Single sign-on (SSO) is a growing trend among organizations that adopt identity and access management (IAM) solutions to ensure that only the right people have access to IT resources. Protocols such as SSO and user provisioning streamline authentication processes for both employees and IT administrators. Using automated methods for SSO and user provisioning further simplifies the process, while providing employees with secure, seamless access across multiple applications.
What is single sign-on?
Employees rely on a growing number of applications and other systems to get work done. Managing multiple logins gets tedious, especially if you want employees to follow password best practices, such as using unique, strong, random passwords. SSO eliminates the need for managing multiple credentials by allowing users to authenticate access to different applications and systems with one login.
One of the most common SSO methods is based on Security Assertion Markup Language (SAML), an open-standard identity management protocol that exchanges authentication and authorization data between an identity provider and a service provider, like a cloud application. SAML-based SSO uses secure tokens rather than a login credential.
SSO does have some disadvantages, such as implementation complexity. Additionally, SSO by itself doesn’t necessarily provide controls that are granular enough for ensuring that only the right people can access specific IT resources.
What is user provisioning?
User provisioning is the process of assigning permissions based on roles and event changes throughout an account’s lifecycle. Provisioning (and deprovisioning) grants, modifies, or revokes access and privileges based on triggers such as:
- New hire.
- Role change.
- A move to a different business unit.
User provisioning can be automated through integration with the user directory, such as Active Directory, and by using a connector tool such as the open-standard System for Cross-domain Identity Management (SCIM), a protocol that synchronizes user data between cloud-based applications and services.
Automation enables provisioning across multiple applications and other network systems all at once. This not only improves the user experience but also enables IT admins to streamline resources. Additionally, auto-provisioning boosts security and minimizes the risk of unauthorized users accessing sensitive data.
How do SSO and user provisioning work together?
Many service providers support the use of SSO and user provisioning together. That means IT admins only need to set up an SSO account, then configure auto-provision for various apps—like Slack, Microsoft Office 365, Freshdesk, Asana, and many others.
For example, SAML-based SSO works with what’s called just-in-time (JIT) provisioning. Both SAML SSO and JIT communicate with the identity provider and the service provider using secure tokens rather than credentials to verify user identity. Once an IT admin sets up SAML SSO and enables JIT provisioning in an application, there’s no need to create user accounts in that application in advance. The first time an employee logs into the app with SSO, an account is automatically created, with the appropriate privileges granted.
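The JIT flow described above, as an added example (not code from this page or from any vendor): a service-provider-side handler that creates the account on the first SSO login and re-syncs roles on later logins. `ROLE_MAP`, the attribute names and the `Account` type are assumptions, and the attributes are assumed to come from an assertion that a SAML library has already verified.

```python
from dataclasses import dataclass, field

# Hypothetical mapping from IdP group names to roles in this application.
ROLE_MAP = {"eng": "developer", "it-admins": "admin", "support": "agent"}


@dataclass
class Account:
    name_id: str
    email: str
    roles: set = field(default_factory=set)


class ProvisioningError(Exception):
    """The verified assertion does not justify access to this application."""


def jit_provision(attrs, accounts, role_map=ROLE_MAP):
    """Create or update the account for a login; return (account, created).

    attrs must come from an assertion the SAML library already verified
    (signature, audience, validity window); accounts maps name_id -> Account.
    """
    name_id, email = attrs.get("name_id"), attrs.get("email")
    if not name_id or not email:
        raise ProvisioningError("assertion lacks name_id or email")
    # Allow-list: groups this application does not know grant nothing.
    roles = {role_map[g] for g in attrs.get("groups", []) if g in role_map}
    if not roles:
        raise ProvisioningError("no mapped role, access refused")
    account = accounts.get(name_id)
    created = account is None
    if created:
        account = accounts[name_id] = Account(name_id, email)
    # Re-sync on every login so a role change at the IdP takes effect here.
    account.email, account.roles = email, roles
    return account, created


if __name__ == "__main__":
    users = {}  # stands in for the application's user table
    # Constructed sample attributes, not taken from a real IdP.
    first = {"name_id": "u-1001", "email": "ana@example.com", "groups": ["eng", "wiki"]}
    print(jit_provision(first, users))   # first login creates the account
    moved = dict(first, groups=["support"])
    print(jit_provision(moved, users))   # later login updates the roles
```

Because roles are only re-synced when the user logs in, this handler by itself never removes an account; revoking access still depends on the deprovisioning triggers covered earlier.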
While SAML enables IT admins to quickly set up SSO, manual provisioning, which involves uploading CSV files or inputting data by hand for the various apps, is still a time-consuming process and can result in errors. Using SSO and user provisioning together:
- Improves the efficiency for the IT team.
- Enables admins to manage access at scale.
- Improves security.
SailPoint’s Identity Platform enables your workforce to be productive from day one while improving your company’s IT efficiency and reducing risk. See how SailPoint integrates with the top access management solutions.