Single Sign On and Active Directory

By Sean Washington

The rules are changing when it comes to managing corporate technology. The advent of Web Applications and various Cloud services has simplified a lot but has also complicated matters in other areas. Specifically, managing access and applying policy to Web Applications is a challenge without a little help. This blog describes how Single Sign On and Active Directory complement each other to help overcome this challenge.

The Modern Business

If you started a business today and wanted email, you would sign up with Microsoft or Google for hosted email services. You certainly would not buy a server, license Exchange (and server Lic/CALs), and manage the solution by yourself. The Email Web App provides incredible value to a new business. The same goes for any piece of software: it's easier to just subscribe to web applications, also referred to as Software as a Service (SaaS).

Almost all software being developed today is web based, and that includes major business applications such as:

  • Office/Microsoft 365
  • GSuite/Google Workspace
  • Salesforce
  • Hubspot
  • Slack
  • Zoom
  • Docusign
  • Workday
  • ADP
  • Etc….

All of these applications are web hosted on 3rd party networks, each with its own unique directory system. The directories simply control user access, holding the usernames and passwords that authenticate each account. If users have multiple SaaS applications, they will need to log into each one separately, and the admins who are in charge of the security protocols have minimal visibility.

Let us take a quick look at how multiple Domains can be managed with a platform that facilitates Single Sign On functionality across multiple directories and networks.

Identity Controls

Identity controls are now becoming a huge factor in developing a sound security practice for your business. Single Sign On (SSO) is a technology that is quickly becoming embraced because it helps consolidate management and improves user operability. This is particularly beneficial for businesses that primarily leverage SaaS (web-based applications) and must maintain multiple credentials.

Within a corporate network, a Domain helps regulate security, permissions, and access to hosted applications. Client Server Architecture can be set up to authenticate this way, but it's not so easy for web apps, which can be accessed from anywhere with a browser. SSO is a marketed technology that bridges this gap by using protocols that would be challenging to engineer together. To simplify, SSO is a technology layer that bridges the Domain and the web applications. This allows administrators to manage users' permissions to the applications and centralizes access with a single authentication that is tied into the network. Simply said, one login for everything.

Domains and Active Directory

Almost all mature businesses deploy some level of directory service to manage their Domain. The most common system used today is Microsoft's Active Directory. Active Directory (or AD) is based on Linux's LDAP system, and there are now many cloud-based systems that can deliver similar Directory solutions.

A server that is running Active Directory is called a Domain Controller, and it acts as a central control panel for the entire network. At its core, it authenticates and authorizes users' computers to connect with software that is installed within the company's network. Directory Admins can set policies for access and passwords to connect them, helping strengthen their security posture. SaaS/Web applications that are hosted externally from the network operate differently, so it's much harder for Admins to control their access.

SAML (Security Assertion Markup Language)

SAML is an open standard that allows security credentials to be shared by multiple computers across a network. Its core functions are focused on User Authentication and Authorization. The latest version (SAML 2.0) enables web-based, cross domain, single sign-on to communicate with Directories and enforce unified policy. Security products, based on this technology, have been developed to deliver a platform so admins can integrate this layer of management across various domains.

Benefits of a Single Sign On system:

Password Policy – Normally Admins would have no control over Web App passwords, so they cannot conform with character/length policies already defined within the organization. With SSO, a uniform policy can be enforced.

Simplified User Experience – A single identity tied to Active Directory launches any and all applications on the desktop. This is great for users that struggle to remember multiple complex passwords.

Worker Efficiency – The time spent to launch applications is significantly reduced. Plus, they can safely authenticate from other devices.

From a business perspective, there are also benefits of rolling out SSO:

Risk Mitigation – Admins have more control and can enforce policy across all applications.

IT Cost Reduction – Helpdesks are constantly tasked to help reset and manage passwords for users. With an SSO tool in place, operations are streamlined and response times are minimized, enabling help desks to be more efficient.

Worker Efficiency and Revenue – Applications are leveraged to make a business money. Enabling an efficient delivery of systems and applications from anywhere allows workers to focus their time on the business.

Multi-Factor Authentication (MFA)

MFA is an authentication practice to help validate credentials. If implemented, a user will be prompted to enter a token that will be sent to their phone or email after they enter their password. With threats around every corner, this is a tactic that is highly recommended for all users.

Many apps are now starting to natively include an MFA function into their software. This is a great feature, but it would become frustrating to perform an MFA Authentication multiple times a day for your web applications.

SSO platforms simplify this process by integrating MFA into SSO. So, a user simply signs in once and validates with their MFA token. With this, everyone’s life is simplified, and security is greatly enhanced.
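
As an added example (not code from the original post or from any SSO product), this Python code shows the checks a web application, acting as the SAML service provider, applies to a SAML 2.0 assertion before accepting an SSO login, including that the identity provider reported an MFA login. The sample assertion, the URLs, and the set of MFA context classes are assumptions, and the XML signature is assumed to have been verified already by a SAML library.

```python
import xml.etree.ElementTree as ET  # production code should parse with a hardened SAML library
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: context classes this service provider and its IdP agree to treat as MFA.
MFA_CLASSES = {"https://refeds.org/profile/mfa",
               "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"}

# Constructed sample assertion (unsigned and trimmed; all names and URLs are made up).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, issuer, audience, now, mfa_classes=MFA_CLASSES):
    """Return (NameID, []) when every check passes, else (None, [reasons]).
    Assumes the XML signature was already verified against the IdP certificate."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not nb or not na or not (_ts(nb) <= now < _ts(na)):
        problems.append("outside validity window")
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    if audience not in audiences:  # assertion was issued for a different application
        problems.append("audience mismatch")
    if root.findtext(".//saml:AuthnContextClassRef", "", NS).strip() not in mfa_classes:
        problems.append("no MFA authentication context")
    name_id = root.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id:
        problems.append("missing subject")
    return (name_id if not problems else None), problems

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE, "https://idp.example.com", "https://app.example.com/sp", now))
```

Rejecting on audience and validity window is what stops an assertion issued for one application, or captured earlier, from being accepted by another.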

Single Sign On Products for Business

The SSO business has been unbelievably valuable, so it has generated a lot of solutions in the market. The concepts are not new, neither is the technology. There are open source solutions (ADFS) and someone with time can craft a custom solution for their network. However, most people don’t want to spend all that time setting it up and continuing to manage it. Luckily, there are SaaS apps that will do that for us with minimal costs.

We choose not to make any specific recommendations, as there are many offerings, and each may have different value depending on how it is leveraged. Subscriptions are going to run between $5-$15/user depending on what complementary features you would like to tag on. The following vendors all provide SSO solutions:

  • Okta
  • OneLogIn
  • Avatier
  • Citrix
  • Microsoft
  • SAP
  • VMWare
  • Facebook
  • Rippling
  • Microfocus
  • Pingidentity
  • Lemondap
  • Imprivata
  • Authanvil
  • Helpsystems

How Mindcentric leverages SSO

Mindcentric does not have a preference; it depends on your unique requirements and even brand loyalty. For the most part, the technology across platforms works the same. Our team of engineers will work with you to manage legacy SSO systems or to select a vendor and engineer the right solution for you.

We believe that if you are running web apps, then you should have SSO and MFA to help enforce policy and simplify the user experience. Our goal is to manage infrastructure and thoroughly protect you from outside threats. SSO and MFA are just components of a total security practice, and we can help you put those pieces together.

Mindcentric has served small businesses to the enterprise for 20+ years and has implemented numerous cyber security solutions. Our team provides 24x7x365 management of critical systems and caters to businesses globally.
