Single Sign On
Single Sign-On (SSO) is an authentication process that allows users to access multiple applications or services with one set of login credentials—typically a username and password. Instead of having to log in separately to each application, users authenticate once through a central identity provider, which then grants access to connected systems. This approach simplifies the user experience by reducing password fatigue and improving productivity, as users no longer need to manage multiple accounts or remember numerous passwords. SSO also enhances security by centralizing authentication and allowing for more robust controls, such as multi-factor authentication and centralized monitoring, thereby reducing the attack surface for potential breaches.
Social vs Enterprise identity
Some systems allow you to log on with your Apple, Google or Facebook ID. That is most certainly a form of SSO. There is one big caveat though. When you use an enterprise grade solution (like Okta or Entra), you have the ability to set specific policies, such as password expiry, MFA, and so on. With enterprise systems you also have the option to revoke access quickly, whereas with a social login you may not have that ability.
If the goal is simply to reduce the number of passwords you have, then using one of the social platforms is one way to go. You are effectively saying that you implicitly trust that platform to provide you with an authentication service.
Where possible, use an enterprise grade identity system, so you can control who has access and, more importantly, in the event you need to revoke access quickly, you can do it in one spot and the account loses access everywhere.
Why is Xero NOT using SSO?
I recently had to perform a security assessment on Xero, a cloud-based accounting software platform designed primarily for small and medium-sized businesses. It offers a range of features to help businesses manage their finances, including invoicing, expense tracking, payroll, bank reconciliation, inventory management, and financial reporting. Xero allows users to access their financial data from anywhere, collaborate with accountants or bookkeepers, and integrate with various third-party apps and services to enhance functionality.
So I was quite surprised to find that a tool like Xero does not support SSO. This was confirmed by the Xero support team, and a Product Idea was opened to gauge interest. I found this really strange: why is a company like Xero even debating whether SSO is needed? It is technically easy to implement.
What I found even more bizarre is that they seem to have had support for Google Workspace at some point and decided to remove it.
To SSO or not to SSO, that is the question
The technical complexity of implementing SSO is quite low. Whether you use OAuth2 or SAML, there is a well-trodden way to get your application authenticating against an identity provider.
I have dealt with engineers who are a lot more comfortable just storing a password in a MySQL database than doing the extra work for that added layer of security and offloading the authentication process to an identity provider.
Benefits of using SSO
- Only 1 password for the user to remember
- Additional controls like MFA can be hooked into the authentication flow, automatically protecting every application that uses the identity provider
- Ability to log, track and report any suspicious activity, since authentication is centralised in one place
- Ability to quickly disable the account if the user's account has been compromised
- Changing the password only needs to be done once
Potential impact for not using SSO
- The user will likely use the same password on all the applications, increasing the likelihood that a breach on one system will result in an account takeover of another system
- When the password needs to be changed, the user has to log on to every system and change it there. (The use of a password manager can also reduce this risk.)
- When a user is terminated, it is highly likely that the service desk will neglect to remove the user's access from every system, allowing the departed employee to continue logging on.