In our latest article, we explore how single sign-on (SSO) works in the cloud for Amazon Web Services (AWS) and Microsoft Azure customers, as well as the pros and cons of using the technology. We also provide guidance for how to succeed with single sign-on in the cloud when implementing this technology for your own business.
Single sign-on (SSO) is a feature of cloud management services which has gained widespread popularity in recent years, due to the fast and convenient access it provides into IT systems in the workplace.
SSO has become an important element in the complex structure of cloud security for businesses today, as modern employees demand a seamless experience when using digital technology to get their work done.
It’s also becoming a valuable form of cloud identity management for IT teams. Unsurprisingly, with the number of devices, applications, remote or mobile users, and third-party integrations requesting access to corporate networks the current digital landscape continues to increase.
Of course, introducing SSO into your cloud environment can also create challenges and security risks that many businesses struggle with. But before we get into that, let’s first take a more detailed look at exactly what SSO is and how it works.
SSO is a type of identity and access management technology that brings a number of separate application log-in processes into one single identity store for your business.
Your users will only enter their log-in details once on a single screen or page with SSO, and once that’s done they’ll have access to all their cloud-based applications and systems during that session.
This removes the need to repeatedly enter log-in details throughout the day in order to use different apps in the workplace, as users in businesses with non-federated identity stores will do.
Think of it like using just one master key to enter your home and every room inside. Once you’re in, you can move around the house freely. You’d very quickly become frustrated if you had to unlock every door with a different key each time you went from room to room.
SSO works in a similar way, granting entry to your company’s cloud-based network just the once, and then allowing your users to move around freely between whichever apps and systems they need.
Today, with so many mission-critical business processes hosted in the cloud, SSO has become an important part of cloud identity management and security. User identity and access management are essential for IT teams today, as they need to maintain close control of which permissions each individual user has.
When someone uses SSO to log in to the corporate network, authentication is verified and a token is created to remember that user has been granted access.
These authentication tokens are digitally stored in either the user's browser, or within the cloud servers, like a custom ID card issued to that user for their session.
Any application the user tries to open will check for the necessary token. If it’s in place then the user will be allowed access, but if the user is yet to log in, they’ll be prompted to do so through the SSO service.
This cloud single sign-on is overseen by IT teams and administrators, allowing them to track and manage all the users’ identities and permissions within the cloud environment at any given time.
The most obvious advantage to having SSO as part of your cloud managed service is that it streamlines workflows for all users, and saves time by removing tedious, repetitive processes.
But in addition to that convenience and speed, SSO is generally considered to improve security in terms of employee habits and behaviour.
For example:
With a number of additional benefits specific to IT teams, and organisations within highly sensitive industries, this useful cloud identity service is an effective way of improving the overall efficiency of your workforce.
If you’re an AWS or Azure cloud customer, these are some questions to consider before you decide to approach an SSO solution:
We won’t go too deep into the technical side of SSO here, but we can provide some insight into what the cloud providers themselves say about the technology available to you.
AWS has its own identity store, meaning your users’ identities and credentials can all be stored natively within the AWS cloud.
AWS explains, “You can create user identities directly in AWS SSO, or you can bring them from your Microsoft Active Directory or a standards-based identity provider, such as Okta Universal Directory or Azure AD. With AWS SSO, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access all of their assigned AWS accounts or cloud applications. AWS SSO can be flexibly configured to run alongside or replace AWS account access management via AWS IAM.
It’s easy to get started with AWS SSO. With just a few clicks in the management console, you can connect AWS SSO to your existing identity source and configure permissions that grant users access to their assigned AWS accounts, cloud applications, and other SAML-based applications that you add to AWS SSO.”
For more information about what’s available from AWS, read on here.
With Azure, you must have identity management implemented elsewhere, and that will have to be synced with your Microsoft cloud.
As written on the Microsoft website, “SSO in Azure AD provides many benefits over traditional sign-on methods. With SSO, users sign-in once with one account to access domain-joined devices, company resources, SaaS applications, and web applications. Then, that user can launch applications from the Office 365 portal or My Apps. Administrators can centralise user account management, and automatically add or remove user access to applications based on group membership."
For more information about what’s available from Azure, read on here.
We appreciate that all these convenient features and benefits of SSO seem very appealing. However, as with any IT product or solution, you must also be cautious that there will be resulting challenges.
While SSO improves ease of access to IT systems for users, and can have some positive impact on security, it also presents a fair share of risks.
SSO brings with it major security risks. If a hacker can find a user’s lone set of log-in credentials, they could gain access to every application and system available to that person.
Many of the benefits discussed earlier in the article also have counter-points which could be viewed as down-sides or notable security weaknesses. These must be managed carefully if you do decide to implement an SSO solution.
For example:
Remember, SSO is only one aspect of managing your users’ identities and access within your cloud environment. To avoid the risk of failure, you should take into account your entire infrastructure, including on-premise technology, cloud deployments, third-party integrations, legacy systems, and everything else involved.
For SSO to work well, it requires the ability to seamlessly bring together all the identities and credentials within your corporate network into one single identity store.
The implications and requirements of an SSO solution are often overlooked by IT teams who haven’t had previous experience with the technology.
It’s important to avoid the common pitfall of setting up the solution, rolling it out, gaining adoption, and only then realising it must be fully integrated with all the necessary applications for identity and authentication. This could prove to be an extremely costly mistake.
SSO can be difficult to get right for many partners due to a lack of expertise, or perhaps a particularly complex existing IT infrastructure.
Some partners or third-party managed service providers will simply be unable to deliver identity management in the cloud. Others may only be able to deliver SSO capabilities by taking short-cuts or using methods which don’t meet security standards.
Therefore, it’s so important to be thorough and selective when searching for a reliable partner you can trust with your entire cloud investment.
There is also a high likelihood of duplicated costs for third-party integrations. For instance, “middleware” to hook your SSO solution on to SaaS applications because there isn't a single provider that supports all your applications.
In cases like these, you may find yourself paying for two different integrations for sub-sets of applications (with maybe some cross-over) simply because one provider doesn't support all the apps you need.
Shadow IT – which is the unsanctioned use of applications or tools not known to the IT administrators – can also cause issues here. It’s common for some business units to be relying on an application their IT is unaware of, which then creates challenges when those users demand SSO is then part of that solution.
If you’ve experienced any of the above security challenges, or if your SSO does fail it’s often because the requirements might not have been considered at the start of an implementation, or you’re dealing with legacy systems.
Over the past year or so, we’ve seen so many businesses that skipped over the foundational aspects of a successful technology implementation with their SSO. Now, they’re trying to retroactively walk through important, complex steps that aren’t easily taken. This is especially apparent with a live application or set of applications where down-time is a real problem for the business.
Because of the unexpected shift to fully remote working brought on by the COVID-19 lockdowns, most businesses were forced to make quick decisions and implement cloud solutions to maintain business continuity.
If you, like many others, rushed to put SSO in place to streamline the identity and access management features of your cloud environment, you’re likely experiencing challenges as well.
This could be with incompatible legacy applications, third-party integrations which are difficult to work with, or perhaps even with maintenance and management of your new identity store.
We suggest conducting a careful review of your cloud investment and usage, comparing from when you implemented new systems at the start of the pandemic against how things are running now.
This will be valuable if emergency costs were accepted, or temporary decisions were made, to get things up and running. But as things are now in more of a steady rhythm, you may be over-spending without realising it.
As people are now also returning to work from furlough, a large increase in the number of licenses may result in costs for SSO to drastically increase. Usage-based costs will need to be carefully reviewed and adjusted to ensure long-term sustainability for your business.
With so much complexity and risk involved with your cloud infrastructure, it’s crucial to take proactive steps in finding an effective cloud management service you can depend on.
Implementations like SSO require dedicated expertise and years of experience to deliver efficiently and effectively, so it’s worth finding a partner you can trust.
For example, leading engineering company IMI Plc. has three separate divisions within its business, and around thirty different business units within each of those, all with geographically-distributed locations, disparate systems, and third-party integrations. Discover how we helped them bring together all their various identity stores with a cloud single sign-on solution by reading the customer success story here.
Here at igroupIG CloudOps, we have over 10 years of success in supporting businesses like yours, helping you to move your critical IT infrastructure to the cloud.
Our team is made up of experts in both AWS and Azure cloud infrastructure, comfortable working with businesses of all sizes, across all sectors, and we have a proven track record of delivering SSO as part of our cloud managed services.