
Single Sign On in a company means that you have one set of credentials for all the services the company uses / provides to their employees.

Logically, these credentials might also be usable for Wifi.

  • Benefits for the employee: Only one password to remember
  • Benefits for the company: Wifi access can be revoked on a per-user basis. Administration is centralized.

Are there real-world examples and guidelines on how to deal with the fact that Android smartphones store Wifi passwords on Google servers by default? Doesn't this give Google access to the full digital identity of an employee and access to the company's internal services?

  1. Asking users to turn this feature off on their phones seems to be error-prone and might be forgotten, especially after a smartphone change.
  2. Prohibiting users from logging in to the company Wifi from their own devices is impractical and will probably even be ignored.
  3. Allowing only company-managed phones is also not an option, because of point 2.

Is SSO a bad idea concerning Wifi? How do large enterprises, universities, ... but also small companies with less "enforceable" rules handle this?

PhilLab
    This is what Bruce Schneier refers to as 'Feudal Security'. He coined this term back in 2012 (https://www.schneier.com/blog/archives/2012/12/feudal_sec.html). To quote, 'Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones... These vendors are becoming our feudal lords, and we are becoming their vassals... we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm...'. – mti2935 Mar 28 '20 at 15:06

1 Answer


Single Sign On in a company means that you have one set of credentials for all the services the company uses

That is not correct.

Single signon means an employee only has to sign on once, with a single identity provider or authentication service. That signon creates an SSO session, along with a token or artifact. Other services and web sites can use the token/artifact to verify the identity of the user. They are able to do this only because they trust the single signon provider.

This mechanism does NOT mean that the user has the same credentials for all the services. In fact it is designed to avoid that scenario, because it is a very problematic practice.

Logically, these credentials might also be usable for Wifi.

No. Again, you should not re-use credentials.

SSO for Wifi isn't really possible, because the Wifi connection is usually required in order to be able to access the SSO provider, creating a chicken-and-the-egg scenario. You need to establish a network connection first.

It's possible you've seen situations that looked like an SSO for Wifi, but it was probably more of a captive portal situation, where the Wifi itself is open to the public but the wireless access point restricts the ability to access the network until you authenticate with one of its pages.

John Wu
  • Or they used 802.1X network security, meaning you only get access to the SSO from the Wifi (network) until the login (like with RADIUS). Rare and highly complex to set up, but possible instead of a captive portal. – LvB Nov 25 '20 at 10:03
  • This answer definitively boosted my understanding of SSO, thanks for that! Now I understand that the main aspect is logging in on a trusted, company-provided portal which then communicates a session token to whatever service you want to use. This also explains why SSO _can_ be more secure for an end-user. The way Wifi is handled by corporations and universities alike seems to not adhere to the true principles of SSO – PhilLab Jan 18 '21 at 15:41
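The mechanism the answer describes, in runnable form: the user authenticates once with the identity provider, which issues a signed artifact; each relying service accepts that artifact only because it trusts the issuer's key, and never sees the password. This is an added illustration, not code from the answer or from any SSO product. The class names IdentityProvider and Service, the HMAC-signed "body.tag" token format, the shared verification key and the constructed user "alice" are assumptions for the demo; real deployments use SAML or OpenID Connect with asymmetric signatures so that services hold only a public key.

```python
import base64
import hashlib
import hmac
import json
import os
import time

PBKDF2_ROUNDS = 200_000


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class IdentityProvider:
    """The one party that sees passwords. Issues signed SSO assertions."""

    def __init__(self):
        self._signing_key = os.urandom(32)
        self._users = {}       # username -> (salt, pbkdf2 digest)
        self._revoked = set()  # centralized revocation point

    def register(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (salt, digest)

    def revoke(self, user):
        self._revoked.add(user)

    def verification_key(self):
        # Demo assumption: HMAC is symmetric, so verifiers receive the same
        # key and must be trusted not to mint tokens. A public-key signature
        # avoids that; it is omitted here to stay within the standard library.
        return self._signing_key

    def sign_on(self, user, password, audience, ttl=300, now=None):
        """Primary authentication. Returns an assertion for `audience`, or None."""
        now = time.time() if now is None else now
        if user in self._revoked or user not in self._users:
            return None
        salt, digest = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = _b64(hmac.new(self._signing_key, body.encode(), "sha256").digest())
        return f"{body}.{tag}"


class Service:
    """A relying service: holds the IdP's verification key, never a password."""

    def __init__(self, name, verification_key):
        self.name = name
        self._key = verification_key

    def accept(self, assertion, now=None):
        """Return the authenticated username, or None if the assertion is rejected."""
        now = time.time() if now is None else now
        try:
            body, tag = assertion.split(".")
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(self._key, body.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None  # forged or tampered artifact
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.name:
            return None  # minted for a different service; no silent reuse
        if now >= claims.get("exp", 0):
            return None  # session artifact expired
        return claims["sub"]


def demo():
    """Constructed scenario: one sign-on, two services, then revocation."""
    idp = IdentityProvider()
    idp.register("alice", "correct horse battery staple")
    wiki = Service("wiki", idp.verification_key())
    mail = Service("mail", idp.verification_key())
    t0 = 1_700_000_000
    token = idp.sign_on("alice", "correct horse battery staple", "wiki", now=t0)
    forged = token.split(".")[0] + "." + _b64(b"\x00" * 32)
    results = {
        "wiki_accepts": wiki.accept(token, now=t0 + 10),
        "mail_rejects_wrong_audience": mail.accept(token, now=t0 + 10),
        "expired_rejected": wiki.accept(token, now=t0 + 600),
        "forged_rejected": wiki.accept(forged, now=t0 + 10),
        "bad_password_rejected": idp.sign_on("alice", "wrong", "wiki", now=t0),
    }
    idp.revoke("alice")
    results["revoked_cannot_sign_on"] = idp.sign_on(
        "alice", "correct horse battery staple", "wiki", now=t0)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of the audience and expiry checks is the one the answer makes: the artifact is scoped and short-lived, so it is not a reusable credential, and revoking the user at the IdP is enough to cut off every service without touching any of them.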