How to Succeed with Single Sign-On in the AWS & Azure Cloud
In our latest article, we explore how single sign-on (SSO) works in the cloud for Amazon Web Services (AWS) and Microsoft Azure customers, as well as the pros and cons of using the technology. We also provide guidance for how to succeed with single sign-on in the cloud when implementing this technology for your own business.
Single sign-on (SSO) is a feature of cloud management services which has gained widespread popularity in recent years, due to the fast and convenient access it provides into IT systems in the workplace.
SSO has become an important element in the complex structure of cloud security for businesses today, as modern employees demand a seamless experience when using digital technology to get their work done.
It’s also becoming a valuable form of cloud identity management for IT teams. Unsurprisingly so, as the number of devices, applications, remote or mobile users, and third-party integrations requesting access to corporate networks continues to increase in the current digital landscape.
Of course, introducing SSO into your cloud environment can also create challenges and security risks that many businesses struggle with. But before we get into that, let’s first take a more detailed look at exactly what SSO is and how it works.
So, What Exactly is SSO?
SSO is a type of identity and access management technology that brings a number of separate application log-in processes into one single identity store for your business.
Your users will only enter their log-in details once on a single screen or page with SSO, and once that’s done they’ll have access to all their cloud-based applications and systems during that session.
This removes the need to repeatedly enter log-in details throughout the day in order to use different apps in the workplace, as users in businesses with non-federated identity stores will do.
Think of it like using just one master key to enter your home and every room inside. Once you’re in, you can move around the house freely. You’d very quickly become frustrated if you had to unlock every door with a different key each time you went from room to room.
SSO works in a similar way, granting entry to your company’s cloud-based network just the once, and then allowing your users to move around freely between whichever apps and systems they need.
Today, with so many mission-critical business processes hosted in the cloud, SSO has become an important part of cloud identity management and security. User identity and access management are essential for IT teams today, as they need to maintain close control of which permissions each individual user has.
How Does SSO Work?
When someone uses SSO to log in to the corporate network, their authentication is verified and a token is created to record that the user has been granted access.
These authentication tokens are stored digitally, either in the user's browser or within the cloud servers, like a custom ID card issued to that user for their session.
Any application the user tries to open will check for the necessary token. If it’s in place then the user will be allowed access, but if the user is yet to log in, they’ll be prompted to do so through the SSO service.
This cloud single sign-on is overseen by IT teams and administrators, allowing them to track and manage all the users’ identities and permissions within the cloud environment at any given time.
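The token check described above, as an added example that is not part of the original article: a toy SSO service mints a signed session token after the single log-in, and an application either admits the request, denies it when the user lacks the required group, or sends the user back to the SSO service when the token is missing, forged or expired. The signing key, session lifetime and claim names are constructed assumptions standing in for what a real SAML or OIDC deployment would carry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the SSO service and its applications (assumption).
SSO_SIGNING_KEY = b"constructed-demo-key-not-for-production"
SESSION_LIFETIME_SECONDS = 8 * 3600  # assumed working-day session length


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, groups, now=None) -> str:
    """SSO service side: after one successful log-in, mint a signed session token."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "groups": list(groups), "iat": now,
              "exp": now + SESSION_LIFETIME_SECONDS}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SSO_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now=None):
    """Return the claims if the token is intact and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SSO_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # signature mismatch: forged or tampered token
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # session over: the user has to sign in again
    return claims


def check_access(token, required_group: str, now=None):
    """Application side: admit a valid token with the right group, else send to SSO."""
    claims = verify_token(token, now) if token else None
    if claims is None:
        return {"action": "redirect_to_sso"}
    if required_group not in claims.get("groups", []):
        return {"action": "deny", "user": claims["sub"]}
    return {"action": "allow", "user": claims["sub"]}
```

The expiry check is what limits the damage window if a token is stolen from the browser, which is why session lifetime deserves the same attention as the password policy.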
The Benefits and Advantages of SSO
The most obvious advantage to having SSO as part of your cloud managed service is that it streamlines workflows for all users, and saves time by removing tedious, repetitive processes.
But in addition to that convenience and speed, SSO is generally considered to improve security in terms of employee habits and behaviour.
- SSO makes it easier to use and remember stronger passwords than usual, as only one is required
- SSO enables IT teams to enforce password policies more easily, such as asking users to update with a new one every month or so
- SSO removes the security risk of users having the same password across multiple apps and systems
- SSO makes implementing multi-factor authentication far easier and less time-consuming, as the authentication only needs to be completed once for all applications
- SSO reduces time spent on lost, or compromised, password recovery
- SSO reduces the time and cost of a busy IT help-desk
- SSO enables simple, consolidated storage and management of user credentials.
With a number of additional benefits specific to IT teams, and organisations within highly sensitive industries, this useful cloud identity service is an effective way of improving the overall efficiency of your workforce.
What’s on Offer in AWS and Azure?
If you’re an AWS or Azure cloud customer, these are some questions to consider before you decide on an SSO solution:
- What identity stores do you have for your users?
- Where are they hosted?
- How do they sync with the cloud?
- Do you need to link multiple sources of identity together?
We won’t go too deep into the technical side of SSO here, but we can provide some insight into what the cloud providers themselves say about the technology available to you.
AWS Single Sign-On
AWS has its own identity store, meaning your users’ identities and credentials can all be stored natively within the AWS cloud.
AWS explains, “You can create user identities directly in AWS SSO, or you can bring them from your Microsoft Active Directory or a standards-based identity provider, such as Okta Universal Directory or Azure AD. With AWS SSO, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access all of their assigned AWS accounts or cloud applications. AWS SSO can be flexibly configured to run alongside or replace AWS account access management via AWS IAM.
It’s easy to get started with AWS SSO. With just a few clicks in the management console, you can connect AWS SSO to your existing identity source and configure permissions that grant users access to their assigned AWS accounts, cloud applications, and other SAML-based applications that you add to AWS SSO.”
Microsoft Azure Single Sign-On
With Azure, you must have identity management implemented elsewhere, and that will have to be synced with your Microsoft cloud.
As written on the Microsoft website, “SSO in Azure AD provides many benefits over traditional sign-on methods. With SSO, users sign in once with one account to access domain-joined devices, company resources, SaaS applications, and web applications. Then, that user can launch applications from the Office 365 portal or My Apps. Administrators can centralise user account management, and automatically add or remove user access to applications based on group membership.”
Managing the Challenges and Potential Pitfalls
We appreciate that all these convenient features and benefits of SSO seem very appealing. However, as with any IT product or solution, you must also be cautious that there will be resulting challenges.
While SSO improves ease of access to IT systems for users, and can have some positive impact on security, it also presents a fair share of risks.
SSO brings with it major security risks. If an attacker can obtain a user’s single set of log-in credentials, they could gain access to every application and system available to that person.
Many of the benefits discussed earlier in the article also have counter-points which could be viewed as down-sides or notable security weaknesses. These must be managed carefully if you do decide to implement an SSO solution.
- SSO requires extra-strong passwords, and can leave you vulnerable if there are weak passwords in place
- If your SSO stops working, all your related sites and applications will be unavailable to your users, which can have a damaging impact on business continuity
- If your SSO provider is hacked, all your systems and applications will be highly vulnerable
- SSO can lock users out of every application in one go if a password is lost, forgotten, or compromised.
Partner Limitations and Risks
SSO can be difficult to get right for many partners due to a lack of expertise, or perhaps a particularly complex existing IT infrastructure.
Some partners or third-party managed service providers will simply be unable to deliver identity management in the cloud. Others may only be able to deliver SSO capabilities by taking short-cuts or using methods which don’t meet security standards.
Therefore, it’s important to be thorough and selective when searching for a reliable partner you can trust with your entire cloud investment.
Risk of Failure
Remember, SSO is only one aspect of managing your users’ identities and access within your cloud environment. To avoid the risk of failure, you should take into account your entire infrastructure, including on-premises technology, cloud deployments, third-party integrations, legacy systems, and everything else involved.
For SSO to work well, it requires the ability to seamlessly bring together all the identities and credentials within your corporate network into one single identity store.
The implications and requirements of an SSO solution are often overlooked by IT teams who haven’t had previous experience with the technology.
It’s important to avoid the common pitfall of setting up the solution, rolling it out, gaining adoption, and only then realising it must be fully integrated with all the necessary applications for identity and authentication. This could prove to be an extremely costly mistake.
There is also a high likelihood of duplicated costs for third-party integrations. For instance, you may need “middleware” to hook your SSO solution onto SaaS applications because no single provider supports all of your applications.
In cases like these, you may find yourself paying for two different integrations for sub-sets of applications (with maybe some cross-over) simply because one provider doesn't support all the apps you need.
Shadow IT – the unsanctioned use of applications or tools not known to the IT administrators – can also cause issues here. It’s common for some business units to rely on an application their IT team is unaware of, which creates challenges when those users then demand that SSO cover that application too.
If you’ve experienced any of the above security challenges, or if your SSO does fail, it’s often because the requirements were not considered at the start of the implementation, or because you’re dealing with legacy systems.
Over the past year or so, we’ve seen so many businesses that skipped over the foundational aspects of a successful technology implementation with their SSO. Now, they’re trying to retroactively walk through important, complex steps that aren’t easily taken. This is especially apparent with a live application or set of applications where down-time is a real problem for the business.
Because of the unexpected shift to fully remote working brought on by the COVID-19 lockdowns, most businesses were forced to make quick decisions and implement cloud solutions to maintain business continuity.
If you, like many others, rushed to put SSO in place to streamline the identity and access management features of your cloud environment, you’re likely experiencing challenges as well.
This could be with incompatible legacy applications, third-party integrations which are difficult to work with, or perhaps even with maintenance and management of your new identity store.
We suggest conducting a careful review of your cloud investment and usage, comparing how things ran when you implemented new systems at the start of the pandemic against how they are running now.
This will be valuable if emergency costs were accepted, or temporary decisions were made, to get things up and running. But as things are now in more of a steady rhythm, you may be over-spending without realising it.
As people are now also returning to work from furlough, a large increase in the number of licenses may cause SSO costs to increase drastically. Usage-based costs will need to be carefully reviewed and adjusted to ensure long-term sustainability for your business.
With so much complexity and risk involved with your cloud infrastructure, it’s crucial to take proactive steps in finding an effective cloud management service you can depend on.
Implementations like SSO require dedicated expertise and years of experience to deliver efficiently and effectively, so it’s worth finding a partner you can trust.
For example, leading engineering company IMI Plc. has three separate divisions within its business, and around thirty different business units within each of those, all with geographically-distributed locations, disparate systems, and third-party integrations. Discover how we helped them bring together all their various identity stores with a cloud single sign-on solution by reading the customer success story here.
Here at igroupIG CloudOps, we have over 10 years of success in supporting businesses like yours, helping you to move your critical IT infrastructure to the cloud.
Our team is made up of experts in both AWS and Azure cloud infrastructure, comfortable working with businesses of all sizes, across all sectors, and we have a proven track record of delivering SSO as part of our cloud managed services.
IG CloudOps is Here to Help
If you’re experiencing any of the challenges explored here, or need to gain greater visibility and control of your cloud implementation, please do get in touch with us and a member of our team will be happy to talk through your needs.