Striking the right balance between security and usability is key. Ironically, piling on stronger security measures can push users toward weaker habits, such as reusing short, simple passwords across services. Single Sign-On (SSO) alleviates this by removing the need to juggle multiple sets of credentials. Microsoft Entra ID supports SSO for a wide range of applications. This article provides an introduction to setting up Single Sign-On with Microsoft Entra.
What is Single Sign-On? How does it work?
Single Sign-On is an authentication framework that lets users securely access multiple applications with a single set of credentials. It relies on a trust relationship between two parties:
- Identity Provider (IdP): the SSO system that authenticates users (here, Microsoft Entra ID)
- Service Provider (SP): the application or website being accessed
The login flow looks like this:
- The user attempts to access an application that supports SSO (the SP).
- The application redirects the user's browser to Microsoft Entra ID (the IdP).
- Entra ID verifies the user's identity. This may involve a username and password, multi-factor authentication (MFA), or both.
- Upon successful authentication, Entra ID issues a token and returns it, via the user's browser, to the service provider.
- On receiving the token, the SP validates it against its preconfigured trust relationship: the signature must verify against the IdP's published signing keys, and the issuer, the audience (the SP itself) and the validity period must all match what the SP expects.
- If the token is valid, the user is granted access; the SP never sees the user's password.
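The following is an added example, not code from the original article or from Microsoft: a small simulation of the flow above in which an `IdentityProvider` stand-in issues a token and a `ServiceProvider` validates it against its preconfigured trust settings (issuer, audience, signing key, expiry, and a per-login nonce). Real Entra ID tokens are signed with RS256 using keys published at the tenant's JWKS endpoint; this example uses HMAC-SHA256 as a stand-in so that it runs with the Python standard library only. The tenant ID, application identifiers and user names are placeholders. Besides the happy path it shows the cases a correct SP must reject: a replayed token, a genuine token issued for a different application, an expired token, and a token whose claims were edited after signing.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Stand-in for Entra ID: once the user is authenticated, it issues a signed token."""

    def __init__(self, issuer, key):
        self.issuer = issuer
        self.key = key  # HMAC key stands in for Entra's RSA signing key (assumption)

    def issue_token(self, subject, audience, nonce, lifetime=3600, now=None):
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + lifetime, "nonce": nonce}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)


class ServiceProvider:
    """The application. Its trust settings (issuer, audience, key) are fixed when SSO is configured."""

    def __init__(self, app_id, trusted_issuer, trusted_key):
        self.app_id = app_id
        self.trusted_issuer = trusted_issuer
        self.trusted_key = trusted_key
        self.pending_nonces = set()

    def start_login(self):
        """Before redirecting to the IdP, remember a one-time nonce for this login attempt."""
        nonce = secrets.token_urlsafe(16)
        self.pending_nonces.add(nonce)
        return nonce

    def validate_token(self, token, now=None):
        """Accept the token only if every part of the trust relationship checks out."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        head, body, sig = parts
        try:
            header = json.loads(b64url_decode(head))
            claims = json.loads(b64url_decode(body))
            signature = b64url_decode(sig)
        except ValueError:
            return False, "malformed token"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return False, "malformed token"
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return False, "unexpected signing algorithm"
        expected = hmac.new(self.trusted_key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if claims.get("iss") != self.trusted_issuer:
            return False, "untrusted issuer"
        if claims.get("aud") != self.app_id:
            return False, "token was issued for a different application"
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return False, "token expired"
        if claims.get("nonce") not in self.pending_nonces:
            return False, "unknown or replayed nonce"
        self.pending_nonces.discard(claims["nonce"])  # each login attempt accepts one token
        return True, claims.get("sub", "")


def run_scenarios(now=1_700_000_000):
    """Run the flow once, then feed the SP tokens it must reject. Returns {name: (ok, detail)}."""
    tenant_id = "00000000-0000-0000-0000-000000000000"  # placeholder tenant, not a real one
    issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"  # Entra v2.0 issuer format
    key = secrets.token_bytes(32)
    idp = IdentityProvider(issuer, key)
    sp = ServiceProvider("api://payroll-app", issuer, key)
    results = {}
    # Steps 1-6: the SP starts a login, the IdP issues a token for this SP, the SP accepts it.
    token = idp.issue_token("alice@contoso.example", "api://payroll-app", sp.start_login(), now=now)
    results["valid"] = sp.validate_token(token, now=now)
    # Replaying the same token fails: its nonce has already been consumed.
    results["replay"] = sp.validate_token(token, now=now)
    # A genuine token for another app in the same tenant: signature is fine, audience is not.
    other = idp.issue_token("alice@contoso.example", "api://hr-app", sp.start_login(), now=now)
    results["wrong_audience"] = sp.validate_token(other, now=now)
    # A token that has outlived its validity period.
    stale = idp.issue_token("alice@contoso.example", "api://payroll-app", sp.start_login(), lifetime=60, now=now - 120)
    results["expired"] = sp.validate_token(stale, now=now)
    # Claims edited after signing (sub changed to another user) without the IdP's key.
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["sub"] = "admin@contoso.example"
    forged = head + "." + b64url(json.dumps(claims).encode()) + "." + sig
    results["tampered"] = sp.validate_token(forged, now=now)
    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {detail}")
```

The order of checks matters in practice: pin the algorithm and verify the signature before trusting any claim, then check issuer and audience, and only then the time-based and nonce checks. A production SP would fetch the signing keys from the IdP's metadata or JWKS endpoint and cache them by key ID rather than holding a shared secret as this simulation does.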
Why use Microsoft Entra’s SSO?
- Security: Entra ID combines SSO with Multi-Factor Authentication (MFA), so the one credential that matters is also the one that is strongly protected. Fewer passwords also means fewer reused or forgotten ones. This significantly reduces the risk of unauthorized access.
- Efficiency: Eliminating the need for repetitive logins increases productivity and reduces password fatigue. SSO also cuts down on the time spent assisting users with forgotten passwords.
- Centralized authentication: Entra ID acts as a single point of control for user identity management. This makes it easier to enforce stronger password policies and security measures across all connected platforms.
- Flexibility: Entra SSO supports protocols like SAML and OpenID Connect, allowing integration with a wide range of applications.
SSO options
Microsoft Entra offers three approaches to SSO. Which one to choose depends on what the application supports, your security requirements and your user base.
- Federated: Federated SSO uses standardized protocols such as SAML or OpenID Connect to establish trust between the IdP and the application. As long as the IdPs and applications are federated, users from multiple organizations can access the applications with their own IdP credentials. Federated SSO is the most robust option: the application never handles the user's password, only a signed token from the IdP, so Entra ID's MFA and sign-in policies apply to every login.
- Password based: Entra ID stores the user's credentials for the application (entered by the user on first use, or set by an administrator) and, on subsequent sign-ins, the My Apps browser extension fills them into the application's own login form. The application still authenticates with a plain username and password; Entra ID only manages them on the user's behalf. This is convenient for applications that support no federation protocol, but the stored credentials become a high-value target and the application itself is not protected by MFA: MFA applies only to the user's sign-in to Entra ID, which guards access to the vaulted credentials. Requiring MFA on that Entra sign-in mitigates the risk.
- Linked: Linked SSO does not perform authentication at all. It adds a tile for the application to the My Apps portal that points at a sign-in URL where SSO is already handled by something else, for example an existing AD FS configuration or the application's own SSO. It is the easiest to set up and is useful during migrations, but it is limited in scope and gives Entra ID no control over how users actually authenticate to the application.
How to enable Single Sign-On for an application?
The process for enabling SSO in Microsoft Entra depends on the method you have chosen (federated, password based, or linked) and the application you are connecting. Here is a general overview of the process:
- Sign in to the Microsoft Entra admin center.
- Browse to Identity > Applications > Enterprise applications, and either locate the application or add it (from the gallery, or as a non-gallery application).
- Once you have located or added the application, browse to Manage > Single sign-on. This opens the Single sign-on pane.
- Select the SSO method the application supports (SAML, OpenID Connect, password based, or linked).
- If using federated SSO with SAML, enter the application's Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) in Entra, and download the Federation Metadata XML or signing certificate along with the Entra login URL; these are used to configure the application's side of the trust.
- Follow the application's specific documentation to configure its SSO settings.
- Under Manage > Users and groups, assign the users or groups who should be able to sign in; by default, unassigned users are refused.
- Once the configuration is saved, use the Test option on the Single sign-on pane to verify the flow with a test user before rolling it out.
Whilst Single Sign-On is often overlooked as a security mechanism, Entra's SSO goes beyond convenience: it puts one well-protected credential, MFA, and central policy in front of every connected application. It adds security, improves usability, and delivers a win-win for both users and IT admins. This translates to a more productive workforce and a more secure environment, a powerful combination for any organization.