UserLock Single Sign-On (SSO) provides federated authentication to cloud applications, using on-premise Active Directory (AD) identities. With one set of AD credentials to access all resources, it puts the organization firmly in control of user access.
Extending Active Directory SSO
Adopting an SSO solution should be a key initiative for any company, regardless of size. It allows end-users to authenticate one time to get access to all corporate resources. Active Directory (AD) is a fine example of an SSO solution. All domain resources within the AD can be accessed without the need for additional authentication.
With UserLock SSO, organizations can extend this AD single sign-on to secure Microsoft 365 and other cloud applications that are beyond the boundaries of a company’s domain. Combined with a granular multi-factor authentication, UserLock SSO allows employees to continue using their existing, on-premise AD credentials to access multiple cloud applications. It’s a simple solution that doesn’t require creating or managing separate external or centralized identity providers. UserLock SSO seamlessly works within an existing security framework without the need for changes in access security for resources and applications in the company network.
There are four key advantages for organizations providing SSO using Windows AD accounts:
1. All users have a single set of login credentials
Cloud applications provide the ability to access resources through federated authentication. It provides a secure way to pass the authentication process to a separate, trusted authentication system to verify the user’s access, using a separate directory (identity provider).
UserLock SSO is one example of a trusted authentication system. It enables organizations to use their own corporate identity repository, like on-premise AD credentials, for the federated authentication of cloud applications.
Security Assertion Markup Language is the open standard that implements this secure method of passing user authentications and authorizations between the identity provider (Active Directory) and the service providers (cloud applications). SAML has been widely adopted because it’s standardized, secure and provides an excellent user experience.
UserLock supports SAML 2.0 protocol to provide federated authentication of cloud applications. Here’s how it works:
The user goes to a cloud application they’d like to log into
The cloud application (SAML service provider) redirects users to UserLock SSO with a SAML request message
Users are then authenticated (on premise) with their existing Active Directory credentials
UserLock may prompt users for a second authentication factor, if it’s enabled
If the authentication process is completed successfully, users can then access the cloud application
UserLock SSO ensures all users have one set of credentials they can use to access everything, from Office 365 to CRM software. This helps stop the sprawl of different usernames and passwords, which came about through the rise in SaaS cloud-based applications, while reducing successful phishing attempts. Finally, creating single, centralized identities for users ensures accurate entitlement, where users are only allowed to access resources they need to do their jobs.
2. SSO is incorporated easily by retaining Active Directory as the identity provider
Let’s say an organization wants to adopt Office 365, Box and Slack. If they use each service individually, they’ll have to create a separate login and password for each one. In this situation, UserLock SSO becomes an important tool for an organization looking to adopt multiple cloud solutions. UserLock simplifies SSO by retaining Active Directory as the authoritative identity provider, while extending it to work with cloud-based solutions.
However, SSO needs to connect to more than just web applications. It must also enable end users to access their physical and virtual file servers and legacy and web applications. It must do this whether users are in the office or working remotely, and it has to allow them access from multiple machines and devices.
With UserLock SSO, organizations can continue to use Microsoft Active Directory, which streamlines all account management. It continues to be the central place to create and configure an employee’s roles and services. It’s also where employees can be removed and have their permissions modified.
With UserLock SSO, organizations can benefit from a non-disruptive SSO solution that leverages their existing investment in Active Directory to secure user access to the corporate network and cloud applications. Some of the key benefits include:
Retaining existing identity directories and passwords
Managing users, legacy applications and cloud solutions through Active Directory, without needing to change user authentication
Ongoing enforcement of accounts, services, roles and group policies
Continuing on-premise authentication for maximum security
Onboarding to new SaaS applications more quickly and easily
Avoiding the development of “shadow IT” because secure cloud access is readily available.
3. It ensures secure SSO access when combined with granular MFA
SSO improves security as there is less password sprawl and fewer user credentials at risk. However, SSO can be vulnerable because it relies on a single set of credentials. If those credentials are not protected and are compromised, then an attacker can gain access to every application the login credentials allow.
UserLock makes it easy to combine SSO with its own granular MFA to combat this single password vulnerability. The requirements for MFA can be customized to ensure protection without unnecessarily impeding employees’ productivity. MFA can be prompted – and access granted – on remote machines disconnected from the corporate network and on machines with no internet connection within the corporate network.
Supporting both authenticator applications and one-click programmable tokens such as YubiKey and Token2, UserLock can protect SSO by enabling MFA from the following connection types:
Devices with Active Directory membership and standalone terminal servers
Remote desktop protocol logons, including remote desktop gateway connections
Virtual private network connections that support RADIUS servers or use Microsoft routing and remote access service
Microsoft Internet Information Services for Windows Servers to protect Outlook on the web or remote desktop web access
Virtual desktop infrastructures, such as Microsoft, Citrix and VMWare
4. Employee productivity improves both on site and remotely
A key benefit of SSO is the ease of use for end-users. By removing different cloud application credentials and eliminating re-authentication, each user spends less time accessing applications and more time working with them.
With UserLock SSO, users don’t need to authenticate every time they want to access a cloud application. And, it works seamlessly with most browsers, including Internet Explorer, Chrome and Edge. Once a user authenticates to the corporate network, they’ll no longer be prompted for login credentials.
In certain instances, a second authentication factor may be required. However, the ability to combine SSO with granular MFA allows administrators to balance security with productivity by specifying when users should be prompted for additional authentication.
Often, users work from devices and locations outside of a company’s network control. UserLock SSO enables users to securely access cloud applications wherever they are, on whatever device they are using.
With UserLock SSO, you can:
Grant immediate access to users who are already authenticated to the Windows network
UserLock SSO asserts and authenticates the user’s identity to the cloud application without the user having to log in to the application directly. This is the same no matter where a user is working, whether they’re in the office or remote.
Provide access for users who are not authenticated to the Windows network
If a user is not authenticated to the Windows network, it’s simple to provide them with access. The user starts by entering their corporate email address in a cloud application to login. UserLock SSO will prompt the user for Windows domain login credentials and may request a second authentication factor, if enabled.
Once the user completes a successful login, they’re redirected back to the application. This straightforward process works the same everywhere, from a smartphone browser to a mobile app.
With UserLock SSO, once the server has allowed a user to connect to a specific cloud application, the SaaS application creates an “authorization” cookie that is used for each request. This cookie is automatically refreshed, so there is no need to re-authenticate.
Automatically grant access to different cloud applications
Once a user has successfully authenticated, they’ll receive immediate access to any other apps they need. For added security, the administrator may request MFA for each logon.