Paul Baas, Tools4ever: The future of Single Sign On, Facebook as Identity Provider?

May 2014 by Paul Baas, French Country Manager for Tools4ever

Not so long ago, applications were always managed on-site. The IT department dominated the company network and kept it safe against the outside world by means of firewalls and virus scanners. Implementing a Single Sign On (SSO) solution in the network used to be relatively easy. After all, each employee’s workstation formed part of the network, as did the applications to which employees needed access. Users authenticated themselves by having their user names and passwords checked against Active Directory, and thanks to the LDAP standard they could benefit from the advantages of Single Sign On. This meant that for each application they subsequently launched, they no longer needed to enter a user name and password.

SSO and the cloud

With the advent of cloud applications, the implementation of Single Sign On in the company network has become a lot more complex. Many applications are now hosted in another technical domain, namely the cloud. This means that the link between the user and the application, which used to be provided by the network and Active Directory, has disappeared. Besides the advent of cloud applications, organizations are faced with another trend that complicates the implementation of Single Sign On, and that is Bring Your Own Device (BYOD). End users now have the freedom to use their favorite device to log in. This can be a PC, but also a smartphone or tablet. On top of that, employees want to have access to applications irrespective of their location. This makes the implementation of Single Sign On much less straightforward for the IT organization.

OpenID and SAML

Single Sign On basically means that users authenticate themselves against a trusted source. If they are successfully authenticated, they receive a token which can then be used to automatically authenticate themselves with other resources. When applications are hosted in the cloud, there is no longer a trusted source (typically Active Directory) against which users can authenticate themselves to gain access to business applications.
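The token model just described, as an added example that is not from the article or from Tools4ever: a minimal trusted source (Identity Provider) signs a token bound to one application and a validity window, and each relying application verifies the signature, audience and expiry before granting access without a password. The shared secret, claim names and application names are constructed for illustration; real SAML and OpenID deployments use per-party keys or asymmetric signatures.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret shared between the Identity Provider and the
# relying applications for this example only.
IDP_SECRET = b"example-idp-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Trusted source: authenticate the user once, hand back a signed token
    that is bound to a single relying application (aud) and expires (exp)."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, expected_audience: str, now: int):
    """Relying application: accept the user only if the token was signed by
    the trusted source, was issued for this application and is still valid."""
    try:
        payload, sig = token.split(".")
        given_sig = _unb64(sig)
    except ValueError:  # covers bad split and bad base64
        return None, "malformed"
    expected = hmac.new(IDP_SECRET, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected):
        return None, "bad signature"
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != expected_audience:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims["sub"], "ok"


def demo():
    """One login at the IdP, then the checks two applications would perform."""
    now = 1_400_000_000
    token = issue_token("alice", "crm.example", now)
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims["sub"] = "bob"  # altered claims with the original signature
    tampered = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    return {
        "crm": verify_token(token, "crm.example", now + 60),
        "hr": verify_token(token, "hr.example", now + 60),
        "late": verify_token(token, "crm.example", now + 600),
        "tampered": verify_token(tampered, "crm.example", now + 60),
    }
```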

Organizations try to solve this problem using decentralized authentication mechanisms such as OpenID and SAML. However, the problem is that, as an organization, you are dependent on cloud application vendors. Let’s say that your organization has selected OpenID as an authentication mechanism to enable Single Sign On. This means you will run into problems if the required cloud application only supports SAML. Unfortunately, cloud application vendors pay little attention to the login process. Their focus lies on developing new features for their applications.

Enterprise SSO

Our recommendation to organizations would be to select a model that does not make them dependent on interfaces and vendors. There are various suppliers of what are known as Enterprise Single Sign On solutions, where the SSO client is hosted on any device belonging to the employee, thus supporting BYOD. When an employee launches an application hosted on site or in the cloud, the software recognizes the application's login screen and automatically enters the right credentials. These login details are stored in encrypted form in an SSO database in the network.

100 per cent SSO

This model is based on the recognition of login screens rather than relying on the authentication mechanism supported by the vendor, which makes it a highly powerful solution. The main advantage is that it works for any application, independent of the type (web, Java, client/server, telnet, mainframe, Unix, Windows, etc.), for any hosting location (LAN, datacenter, cloud, etc.), from any device (Windows PC, Android, tablet, smartphone, iOS, etc.) and from any user location (work, home, on the road, abroad, unconnected laptop, etc.). In other words, it is possible to offer end users 100% SSO for any scenario.

Facebook

In the consumer market, social media accounts such as Facebook and Google accounts are often used as Identity Providers. Once users have logged in to Facebook, they can also automatically log in to other applications, without the need to enter their user name and password. For instance, if a user has logged in to Facebook, they can automatically gain access to Spotify if these accounts have been linked. Or in another scenario, Facebook photos can be automatically stored in Picasa.

People typically feel more involved with their Facebook account than with the Active Directory account with their employer. Added to which, they are far less likely to jot down the login credentials for their social media accounts on a sticky note. Conversely, this often happens when business applications are concerned.

Bring Your Own Identity

Since employees are highly attached to their social media account, one may wonder whether their accounts might not also serve as Identity Provider for Single Sign On access to company data. When employees have logged in to their Facebook account, they can be automatically given (SSO) access to company data stored on-site and in the cloud. This is called BYOI (Bring Your Own Identity). Particularly at a time when social media providers are investing heavily in authentication methods (such as location-based services), I am of the opinion that in the future, social media can be put to good use as Identity Providers for business applications and company data. Before it comes to that, IT managers will still have to refresh their mindset and gain more trust in these social identity providers.
