What is SSO (Single Sign-On)?

SSO (Single Sign-On) is a mechanism that allows a central service (Identity Provider, IdP) to establish a trusted relationship with multiple services (Service Provider, SP), so that logging into the IdP enables users to log into all SPs simultaneously.

YubiOn Portal has an optional SSO function that works as an IdP, which together with the main function of two-factor authentication for PCs, enables integrated management of company accounts and service use.
By implementing SSO, the following benefits can be obtained.

| | Before SSO introduction | After SSO introduction |
|---|---|---|
| Security | Depends on each service | Secure authentication can be applied to all services [1] |
| | It is necessary to check the security of the authentication method for each service. | All registered services can be made to require YubiOn Portal's authentication. [2] |
| | As the number of IDs and passwords to be managed increases, the management tends to get more sloppy and the risk of password leakage also increases. | Only YubiOn Portal login information is required for safe and secure operation. |
| | When using a new service, you will be required to check the security at each step. | When using a new service, simply register it for the SSO feature through the YubiOn Portal for safe and secure use. [3] |
| Administrative Usage | Need to individually manage each service | Centralized management via YubiOn Portal |
| | Each service requires the appropriate management method to be identified and to be implemented. | By setting up the SSO, centralized management of all services through the YubiOn Portal is possible. |
| | When an employee leaves the company, it will be necessary to suspend their accounts for each service used. | When an employee leaves the company, the YubiOn Portal can be used to suspend the employee's access to all services and the system. |
| | When services are changed due to employee transfers, etc., each service must be managed by either individually suspending them or setting them up. | When services are changed due to employee transfers, etc., the services can be changed in batches by reassigning members to the appropriate groups. |
| General business | Need to log in for each service | Only login to the YubiOn Portal is required |
| | The user needs to find the bookmark of the login screen, etc. for each service. | SSO App login screen has all the necessary services. |
| | IDs and passwords for each service need to be memorized. | IDs and passwords for each service are not required. |

Improved security when using each service

When using multiple services without SSO, it is necessary to configure IDs, passwords, and other authentication settings for each service.
While some services may require two-factor authentication, for most, these settings are left up to each member of the organization.
Further, it is realistically not easy for individuals to manage their various IDs and passwords, and organizations may use easy-to-understand IDs and passwords for shared accounts.
There have also been reports of incidents wherein IDs and passwords have been accidentally leaked, resulting in compromise of confidential information not only of the service whose ID and password were leaked but also of other services that shared the login credentials.
Using YubiOn Portal’s SSO function, access to each service is protected by SAML, a mechanism for sharing authentication information between web services, making it far more secure than just ID and password authentication.
In addition, YubiOn Portal requires two-factor authentication during login, making it difficult for hackers to gain access to sensitive information even if the ID and password have been leaked.

Centralized management of services used

It is becoming increasingly common for organizations to use a variety of services to conduct business; however, there are significant costs associated with tracking which services are being used by which member.
The YubiOn Portal’s SSO function addresses this by providing integrated management at a low cost.
By categorizing members into groups, it is easy to identify and set up which services will be used by which groups and departments.
Of course, individual members can also be set up to use the service, making it easy for a specific member to use a service used by another department for temporary support.
Service availability can be easily changed by configuring the YubiOn Portal to suspend or change access to certain services upon employees being transferred to different departments or leaving the organization.

Improving efficiency of general operations

When using multiple services without SSO, users are required to log in to each service individually.
This causes a decrease in productive work time as employees are busy looking for login pages and memorizing IDs and passwords.
However, through use of YubiOn Portal's SSO functionality, companies can reduce this unproductive time and instead improve the overall efficiency of operations.

  1. The service must support single sign-on for SAML 2.0.
  2. Some services may not support single sign-on, instead requiring login via the ID and password.
  3. If the service does not support JIT provisioning (the ability to automatically add users when accessing from an IdP), it may be necessary to add accounts on the service side as well.