Introducing Altoura Single-Sign On (SSO) – Altoura Blog

Every business application requires users to be authenticated before they are given access to a resource. That means that every application requires the user to provide a separate set of credentials, which results in a poor user experience, failed sign-ins as a result of forgotten credentials, inconsistent access control policies, and higher cost to support these applications. SSO simplifies the sign in process and lets users access their apps with one set of credentials.

Ensuring security and compliance is a critical requirement for our enterprise customers. Because we work closely with many of the world’s most successful and innovative brands, we’ve seen firsthand how these organizations rely on technology solutions to improve productivity workflows, such as immersive training and collaborative visualization. To meet their needs for secure solutions, paired with an easy-to-use authentication system for their users, we’ve built SSO capability into the Altoura platform.

What is SSO?

Single sign-on (SSO) is an identification system that allows applications to use trusted systems to verify users. An SSO system works like an ID card that validates your identity. With SSO, your app doesn’t make you prove your identity by checking within itself. Instead, it checks with an SSO provider (such as LinkedIn, Microsoft, or Google) to see if it can verify your identity. If it can, the app takes their word for it.

Here the app itself is not storing the user’s credentials but redirecting the user to LinkedIn, Microsoft, or Google page/app and letting the user enter the credentials there. Once the user is authenticated, LinkedIn/Microsoft/Google sends the app an authentication token that helps verify the authenticity of the user. From there on the app that the user is trying to access presents the required information to the user. Here LinkedIn/Microsoft/Google play the role of an identity provider that authenticates the user and provides the app information about the user.

Altoura’s enterprise-grade SSO works in a similar manner. Instead of Altoura storing user IDs and passwords, the user is redirected to the organization’s authentication site. Once the right credentials are entered, the organization’s authentication system will pass the user information back to Altoura and then Altoura can present the user with the right Experiences.

Why use SSO?

Using SSO has many benefits:

• Improved security
  SSO helps organizations reduce security risks surrounding user data and streamline IT management and login processes. It enables them to manage their employee credentials in a secure manner. For example, if an employee leaves the organization, the IT team must turn off the user information in their authentication system. Once that is done, Service Providers like Altoura will not let the user login since the identity provider will not authenticate the user information. Without SSO, the IT team would have to ensure that all vendors are notified to remove the user from their system. Similarly, IT teams can set password complexity rules, or MFA on their system, and Altoura would then use the same rules as it uses the organization’s authentication system.
• Ease of use
  SSO allows users to work with just one set of credentials. The same login ID and password that is used to log in to the corporate system can be used to log in to Altoura. One of the biggest reasons for security breaches is that users often reuse the same password across applications to avoid having to manage multiple passwords. If a hacker gets access to a poorly secured sites/applications, they get access to all the other apps as well. By integrating SSO, Altoura eliminates this risk for its customers.
• Better compliance and regulatory support.
  A lot of standards require audit information around user access. By using SSO, IT teams can audit when users are logging in to Altoura and record that data for compliance and regulatory needs. Another common regulatory need is to enable automatic logoff of users. IT teams can achieve that using SSO as they control the authentication system used by SSO-enabled apps.
• Lower IT costs
  By not storing a separate set of credentials, SSO helps reduce IT support tickets around password resets. If every app stored its own set of credentials, users would forget some of them and keep asking for reset instructions as each app would have its own reset instructions. By having a single authentication system control access to all apps, this problem is eliminated, and users do not need to remember many passwords and the process for resetting them is the same.

Altoura SSO
To support SSO, Altoura uses an authentication protocol called Security Assertion Markup Language (SAML). SAML is an open standard for exchanging authentication data between an identity provider and a service provider.

SAML uses digitally signed XML documents to transfer information between the service provider (Altoura) and the identity provider (the authentication system used by the organization). Nearly all authentication systems support SAML; therefore, Altoura can provide SSO capabilities to nearly all our customers. Here is a simple flow diagram indicating how SSO works with SAML.

1. User opens the Altoura app or the web portal and is presented with a login page.
2. User enters the email and clicks on the Submit button.
3. Based on the email domain, the user origin is identified and redirected to the respective Identity Provider for authentication.
4. The Identity Provider builds the authentication response in the form of an XML document and posts this information to Altoura’s callback URL.
5. After the authentication response is received, the user is redirected to Altoura’s Dashboard page where information is presented using Altoura’s role-based access system.

As Altoura customers deploy solutions to drive productivity gains—and their users’ experience expectations go up—they can leverage SSO to gain real advantages. With SSO they can improve security by reducing the number of required passwords, decrease IT costs associated with password management, and provide a seamless experience.