With enterprise solutions and consumer technology platforms offering an array of applications, users need to move securely between the applications in a product suite, with access governed by their roles. Single sign-on (SSO) addresses this with a centralized authentication service: the user authenticates once, and that authenticated session grants access to multiple applications in the suite without entering credentials each time. It is a simple yet efficient way to improve accessibility and productivity without compromising security. Facebook, Google, GitHub, and enterprise ERP suites are everyday examples of systems that use SSO during login.
Why Single Sign-On? What are the Benefits?
Single sign-on came into the picture with the rise of cloud infrastructure, credential fatigue, cloud-based enterprise web applications, and workforce mobility. To address the monitoring, management, and security needs of these ever-evolving cloud and integrated environments, SSO provides a firm strategy for increasing efficiency on multiple fronts. With a good SSO implementation strategy, you gain the following advantages:
- Scalability. With authentication handled centrally, your employees or service consumers can navigate across your multi-application suite faster while keeping the necessary security checks. This not only improves the user experience, it also keeps credential handling in one place as the number of applications grows, instead of every new app adding its own login and password store.
- Productivity. SSO removes the human error that creeps in when users must type credentials into every app. It saves the time spent remembering passwords, typing them in, resetting them, and calling the help desk, which reduces downtime and increases productivity.
- IT monitoring and management. With SSO in place, your IT team can onboard people and manage their credentials and access from one place under a single set of security policies. Requests for resources and their approval process are also unified in one workflow, so access is granted and revoked faster and more consistently.
- Security control. SSO is built for both security and accessibility. Moving between apps rides on one well-defined authentication mechanism rather than several ad hoc ones, and any user can be granted or denied access to enterprise resources from a single place, which gives you better control and a consistent resource protection policy. The flip side is that the SSO server and its session become the single point of trust: a compromised SSO session or identity provider opens every connected app, so multi-factor authentication and short session lifetimes on the SSO server matter more, not less.
Single Sign-On Traffic Movement
- A user makes a request to access a protected resource. If the application server finds an existing authentication cookie, the user is already authenticated and there is no need to authenticate again.
- If the application server does not find an authentication cookie, it redirects the user to the SSO server with the details needed for the post-authentication flow, typically a callback URL. The SSO server should accept only callback URLs registered for that application; an unchecked callback parameter would let the login token be redirected to a host of an attacker's choosing.
- The SSO server likewise checks for its own authentication cookie. If it cannot validate the user from that cookie, it asks the user to enter credentials.
- The SSO server validates the credentials the user entered. If they are valid, it generates a cookie that authenticates the user for the rest of the session.
- The SSO server also fetches additional user attributes, depending on the implementation strategy.
- The SSO server then redirects the user back to the application server with the fetched attributes, carried in whatever token mechanism the deployment uses (a signed SAML assertion or an OpenID Connect ID token, for example). The application server must verify the token's signature, expiry, and intended audience before it creates its own session from those attributes.
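The six steps above as one runnable round trip. This is an added example, not Dotcom-Monitor code or any particular SSO product's: it uses an HMAC-SHA256-signed JSON token in place of a SAML assertion or OIDC ID token, and the shared key, user record, server URLs and callback allowlist are constructed assumptions.

```python
# Added example, not Dotcom-Monitor code: one SSO round trip, app -> SSO server -> app.
# The login token is an HMAC-SHA256-signed JSON blob standing in for a SAML assertion
# or OIDC ID token; the key, user table and callback allowlist are constructed fixtures.
import base64, hashlib, hmac, json, secrets, time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SSO_KEY = b"constructed-shared-key"                            # assumption: shared by app and SSO server
TOKEN_TTL = 300                                                # seconds a login token stays valid
ALLOWED_CALLBACKS = {"https://app.example.com/sso/callback"}  # assumption: registered callback URLs
USERS = {"alice": {"password": "correct horse",                # constructed user record; plaintext only
                   "attrs": {"email": "alice@example.com", "role": "admin"}}}  # for brevity


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_token(payload: dict) -> str:
    """Serialise the payload and append a MAC so the app can check origin and integrity."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the MAC matches and the token has not expired, else None."""
    body, _, mac = token.partition(".")
    expected = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):                 # constant-time comparison
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return None if payload.get("exp", 0) < (time.time() if now is None else now) else payload


class AppServer:
    """Steps 1, 2 and 6: check the app's own session cookie, else bounce to the SSO server."""
    def __init__(self, sso_url: str, callback: str):
        self.sso_url, self.callback, self.sessions = sso_url, callback, {}  # sid -> attrs

    def handle(self, path: str, cookies: dict) -> dict:
        sid = cookies.get("app_session")
        if sid in self.sessions:                                # step 1: cookie present, no re-auth
            return {"status": 200, "path": path, "user": self.sessions[sid]}
        q = urlencode({"callback": self.callback, "next": path})  # step 2: hand off with callback
        return {"status": 302, "location": f"{self.sso_url}?{q}"}

    def callback_handler(self, token: str, next_path: str) -> dict:
        payload = verify_token(token)                           # step 6: signature, expiry, audience
        if payload is None or payload.get("aud") != self.callback:
            return {"status": 401, "error": "invalid, expired or misdirected SSO token"}
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = payload["attrs"]
        return {"status": 302, "location": next_path, "set_cookie": {"app_session": sid}}


class SsoServer:
    """Steps 3, 4 and 5: check the SSO cookie, validate credentials, fetch attributes."""
    def __init__(self):
        self.sessions = {}                                      # SSO session id -> username

    def handle(self, query: str, cookies: dict, credentials: Optional[tuple] = None) -> dict:
        params = {k: v[0] for k, v in parse_qs(query).items()}
        callback, next_path = params.get("callback", ""), params.get("next", "/")
        if callback not in ALLOWED_CALLBACKS:                   # never send a token to an unregistered host
            return {"status": 400, "error": "callback not registered"}
        user, set_cookie = self.sessions.get(cookies.get("sso_session")), {}
        if user is None:                                        # step 3: no SSO cookie yet
            if credentials is None:
                return {"status": 200, "form": "login"}
            name, password = credentials                        # step 4: validate credentials
            rec = USERS.get(name)
            if rec is None or not hmac.compare_digest(rec["password"], password):
                return {"status": 401, "error": "bad credentials"}
            user, sid = name, secrets.token_urlsafe(16)
            self.sessions[sid], set_cookie = user, {"sso_session": sid}
        attrs = USERS[user]["attrs"]                            # step 5: fetch attributes for this user
        token = sign_token({"sub": user, "attrs": attrs, "aud": callback, "exp": time.time() + TOKEN_TTL})
        q = urlencode({"token": token, "next": next_path})
        return {"status": 302, "location": f"{callback}?{q}", "set_cookie": set_cookie}


def run_round_trip() -> dict:
    """Drive one user through the whole flow and return what the app finally serves."""
    app = AppServer("https://sso.example.com/login", "https://app.example.com/sso/callback")
    sso = SsoServer()
    r1 = app.handle("/reports", cookies={})                     # no app cookie: redirect to SSO
    sso_query = urlparse(r1["location"]).query
    r2 = sso.handle(sso_query, cookies={})                      # no SSO cookie: login form
    r3 = sso.handle(sso_query, cookies={}, credentials=("alice", "correct horse"))
    cb = {k: v[0] for k, v in parse_qs(urlparse(r3["location"]).query).items()}
    r4 = app.callback_handler(cb["token"], cb["next"])          # app verifies token, sets its cookie
    r5 = app.handle(cb["next"], cookies=r4["set_cookie"])       # cookie present: served without re-auth
    return {"login_form_shown": r2.get("form") == "login", "path": r5["path"], "user": r5["user"]}
```

Two checks in this code are the ones the list implies but does not spell out: the SSO server refuses any callback URL outside its allowlist, and the application server accepts a token only if its MAC verifies, it has not expired, and its audience is this application's own callback, so a token minted for one app cannot be replayed to another. Passwords are held in plaintext here only to keep the example short; a real SSO server stores salted hashes.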
Challenges in Monitoring Single Sign-On Traffic
Now, with all that we have covered about SSO, you will also want to monitor your application with various kinds of APM tools. And here it gets tricky with SSO-enabled traffic.
- When to initiate the authentication check – An SSO ecosystem usually spans multiple apps from multiple vendors. Users are unpredictable, so their paths through the ecosystem are complex, and role-based access means different users see different resources and apps. When you monitor such apps with traditional APM tools, it is hard to decide at which point a scripted check should expect a credential prompt, and therefore hard to know whether the check is exercising the login flow correctly.
- Where to initiate the authentication check – With SSO-enabled traffic, you need a clear picture of what happens when a user moves from one app to another. These apps may come from the same vendor or from different vendors, and cross-vendor movement may require a different set of credentials or a different SSO server. In a large enterprise infrastructure with multi-vendor SSO apps, this adds another layer of complexity to monitoring.
- After-login flow – With SSO, the application server must pass along everything needed to continue the flow once the login check has passed. When you come across a broken flow, you need to work out what caused it: the SSO mechanism itself, a broken URL, an expired session cookie, or parameters dropped when the URL was passed along.
- User attributes – User attributes are another part of the SSO mechanism that complicates monitoring. A failure can mean several things, from malformed attributes to none being fetched at all. If the SSO server cannot fetch the attributes correctly, or does not pass them on correctly after fetching them, every subsequent step fails, and finding where it went wrong is a challenge.
- Confusing and slow monitoring – With traditional APM tools it is often unclear where the actual problem lies. A fault in the application can look like an SSO failure, and vice versa. That makes analysis of the monitoring logs slow, and so detection and resolution of problems are slow too.
So What’s the Solution?
A well thought-out monitoring strategy and implementation lets you avoid the downtime and buggy experience that would otherwise undercut the benefits of using single sign-on in the first place. Specialized monitoring solutions and tools are a good choice for dealing with these challenges. Here is how they help:
- Web application monitoring – Web application monitoring tools let you script specific transactions in a user flow, with flexible configuration that can incorporate complex paths such as an SSO login flow. This helps you pinpoint the issues users are facing, saving you from reconstructing what went wrong by hand and giving your teams time to fix the issue before more users are affected.
- Web page monitoring – With a web page monitoring tool you can monitor the SSO authentication pages themselves and verify that the necessary information, such as the redirect URL and user attributes, is passed both before and after the authentication check. That lets you detect and correct issues proactively and avoid downtime caused by SSO-enabled traffic.
- Web services monitoring – Last but not least, web services monitoring tools let you monitor specific GET and POST requests to the SSO servers. Use this to identify issues with individual apps in the SSO implementation, so that a single app does not bog down the whole system.
Keep in mind that SSO technology keeps evolving, with multi-factor authentication and other security requirements, so make sure you use a monitoring solution that supports current web application technologies and the authentication protocols behind SSO, such as SAML and OpenID Connect. Try the web application monitoring solution from Dotcom-Monitor for free.
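What a scripted transaction check of this kind does, written out as an added example (not Dotcom-Monitor's monitoring scripts or any product's code). It walks the login flow as an external monitor would, treating the token as opaque and checking only what is visible from outside: status codes, redirect targets, the parameters that must survive each hop, the session cookie, and the user attributes on the post-login page. The `fetch` callable, the server URLs and `make_transport`, a fake of the app and SSO servers that can inject the failure modes discussed above, are all constructed assumptions.

```python
# Added example, not Dotcom-Monitor code: a scripted SSO transaction check of the kind a
# web application monitor runs. `fetch(method, url, cookies, data)` stands in for the
# monitor's HTTP client; make_transport() is a constructed fake of the app and SSO servers
# that can inject the failure modes discussed in the text (dropped params, missing
# attributes, a session cookie that is not honoured).
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

REQUIRED_ATTRS = {"email", "role"}        # assumption: attributes the app needs after login


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_sso_flow(fetch, protected_url: str, credentials: tuple) -> list:
    """Walk the login flow step by step; stop at the first failure and name the step and cause."""
    steps = []

    def fail(step, why):
        steps.append((step, "FAIL", why))
        return steps

    r = fetch("GET", protected_url, {}, None)                    # 1: unauthenticated request
    if r["status"] != 302 or "location" not in r:
        return fail("app -> sso redirect", f"expected 302 to SSO server, got {r['status']}")
    q = _query(r["location"])
    if not {"callback", "next"} <= set(q):
        return fail("app -> sso redirect", f"redirect is missing params: {sorted(q)}")
    steps.append(("app -> sso redirect", "OK", ""))

    r = fetch("POST", r["location"], {}, credentials)            # 2: submit credentials to SSO
    if r["status"] != 302 or not r.get("location", "").startswith(q["callback"]):
        return fail("sso login", f"credentials rejected or no redirect to callback (status {r['status']})")
    cq = _query(r["location"])
    if not {"token", "next"} <= set(cq):
        return fail("sso -> app callback", f"params dropped on the way back: {sorted(cq)}")
    steps.append(("sso login", "OK", ""))

    r = fetch("GET", r["location"], {}, None)                    # 3: app consumes the token
    if r["status"] != 302 or not r.get("set_cookie"):
        return fail("sso -> app callback", f"app rejected the token or set no cookie (status {r['status']})")
    cookies = r["set_cookie"]
    steps.append(("sso -> app callback", "OK", ""))

    r = fetch("GET", urljoin(q["callback"], cq["next"]), cookies, None)   # 4: original page
    if r["status"] != 200:
        return fail("post-login page", f"session cookie not honoured, got {r['status']} (expired or ignored?)")
    missing = REQUIRED_ATTRS - set(r.get("attrs", {}))
    if missing:
        return fail("post-login page", f"user attributes missing: {sorted(missing)}")
    steps.append(("post-login page", "OK", ""))
    return steps


def make_transport(break_at=None):
    """Constructed fake of app + SSO server; break_at injects one of the failure modes."""
    sso, cb = "https://sso.example.com/login", "https://app.example.com/sso/callback"

    def fetch(method, url, cookies, data):
        u, q = urlparse(url), _query(url)
        if u.netloc == "sso.example.com":                        # SSO server: validate, redirect back
            if data != ("alice", "correct horse"):
                return {"status": 401}
            back = {"token": "tok123"}
            if break_at != "drop_next":
                back["next"] = q["next"]
            return {"status": 302, "location": f"{q['callback']}?{urlencode(back)}"}
        if u.path == "/sso/callback":                            # app callback: accept token, set cookie
            if q.get("token") != "tok123":
                return {"status": 401}
            return {"status": 302, "location": q.get("next", "/"), "set_cookie": {"app_session": "s1"}}
        if cookies.get("app_session") == "s1" and break_at != "cookie_ignored":   # app: protected page
            attrs = {"email": "alice@example.com"} if break_at == "no_attrs" else \
                    {"email": "alice@example.com", "role": "admin"}
            return {"status": 200, "attrs": attrs}
        return {"status": 302, "location": f"{sso}?{urlencode({'callback': cb, 'next': u.path})}"}

    return fetch


def run_checks() -> dict:
    """Run the healthy flow and each injected failure; return the last step of each run."""
    return {name: check_sso_flow(make_transport(name), "https://app.example.com/reports",
                                 ("alice", "correct horse"))[-1]
            for name in (None, "drop_next", "no_attrs", "cookie_ignored")}
```

The point of recording a named step with each failure is the "confusing and slow monitoring" problem above: a broken flow is reported as "params dropped on the way back" at the SSO-to-app hop, or "session cookie not honoured" on the post-login page, rather than as a generic login failure that could sit in either the application or the SSO server.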