roebuck and Co. ( ), commonly known as Sears, is an American chain of department stores founded in 1892 by Richard Warren Sears and Alvah Curtis Roebuck and reincorporated in 1906 by Richard Sears and Julius Rosenwald, with what began a ...
. Because the researchers informed ID providers and relying party websites prior to public announcement of the discovery of the flaws, the vulnerabilities were corrected, and there have been no security breaches reported. In May 2014, a vulnerability named
Covert Redirect Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
was disclosed. It was first reported "Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID" by its discoverer Wang Jing, a Mathematical PhD student from Nanyang Technological University, Singapore. In fact, almost all Single sign-on protocols are affected. Covert Redirect takes advantage of third-party clients susceptible to an XSS or Open Redirect. In December 2020, flaws in federated authentication systems were discovered to have been utilized by attackers during the 2020 United States federal government data breach. Due to how single sign-on works, by sending a request to the logged-in website to get a SSO token and sending a request with the token to the logged-out website, the token cannot be protected with the
HttpOnly HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's ...
cookie flag and thus can be stolen by an attacker if there is an XSS vulnerability on the logged-out website, in order to do
session hijacking In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a '' session key''—to gain unauthorized access to information or services in a computer sy ...
. Another security issue is that if the session used for SSO is stolen (which can be protected with the HttpOnly cookie flag unlike the SSO token), the attacker can access all the websites that are using the SSO system.


Privacy

As originally implemented in Kerberos and SAML, single sign-on did not give users any choices about releasing their personal information to each new resource that the user visited. This worked well enough within a single enterprise, like MIT where Kerberos was invented, or major corporations where all of the resources were internal sites. However, as federated services like Active Directory Federation Services proliferated, the user's private information was sent out to affiliated sites not under control of the enterprise that collected the data from the user. Since privacy regulations are now tightening with legislation like the
GDPR The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in parti ...
, the newer methods like
OpenID Connect OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provide ...
have started to become more attractive; for example MIT, the originator of Kerberos, now supports
OpenID Connect OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provide ...
.


Email address

Single sign-on in theory can work without revealing identifying information such as email addresses to the relying party (credential consumer), but many credential providers do not allow users to configure what information is passed on to the credential consumer. As of 2019, Google and Facebook sign-in do not require users to share email addresses with the credential consumer. '
Sign in with Apple Sign in with Apple is a single sign-on provider operated by Apple Inc., introduced on June 3, 2019 at Apple's 2019 Worldwide Developers Conference (WWDC) in iOS 13. It is designed to allow users to create accounts for third-party services with ...
' introduced in
iOS 13 iOS 13 is the thirteenth major release of the iOS mobile operating system developed by Apple Inc. for their iPhone, iPod Touch, and HomePod lines. The successor to iOS 12 on those devices, it was announced at the company's Worldwide Develop ...
allows a user to request a unique relay email address each time the user signs up for a new service, thus reducing the likelihood of account linking by the credential consumer.


Common configurations


Kerberos-based

* Initial sign-on prompts the user for credentials, and gets a Kerberos
ticket-granting ticket In some computer security systems, a Ticket Granting Ticket or Ticket to Get Tickets (TGT) is a small, encryption, encrypted identification file with a limited validity period. After authentication, this file is granted to a user for data traffic ...
(TGT). * Additional software applications requiring authentication, such as
email client An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email. A web application which provides message management, composition, and reception functio ...
s,
wiki A wiki ( ) is an online hypertext publication collaboratively edited and managed by its own audience, using a web browser. A typical wiki contains multiple pages for the subjects or scope of the project, and could be either open to the pu ...
s, and revision-control systems, use the ticket-granting ticket to acquire service tickets, proving the user's identity to the mail-server / wiki server / etc. without prompting the user to re-enter credentials.
Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
environment - Windows login fetches TGT.
Active Directory Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was used only for centralize ...
-aware applications fetch service tickets, so the user is not prompted to re-authenticate.
Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...
/
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...
environment - Login via Kerberos PAM modules fetches TGT. Kerberized client applications such as
Evolution Evolution is change in the heritable characteristics of biological populations over successive generations. These characteristics are the expressions of genes, which are passed on from parent to offspring during reproduction. Variation ...
,
Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current ...
, and SVN use service tickets, so the user is not prompted to re-authenticate.


Smart-card-based

Initial sign-on prompts the user for the
smart card A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) c ...
. Additional software applications also use the smart card, without prompting the user to re-enter credentials. Smart-card-based single sign-on can either use certificates or passwords stored on the smart card.


Integrated Windows Authentication

''
Integrated Windows Authentication Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included ...
'' is a term associated with
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
products and refers to the
SPNEGO Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants ...
, Kerberos, and
NTLMSSP NTLMSSP ( NT LAN Manager (NTLM) Security Support Provider) is a binary messaging protocol used by the Microsoft Security Support Provider Interface (SSPI) to facilitate NTLM challenge-response authentication and to negotiate integrity and confide ...
authentication protocols with respect to SSPI functionality introduced with Microsoft
Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RTM), releas ...
and included with later
Windows NT Windows NT is a proprietary graphical operating system produced by Microsoft, the first version of which was released on July 27, 1993. It is a processor-independent, multiprocessing and multi-user operating system. The first version of Win ...
-based operating systems. The term is most commonly used to refer to the automatically authenticated connections between Microsoft
Internet Information Services Internet Information Services (IIS-pronounced 2S, formerly Internet Information Server) is an extensible web server software created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP and NN ...
and
Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated IE or MSIE) is a series of graphical web browsers developed by Microsoft which was used in the Windows line of operating systems ( ...
. Cross-platform
Active Directory Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was used only for centralize ...
integration vendors have extended the Integrated Windows Authentication paradigm to Unix (including Mac) and Linux systems.


Security Assertion Markup Language

Security Assertion Markup Language (SAML) is an
XML Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing arbitrary data. It defines a set of rules for encoding documents in a format that is both human-readable and machine-readable ...
-based method for exchanging user security information between an SAML identity provider and a SAML service provider.
SAML 2.0 Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization identities between security domains. SAML 2.0 is an XML-based protocol that uses security tokens conta ...
supports
W3C The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 and led by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working to ...
XML encryption and service-provider–initiated web browser single sign-on exchanges. A user wielding a user agent (usually a web browser) is called the subject in SAML-based single sign-on. The user requests a web resource protected by a SAML service provider. The service provider, wishing to know the identity of the user, issues an authentication request to a SAML identity provider through the user agent. The identity provider is the one that provides the user credentials. The service provider trusts the
user information User information is information transferred across the functional interface between a source user and a telecommunications system for delivery to a destination user. In telecommunications systems, user information includes user overhead informat ...
from the identity provider to provide access to its services or resources.


Emerging configurations


Mobile devices as access credentials

A newer variation of single-sign-on authentication has been developed using mobile devices as access credentials. Users' mobile devices can be used to automatically log them onto multiple systems, such as building-access-control systems and computer systems, through the use of authentication methods which include
OpenID Connect OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provide ...
and SAML, in conjunction with an
X.509 In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secu ...
ITU-T The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors (divisions or units) of the International Telecommunication Union (ITU). It is responsible for coordinating standards for telecommunications and Information Comm ...
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
certificate used to identify the mobile device to an access server. A mobile device is "something you have," as opposed to a password which is "something you know," or biometrics (fingerprint, retinal scan, facial recognition, etc.) which is "something you are." Security experts recommend using at least two out of these three factors (
multi-factor authentication Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting ...
) for best protection.


See also

*
Account pre-hijacking Account pre-hijacking attacks are a class of security exploit related to Online service provider, online services. They involve anticipating a user signing up for an online service and signing up to the service in their name, and then taking over t ...
* Central Authentication Service * Identity management * Identity management systems *
List of single sign-on implementations These are some of the notable Single Sign-On (SSO) implementations available: {, class="wikitable sortable" style="text-align: center;" ! Product Name ! Project/Vendor ! License ! Identity management platform ! Description , - , Accounts & SS ...
*
Password manager A password manager is a computer program that allows users to store and manage their passwords for local applications and online services. In many cases software used to manage passwords allow also generate strong passwords and fill forms. Pas ...
* Security Assertion Markup Language *
Usability of web authentication systems Usability of web authentication systems refers to the efficiency and user acceptance of online authentication systems. Examples of web authentication systems are passwords, federated identity systems (e.g. Google oAuth 2.0, Facebook connect, Mozill ...


References


External links


Single sign-on intro with diagrams
{{DEFAULTSORT:Single Sign-On Password authentication Federated identity Computer access control