One of the common questions I receive is, “What is the difference between single sign-on and same sign-on?”
Single sign-on is the ability to sign-in or log into the platform once and be able to use different applications in the platform or suite without having to enter in your credentials several different times which is certainly a benefit to the user.
On the other hand, single sign-on requires more overhead because of hardware and software requirements. Same sign-on requires you to log into each application, using the same userID and password to logon which helps end-users by reducing the number of userID and passwords to remember.
Same sign-on requires the use of a tool which can synchronize passwords between on premise environments and the cloud by using a free tool from Microsoft called DirSync.
There are four factors to consider when looking into the option best suited for your company.
- Are you requiring Multi-factor Authentication?
- The strength of credentials is a topic growing in interest lately. Your organization may be having discussions which consider RSA within your environment. Multi-factor authentication usually provides that ability for a second authentication to be required from your mobile phone which provides added security. This approach does require you to consider Entra ID Federation Services.
- Is there an existing environment that supports email and messaging?
- Many environments include a variety of technologies such as: Lotus, Exchange, Lync, Office Communicator, 3rd party solutions for email or messaging, which are in use in your current environment. As the complexity of the environment goes up, the requirement to discuss the pros and cons of each approach also requires more time.
- Are there any other applications that can use a single sign-on scenario?
- Within every customer environment, there are other applications that might benefit from the use of single sign-on.
- User experience
- Different sign-on scenarios can change the way a user logs into Office 365. It is my desire to ensure that the end-user is considered in either approach to maximize security and minimize the impact upon the end-user.
As was mentioned earlier, single sign-on is the ability to sign-in or log into the platform once and be able to use different applications in the platform or suite without having to enter in your credentials again. This is a huge benefit to the end-user in terms of ease of use and efficiency.
The option for single sign-on implementation does require that Entra ID Federation Services (ADFS) which I’ll talk about later. When Office 365 first came out this was the standard as there were no services through Microsoft that allowed for password synchronization. ADFS also had other uses that could be leveraged and used in different scenarios. If you have implemented or are currently implementing ADFS then using ADFS for Office 365 is a good option. It is a good option because:
- Users only have a single username and password
- Users aren’t prompted for credentials when accessing Office 365 services if they are logged into the domain
- Administrators control the password policy from a single place
- Multifactor Authentication is possible.
If you don’t have the need for ADFS it can be costly to introduce into your environment because, ADFS requires servers (physical or virtual) to handle the requests and provide for redundancy of the system usually expected due to the criticality of ADFS for business continuity. Additionally, ADFS can be a complex install as it connects to Entra ID and has to be able to communicate both internally and externally of your environment.
Maintenance and administration is also required with Which brings up the third disadvantage, if your Entra ID or EIDFS servers go down or fails for any reason you would be unable to use ADFS which means your end-users will be unable to authenticate and connect to the applications they require. This is important to evaluate as it puts pressure on your redundant infrastructure and internet connectivity.
The same sign-on is the option that synchronizes user ids and passwords to the various places where authentication might occur. Same sign-on does require the use of a tool like DirSync with Password Replication. DirSync is free from Microsoft and has an added feature that allows you to replicate on premise passwords with passwords for users Office 365 accounts. There are several advantages to using this method:
- Users maintain their existing AD passwords which allows a more seamless transition when moving to Office 365.
- Password policies are maintained on premise by administrators.
- Even if AD servers suffer a loss or failure you can still get into Office 365.
- Password Sync works outside the normal DirSync schedule of 3 hours and is reduced to just minutes.
When using Password Sync it is strongly recommended that you create or modify your existing password policies on premise to reflect that in Office 365. All password policies on premise will override the policies in the cloud, but if a user is created in the cloud the Office 365 policies will be directly applied to the account. The Office 365 default policies are 90 days for expiring passwords and a complexity of 8 characters using numbers, letters, and accepted characters. It is also important to understand the frequency of the sync process; if you have users that need to have access terminated in a time sensitive workflow, same sign-on might require additional consideration or work.
With same sign on, the same userID and password would be used for multiple applications, but the end-user would be prompted to log into each application.
Considering user experience is one of the biggest factors in making the decision for proceeding with any new options. With that in mind the only difference that a user will experience will be depend upon if they are on an internal network on a domain joined machine, i.e. User A is logged into xyz.com on to workstation Win7.xyz.com. In this scenario User A would only need to login once and the credentials would apply for everything. For any other scenario between machines and networks the user experience will be the same for ADFS and same sign-on, a couple examples would be:
- User A logged in at home on their home PC.
- User A is at a conference and logs into Win7.xyz.com but accesses company resources through a different network.
In these types of scenarios User A would be prompted for credentials the first time and as long as User A checks the checkbox to remember credentials User A would not be prompted again.
When going to a sign-on solution it is good to weigh your options and pick the choice best suited for your business needs. Whichever implementation path you take remember three points; plan, test, and follow up. Please seek assistance if you have questions about your solution or if you need help developing a roadmap with your single sign-on scenario.