Word Notes 9.5.23
Ep 157 | 9.5.23

Single sign-on (SSO) (noun)

Transcript

Rick Howard: The word is: SSO

Rick Howard: Spelled: S for single and S O for sign-on

Rick Howard: Definition: A session and user authentication Zero Trust tactic that allows a user to access multiple applications with one set of login credentials.

Rick Howard: Example sentence: In a basic web SSO service, an agent module on the application server retrieves the specific authentication credentials for an individual user from a dedicated SSO policy server while authenticating the user against a user repository such as a Lightweight Directory Access Protocol (LDAP) directory.

Rick Howard: Origin and context: In the 1960s, when computers started to become an essential tool for big business and government, the late great Dr. Fernando Corbató, one of computing's founding fathers, introduced the idea of using passwords to gain access. Unbeknownst to him, Corbató provided a long list of cyber ne'er-do-wells a never-ending attack vector to break into computer systems. In fairness, though, passwords didn't start to really break down as an authentication system until the internet started humming for online transactions circa the mid-1990s. As the internet scaled, passwords just didn't cut it anymore. But before single sign-on, pre-2000s, identity and access management was simply the handshake process of a user or application sending credentials to a workload in order to gain access.

Rick Howard: The workload would verify the persona by checking that the user ID and password stored locally matched what the network entity presented, and grant access. Users repeated this process for every application and network that they wanted to get access to. That meant that these same users were expected to keep track of many different passwords. Security leadership blamed them if they couldn't come up with good ones or used the same ones over and over and over again. We still publicly shame those users in annual reports of the most common and lame passwords used by everybody on the internet, mostly some combination of 12345 and password. This is essentially victim blaming, and it faults people for being exceptionally bad at using a stop-gap identity system invented in the early 1960s. That doesn't seem right.

Rick Howard: At a conceptual level, SSO is the idea that a user or application can assert their identity once to a trusted source. When that same user needs access to some other workload elsewhere, the user directs the workload and the trusted source to work out if the request is valid. The good news is that users have to remember only one password. The bad news is that they can still use an easily guessable password like 12345. Two-factor authentication can improve that situation, and Word Notes has another episode that describes that. In the early 2000s, two technologies emerged that would allow SSO capability: SAML and the OpenID/OAuth pair. SAML, spelled S-A-M-L, stands for Security Assertion Markup Language, and refers to a heavyweight XML variant language that facilitates one computer performing both authentication and authorization on behalf of other computers.

Rick Howard: The OpenID/OAuth pair is a set of competing technologies to SAML that have a crazy and confusing history of internet drama. Don't worry if this all sounds confusing; it is. For example, OAuth stands for open authentication. The crazy thing is that OAuth doesn't authenticate anything. It simply authorizes a machine to log into another machine on behalf of a human. OpenID does the authentication. But by 2014, this had all settled down. Today, according to CSO Magazine, most network operators use SAML for enterprise applications and OAuth for open internet solutions. The bottom line is that SSO greatly simplifies the identity and access management process, although it has taken us 50 years to get here since Dr. Corbató invented the password idea in the early sixties.

Rick Howard: Nerd reference: On the YouTube channel Eye on Tech, in 2020, Jen English gave an overview of SSO.

Jen English: When navigating an app or website, you've probably seen the option to log in with Facebook or log in with Google, and next thing you know, you're magically signed into the third-party site without even making an account. It's not magic. It's single sign-on. Single sign-on, or SSO, is a session and user authentication service that lets a user use one set of login credentials, like a username and password, for multiple applications. Single sign-on is a federated identity management arrangement, and using such a system is sometimes called identity federation. OAuth is the framework that allows account information to be used by third-party services like Facebook without exposing the user's password.

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliot Peltzman. We're privileged that N2K and podcasts like Word Notes are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment: people. We make you smarter about your team while making your team smarter. Learn more at N2K.com, and thanks for listening.