One of the most rapid developments within the IT world is Single-Sign On. Or in plain terms, one login to all corporate resources such as Email, Sharepoint and calendars. Where SSO extends beyond traditional cert-based authentication (Ex. Kerberos), is the ability to hook into external services such as Salesforce, Dropbox, or other external applications that your organization uses.
From an end-user perspective, it can significantly enhance the experience as users are no longer required to enter and remember passwords for their various services – it’s all being handled through an SSO. This can significantly reduce help-desk tickets regarding forgotten passwords, or general account issues.
From a security perspective however, accommodations are usually made in order to meet security demands. As an example, a more security-centric organization may require the use of Multi-Factor Authentication (MFA), an authentication method with two verifications. Usually the first authentication is something such as a password or credential that is given to a user (Ex: Smart Card or PIV-Derived credential). The second authentication usually is a device code that is either sent via SMS or email, or is present on the device (Ex. Applications such as on the users mobile device that have a revolving code). This authentication can be configured at different intervals depending on security and user experience concerns.
One important observation that should be highlighted is that in cases where the password is being replaced with an MFA solution implementing a credential and revolving code, this can actually improve security. The common attack vectors regarding simple passcodes, brute forcing and social engineering, become much more difficult to achieve. From a security and productivity standpoint can create significant improvements.
IT Departments then are responsible for migrating their users towards these SSO solutions in a smooth fashion. IT Departments must also recognize that SSO does not come without it’s challenges. In implementing SSO, an IT organization must have adequate planning as well as technical capability in performing the cutover from passwords. The most common pitfalls PaRaBaL has seen can be avoided through cautious, but deliberate action. Communication amongst all teams is imperative. The Executive team must be briefed on the changes that will occur as well as costs. The users need to understand how to enable SSO appropriately and the security changes needed for a MFA. The IT staff most of all, need to know all components affected, and technical resources required in order to implement the changes.
Amongst the various SSO vendors, the industry leaders primarily point towards, Okta, Microsoft ADFS and Centrify. All three provide basic SSO functionality between corporate infrastructure and devices. If all vendors provide basic SSO functionality (they do), what differentiates these vendors from each other?
As an IT Administrator, one could simply go with what “Product Shop” you are currently with. Wouldn’t that be the most effective path? Well, in some cases, yes – actually. From PaRaBaL’s standpoint, we found issues when attempting to implement O365 with a third-party SSO. In some instances, specific attributes stored within their Azure Active Directory weren’t syncing with the SSO. This eventually resulted in their SSO into Office 365 products being limited, and caused the client second-guessing their 3rd-Party SSO solution. As a result, the client was technically forced onto the Vendor’s SSO solution. The other obvious consideration was cost-savings as the SSO components can be bundled with other software purchased from the manufacturer.
In short, the effects of SSO can be seen as a natural evolution of the certificate-based authentication that occurs with Exchange to services such as Dropbox, or the Office 365 suite. Mobile IT administrators must be cognizant of the challenges in moving off a password-based system and onto a SSO system involving many 3rd-Party systems that require configuration and testing. Only planning, testing, and effective communication can successfully implement SSO into an existing environment. In doing so, a Mobile IT administrator can significantly improve their infrastructure and user experience. This obviously results in a much more successful program and adoption of the software.
For now, questions regarding past experiences or discussions regarding the content of this blog, please feel free to contact PaRaBaL at 1(866) 630-1893