Today I am going to use Office 365 as a good example of what many other service providers are doing. As you know, the cloud as an idea is more pervasive than a single company, and it’s highly likely that the company you are working for or with has more interests than Office 365. You might be using a subscription service to manage stocks, or a Canadian accounting company to manage your accounting practice in the cloud. Whichever case you are considering, logins should be a major consideration for your company.
Why? They’re just logins?
Are they simply logins, though? The adage stands in this situation: what you do today has an impact on the future.
Let’s talk about a few things first. With whichever provider you choose, you will have to choose some way to log in to it, along with the ability to define your security policy to some extent. The provider may have some guidelines in place, but ultimately security needs to rest with you or your company if your data is going to reside somewhere else. Recognize that and use it as a condition of your cloud/service provider. Then you have a decision to make, or should have a decision to make, to maintain your brand and not confuse your users in the cloud.
Do you want to use Same Sign On or Single Sign On? Let’s talk about both of these concepts and discuss, if you choose Same Sign On or some rendition of it, what you can do to save some pain should you decide to change your mind later on.
Same Sign On
With Same Sign On, you are essentially duplicating your usernames and possibly your passwords (in some form) to your partner’s site. This way you can use a familiar sign-on that follows a company standard, but the security component rests solely with your service provider. Typically you’d use some kind of sync tool or LDAP tool to copy accounts over. With modern browsers and session maintenance, you’d typically have to log on to the service minimally.
With Office 365, Same Sign On is what the directory sync with password sync mechanism gives you (now known as Azure Active Directory Connect). In a nutshell, this software copies your desired accounts and password hashes (note that these are not your actual passwords). When a password changes in Active Directory, there is a mechanism in place to replicate the password hash.
In this scenario, Office 365 or whatever other provider you may be using is responsible for the authentication aspect of the login, but the credentials come from you.
Single Sign On
With Single Sign On, you still have to replicate your accounts to your service provider so they know about the accounts, but the security mechanism changes. When you hit an application that is Single Sign On enabled, your request is redirected to your Federation Services server, where a request for logon/authentication occurs. If that authentication passes, you are redirected back to the site with a valid login. There is more to it behind the scenes, but to differentiate the two this should suffice.
- Both are valid types and there really isn’t a wrong choice. It just depends on where you want security or authentication to occur.
- From a user’s point of view, the most seamless login will occur with Single Sign On. They simply hit the site and the authentication happens in the background, if they are already logged on to the Active Directory domain.
- From a setup point of view, both can be complex. It depends on the mechanism. I find Single Sign On gives the unifying experience, as everyone will be set up in the same environment. For Same Sign On, different companies might have different LDAP requirements to replicate accounts.
- If you have selected Same Sign On, make sure what you negotiate as a password can work with ADFS. Take note of the types of logins and attributes you can use in your Active Directory. This will save you the pain of having to do some fancy regex and custom rules for ADFS later on.
- Always remember, and I can’t stress this enough: don’t be too quick to outsource your security. Always take an active role. Your data is your company.
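One way to take note of your login attributes before committing to Same Sign On is to audit a directory export for accounts whose sign-in identifiers would need special-case rules under federation. The script below is an added example, not part of the original post; the CSV columns, the sample accounts and the `FEDERATED_DOMAINS` set are constructed assumptions, and the three checks are one reasonable set of consistency rules rather than an ADFS requirement list.

```python
import csv
import io

# Constructed sample export (sAMAccountName, userPrincipalName, mail); not real accounts.
SAMPLE_EXPORT = """sAMAccountName,userPrincipalName,mail
jdoe,jdoe@example.com,jdoe@example.com
asmith,asmith@corp.local,asmith@example.com
bwong,bwong@example.com,bob.wong@example.com
svc_backup,,
"""

# Assumption: the domains you have registered with the provider for sign-in.
FEDERATED_DOMAINS = {"example.com"}


def audit_logins(export_text, domains):
    """Return {account: [issues]} for accounts whose login attributes
    would need special handling if sign-in later moves to federation."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        upn = (row["userPrincipalName"] or "").strip().lower()
        mail = (row["mail"] or "").strip().lower()
        issues = []
        if not upn:
            # No login name at all: nothing consistent to hand to the provider.
            issues.append("no UPN")
        else:
            suffix = upn.rpartition("@")[2]
            if suffix not in domains:
                # Internal-only suffixes are a common source of rewrite rules.
                issues.append(f"UPN suffix '{suffix}' not a registered domain")
            if mail and mail != upn:
                # Users sign in with one value and get mail at another.
                issues.append("UPN differs from mail")
        if issues:
            findings[row["sAMAccountName"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_logins(SAMPLE_EXPORT, FEDERATED_DOMAINS).items():
        print(f"{account}: {'; '.join(issues)}")
```

Accounts that appear in the output are the ones to clean up in Active Directory first, so the same identifier works for both sign-on models.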
As always, have fun and stay thirsty friends.