Single Sign-on Setup

Introduction to Single Sign-On (SSO)

With Single Sign-On (SSO) a user can log into multiple apps with just one set of credentials. The user does not need to remember multiple passwords. Using SSO is not only friendlier to users, but also more secure than using multiple passwords.

The best-known on-premise SSO solution is Microsoft Active Directory Federation Services (ADFS) which is part of Microsoft Windows Server. Various third parties provide SSO cloud solutions, such as Microsoft Azure, Google G Suite, and Okta. These cloud solutions often provide other functionalities in addition to SSO.

Pros and cons of per-app access

It is in principle safer to use a very strong password per application, since this would appear to limit the scope of any breaches. This method, however, has several disadvantages:

  • Password management per application involves additional administrative burden. Users often forget their passwords, and the more passwords a user has to maintain, the higher the chance that they are lost.

  • It is difficult for an organization to implement a coherent per-application password policy.

  • It is especially hard to prevent password reuse across applications, which decreases the theoretical advantages offered by having per-app passwords.

  • Monitoring/logging access to individual applications is complex and it’s harder to detect breaches.

Benefits of using SSO

SSO simplifies password management for both administrators and users:

  • A user only needs to remember one password and can always log in to multiple applications.

  • Accounts can be managed centrally, which reduces the administrative burden of resetting passwords.

  • If a contractor or employee leaves service, all access can be withdrawn at the push of a button.

  • With cloud SSO solutions, it is very easy to provide additional security for accounts with Multi-Factor Authentication (MFA).

  • Cloud SSO solutions often provide an app dashboard. With one click, the user can start any application and is automatically logged in.

  • Most SSO cloud solutions offer good monitoring, so any breach will be quickly detected.

Disadvantages of using SSO

The biggest (practical) disadvantage of using SSO is that one set of credentials (one login name and password) gives access to multiple applications. If a malicious person or organization gains access to these credentials, they will have the same level of access as the logged-in user, so multiple apps can be compromised at the same time. In principle, it is also possible that a compromised IdP will leak access credentials, but any Identity Provider (e.g. Okta) will devote far more resources to preventing this than most IT departments can.

Identity Providers (IdP)

SSO works on the basis of an IdP and a service provider (SP). The IdP is the gatekeeper that authenticates the user. The IdP authenticates a user when the user wants to log into an application, either starting from the application itself (SP initiated) or starting from the IdP, for example via an app dashboard (IdP initiated). In both cases the application is the SP.

Suppose an SP has an SSO link with an IdP. The SP can only log in the user after the IdP has authenticated the user. There is a trust relationship between the IdP and the SP. The SP trusts that the IdP authenticates the user properly and securely. Conversely, the IdP trusts the SP to log in the authenticated user, and not another user.
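As an added example (not ZIVVER's or any IdP's code), here is the SP side of the trust relationship described above: before accepting the IdP's statement that a user is logged in, the SP checks that the SAML 2.0 assertion comes from the trusted IdP, is addressed to this SP, is still within its validity window, and matches the login flow (SP initiated with a request ID, or IdP initiated without one). The entity IDs, timestamps and sample assertion are constructed; XML-DSig signature verification against the IdP's certificate is assumed to be done by the SAML library before these checks and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDP = "https://idp.example.org/metadata"  # assumed IdP entityID
SP_ENTITY_ID = "https://sp.example.org/saml"       # assumed SP entityID

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, request_id=None):
    """Return the NameID if the SP may trust this assertion, else raise ValueError.
    request_id is the AuthnRequest ID for an SP-initiated login; None means
    IdP-initiated (started from the IdP's app dashboard)."""
    # Assumed: the XML-DSig signature was already verified against the IdP's
    # certificate from its metadata, so the content below is authentic.
    a = ET.fromstring(xml_text)  # use defusedxml for untrusted input in production
    if a.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_resp = scd.get("InResponseTo") if scd is not None else None
    if in_resp != request_id:  # unsolicited response in an SP-initiated flow, or vice versa
        raise ValueError("InResponseTo does not match the login flow")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def reject_reason(xml_text, now, request_id=None):
    """None when the assertion is accepted, otherwise the reason it was refused."""
    try:
        validate_assertion(xml_text, now, request_id)
        return None
    except ValueError as e:
        return str(e)

# Constructed sample assertion for an SP-initiated login answering request "_req42".
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
<saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.org</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_req42"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.org/saml</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion>"""
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # constructed clock inside the window
```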

The use of SSO in ZIVVER

If an organization sets up an SSO link with ZIVVER, then the organization takes full responsibility for authenticating its users. Namely, the IdP indicates to ZIVVER (the SP) that a specific user is logged into ZIVVER. The organization thereby guarantees that the IdP authenticates the user in a secure manner (if necessary using multiple factors) and that this authentication cannot be circumvented by a malicious person / organization. ZIVVER does not check the SSO login attempt and does not use its own MFA (multi-factor authentication) if SSO is present. By default, all ZIVVER accounts are extra protected with MFA, unless the organization turns off this security layer by using SSO.

Technical support

ZIVVER can set up an SSO link with any IdP, as long as the IdP supports SAML 2.0. Currently the following IdPs are supported "out of the box":

Okta

Contact ZIVVER at enterprise@zivver.com if your organization wants to set up an SSO link with an IdP for which a manual is not yet available.

External access

Not all IdPs can be accessed externally, that is, from outside the company network. An IdP in the cloud can of course be accessed regardless of location. To use ZIVVER, it is important that the IdP can be accessed externally. Users can log in anywhere (at home or on the road) in the WebApp, the Mobile App (for Android/iOS) and the OWA add-in.

Note
If the IdP cannot be accessed externally, users will only be able to log in to ZIVVER internally. This is because password login is not permitted for user accounts while SSO is active. Administrator accounts are permitted to log in externally using a password.
