How Does Single Sign-On Work?

The reliance on unique usernames and passwords for every application is a common scenario that results in password fatigue and increased security risks. Single Sign-On (SSO) is the solution to this problem: a smart method that drastically simplifies the login process by granting access to multiple applications after just one login. This also benefits IT administrators and Chief Information Security Officers (CISO) in terms of management and compliance in information security. This article will dive deeper into how SSO works and the benefits it provides, and highlight how an Identity Access Management tool like Topicus KeyHub puts this technology into practice. 

How Single Sign-On Works 

The principle behind SSO is relatively simple. A user logs into a central application, also known as an Identity Provider (IdP). This service verifies the user's identity. The user can then log into different target applications (Service Providers, or SPs) based on the previous login to the central application. The target applications redirect the user to the central application, which, after verification, sends the user back with the necessary information. This verification happens quickly and, if the user is already logged in, often goes unnoticed in the browser. This process is secure and reliable because all traffic runs over encrypted connections and the identification is digitally signed. 

Several protocols support this process. The two most commonly used are SAML 2 (Security Assertion Markup Language) and OpenID Connect (OIDC), a variant of OAuth 2.0. Each has its own specifications, but the core functionality remains the same: one-time authentication for multiple services. 

Requirements for SSO Implementation 

Successful SSO implementation requires a few key elements: 

• Identity Provider (IdP): A central IdP is needed to handle user authentication. This can be an existing directory service, such as Active Directory, or a cloud-based solution. 

• Application Compatibility: For an application (Service Provider) to be connected, it must support the SSO protocol. 

• Centralized Management: A central platform is needed to manage users, groups, and access to applications. This is where Identity and Access Management (IAM) comes in. 

Benefits of Single Sign-On (in Practice) 

SSO offers benefits for both users and administrators. Users only need to remember one account and its login credentials, and typically only have to log in once per day, which significantly increases user-friendliness. For administrators, this means fewer forgotten passwords and less manual account management across different applications. 

Additionally, SSO enhances security and efficiency. When an employee leaves the company or their rights change, their account only needs to be adjusted or disabled in the central application (the main application). This automatically revokes access to all target applications, making the chance of unintended active accounts nonexistent. Moreover, the central application gives security officers an overview of which users are logging into which target applications, which centralizes access monitoring. 

Forms of SSO and Their Application 

There are various protocols to manage Single Sign-On (SSO). The three most common methods each serve a different purpose. 

• OpenID Connect (OIDC): The modern, lighter standard for SSO. It's an extension of OAuth 2.0 that adds authentication, allowing it to both verify identity and manage access. It's perfect for consumer apps and new web and mobile applications. 

• SAML (Security Assertion Markup Language): An older but robust protocol for browser-based SSO in enterprise environments. Ideal for connecting on-premise systems and cloud applications where strong security and digital signing are required. 
• OAuth 2.0 (Open Authorization): An authorization protocol used to grant third-party applications access to resources without sharing the user's login credentials. Strictly speaking, OAuth 2.0 is not SSO, but the flow is similar and can be almost indistinguishable from SSO for the user. It is widely used by large platforms and for mobile and desktop apps.
  
   

How Single Sign-On Works with Topicus KeyHub 

Topicus KeyHub is a Dutch Identity & Access Management (IAM) platform. Simply put, it helps organizations gain control over digital access and make information security demonstrable, which helps with audits and compliance. 

The most common way Single Sign-On works is through the OIDC flow, with Topicus KeyHub acting as the central Identity Provider (IdP). 

KeyHub as the Central Identity Provider 

Topicus KeyHub serves as the central Identity Provider (IdP) in the SSO landscape. This means it is the primary source of truth for user identity. Instead of logging into each individual application, employees log into KeyHub once. This always happens with Two-Factor Authentication (2FA), which adds an extra layer of security to every connected application.  

The Benefits of SSO 

By integrating SSO with Topicus KeyHub, you, as an IT administrator and security officer, benefit from the following advantages: 

• Increased Security: Because the login always goes through KeyHub, every connected application is protected by KeyHub's 2FA. Furthermore, users have fewer passwords to remember, which reduces the chance of weak passwords or password reuse. You also gain central control: not only through the audit log, but also because all access management takes place in KeyHub. You can see in real-time who has access to which applications and use auditing to demonstrate that this access is periodically reviewed. This is how KeyHub maintains a living authorization matrix. 

• Improved User-Friendliness: Employees only need to log in once per workday and get immediate access to all necessary applications. This saves time and reduces friction in daily work processes. 

• Automated Management: The assignment of access rights is no longer a manual process. When an employee is added to a group in KeyHub, they immediately get the correct access rights to the associated applications. The same applies when an employee is removed from a group: their access rights are immediately revoked. 

• Extensive Control and Audit: KeyHub maintains a detailed audit log of which employee requested access to which application and when. This ensures transparency and makes it easier to comply with compliance requirements like ISO 27001 and BIO 2.0. 

Group Memberships Determine Access 

The power of KeyHub's SSO functionality lies in the concept of group-based access. After a successful login to KeyHub, an employee's authorizations are not managed individually but are determined by the groups they belong to. This means that if an employee is a member of the "Financial Administration" group, they automatically get access to all applications linked to that group. 

When an employee visits an application linked to KeyHub via SSO, the following process takes place: 

1. The application (the Service Provider) recognizes that the user is not logged in. 
2. The application redirects the user to Topicus KeyHub for authentication. 
3. The user is already logged in to KeyHub (with 2FA) and shares a secure token with the application. 
4. KeyHub confirms the user's identity and provides authorizations based on their group memberships. 
5. The application grants access to the user without needing a new password. 

This entire process is seamless and lightning-fast, thanks to the use of well-known protocols like SAML and OIDC. 

Want to Know More? 

Want to learn more about Single Sign-On? Feel free to contact us.