Semper Cogitare

Why you should always use SSO

We've been implementing a SaaS solution over the past few weeks, trying our best to get SSO working. It has perhaps been a little trickier than it needed to be because of our old directory and the vendor's expectation that its customers would be a little more cutting edge. But it is definitely worth the extra effort.

The Gartner Glossary says "Single sign-on (SSO) provides the capability to authenticate once, and be subsequently and automatically authenticated when accessing various target systems." It's the reason you can easily access apps once you've logged in on your organisation's laptop. That's great for user experience but it also has plenty of benefits for the Service Desk.

It is much easier to give a user access to an application by adding them to a group in a user directory (such as Active Directory) than it is to find the Service Desk's own credentials for that particular app, dust off the procedure document, add the user, make sure they received a welcome email with an activation link, and so on, or whatever the process may be.

When processing a leaver, it is also far easier for the Service Desk to revoke access to every app if they can disable the user and remove them from all groups with just a couple of clicks.

A Service Desk with fewer procedures and documents to manage and maintain is a happy Service Desk. One can also say it is one with greater integrity.

On the security front, it is also easier to combine SSO with Multi-Factor Authentication methods, such as checking for the presence of a certificate that has been securely placed on a device belonging to the organisation. If someone tries to access the solution from a non-organisational device, they will be denied.

Simplicity is great, but it does mean you need to be very careful when designing the service. For example, will you authorise access by assigning roles within the app or in the directory? I would argue that flexible, fine-grained roles that enable different functionality can be granted by a privileged and trusted user, perhaps someone who sits outside the Service Desk. Where segregation of duties is required (e.g. a user who performs an action must not be able to authorise that action), it is better for that authorisation to take place outside the app, on systems that users don't normally have access to, i.e. the directory.

Finally, here are some best practice considerations for SSO: i) always use a documented naming standard for the groups that authorise access to a given application; ii) never reuse such a group for a different purpose (for example, as a distribution list); iii) never add a distribution list or any other group as a member of an authorising group.
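As an added illustration (not part of the original post), here is a small audit that checks authorising groups against the three rules above and shows why rule iii matters: it resolves nested groups to the users who would actually get access, and lists every group a leaver must be removed from. The directory snapshot and the naming standard APP-&lt;application&gt;-&lt;role&gt; are constructed assumptions, not taken from any real directory.

```python
import re

# Assumed naming standard for authorising groups (not from the post): APP-<application>-<role>
NAMING_STANDARD = re.compile(r"^APP-[A-Z0-9]+-[A-Z0-9]+$")

# Constructed directory snapshot: group name -> type and direct members.
# Members prefixed "grp:" are nested groups; anything else is a user account.
DIRECTORY = {
    "APP-CRM-USER":     {"type": "security",     "members": ["alice", "bob"]},
    "APP-CRM-APPROVER": {"type": "security",     "members": ["carol"]},
    "APP-CRM-ADMIN":    {"type": "security",     "members": ["grp:ALL-STAFF-DL"]},  # breaks rule iii
    "crm users old":    {"type": "security",     "members": ["dave"]},              # breaks rule i
    "APP-HR-USER":      {"type": "distribution", "members": ["erin", "frank"]},     # breaks rule ii
    "ALL-STAFF-DL":     {"type": "distribution", "members": ["alice", "bob", "carol", "dave", "erin"]},
}

def audit_authorising_groups(directory, authorising):
    """Return (group, rule, detail) findings for the groups that authorise application access."""
    findings = []
    for name in authorising:
        group = directory[name]
        if not NAMING_STANDARD.match(name):
            findings.append((name, "i", "name does not follow APP-<application>-<role>"))
        if group["type"] != "security":
            findings.append((name, "ii", f"group is a {group['type']} list, not a security group"))
        for member in group["members"]:
            if member.startswith("grp:"):
                findings.append((name, "iii", f"nested group {member[4:]} grants access indirectly"))
    return findings

def effective_members(directory, name, seen=None):
    """Resolve nested groups to the set of user accounts that would really be granted access."""
    seen = set() if seen is None else seen
    if name in seen:          # guard against circular nesting
        return set()
    seen.add(name)
    users = set()
    for member in directory[name]["members"]:
        if member.startswith("grp:"):
            users |= effective_members(directory, member[4:], seen)
        else:
            users.add(member)
    return users

def leaver_report(directory, user):
    """Every group (direct or inherited) that must be cleaned up when `user` leaves."""
    return sorted(g for g in directory if user in effective_members(directory, g))
```

Running the audit over the five APP groups in the snapshot flags one breach of each rule, and the leaver report for alice shows that the nested distribution list silently gave her CRM admin rights.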
