What is the difference between a password manager and Single Sign On? Does my nonprofit need SSO if we require Multi-factor Authentication (MFA)? (Updated July 2024)

Single sign-on (SSO), password managers, and Multi-factor Authentication (MFA) are often confused, but they are very different means of authentication.

Think of SSO as showing your ID at the door. After that, you don’t need to show it to everyone else in the place. They all know you belong there and every door after the first door is open. If your ID is not valid, you can’t come in at all.

With a password manager there is no bouncer at the initial door. Your password is still required everywhere, but the manager helps you remember which unique, hard-to-break password goes with which door as you enter them.

Password managers such as Dashlane or 1Password remember your usernames and passwords and paste them into your login at each site they recognize. Google’s Chrome browser also has a built-in password manager associated with your Google login. Password managers tend to be more user-centric. They’re good for individuals. You should use them, because you absolutely shouldn’t be using passwords that are easy to remember or easy to guess, or re-using the same password across multiple apps and logins.

Single Sign On (SSO)

For more information, check out this webinar: Single Sign On (SSO) for Your Nonprofit Organization.

Single sign-on is different. With single sign-on, you’re not actually creating or storing individual passwords for the applications you log onto. The applications are trusting the single sign-on service. The SSO service says whether you have been properly authenticated or not, so you only log onto it and everything else follows.
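The trust relationship described above is the heart of SSO: the application never holds a password for you, it only checks a signed statement from the SSO service. The following is an added example, not code from this article or from any SSO vendor. It uses a shared HMAC key (a constructed value) so it runs stand-alone; real SSO protocols such as SAML and OpenID Connect sign with the identity provider's private key and the application verifies with the public key, but the checks the application performs (signature, intended audience, validity window) are the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: a signing key shared by the identity provider (IdP)
# and the application. Real SSO uses the IdP's private/public key pair instead.
IDP_SIGNING_KEY = b"example-idp-signing-key-not-for-production"


def b64encode_url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """IdP side. The user authenticated once (password plus MFA) at the IdP's own login
    page; the IdP mints a short-lived, signed statement addressed to exactly one app."""
    claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl}
    body = b64encode_url(json.dumps(claims, sort_keys=True).encode())
    sig = b64encode_url(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def app_accept_login(assertion: str, my_audience: str, now: int):
    """Application side. The app never sees or stores a password for this user; it
    accepts the login only if the IdP's signature, the audience and the validity
    window all check out. Returns the user identifier on success, otherwise None."""
    parts = assertion.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    try:
        presented = b64decode_url(sig)
    except ValueError:
        return None
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None                      # forged or tampered assertion
    claims = json.loads(b64decode_url(body))
    if claims.get("aud") != my_audience:
        return None                      # minted for a different app; replaying it here fails
    if now >= claims.get("exp", 0):
        return None                      # expired
    return claims["sub"]


if __name__ == "__main__":
    t = 1_700_000_000                    # constructed timestamp
    token = idp_issue_assertion("alice@example.org", "salesforce", t)
    print(app_accept_login(token, "salesforce", t + 10))   # alice@example.org
    print(app_accept_login(token, "slack", t + 10))        # None: wrong audience
    print(app_accept_login(token, "salesforce", t + 600))  # None: expired
```

The audience check is the one most often overlooked: without it, an assertion minted for one low-value app could be replayed against another, which would collapse the per-application trust that SSO is supposed to provide.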

Single sign-on is really good for enterprises and organizations. It helps the folks who work and need access to the same sites and apps every day streamline their experience and save time. Once you are logged in with your single sign-on, you don’t have to keep logging in to each site you use.

Organizations can set up a stand-alone SSO service like Okta or use an existing service that provides the functionality as an option, like Microsoft 365 or Google Workspace.

If you already use Microsoft 365 or Google Workspace, you already have part of the tools you need to implement SSO. It is still a process, because you have to integrate every app that you want to include under your SSO umbrella individually, and you will have to manage the change management for your staff to follow a new login process for each app that is under your SSO.

If you do not implement SSO for every app (you can find more about the reasons you may not want to include some apps in SSO in this webinar), those exceptions also need to be covered in your training and change management communication with your staff.

Single sign-on systems such as Clever are also common with education tech and online school. Students have a single login to remember. Once logged in, they can access the sites, classrooms, and authorized apps they need to participate in their virtual school, without having to remember passwords for each one. This lowers the barriers to participating, and allows the education platform to control access within the single sign-on, preventing unauthorized apps, users, and hackers from distracting or endangering students.

Advantages of SSO for the enterprise

Single sign-on services allow automated account provisioning, which is very useful if you are a large organization or have frequent staff changes.

You create each user account one time and then, through automated provisioning rules, assign applications to each user.

For example, you don’t have to create their account in your active directory, then create their Office 365, Salesforce, Slack and Box accounts and add them to your HR system. You create the account once and then automatically provision it. SSO can really streamline your account creation and provisioning, saving time and budget. Likewise, when a user leaves, you can de-provision their account from a centralized platform. Access is then removed from all accounts.
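To make the provisioning and de-provisioning flow concrete, here is an added example (not code from the article or from any SSO product) that models a directory whose application accounts follow from rules on a user's attributes. The rule table and application names are constructed for the example; the point is that creating, moving, or removing a person is one action, and every application account is reconciled from that, with a central audit trail of what changed.

```python
from collections import defaultdict

# Constructed provisioning rules: which applications each person gets, derived from
# directory attributes instead of hand-created accounts in each app.
PROVISIONING_RULES = {
    "*": {"Office 365", "Slack"},            # every active staff member
    "Development": {"Salesforce"},
    "Finance": {"Box", "HR System"},
}


class SsoDirectory:
    """A small model of an SSO provider's user store plus the app accounts it manages."""

    def __init__(self):
        self.users = {}                        # email -> {"dept": str, "active": bool}
        self.app_members = defaultdict(set)    # app name -> emails that hold an account
        self.audit_log = []                    # (action, app, email): the central record

    def create_user(self, email: str, department: str) -> None:
        """Create the person once; every application account follows from the rules."""
        self.users[email] = {"dept": department, "active": True}
        self._reconcile(email)

    def change_department(self, email: str, department: str) -> None:
        """A role change adds the new department's apps and removes the old ones."""
        self.users[email]["dept"] = department
        self._reconcile(email)

    def deprovision(self, email: str) -> None:
        """One action at the centre removes access from every integrated application."""
        self.users[email]["active"] = False
        self._reconcile(email)

    def _reconcile(self, email: str) -> None:
        user = self.users[email]
        wanted = set()
        if user["active"]:
            wanted |= PROVISIONING_RULES["*"]
            wanted |= PROVISIONING_RULES.get(user["dept"], set())
        known_apps = set(self.app_members) | wanted
        for app in sorted(known_apps):
            has_account = email in self.app_members[app]
            if app in wanted and not has_account:
                self.app_members[app].add(email)
                self.audit_log.append(("provision", app, email))
            elif app not in wanted and has_account:
                self.app_members[app].discard(email)
                self.audit_log.append(("deprovision", app, email))

    def apps_for(self, email: str) -> set:
        """Which applications this person currently has an account in."""
        return {app for app, members in self.app_members.items() if email in members}


if __name__ == "__main__":
    d = SsoDirectory()
    d.create_user("alice@example.org", "Finance")
    print(sorted(d.apps_for("alice@example.org")))
    d.deprovision("alice@example.org")
    print(sorted(d.apps_for("alice@example.org")), len(d.audit_log))
```

Note that the audit log records the removals as well as the additions. That is what lets an IT director answer "who had access to Box last quarter?" from one place, which is the centralized-reporting benefit discussed next.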

One of the outstanding security benefits of SSO is centralized reporting. You have an organizational view of who’s accessing what applications. How are they getting there? From what locations are those staff accessing applications? SSO gives you a much richer view of how and what applications staff are using at work.

SSO is also a benefit for policy management. For example, your organization may put in place a policy on password requirements. You can set an organization-wide password policy specifying that passwords be 12 characters long and complex. You could turn on two-factor authentication, but not require that challenge if people are physically in the office. If they’re out of the office you can require the two-factor challenge. Such a policy only needs to be applied to logging into the SSO provider, since all SSO-integrated applications are accessed through that logon.

Special Concerns with SSO

What happens if a single sign-on vendor goes down?

SSO vendors invest a tremendous amount of resources into their uptime and availability. The systems are highly resilient and distributed and are designed for 100% uptime. Obviously, as with anything, blips in service can occur. But in our experience and looking at the marketplace, we feel confident recommending SSO and confident that the benefits outweigh the small risk of work interruption if a vendor experienced a short outage.

What happens if my logon to my SSO system gets compromised?

Your SSO logon needs to be protected with appropriate MFA, backed up with cybersecurity training on keeping logons secure.

A benefit of SSO is that once you realize your SSO logon has been compromised, it should be easier for your IT department to kick out the intruder, update access to your apps, and restore a secure SSO logon for you than it would be to update all the apps individually without SSO.

Many apps, especially Google apps, allow login info to be saved on the browser. Won’t employees still do that?

Single sign-on doesn’t completely eliminate the case of somebody saving or caching credentials. It does reduce it quite a bit because in most cases, with single sign-on vendors, users aren’t even presented with a username and password authentication challenge. 

If needed, you can set policies on certain computers or machines to always re-challenge for authentication if you observe browsers or applications caching credentials and creating risk.
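The policy logic described earlier under "Advantages of SSO for the enterprise" (an organization-wide 12-character complex password rule, and a two-factor challenge skipped inside the office but required elsewhere) and the per-machine "always re-challenge" rule just above are both decisions the SSO provider makes once at its own login. The block below is an added example, not code from the article or from any SSO vendor; the office network range, device identifiers and message strings are constructed for illustration. It goes slightly beyond the text by combining the three rules in one evaluator.

```python
import ipaddress
import re

# Constructed policy values. TEST-NET-3 stands in for the office's public address range.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MIN_PASSWORD_LENGTH = 12
# Hypothetical device IDs of machines seen caching credentials: always re-challenge them.
ALWAYS_CHALLENGE_DEVICES = {"KIOSK-LOBBY-01", "SHARED-LAPTOP-03"}


def password_meets_policy(password: str) -> bool:
    """Organization-wide rule, enforced when a password is set or reset:
    at least 12 characters and at least three of the four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= MIN_PASSWORD_LENGTH and present >= 3


def mfa_required(source_ip: str, device_id: str = "") -> bool:
    """Skip the second factor for logins from inside the office network; require it
    everywhere else, and unconditionally on devices flagged for re-challenge."""
    if device_id in ALWAYS_CHALLENGE_DEVICES:
        return True
    ip = ipaddress.ip_address(source_ip)
    return not any(ip in net for net in OFFICE_NETWORKS)


def evaluate_login(credentials_ok: bool, source_ip: str, mfa_passed: bool,
                   device_id: str = "") -> str:
    """The decision the SSO provider makes once; every integrated app inherits it."""
    if not credentials_ok:
        return "deny: bad credentials"
    if mfa_required(source_ip, device_id) and not mfa_passed:
        return "challenge: MFA required"
    return "allow"


if __name__ == "__main__":
    print(password_meets_policy("Correct-Horse-Battery-9"))       # True
    print(evaluate_login(True, "203.0.113.45", False))            # allow (in office)
    print(evaluate_login(True, "198.51.100.7", False))            # challenge: MFA required
    print(evaluate_login(True, "203.0.113.45", False, "KIOSK-LOBBY-01"))  # challenge
```

Because the three rules live in one place, changing the office range or adding a flagged machine takes effect for every application at once, which is exactly what you cannot do when each app has its own login.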

The Chrome browser saving login information is acting more like a password manager than an SSO, but the prompts and the concepts can become confusing to your users.

SSO Options for Nonprofits

Entra ID

Microsoft has incorporated single sign-on as part of Microsoft 365. If you have an Office 365 account, you have an Entra ID account.

You can have access to Salesforce, G Suite, Box, ServiceNow, all integrated through the security credentials passed from your Entra ID.

With the use of Entra ID as part of the enterprise mobility suite, you can synchronize Entra ID passwords back to the Active Directory accounts. If you have an Active Directory joined computer, then the password is updated there as well. This can be a particular benefit for remote users who used to struggle to update computer passwords when in the office.

Read more from Microsoft here about what single sign-on is.

Google Workspace

Google Workspace also incorporates SSO within its tools available to users. If you are using Google Workspace you can set up SSO with Google as your service provider in a number of ways, depending on your organization’s needs. SSO profiles, which contain the settings for your IdP, give you the flexibility to apply different SSO settings to different users in your organization.

Google also includes a popular option to save passwords/logins to your Chrome browser if you are logged into your Google account. This is NOT Single Sign On, because it does not give you the granular controls that an SSO gives the administrator. The Chrome browser acts more like a password manager. You can learn more about using Chrome to store and remember your passwords here.

Okta

There are many other third-party single sign-on vendors out there. One that we’ve worked with quite a bit is Okta. An Okta program called Okta For Good has a fairly easy setup and integration and provides discounted licenses to nonprofits. Okta’s SSO is a very robust product with reliable uptime from one of the industry leaders in the space.

If you’re not in the Microsoft world primarily, then Okta would probably be a good place to start. They support Microsoft, Google, and many other applications. 

As an Okta user, you can go in and add other tabs that are personal. Work applications are managed and provided to you, but you may have other applications that you use for work. You can have those included instead of using a separate password manager.

Staff can create separate tabs and add their own applications from thousands of applications Okta has. 

Any web based service that you log into likely has an integration or pre-built integration already available from one of the big single sign-on providers. If it doesn’t, that isn’t the end of the world – you can often find documentation on how to integrate most apps to the big SSO providers.

Planning to Implement SSO

Your first step is to identify the current applications that are in use or that you want to use. 

There are different ways to figure out what web-based applications folks are using; one is Cisco Umbrella (formerly OpenDNS), a tool that provides web-based security and also gives insight into which websites staff are going to.

Microsoft has a tool called Cloud App Discovery. You can also look at the firewall; a lot of firewalls now provide some application reporting.
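Whatever the source (Cisco Umbrella, Cloud App Discovery, or firewall reports), the discovery step reduces to the same thing: turn a list of destination hostnames per user into an inventory of applications, ranked by how many staff use them. The following is an added example, not code from the article or from any of those products. The log lines and the domain-to-application table are constructed; a real export will have a different column layout, but the matching logic carries over.

```python
from collections import defaultdict

# Constructed sample of DNS/web-proxy style log lines: timestamp, user, destination host.
SAMPLE_LOG = """\
2024-07-01T09:01:12Z alice login.salesforce.com
2024-07-01T09:02:40Z bob app.slack.com
2024-07-01T09:03:05Z alice app.slack.com
2024-07-01T09:10:19Z carol app.box.com
2024-07-01T09:11:30Z dave www.example-crm.test
2024-07-01T09:15:02Z alice outlook.office.com
2024-07-01T09:16:44Z bob www.example-crm.test
2024-07-01T09:20:00Z erin zoom.us
"""

# Constructed mapping from registrable domain to the application behind it.
KNOWN_SAAS = {
    "salesforce.com": "Salesforce",
    "slack.com": "Slack",
    "box.com": "Box",
    "office.com": "Microsoft 365",
    "zoom.us": "Zoom",
}


def classify_host(host: str):
    """Match a hostname to a known SaaS app by walking up its parent domains.
    Matching is on label boundaries, so 'attacker-office.com' does not match 'office.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_SAAS:
            return KNOWN_SAAS[candidate]
    return None


def discover_apps(log_text: str):
    """Return (known app -> set of users, unknown host -> set of users)."""
    known = defaultdict(set)
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, host = line.split()
        app = classify_host(host)
        if app:
            known[app].add(user)
        else:
            unknown[host].add(user)        # candidates for the 'what is this?' conversation
    return known, unknown


def sso_candidates(log_text: str):
    """Apps ordered by distinct staff using them: the 'affects everybody' apps come first."""
    known, _ = discover_apps(log_text)
    return sorted(((app, len(users)) for app, users in known.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for app, count in sso_candidates(SAMPLE_LOG):
        print(f"{count:3d}  {app}")
    _, unknown = discover_apps(SAMPLE_LOG)
    print("unrecognized:", {h: sorted(u) for h, u in unknown.items()})
```

The unrecognized bucket is worth as much as the ranked list: a hostname several staff visit that nobody in IT can name is often an application bought on a team credit card, which is exactly the kind of thing that should either come under the SSO umbrella or be a documented exception.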

You May Need to Level Up ($)

This may be one of the gotchas with single sign-on. While most applications include it as part of the service, for others you have to be at a certain pricing tier.

Box, Slack and Salesforce are all applications that don’t include single sign-on for the basic tier price. You have to go up to the enterprise or business level service to sign on with SSO, which can cost more money.

For most of these big name web applications, single sign-on support is pretty robust and works well out of the box without a whole lot of tweaks.

MFA, or Multi-factor Authentication

MFA is a must have, and it’s easy. With Office 365, you have Microsoft Authenticator which is a two-factor authentication source.

Google has Google Authenticator. 

Okta can use Google Authenticator or other third-party multi-factor authentication tools, and they also have their own app. It’s a free app for your mobile device. It will send you a push notification: whenever you log in, your phone buzzes, you tap approve, and then you are logged in.

For more on using MFA at your nonprofit and in your non-work life too, we wrote an article on How to Enroll in MFA.

You may have heard of new cyber attacks that can compromise MFA. Community IT still recommends a robust MFA with cybersecurity training for all your staff. For staff members who are at particular risk (finance, executives) or for organizations with particular risks for the work that you do or the countries where you work, you probably have already upgraded your MFA to use physical keys with stronger authentication protections. For most nonprofits and most staff, MFA is still a very adequate and necessary protection, and a must-have, particularly on your important single sign on logon.

Implementation of SSO at Your Nonprofit

SSO providers often have really great resources in terms of templates and checklists to help inform staff. There are email templates, planning calendars, and charts to put up around the office. There are a lot of great resources available. You don’t have to reinvent the wheel.

We always tailor the SSO implementation to your organization’s unique requirements and expectations. What we typically do is send some pre-project notification and talk to staff about why we are doing single sign-on.

The primary goals may be for end users to understand and improve security. With all the news about cybersecurity recently, it feels very real and very relevant that improving security is an organization imperative.

We’ve found it best to take a phased approach. Take the easiest application first. So as you go through the discovery process, keep a laundry list of applications.

The applications that affect everybody are obviously the ones that are candidates to be migrated first. Get some quick wins and then staff have the experience and understanding of how everything works together. 

Plan on making tweaks. The lesson we’ve learned is to do planning and discovery and talk about policy and procedure and how we want things to go. Set it up and when people start using the system expect to hear, “Oh, we don’t want to get multi-factor challenges here,” or, “Hey, can we change this, or can we tweak it?”

Be prepared to adjust as you go along, because the planning is great, but there’s no substitute for actually using the system and the software. 

Is there any value to putting just a few services on single sign-on versus all of the cloud services you’re using? 

Having a well-articulated and well-implemented security framework is key. There may be good reasons to just do some and not all applications, as long as you have clearly articulated reasons. For example, an app that is particularly difficult to integrate into your SSO, or that is used by only a few staff who have good training on security. You may have budgetary reasons to skip apps that require more costly licenses to integrate with your SSO.

Don’t lose track of the reason to implement SSO: greater security, along with convenience. If you are working to increase security and better manage security widely at your organization, if you have had security incidents, or if you are particularly at risk, you may decide to integrate all (or none, or some) of your apps into an SSO. Community IT would recommend that this be an intentional and documented decision, not an ad hoc or undocumented one. Your next IT Director and Executive Director will want to know the reasons for your decisions.

Single sign-on can be an excellent influence on workforce efficiency and management. When staff can go to the web, log into their portal and have secure access to all the applications that they use, that’s going to make the organization more efficient, cohesive and safe.

Ready to support your staff with SSO security and convenience, and reduce your nonprofit cybersecurity risk?

At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to. As a result, cyber damages are all too common. Whether at a third party vendor or a phishing or ransomware attack on your own organization, you need to be prepared for cybersecurity risks and understand your work and personal security options.

Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. We published our completely revised 2021 Cybersecurity Readiness for Nonprofits: Community IT Innovators Playbook to help our community understand the issues. And we ensure you get the highest value possible by bringing 20 years of expertise in exclusively serving nonprofits to bear in your environment.

We regularly present webinars at Community IT about cybersecurity issues. And you can contact Matt Eshleman, our CTO and nonprofit cybersecurity expert, for an assessment.

If you’re ready to gain peace of mind about your cybersecurity, let’s talk.