Modern SSO is shit and doesn’t deserve to be called SSO.
True SSO is what Kerberos and/or Active Directory has where all the auth is handled out of band and you never ever see a login pop up.
SAML/OIDC is a kludge that offers a worse experience than a password manager and in practice means you’ll be interacting with login forms a lot more frequently.
Password manager flow:
- Open website’s login page, manually, from bookmarks or even the password manager to begin with
- login form has username & password field on the same page which the password manager fills and submits
- you are logged in
“SSO” flow:
- Open website’s login page
- login form has only an email/username field; you can’t really use a password manager because there’s no password, and you don’t want to interfere with the flow (by using a dummy password) because you’ll need your PW manager for the next step and you don’t want the manager stuck waiting for a password field to appear so it can fill in that dummy password
- wait for (at least one, but typically several) redirects which take a couple seconds (and much worse on flaky mobile connections)
- now you fill in your actual SSO credentials - this is where you use your PW manager.
- now click through whatever upsells your SSO provider has such as nagging you to use their proprietary 2FA app (another one!) instead of your standard TOTP client
- finally go through a few more redirects and end up back on the original site
Since the SSO-integrated website has no way to actively tell when your SSO session has expired, it usually defaults to a conservative value which means you need to go through this crap every 12 hours or so.
The password manager flow is much much faster. IMO unless you’re able to do proper, real (Kerberos/AD) SSO, just give your employees a good password manager.
I understand the technical reasons behind why things are the way they are, but IMO as an industry we should do better and not expose implementation details to the user in such an annoying way. Security shouldn’t be at the detriment of user experience.
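To make the redirect chain and the session-lifetime mismatch concrete, here is an added simulation of the OIDC authorization-code flow; it is example code written for this page, not from the commenter or any real identity provider. Both sides run in memory: an `IdP` that holds the user's login and issues one-time codes, and an `RP` (the SSO-integrated website) that bounces the browser to the IdP and back, verifies `state` and `nonce`, and then sets its own local session expiry because it cannot see the IdP's. All endpoint URLs, client ids and the lifetimes (`IDP_SESSION_TTL`, `RP_SESSION_TTL`) are assumptions chosen for illustration.

```python
"""Added example: minimal OIDC authorization-code redirect chain, in memory.

Constructed for illustration; no real provider's endpoints or lifetimes.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

IDP_SESSION_TTL = 8 * 3600    # assumed: how long the IdP keeps the user logged in
RP_SESSION_TTL = 12 * 3600    # assumed: the "conservative" local default the comment describes


class IdP:
    """Identity provider: owns the user's login, issues codes and ID-token claims."""

    def __init__(self):
        self.logins = {}   # user -> time of last credential entry
        self.codes = {}    # one-time code -> (user, client_id, redirect_uri, nonce)

    def login(self, user):
        self.logins[user] = time.time()

    def authorize(self, params, user):
        """/authorize: if the IdP login is live, redirect back with a code; else show a login form."""
        started = self.logins.get(user)
        if started is None or time.time() - started > IDP_SESSION_TTL:
            return ("login_form", None)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, params["client_id"], params["redirect_uri"], params["nonce"])
        return ("redirect", f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}")

    def token(self, code, client_id, redirect_uri):
        """/token: one-time exchange, bound to the client and redirect URI the code was issued for."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[1] != client_id or entry[2] != redirect_uri:
            return None
        user, _, _, nonce = entry
        now = int(time.time())
        return {"sub": user, "nonce": nonce, "iat": now, "exp": now + 3600}


class RP:
    """Relying party: the website that outsources login to the IdP."""

    def __init__(self, idp, client_id="rp-app", redirect_uri="https://rp.example/cb"):
        self.idp = idp
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending = {}    # state -> nonce, for requests we actually started
        self.sessions = {}   # session id -> (user, local expiry)
        self.hops = 0        # redirects the browser had to follow

    def start_login(self):
        """Hop 1: send the browser to the IdP with a fresh state and nonce."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        self.hops += 1
        return "https://idp.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "openid",
            "state": state, "nonce": nonce})

    def callback(self, url):
        """Hop 2 lands here: check state, swap the code for claims, mint a local session."""
        q = parse_qs(urlparse(url).query)
        nonce = self.pending.pop(q.get("state", [None])[0], None)
        if nonce is None:
            raise ValueError("unknown state: not a login this RP started")
        self.hops += 1
        claims = self.idp.token(q["code"][0], self.client_id, self.redirect_uri)
        if claims is None or claims["nonce"] != nonce:
            raise ValueError("code exchange failed or nonce mismatch")
        sid = secrets.token_urlsafe(16)
        # The RP never learns when the IdP session ends, so it picks its own lifetime.
        self.sessions[sid] = (claims["sub"], time.time() + RP_SESSION_TTL)
        return sid

    def session_expiry(self, sid):
        return self.sessions[sid][1]

    def session_valid(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        return entry is not None and now < entry[1]


def login_via_sso(rp, idp, user):
    """Drive one full login; report session id, redirect hops and whether credentials were typed."""
    rp.hops = 0
    prompted = False
    params = {k: v[0] for k, v in parse_qs(urlparse(rp.start_login()).query).items()}
    kind, location = idp.authorize(params, user)
    if kind == "login_form":
        prompted = True
        idp.login(user)   # stands in for the user filling the IdP form from a password manager
        kind, location = idp.authorize(params, user)
    return {"sid": rp.callback(location), "hops": rp.hops, "prompted": prompted}
```

Two things fall out when you run it: the first login costs two redirect hops plus a credential prompt, the second costs the same two hops but no prompt (that is the "single" in SSO), and the RP session expires on its own clock, which is exactly the disconnect the comment complains about. The `state` and `nonce` checks are the parts a defender should never drop; without them the callback would accept a code the RP never asked for.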