What is the difference between a password manager and Single Sign On? Does my nonprofit need SSO if we require Multi-factor Authentication (MFA)?
Single sign-on (SSO), password managers, and Multi-factor Authentication (MFA) are often confused, but are very different means of authentication.
Think of SSO as showing your ID at the door. After that, you don’t need to show it to everyone else in the place. They all know you belong there and every door after the first door is open. If your ID is not valid, you can’t come in at all.
With a password manager there is no bouncer at the initial door. The password manager lets you automatically show your ID at every door within. Your password is still required everywhere, but the manager helps you remember which unique and hard-to break password goes with which door as you want to enter them.
Password managers such as Dashlane, Lastpass, or 1password remember your usernames and passwords and paste them into your login at each site they recognize. Password managers tend to be more user-centric. They’re good for individuals. You should use them, because you absolutely shouldn’t be using passwords that you can remember easily, that are easily guessed, or re-using passwords on multiple apps and logins.
Single Sign On (SSO)
Single sign-on is different. With single sign-on, you’re not actually creating or storing passwords at that application, you’re using a single sign-on service to authenticate to a third-party application with a single set of credentials. Your single authentication source manages access to different applications that the single authentication recognizes.
Single sign-on is really good for enterprises and organizations. It helps the folks who work and need access to the same sites and apps everyday streamline their experience and save time. Once you are logged in with your single sign-on, you don’t have to keep logging in to each site you use. Those logins are managed behind the scenes, by the single sign-on platform and your IT department.
Single sign-on systems such as Clever are also common with education tech and online school. Students have a single login to remember. Once logged in, they can access the sites, classrooms, and authorized apps they need to participate in their virtual school, without having to remember passwords for each one. This lowers the barriers to participating, and allows the education platform to control access within the single-sign on, preventing unauthorized apps, users, and hackers to distract or endanger students.
Primarily, single sign-on is:
- designed for businesses and organizations.
- a single authentication source.
Advantages of SSO for the enterprise
Single sign-on services allow automated account provisioning which is very useful if you are a large organization or have frequent staff changes.
You create each user account one time and then through automated provision rules, assign applications to each user.
For example, you don’t have to create their account in your active directory, then create their Office 365, Salesforce, Slack and Box accounts and add them to your HR system. You create the account once and then automatically provision it. SSO can really streamline your account creation and provisioning, saving your time and budget. Likewise, when a user leaves, you can de-provision their account from a centralized platform. Access is then removed from all accounts.
One of the outstanding benefits to SSO security is that you have centralized reporting. You have an organizational view of who’s accessing what applications. How are they getting there? From what locations are those staff accessing applications? SSO gives you a much richer view of how and what applications staff are using at work.
SSO is also a benefit to policy management. For example, your organization may put in place a policy on password requirements. You can set an organization-wide password policy specifying passwords be 12 characters long and complex. You could turn on two factor authentication, but not require that challenge if people are physically in the office. If they’re out of the office you can require the two factor challenge. You can do all of this policy management from a single location, and then that policy is applied to all users.
Many web services or cloud services have slightly different security requirements. In Office 365, your password might only have 16 characters, but in some other applications, you need to have 18 characters and some require certain special characters and others don’t.
You are able to streamline and simplify sign on so users aren’t bombarded with managing accounts at 10 different software as a service applications. They have one network user and password that gets them into everything they need.
Special Concerns with SSO
What happens if a single service sign-on vendor goes down?
SSO vendors invest a tremendous amount of resources into their uptime and availability. The systems are highly resilient and distributed and are designed for a 100% uptime. Obviously, as with anything, blips in service can occur. But in our experience and looking at the marketplace, we feel confident recommending SSO and confident that the benefits outweigh the small risk of work interruption if a vendor experienced a short outage.
Many apps, especially Google apps, allow login info to be saved on the browser. Won’t employees still do that?
Single sign-on doesn’t completely eliminate the case of somebody saving or caching credentials. It does reduce it quite a bit because in most cases, with single sign-on vendors, users aren’t even presented with a username and password authentication challenge.
Employees log in through the single sign-on vendor portal, then access key applications through there.
If needed, you can set policies on certain computers or machines to always re-challenge for an authentication if you observe browsers or applications caching credentials and creating risk.
SSO Options for Nonprofits
AZURE
Microsoft has incorporated single sign-on as part of their Azure Active Directory. If you have an Office 365 account, you have an Azure Active Directory account. The Azure Single Sign On is called “Enterprise Applications” and it uses Azure Active Directory.
You can have access to Salesforce, G Suite, Box, ServiceNow, all integrated in the security credentials passed from your Azure Active Directory.
It also gives you the ability to do password writeback. Password writeback means you can change your password from the cloud which is pretty useful, especially if you have a lot of remote users.
With the use of Azure Active Directory as part of the enterprise mobility suite, you can reset passwords outside of the office. You can write those passwords back to the active directory. If you have an Azure Active Directory joined computer, then the password is updated there as well.
“We’re interested in mobile device management. We want to enforce a pin code and remotely wipe a device.” If those are your two primary requirements, you can do that already if you have Office 365. That’s an out of the box feature that doesn’t require any additional work.
Read more here about what is single sign on from Microsoft.
Okta
There are many other single sign-on vendors out there. Another option that we’ve worked with quite a bit is called Okta. An Okta program called Okta For Good has a fairly easy setup and integration. It’s a very robust product with reliable up time from one of the industry leaders in the space.
If you’re not in the Microsoft world primarily, then Okta would probably be a good place to start. They support G Suite and many other applications.
The IT administrator can provision applications to staff, present and assign them. The employee logs in, then has access to Gmail, GoToMeeting, Zendesk, Tableau, etc. Applications open in another browser tab, then automatically log them in.
Applications are automatically authenticated through the security assertion from Okta – no additional passwords needed.
As an Okta user, you can go in and add other tabs that can be personal. There are work applications that are managed and provided to you, but then you may have some other applications that you use for work. You can have them included instead of having a separate password manager.
Staff can create separate tabs and add their own applications from thousands of applications Okta has.
Any web based service that you log into likely has an integration or pre-built integration already available from one of the big single sign-on providers.
Both Microsoft and Okta have what they call desktop single sign-on where you can pass along your credentials from the desktop all the way through to web based applications and desktop applications as well.
Planning to Implement SSO
Your first step is to identify the current applications that are in use or that you want to use.
There are different ways to figure out what based applications folks are looking at; one is using Cisco Umbrella (formerly open DNS) – a tool used to provide web based security and also provide insight into what websites staff are going to.
Microsoft has a tool called their Cloud App Discovery. You can also look at the firewall; a lot of firewalls now will provide some application reporting.
You May Need to Level Up ($)
This may be one of the gotchas with single sign-on. While most applications include it as part of the service, for some other organizations or other vendors, you have to be at a certain tier.
Box, Slack and Salesforce are all in that case. If you have just the basic subscription version of those applications, they don’t include single sign-on. You have to go up to the enterprise or business level service, which can cost more money.
For most of these big name web applications, single sign-on support is pretty robust and works well out of the box without a whole lot of tweaks.
MFA or multifactor authentication.
MFA is a must have, and it’s easy. With Office 365, you have Microsoft Authenticator which is a two-factor authentication source.
Google has Google Authenticator.
Okta can use Google Authenticator, or can use some other third party multi-factor authentication tools and they also have their own app. It’s a free app for your mobile device. It will send you a push notification. Whenever you log in, your phone buzzes. You can click approve and then you log in.
For more on using MFA at your nonprofit and in your non-work life too, we wrote an article on How to Enroll in MFA.
Implementation of SSO at Your Nonprofit
Vendors have really great resources in terms of templates and checklists to help inform staff. There are Email templates, planning calendars, charts to put up around the office. There’s a lot of great resources that are available. You don’t have to reinvent the wheel.
We always tweak implementing SSO for your organization’s unique requirements and expectations. What we typically do is have some pre-project notification, talk to staff about why we are doing single sign-on.
The primary goals may be for end users to understand and improve security. With all the news about cybersecurity recently, it feels very real and very relevant that improving security is an organization imperative.
We’ve found the best approach is to take a phased approach. Take the easiest application first. So as you go through the discovery process, have a laundry list of applications.
The applications that affect everybody are obviously the ones that are candidates to be migrated first. Get some quick wins and then staff have the experience and understanding of how everything works together.
Plan on making tweaks. The lesson we’ve learned is to do planning and discovery and talk about policy and procedure and how we want things to go. Set it up and when people start using the system expect to hear, “Oh, we don’t want to get multi-factor challenges here,” or, “Hey, can we change this, or can we tweak it?”
Be prepared to adjust as you go along, because the planning is great, but there’s no substitute for actually using the system and the software.
Is there any value to putting just a few services on single sign-on versus all of the cloud services you’re using?
Having a well-articulated and well-implemented security framework is key. There is no reason to just do some and not all applications, unless there are exorbitant costs that are too much to bear to make the integration.
Single sign-on can be an excellent influence on workforce efficiency and management. When staff can go to the web, log into their portal and have secure access to all the applications that they use, that’s going to make the organization more efficient, cohesive and safe.
Ready to support your staff with SSO security and convenience, and reduce your nonprofit cybersecurity risk?
At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to. As a result, cyber damages are all too common. Whether at a third party vendor or a phishing or ransomware attack on your own organization, you need to be prepared for cybersecurity risks and understand your work and personal security options.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. We published our completely revised 2021 Cybersecurity Readiness for Nonprofits: Community IT Innovators Playbook to help our community understand the issues. And we ensure you get the highest value possible by bringing 20 years of expertise in exclusively serving nonprofits to bear in your environment.
We regularly present webinars at Community IT about cybersecurity issues. And you can contact Matt Eshleman, our CTO and nonprofit cybersecurity expert, for an assessment.
If you’re ready to gain peace of mind about your cybersecurity, let’s talk.