Why Single Signal on Sucks

Why SSO Sucks

A month ago I tweeted about my annoyance with SSO or Single Signal On. While single is in the title, I’m required to “single signal on” multiple times a day. I’m no longer the totally one; the tweet went viral with over 25ample likes and 2 Million impressions. The tongue-in-check tweet created a number of fun responses and extra rage against SSO user skills than I anticipated. SSO used to be intended to solve password fatigue however we bought one thing worse.

Why is it called Single Sign On?

To provide an instance, that is what it appears to be devour on a day-to-day foundation if I are looking to login to Github.

Throughout this drift, I first login to Github, Tap my 2FA Token, then I’m required to login again the use of Okta, faucet my MFA token, enter my password and then I’m into Github.

Since Teleport uses Okta as an identification provider, there could be a further step for most apps. As new workers be a half of Teleport, they are added to our HR gadget, which pushes employee attributes to Okta for use in Attribute Primarily primarily based Entry Controls (ABAC). Okta then acts as our identification and entry management map to give federated entry to all techniques. Dynamic directory teams are veteran to provision entry to apps in accordance with an workers feature. This creates a undoubtedly atmosphere apt onboarding route of and an worthy extra swift offboarding. The offboarding map is so atmosphere apt that there could be minute trade to ship essentially the most engrossing goodbye message, as all of our Okta Record is automatic the use of Terraform.

Why enact we now absorb to SSO 43 times a day?

In an supreme world, I would log into the computer, login to my SSO solution, and then creep about my day’s work, having access to multiple apps without a need to stare a login in finding or doing a redirect dance again.

There are a number of problems that mean that this isn’t a fact. The tl;dr is that because each app controls the login route of, and varied apps absorb varied architectures, having a standardized drift that works all the absolute most practical way by all apps is extremely tense. There are some present solutions to accommodate this, however all absorb their shortcomings.

To admire why SSO is this form of danger at a deeper level, we to admire how an utility integrates with identification-suppliers (IdPs), to originate the one signal-on drift. Utility builders absorb to integrate the use of SAML or OIDC, for Authentication or AuthN. It’s then up to the app to settle what to enact with the user identification and ensuing token, and that is the set apart apart it will get reasonably extra advanced…reckoning on the use case.

SSO Authentication for Net apps: Server & client facet classes

For passe net functions, authentication common sense occurs on the server. For a Rails app, as an instance, devs can use the devise_saml_authenticatable that can even simply originate a session cookie that’ll closing one browser session with a defined timeout, with some extra client-facet common sense to repair for long client timeouts.

SSO Authentication Net apps: JavaScript apps / SPAs

Single Net page Purposes (SPAs) are net functions that dynamically rewrite the page whereas getting recordsdata from the catch server. A ‘real’ page refresh never occurs since all HTML, JavaScript and CSS is loaded in a single page load*. Adding authentication and session management comes with a myriad of client-facet problems. While it’s that it’s possible you’ll perhaps well believe to originate cookie with credentials, this have to be refrained from attributable to the total potentialities of CSRF Assaults. Briefly, Gruesome-Residing Effect a matter to Forgery (CSRF) assaults allow an attacker to forge and put up requests as a logged-in user to a net utility; this insist could well also additionally be fastened by at the side of tokens and limiting identical-situation cookies. What does this mean for our SSO app? Due to the the mechanisms, you’ll have to re-auth if logging in from a varied browser, or again if your session has expired.

SSO Authentication for CLI apps

The following class of ‘functions’ are CLI instruments. For me, Heroku pioneered the idea of mainly interacting with the product by the terminal. The heroku cli used to be the app; heroku.com real offered a kindly dashboard and designate breakdown for dynos. As with any varied products and services, that CLI instrument has to in finding credentials. Once SSO is enabled, builders shall be greeted by an skills equivalent to the image beneath. You’ll login, and a SSO authorization page will pop up, once authenticated. I can cease my browser since the credentials are truly out there locally. For AWS that is in ~/. aws/sso/cache however as with all caches, these credentials are legitimate from 1hr to 12hrs.

Why SSO Sucks

SSO Authentication for Cell apps

Cell apps are almost the identical as net apps however can present a number of advantages and some challenges. A pro of cell apps is the skill to pass to passwordless by leveraging biometrics, FaceID as an instance. The difficulty often faced is when making an strive to integrate with a hardware token, you prefer to recollect to could well also simply absorb an NFC Yubikey to use the token for each desktop and net apps.

An ‘obliging level out’ for cell app SSO is QR Login, which makes it super simple to rapidly login to discord on a bunch of machines. This lets me rapidly entry discord on a Work Mac, Linux Field and Home windows Machine seamlessly.

SSO Authentication for Net app with multiple orgs. E.g. AWS Console

At Teleport we apply essentially the most easy observe of the use of more than a number of AWS organizations to give isolation of environments. Right here is a simplest observe for secure entry to aws, and we quilt it intimately in Episode 12 of Entry Adjust with LVH.

The main reason in the wait on of the multiple accounts thing is that because we chanced on that, in many instances, it be undoubtedly no longer easy to in finding of us to enact a extensive job at managing AWS IAM, devour of us real write a selected permission. It be super extensive, and they real withhold at the side of infrastructure and infrastructure and infrastructure. And earlier than you imprint it, that skill to read from every S3 bucket is all straight away a long way extra horrible than it used to be have to you agreed to it … Since you’re already fascinated by issues devour, “Am I —” confidently you’re fascinated by whether you’re in dev or prod earlier than you tumble the tables. So that you’re already fascinated by that. So as that worthy of a further — it be a number of extra mental bandwidth that is being requested for. But then on the flip facet, from a security standpoint, I undoubtedly absorb an extremely strong guarantee that issues are going to end separate. And in the same way, if an auditor comes and asks, then we are able to exclaim, “We assemble no longer absorb to talk. We assemble no longer absorb to use hours talking about AWS IAM insurance policies.” We can real exclaim, “Yeah, separate accounts,” devour fully separate off domains. Plenty of AWS accounts is this form of no brainer.

In observe, the UX could well also additionally be reasonably jarring. Within the occasion you originate a session on an AWS memoir, that tab becomes logged out while you login to a new memoir. I would file this UX as each a worm and a characteristic, however it completely’s darn anxious while you’re doing a number of work all the absolute most practical way by accounts.

SSO Alternate solutions and Improvements ?

While I devour a factual rant, I hope that in 2-5 years most of this weblog put up shall be irrelevant, and that’s the reason.

Browser-primarily primarily based solutions

Google has offered an enticing hack to the session dance. As an illustration I’m in a position to end logged into each my Work and Non-public Gmail by the use of more than a number of profiles. There could be minute knowledge on the characteristic rather than this transient page and whereas it does carve wait on a number of of my re-login dance, it’s simple to be cynical and grasp it’s real to better observe my work vs inner most lifestyles.

Chrome Profiles

Machine-primarily primarily based solutions

For organizations that truly need tightly locked gadgets, issuing Chromebooks for work purposes would be essentially the most easy for security, and when blended with Developed Security that enforces multi-component authentication has turn out to be the de-facto for serving to secure elections, however this doesn’t fix the login once and don’t SSO again. The trade has made some progress with unsuitable-tool believe with AirDrop, and some copy-and-paste functionality with Universal Adjust however these solutions are provider-particular and restricted in what they’ll enact.


Passwordless authentication is a capacity that lets a user log into a computer without a need to bear in mind a password or one other recordsdata-primarily primarily based secret. It uses a aggregate of Possession Components (one thing the user has) and Inherence Components (one thing the user is). As an illustration, I would also additionally be in possession of a hardware token (one thing I undoubtedly absorb) and absorb my fingerprint (one thing I’m) to in finding entry to a gadget. The branding of passwordless is advanced, and it doesn’t mean the death of passwords or password managers real yet.

Just a few examples of this are Touch ID, the use of the secure-enclave blended with a fingerprint. Microsoft’s Home windows Hi there, the use of a Relied on Platform Module (TPM) blended with facial recognition. Home windows Hi there requires a webcam with an IR sensor to let it work in all prerequisites. One good thing about Facial recognition is the consolation of authentication, however this could perhaps absorb detrimental penalties while you don’t know the intent of the program.

Ample of the buzzwords — how does this fix SSO?

Before diving into the decisions, let me interpret what my supreme UX would seek devour.

I originate my work with a SINGLE signal-on to my Identity Provider, assuming I’m peaceable employed, and I carried out my passwordless login with my Hardware Token, I don’t absorb to faucet that thing for one other week*. I’m in a position to entry all core functions and CLI instruments without a need to enact the SSO dance again. I can entry my dashboards, CI server and AWS credentials without a need to stare a login redirect page again.

*sudo-mode – sudo-mode is a nifty characteristic veteran by Github, or some could well exclaim ‘zero-believe gate’ that requires customers to re-authenticate again for sudo-protected motion; such as updating an electronic mail deal with or at the side of new public keys. This characteristic is a extensive anti-phishing measure when blended with a resounding 2FA and all evaluates an motion to one thing that is obligatory / doubtlessly harmful.

To break SSO nirvana, we now absorb to evaluate commence air the browser sandbox, which is often changing into extra restrictive in accordance with the advertising and marketing world abusing cookies, and present some level of believe at the OS level.

At Teleport we judge the secret lies with certificate authorities and client certificates. Certificates in finding it simple to encode each identification and session duration into the certificate, that technique no need for cookies of never-ending redirects. A client certificate can then be offered to the functions to in finding entry, however there could be a take. The UX and tech for PKI Infrastructure isn’t extensive, and the client UX sucks. We hope to trade it this 365 days. At the same time as you would devour to uncover a preview, signal up for to our e-newsletter, the set apart apart I raise identical security and DevOps rambles into your inbox on a bi-weekly foundation.

Every varied week we’ll ship a e-newsletter with essentially the most novel cybersecurity
data and Teleport updates.

Linked Posts



Read More



β€œSimplicity, patience, compassion.
These three are your greatest treasures.
Simple in actions and thoughts, you return to the source of being.
Patient with both friends and enemies,
you accord with the way things are.
Compassionate toward yourself,
you reconcile all beings in the world.”
― Lao Tzu, Tao Te Ching