Are Single Sign-On (SSO) and Identity and Access Management (IAM) the same? How do password resets differ when using SSO? Which is best: a specialised SSO solution combined with a specialised IAM solution, or a “one-size-fits-all” solution?
SSO vs IAM
SSO and IAM are two different ingredients for managing identities and system access in general. SSO provides a single login so that users only need to sign in once for access to multiple resources, while IAM provides a unified way to control access to individual resources, both working across all connected systems and software. You can easily have SSO without IAM, and IAM without SSO; the responsible IT department will have both. SSO and IAM provide the greatest protection when they work together.
A major concern when it comes to identities is how to deal with passwords, especially when they need to be provided, replaced, or reset. When resetting a password, a randomized password or login key will be supplied. The password policy on the individual system will then decide if the new password or key can be kept, or if the user needs to change it directly upon their first login after the reset.
When resetting a password via an SSO solution, the SSO platform (1) handles passwords according to the local security or password policy, (2) synchronizes the new password with all available platforms, and (3) ensures that once you’re logged in, no further login is required even when you change from system to system. In addition to these three basic tasks, a specialised SSO platform will conform exactly to your specific security requirements and be able to handle things like two-factor authentication, biometrics, chip cards, SMS codes, picture puzzles, etc. The greater capabilities of a specialised solution built by specialists in the field help to ensure the highest level of security from any device on your infrastructure!
The Best Solution
Which is best: an all-in-one solution, or separate, specialized solutions? Well, it all depends. :-) But you knew that, right?
Personally, I find that I get the highest quality and standard of service by going to the specialists and utilizing specialized tools where available. I really like the freedom of being able to, at any given time, replace a part of my infrastructure with the “modern standard” for the future, or to flexibly comply with new legislation, new compliance demands, or new customer demands without changing out a whole suite for one that suits the new functionality. And, when it comes to SSO, it is such a crucial and fundamental part of my basic infrastructure that I want the best; then I want an IAM solution that both integrates seamlessly with my infrastructure and can match the quality level and security that I have decided on.
What does that all mean? It means that choosing an SSO tool will not solve your challenges with regard to Identity and Access Management. It means that choosing an IAM tool will not fully cover your password security policy. (At least I hope not… If so, I suggest you aim higher.) But together they give you the best possible control over your users, their access rights, passwords, support, self-service, and much more.
So, choose an SSO solution that fits your security standards (and then some), and make sure it provides a useful API so that you have a means of integrating with it. And choose an IAM / IDM tool that integrates with any SSO vendor you can think of (including your vendor of choice), one that smoothly enables your colleagues to handle self-service tasks regarding access rights management, password resets, and so on.