How many passwords do you have to remember on a daily basis? Think about all the systems, applications and websites that you regularly access – how many different sets of credentials do you need to keep track of to use them all? Then consider this: how many passwords do your customers – internal or external – need to remember to use all the various applications (websites, intranets, extranets) your organisation maintains?
In an increasingly competitive climate, companies in every sector are striving towards smoother user experiences and increased efficiency for staff and clients alike. Security is paramount, especially for business-critical operations – however, in this instance, “security” usually manifests as another set of credentials for the users of the system. The response to these concerns is Single Sign-On (SSO) – an application that allows companies to manage identity across a range of sites without compromising security.
SSO is a powerful, cost-effective solution that can increase productivity for both your users and your technical staff by improving user experience and reducing the maintenance burden. It’s particularly beneficial to companies with multiple websites/web applications, significantly simplifying the user journey across different sites. In this guide, we will examine how SSO works, what its benefits are, and what risks should be considered before implementing a single-sign on solution for your website. We’ll also look at a few case studies where SSO has created real business value by improving user experience and reducing development and maintenance costs. The guide is limited to web single sign-on (Web SSO), i.e. managing sign-on for web-based applications.
What is it?
Customer-facing web applications and portals are becoming ever more sophisticated. Especially in the B2B world, a key service differentiator is the tooling and added value that your systems can bring to your customers. This usually means increasing integration with multiple back-end systems in order to present a “joined-up” user experience.
As a result of this complexity, authentication can be particularly challenging, as each back-end application may have its own security infrastructure. However, despite the technical complexities that may lie underneath the user interface, our job is to translate new web technology into seamless user experiences. This applies regardless of whether we are serving internal users or external clients.
SSO offers a flexible solution to the problem: it simplifies the work of the developers, and creates a more user-friendly experience for your clients. Users only log in once, with one username and password, and are then granted access to multiple systems with this one login.
Benefits of SSO
It’s easy to see the advantages of SSO from a user’s perspective: fewer passwords to remember usually means fewer passwords forgotten. For external users, this translates into increased user productivity, creating a more positive brand experience and improved customer service.
But just as importantly, your internal team – developers, system administrators, and security professionals – will witness a significant boost in efficiency. Maintaining the SSO, as opposed to various different authentication systems, means a direct cost reduction.
How long does it take for a new employee to have access to all the systems he or she will need to be effective in their job? And when someone does move on from the organisation, how certain are you that all their accounts have been decommissioned appropriately? SSO brings a central point for identity, making it easy to manage accounts in one go, and giving clear visibility of what is available to whom.
As new technologies come on-stream and your team is launching new sites or apps, these can make use of the SSO, reducing development time and removing the overhead of yet another set of credentials to manage.
SSO is about more than an invisible back-end system; it provides a simple, clear interface to managing identity and permissions across all integrated systems. It allows you to set up roles to cover access rights across multiple systems and multiple user groups.
What are the risks of implementing SSO?
Despite its benefits, there are some potential risks to consider when implementing SSO.
Perhaps most importantly, SSO can be considered as a single point of attack. Maintaining a single, robust solution is of course far more secure than having each web application use its own authentication method. However, implementing SSO without considering the security aspects could mean that should an unwanted third party gain access to one application, they may be able to cause damage across all of the sites. It’s important to select a partner that has experience in implementing SSO in environments where security is a key component.
Before embarking on an SSO project, it is essential to analyse your existing environment and applications: how can these be adapted to seamlessly integrate with the SSO? How many applications need to work with the SSO? The more complex your existing environment, the higher the initial implementation costs. It’s also important to ensure that the SSO is designed to be compatible with your existing corporate security policies.
SSO typically sits within a wider architectural concept referred to as a Service Layer. As the name implies, it is a web layer that provides services – such as SSO – to various apps and sites within your IT environment. Selecting a modern, lightweight service layer solution makes it easier to fit or retrofit reusable solutions which can evolve and adapt through a long lifetime. The SSO is a best-of-breed application providing a single purpose, and is designed to provide identity as a service even as elements of your IT infrastructure update.
Espresso - open source single sign-on
The only major open source SSO product, up until very recently, has been Sun’s Java Open Source Single Sign-On (formerly Identity Manager). Whilst this has served its purpose over the years, it is heavyweight, requiring a Java infrastructure and the related hardware investment.
Because of the increasing demand for an enterprise-ready, yet lightweight identity management and single sign-on solution in PHP, Inviqa recently developed espreSSO.
espreSSO is a solution that takes on responsibility for identity management across all offerings of an organisation. It places emphasis on integrating with existing tools of all kinds, and provides centralised identity management as a service. By design, it is a fast and responsive system, which is very important: a bottleneck at this point in a system would cause problems across the board.
Because espreSSO is written using the open source programming language PHP, it is unobtrusive, and sits comfortably within most technology stacks. That means it can be implemented in most environments without extensive retrofitting.
We’ve open-sourced espreSSO, meaning anyone can use the code to implement a single sign-on solution in their own environment.
Making the selection
When deciding whether SSO will be the right option for you, consider the following points:
- Will the solution support your organisation’s long-term goals?
- Is the SSO compatible or easily integrated with your existing technology stack?
- What additional costs are there, for example vendor support or customisation costs for existing applications?
- Will SSO result in added value for users, in terms of a seamless user experience or increased efficiency?
- Can SSO be implemented securely and to comply with your company security policies?
- Does SSO fit well with the roadmap for your organisation’s IT infrastructure?
- What will be the total cost of ownership for the solution?
Single sign-on can be beneficial in most industries, especially in portal-type applications. Here are a few typical situations in which SSO can prove particularly useful.
Broadcasters with a variety of TV shows can allow fans of different shows to use one login for the websites of all their favourite programmes – as opposed to having a separate login for each site. The same applies to publishers with multiple online services (such as subscription management and ecommerce). A large UK broadcaster has used espreSSO to provide its online audiences easy, secure access to multiple websites – a key plank in ensuring a smooth online user experience. When visitors sign up for one of the broadcaster’s websites, they’ll gain immediate access to all the other sites as well. The internal IT team saves valuable time when new sites are launched: there is no need to rebuild the authentication mechanism from scratch. All that’s needed is to plug the new site into the espreSSO single sign-on service.
Telecommunications companies, especially within the B2B space, maintain various systems for fault logging, customer service, and more. By implementing SSO, companies can offer their clients a unified experience, with access to all relevant services with one login. After a series of bold acquisitions, one of the leading telecommunications companies in the UK faced an infrastructure of more than 40 disparate, complex IT systems. Despite this complexity in the back-end, the company wanted to offer its clients access to a single, easy-to-use portal. With espreSSO, customers no longer have to log onto multiple systems to report faults, manage accounts and communicate with the company. With the move from a mostly telephone-based service to the new, intuitive online system, the company now estimates 1,500 fewer calls on a weekly basis, resulting in significant cost savings.
In this guide, we have discussed the concept of Single Sign-On (SSO) by describing its high-level architecture, its benefits and the risks associated with it. We’ve also established the importance of carefully evaluating your current environment, users and internal requirements before embarking on an SSO implementation project. Finally, we’ve looked at a few examples from different industries where SSO has provided a significant boost in productivity and user experience.
Image: © Ginny via Flickr under Creative Commons Attribution-ShareAlike 2.0 Generic