Single Sign On and/or Same Sign On (SSO) – a business opportunity or a security risk?
Right now there is a strong movement towards implementing an SSO solution at Aarhus University. Is that good or bad?
29.04.2013
The IT department at Aarhus University is working on implementing SSO across the University's IT systems. SSO brings many benefits for the end user, especially compared to the setup we have today. In the not too distant future, a student or employee will only have to remember a single username and password to access the majority of the IT systems related to the University. This will mean easier access to the relevant systems, eliminate the need for Post-it notes with usernames and passwords, and probably reduce the helpdesk load from password resets. All of these things will help employees and students be more productive. SSO can also make it easier to revoke user rights to the IT systems. Once your account is disabled, access to all systems is terminated immediately.
On the other hand, SSO potentially introduces some new security risks. Depending on the implementation, the lowest common denominator among the connected systems determines password security, so you might not be able to enforce a strong password policy. In addition, IT systems have different vulnerabilities, in both number and severity, and potentially the system with the most critical vulnerabilities determines the overall risk surface. Also, if a user account is compromised, the impact will be much higher with SSO: a criminal will have access to all the information and services that the user can access instead of only a few.
Do these risks mean that SSO should not be implemented? The answer, of course, is no. SSO gives great benefits, but the implementation must be done right, and extra security such as two-factor authentication should be implemented on critical systems to reduce the likelihood of misuse. If done right, SSO can be a great business opportunity; if done wrong, it can be a great security risk.





