
Single Sign-On: What it is and how it works

Maciej Bartłomiej Sikora
Content Writer

Nowadays, single sign-on (SSO) authentication is required more than ever. Many websites offer users the option to sign up with Google, Apple, or any other service. Chances are you have logged in to something via single sign-on today or at least this week. But do you know what it is, how it works, and why it's used? Take a deep dive into the world of single sign-on and all things related to it.

What is SSO?

Single sign-on is a session and user authentication service that allows the user to use a single set of login credentials – namely, a username and password – to access multiple websites or applications. Put plainly, SSO allows users to sign up and access a variety of online accounts with a single username and password, thus making things a lot easier for the everyday user. SSO's primary use is as an identification system that permits websites and apps to use the data of other trusted sites to verify a user upon login or sign-up.

Essentially, SSO puts an end to the days of remembering and entering multiple passwords. An added bonus is that SSO gets users out of the vicious password reset loops.

Additionally, SSO can be great for business, as it improves productivity, security control, and management. With a single security token (a username and password), IT professionals can enable or disable a user’s access to multiple systems, which in some cases mitigates cybersecurity risks.

So, how does the magical service work?

How does SSO work?

Single sign-on is a component of a centralized electronic identity known as federated identity management (FIM). FIM, or Identity Federation, is a system that enables users to use the same verification method to access multiple applications and other resources on the web. FIM is responsible for a few essential processes:

  • Authentication

  • Authorization

  • User attributes exchange

  • User management

When we talk about SSO, it is important to understand that it is primarily related to the authentication part of the FIM system. It's concerned with establishing the user's identity and then sharing that information with each platform that requires that data.


Fancy jargon aside, here are the basic operational processes of single sign-on:

  • You enter a website.

  • You click “Sign In with Apple” or any other service.

  • The site opens Apple's account login page.

  • If you're already logged in, then it gives the site your data.

  • You are logged in to your Apple account.

  • Apple's site verifies that you are authorized to access the site.

  • If you're authorized, the site creates a session for you and logs you in.

In technical terms, when the user first signs in via an SSO service, the service creates an authentication cookie that remembers that the user is verified. An authentication cookie is a piece of code stored in the user's browser or the SSO service's servers. Next time the user logs in to that same app or website using SSO, the service then transfers the user's authentication cookie to that platform, and the user is allowed to access it. It's important to highlight that an SSO service doesn't identify the exact user since it does not store user identities.

What is an SSO Token?

An SSO token is a digital unit that contains data about a particular user such as their email address. The token is used to transfer user information from one system to another during the single sign-on process. For the recipient to verify that the token comes from a trusted source, it has to be signed digitally.

The SSO service creates a token whenever a user signs in to it. The token works like a temporary ID card which helps identify an already verified user. This means that when the user tries to access a given app, the SSO service will need to pass the user’s authentication token to that app so they can be allowed in.
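
The signing and verification described above, as an added example that is not from the original article or from any SSO vendor: an identity provider signs a token with an Ed25519 key, and the application checks the signature, issuer, audience and expiry before trusting the email inside. The two-part token layout, the claim names (`iss`, `aud`, `exp`, `email`) and the example.com URLs are assumptions chosen for illustration.

```javascript
// Added example: token layout, claim names and example.com URLs are constructed.
const crypto = require('node:crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');

// Identity provider side: sign the user's claims with the provider's private key.
function issueToken(claims, privateKey) {
  const body = b64u(JSON.stringify(claims));
  return `${body}.${b64u(crypto.sign(null, Buffer.from(body), privateKey))}`;
}

// Application side: trust the claims only after every check passes.
function verifyToken(token, publicKey, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [body, sig] = parts;
  // Signature first: nothing in the body is read before it is authenticated.
  const authentic = crypto.verify(null, Buffer.from(body), publicKey, Buffer.from(sig, 'base64url'));
  if (!authentic) return { ok: false, reason: 'bad signature' };
  let claims;
  try {
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (claims.iss !== expected.issuer) return { ok: false, reason: 'wrong issuer' };
  if (claims.aud !== expected.audience) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  return { ok: true, email: claims.email };
}

// Constructed scenario: one valid token and four that must be rejected.
function demo() {
  const idp = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519'); // a key the app does not trust
  const now = 1700000000;
  const expected = { issuer: 'https://idp.example', audience: 'https://app.example' };
  const claims = { iss: expected.issuer, aud: expected.audience, email: 'user@example.com', exp: now + 300 };
  const good = issueToken(claims, idp.privateKey);
  const edited = b64u(JSON.stringify({ ...claims, email: 'admin@example.com' })) + '.' + good.split('.')[1];
  const check = (t, at = now) => verifyToken(t, idp.publicKey, expected, at);
  return {
    good: check(good),
    edited: check(edited),
    untrustedKey: check(issueToken(claims, other.privateKey)),
    otherApp: check(issueToken({ ...claims, aud: 'https://other.example' }, idp.privateKey)),
    stale: check(good, now + 3600),
  };
}
console.log(demo());
```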


Is single sign-on secure?

Yes. An SSO protocol is secure when implemented and managed properly and used alongside other cybersecurity tools.

The main benefit introduced by single sign-on with regard to cybersecurity is that, because it allows using a single set of credentials for multiple services, there are fewer login details to be lost or stolen. As long as the server is secure and an organization's access control policies are established, a malicious user or an attacker will have little to no chance to do any damage.

However, this benefit could also pose a certain kind of risk. Since SSO provides instant access to multiple accounts via a single endpoint, if a hacker gains access to an authenticated SSO account, they will also gain access to all the linked applications, websites, platforms, and other online environments.

This issue can be easily mitigated by implementing an additional layer of security known as Multi-Factor Authentication. Combining SSO with MFA allows service providers to verify users' identity while giving them easy access to applications or online platforms.

Top single sign-on solutions

Some SSO services are more popular and trusted than others, and many can be used to log in to various platforms, including NordPass. Let’s explore the most commonly used SSO options, see if they can be set up for NordPass, and explain how to configure them.

Microsoft Entra ID

Microsoft Entra ID, Microsoft’s cloud-based identity and access management solution, has built-in support for SSO. Additionally, it offers reporting, security analytics, and multi-factor authentication (MFA) to keep your organization secure. So, whether you're a small business or a large enterprise, MS Entra ID is a flexible solution for a company using the Microsoft Azure cloud.

NordPass supports Microsoft Entra ID SSO, allowing your organization’s members to quickly and securely log in using their MS Azure credentials. To enable this SSO option, simply configure it in the Admin Panel. If you need help, check out our Help Center article for step-by-step instructions.

Google Workspace

Google Workspace offers one of the most popular SSO services, thanks to its smooth integration with a wide range of applications and its ability to help IT teams easily manage user access and permissions. Being a Google product, it naturally makes it super easy for users to access popular Google tools like Gmail, Google Drive, and Google Meet—but it also makes logging in to third-party apps really smooth.

A good example is NordPass, which fully supports the Google Workspace SSO method. Therefore, if your company uses both Google Workspace and NordPass, you can configure it so employees can sign in to NordPass using their Google credentials. For detailed instructions on how to do this, please refer to our Help Center article.

Okta Identity Cloud

Okta is well-established in the world of SSO solutions and is one of the leaders in open-source SSO due to its flexibility and ease of use. It offers real-time, customizable open identity management based on business needs, as well as two-factor authentication and password reset functionality. Okta can serve the needs of various industries, from education and nonprofits to financial services and government.

NordPass provides support for Okta SSO, meaning your team can use their Okta credentials to log in to NordPass smoothly, without needing a user password. Check out our Help Center article to see how to quickly set up this SSO option for all members of your organization.

Other solutions

Aside from the widely used SSO solutions like Google Workspace, Okta, and MS Azure, there are a few other options available. While they offer strong security features, some of them may lack the extensive integrations that these major solutions provide. Here are a few:

OneLogin Unified Access Management Platform: OneLogin is an open-source SSO provider that is often used for employee access to the company's cloud-based applications. OneLogin is suited for a variety of IT administrator needs since it is designed to enforce IT policies in real time. It can also be updated according to specific needs if any changes occur, such as an employee leaving.

Idaptive Application Services: Idaptive is primarily suited for small to medium-sized businesses. Idaptive can provide support to many users at once, thanks to their new cloud architecture. The company also offers adaptive MFA, enterprise mobility management (EMM), and user behavior analytics (UBA), all in a single solution.

Ping Intelligent Identity Platform: Ping offers services for large enterprises. The solution can serve anywhere between a few hundred to a few million users. Ping provides both on-premises and cloud options for deploying their solution. Additionally, the service comes with multi-factor authentication.

The benefits of SSO

Reduced password fatigue

With SSO in place, users only have to remember one password, making life a lot easier. Password fatigue is real and dangerous. SSO encourages users to come up with a single strong password rather than using a simple one for each account separately. It also helps users escape the vicious cycle of password reset loops.

Increased employee and IT productivity

When deployed in a business setting, SSO can be a real time saver. According to a recent report, people waste 16.3 billion hours a year trying to remember, type, or reset passwords. In a business environment, every minute counts. Thanks to SSO, users don't need to hop between multiple login URLs or reset passwords and can focus on the tasks at hand.

Enhanced user experience

One of the most valuable benefits of SSO is an improved user experience. Because repeated logins are not required, users can enjoy a digital experience with less hassle. This means that users will be less hesitant to use the service. For any commercial web-based service, SSO is an essential part of their user experience.

Centralized control of user access

SSO offers organizations centralized control over who has access to their systems. In a business setting, you can use SSO to grant new employees specific levels of access to different systems. You can also provide employees with a single set of credentials (username and password) to access all company systems.

Single sign-on costs

Because many of the SSO solutions currently available on the market are cloud-based, most of them are offered in a monthly subscription model. The price of a cloud-driven SSO solution designed for small and mid-sized businesses can range from $1 to $10 per user per month.

However, those who want an SSO solution designed for a big enterprise will need to either pay more each month or pay an entry fee. Enterprise-grade solutions are usually more wide-ranging and require vendors to customize them to each client's needs and requirements. Hence, the price difference.

Is it good to use SSO for a password manager?

If your company uses a secure and reliable SSO solution like Google Workspace, Okta, or Microsoft Azure, logging in to a password manager such as NordPass with the same credentials you use for your business account can be really helpful.

First off, it saves you from having to remember and type in your account password every time you want to access your password manager. And since you don’t have to remember that password, you have fewer passwords to juggle overall, making it less likely that you'll end up using a weak or reused password for your password manager or other accounts. So that's a win.

For IT admins, SSO makes managing user access and permissions a lot easier, which helps ensure that the company’s security policies and regulations are followed. So, if you’re thinking about using SSO with a password manager like NordPass—provided everything is set up properly—we think it’s a solid choice.
