Introduction
The world of Single Sign-On (SSO) is undergoing a major transition, a “game changer,” if you will. Successful as it may be, traditional SSO is not optimal. It requires integration, which creates complexity and inhibits adoption. The “SSO Tax” that comes from having to upgrade to higher licensing tiers adds to costs. SSO for software-as-a-service (SaaS) apps can be particularly challenging. Universal SSO rewrites the rules of SSO for SaaS. By enabling SSO without integration, security managers can now achieve seamless access across 100% of SaaS applications. Pervasive SSO eliminates integration complexities, reduces costs, and enhances security and user experience.
Limitations of Traditional SSO for SaaS
It can be a struggle to get traditional SSO to support SaaS. Reasons range from organizational challenges to technical incompatibilities and financial limitations. Organizationally, the sheer number of SaaS apps makes it difficult to implement SSO thoroughly, even if the technology cooperates. With the average organization using 112 SaaS apps, the queue for SSO deployment tends to be so long that it makes full adoption unlikely. “Shadow SaaS,” a common situation where employees set up SaaS accounts outside of standard IT procurement, negates the potential for SSO, as well.
Technological barriers to SSO for SaaS include a fundamental inability of certain SaaS apps to support SSO. Some SaaS vendors write their own code for authenticating users, which can be difficult or impossible to integrate with traditional SSO solutions. Security risks can also result from these one-off integrations, e.g., accidentally revealing users’ private information. The app may maintain its own user store, which may or may not integrate easily with a centralized identity provider (IdP) solution that enables SSO.
Traditional SSO creates a few financial challenges for SaaS. In many cases, a SaaS app will only support SSO in its higher licensing tier, so a costly upgrade may be required to implement SSO. This is known as the “SSO tax.” The integration process can be costly, possibly involving outside consultants or hiring team members with specialized knowledge. Additionally, in some cases, if SSO blocks a user from a SaaS app, that does not automatically deprovision the user from the app. The organization may continue to pay a license fee for a user who cannot access the app. In an organization with a hundred SaaS apps and thousands of employees, it can be hard to catch this kind of error, and the financial losses can add up over time.
Introducing Universal SSO
Universal SSO (uSSO) is a new approach to SSO that solves many of the problems that limit SSO adoption in SaaS. uSSO streamlines secure access to SaaS using a browser extension. Authentication is processed locally within the browser. This architecture eliminates the need for integration between the IdP solution and the SaaS app, which is a core requirement of traditional SSO.
A uSSO solution like Unixi follows in-browser user authentication by creating a unique password formed using a complex blending of cryptographic keys. This process uses concatenation, which combines the keys into a single string, and hashing to combine the user’s base authentication with a company-based key, a system-unique key, and an employee-unique key. The final password is hashed to meet character sets and length requirements from the target system. This approach to password generation greatly bolsters security by not storing them on a centralized server. It also reduces the probability that a malicious actor can steal login credentials by intercepting the message.
Advantages of Universal SSO for SaaS
uSSO has a number of distinct advantages over traditional SSO for SaaS:
- Universal Coverage – uSSO enables universal coverage by avoiding integration with the SaaS app. Rapidly implementing SSO for all SaaS apps becomes possible without allocating significant resources to the work.
- SaaS Visibility – With universal coverage and a centralized point of management for SaaS SSO, admins gain visibility to SaaS access across the entire SaaS ecosystem.
- SaaS Governance and Control – uSSO’s universal SaaS coverage, visibility, and centralized management facilitate improvements in SaaS governance and controls. For example, it becomes easier to track who has access to which SaaS app and stay on top of access grants and revocations in accordance with governance policies.
- Universal MFA – uSSO solutions like Unixi offer universal multi-factor authentication, which is often a desired security policy.
- Elimination of Shadow SaaS – By managing authentication at the browser level, a uSSO solution can detect shadow SaaS when users try to log into unauthorized SaaS apps. The solution can then flag the shadow SaaS instances for remediation.
- Cost Savings – uSSO gets rid of the SSO tax and cuts down on implementation and administrative costs.
Conclusion
Traditional SSO does not work well with SaaS. Integrations can be difficult or costly, if they’re even possible. The SSO tax adds to costs. Even if an organization wants to implement SSO for SaaS, the backlog can lead to long delays. uSSO offers a solution. With authentication at the browser level and the use of passwords based on multiple cryptographic keys, uSSO achieves secure universal SSO for SaaS that gets rid of the SSO tax and high implementation costs. uSSO brings the full SaaS ecosystem under SSO quickly and easily.
