Let's talk about digital identity with Keith Uber, VP in charge of Sales Engineering at Ubisecure.
In episode 94, Keith joins Oscar to delve into Single Sign-On (SSO) best practices and how organisations can implement SSO – including technical aspects, how it is used in practice and the advantages of SSO.
[Transcript below]
"The best type of single sign-on is where the user doesn't notice it."
Keith is VP Customer Success at Ubisecure. As an Identity and Access Management product expert, he leads the Sales Engineering team and is involved in many stages in the planning and design of demanding customer implementation projects. Keith is active in various industry organisations and has a keen interest particularly in government mandated digital identity systems. He holds a bachelor’s degree in I.T. and a master’s degree in Economics, specialising in software business.
Check out Keith’s SSO video series.
Connect with Keith on LinkedIn.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Go to @Ubisecure on YouTube to watch the video transcript for episode 94.
Podcast transcript
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. Single Sign-On is one thing that today we take for granted. So, it's even hard for us to remember when was the first time we used it. Today, we'll go a bit deeper into that and into which direction Single Sign-On is going. And for that we have a special guest, who is Keith Uber, VP at Ubisecure. Hello, Keith.
Keith Uber: Hi, Oscar.
Oscar: Thank you for joining us for the second time. So, you have been here before – two years ago, talking about mergers and acquisitions. So happy to have you back here.
Keith: It’s a pleasure. Thank you for the invite to come back.
Oscar: Yeah, nice to have you, Keith. And we'd like to hit a few things about yourself. So, you can tell us about your journey to the world of digital identity.
Keith: Yeah. So, my entry into the world of identity probably began around the year 2000 when I had just moved to Finland from Australia. I was working for a telco provider who, around the dot-com boom era, had been acquiring lots of small businesses. Lots of startups – they had their own projects, and all of these had many different types of identity systems and login systems. And my introduction to that process was – my job was to evaluate different solutions to their problem and ultimately take part in a commercial pilot to implement a product to solve that problem.
Oscar: Excellent. And I can already imagine that single sign-on had some role in that. Just guessing that yes, single sign-on is something that… I was really trying to remember when was the first time that I used it, and it's quite difficult, because it has come in different flavours, I would say.
Probably the first time I used it was in one of my first jobs when, you know, you go to the office – people used to go to the office every day, and today that's not the case, not for everyone at least. And then you sit down and you log in to your computer. You log in to the domain and then suddenly you can access some of the internal applications without logging in again. So that is one of the ways. And then later came what we see more often today, which is web single sign-on, right? So, several applications.
So, in order to start with the basics, how do you define single sign-on, in a nutshell?
Keith: Yeah. Single Sign-On is maybe a more technical term that the industry understands. But the end users don't really understand what single sign-on means. But they do understand that they don't want to have to sign in again and again to different parts of the same website or different sections of the same company. So single sign-on is the ability to sign on once using any form and use that same session information across many different services. For the end user, that's great. That means that's one less username and password, or many, many fewer usernames and passwords, or many fewer authentication methods for the user to manage.
And you mentioned the internet, or the web-based applications – that's the kind of thing that sort of came along. So, a long time ago, we all used to have desktop machines, and we would have fat client-based applications and we’d even have to sign into those. Early on, there were different solutions for remembering and replaying the usernames and passwords across different fat client applications. And that's what we call enterprise single sign-on.
That's very much faded away as the world has moved to web browser-based applications, where people are spending most of their time in a browser or signing into applications based on browser-based technologies.
Oscar: Thinking of us as normal users, like the majority of users, we are using it without noticing, right? You might ask people what single sign-on is and they're not sure, or maybe they try to find the meaning from the name itself, but it's everywhere.
So, can you tell us a bit more about how people are using single sign-on, SSO, in practice? So, what are the – how many ways, what are the scenarios? How many scenarios? Or just mention a few of the most common ones.
Keith: Yeah. So single sign-on in essence is the reduction in the number of times that you have to sign in to the different services. So instead of signing into different parts of the same website that might be based on different technologies, you only have to sign in once. And then when you transfer to a different section of the website or a different application within an organisation, you're already logged in, your name appears, and your information appears.
And a lot of what's happening, or the technology behind that, is happening behind the scenes. It's mainly invisible to the user, and that sometimes makes demonstrating single sign-on, for example, quite a boring demo. Because you're actually removing a lot of the things which you don't want to see, and the end result is you see nothing. So, the best type of single sign-on is where the user doesn't notice it.
But there are other advantages. For example, in order to create an account, you only have to create that account once. So, the user registration process is also simplified with a single sign-on. Without single sign-on, you would have to have a registration process for every individual user application. Or at least some way to authorise your account to be used on other applications. So that makes it easier.
And then password reset, or credential management is then simplified. Because instead of having to reset your password in different services, you can reset your password in one spot, and it’s the same password used for many different services.
Oscar: Yeah, indeed, that illustrates the advantages: as you also said, the users don't notice. It’s, well, in a way, invisible once it’s set up.
So, going deeper into it, what are the nuts and bolts of single sign-on? I'm sure there are many technicalities behind it, but what are the main standards that make single sign-on possible?
Keith: Yeah. So single sign-on doesn't have to be done using standards. But of course, standards simplify the implementation process and simplify the management of the solution. There are basically two main standards which are in use today. The older standard is called SAML 2.0, and this is an XML-based standard: a way to transfer information about the user and the login session between different services using public key-based technology. In more recent years, the more modern technology is what we call OpenID Connect, which is based on OAuth 2.0. Different workflows use different parts of those two standards.
And that's a JSON-based, REST JSON-based protocol. It implements most of the same use cases, most of the same user flows. But of course, as technology has developed, new use cases have come, and now OpenID Connect is what we call the gold standard. Even though it’s the gold standard, there are still a lot of software systems and products which are based on the SAML 2.0 standard.
So, to truly implement SSO in as wide a range of target applications as possible, the best thing is to have a solution that supports multiple standards. And there are ways to bridge between these two standards, so that some applications can use SAML 2.0 and other applications use OpenID Connect, and you don't have to do a lot of your own development work. Because if the products and the servers support those standards, it's pretty much plug and play.
Oscar: Yeah, indeed, as you said, two main standards – even though there are other ways, the two main standards are SAML 2.0 and OpenID Connect. Yeah, even though there are two main standards, there is a lot of software that can make single sign-on happen. We know this from experience, from talking with customers and organisations of different sizes. And even though we feel as users that single sign-on is almost ubiquitous, there are still many organisations, companies, that don't have single sign-on, or at least don't have single sign-on for all the applications.
So, it's common that there might be in an organisation, let's say, 20 applications, and a portion of them, let's say four of them, which have some similarity, have single sign-on. But all the rest are disconnected, with different identities for each.
So, there are still some technicalities behind putting that into practice from an organisation's perspective. So, can you tell us how organisations can implement SSO? The main steps, let's say, for setting up single sign-on.
Keith: Yeah. What you described is a common scenario that even a company that's implemented SSO in their environment.