Praecipio Consulting has partnered with our friends at resolution, an Atlassian Gold Marketplace Partner based in Germany that specializes in software development and network security, to bring you a series of blog posts about how to successfully implement single sign-on (SSO) with Atlassian tools. With more than 7 million users from 58 countries, resolution is the market leader for Atlassian Enterprise User Management Apps.
The password syndrome
Passwords are the weakest link in most security programs: we use them every hour, forget them every day and request recovery emails constantly. We swap them for simpler alternatives so often that we have come to accept their degradation: from the user's point of view, the only problem to deal with is being locked out of an account. Who would ever want to exploit my accounts?
Single sign-on kills password fatigue by killing passwords, in the plural. Yet many business stakeholders still view SSO as a nice-to-have that merely removes user friction, failing to recognize the web of security risks it mitigates.
An overview of the symptoms of password fatigue for the different corporate ranks can help technical leaders kickstart the journey to onboard a suitable SSO solution. Having a solid case can also make them more persuasive security evangelists.
Pain points for users
Many employees will simply reuse the same memorable password across accounts, so a breach of any one service hands an attacker valid credentials for the rest. Many others will not open certain applications at all if an unwanted login blocks their way. That fatigue results in low adoption of applications that are not central to the employee's job description, with compliance and open enrollment software as the two front runners in this race to oblivion.
When business processes are not followed, information will be lost or remain siloed, and business productivity and collaboration will suffer. Employees whose performance relies on the compliance and open enrollment software everybody has dropped will have a very hard time completing their job. Many companies using Jira Core to support these types of processes fail to recognize the threat that login friction poses to the general adoption of the mandated tool.
Pain points for security officers
In the long run, poor password hygiene results in incidents. How long until someone loses the paper notebook where her passwords are written? How long until it is found by the wrong hands on a plane or at a workshop outside the office?
Security officers have many reasons to panic in a security-last culture with no SSO. Besides password leaks, stale user accounts can easily expose sensitive information to people whose current role no longer warrants access. Or a disgruntled former employee may discover they can still reach the company's code repository on Bitbucket.
Pain points for administrators
A very revealing symptom that a company is in urgent need of an SSO solution is buried in the recurring tasks of system administrators. Discontinuing accounts of leavers in a timely manner or adjusting the permissions of an employee who has moved to a different department are extremely difficult tasks without a centralized user management function.
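The reconciliation an administrator has to perform by hand in that situation, written out as a small audit script. This is an added example, not code from the original article or from resolution's products; the HR roster, the per-application account lists and the department-to-group policy are constructed sample data, and the finding categories are my own naming.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster and two
# per-application account lists that are maintained by hand, as they would
# be without SSO and a central directory.
HR_ROSTER = {
    "alice": {"status": "active", "department": "engineering"},
    "bob":   {"status": "left", "left_on": date(2023, 3, 31)},
    # carol moved from engineering to finance; her app accounts were never touched
    "carol": {"status": "active", "department": "finance"},
}

APP_ACCOUNTS = {
    "bitbucket": {
        "alice": {"groups": ["developers"]},
        "bob":   {"groups": ["developers"]},
        "carol": {"groups": ["developers"]},
    },
    "jira": {
        "alice": {"groups": ["jira-software-users"]},
        "carol": {"groups": ["jira-core-users"]},
    },
}

# Hypothetical policy: which application groups each department may hold.
DEPT_GROUPS = {
    "engineering": {"developers", "jira-software-users"},
    "finance": {"jira-core-users"},
}


def audit(roster, accounts, policy):
    """Compare every application's account list against the HR roster.

    Returns (app, user, category, detail) tuples for:
      - orphan:            an account with no HR record at all
      - leaver:            an account belonging to someone who has left
      - excess-permission: an active user holding groups their department
                           is not entitled to (a mover who kept old rights)
    Without a central directory this loop has to be repeated for every
    application, every time the roster changes.
    """
    findings = []
    for app, users in accounts.items():
        for user, acct in users.items():
            person = roster.get(user)
            if person is None:
                findings.append((app, user, "orphan", "no HR record"))
            elif person["status"] != "active":
                findings.append((app, user, "leaver", f"left {person['left_on']}"))
            else:
                allowed = policy.get(person["department"], set())
                excess = sorted(set(acct["groups"]) - allowed)
                if excess:
                    findings.append((app, user, "excess-permission", ",".join(excess)))
    return findings


if __name__ == "__main__":
    for finding in audit(HR_ROSTER, APP_ACCOUNTS, DEPT_GROUPS):
        print(*finding, sep="\t")
```

On the sample data the audit flags Bob's still-active Bitbucket account months after he left, and Carol's leftover developer group from her previous department. Neither would exist if both applications delegated authentication and group membership to one directory.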
The lack of an automated method for provisioning users into applications has serious repercussions beyond the stale accounts that eat up the available seats in your licenses. For starters, new users will wait in a queue until an administrator is available.
Administrators must also respond when credentials are compromised, often at the cost of major productivity setbacks. Have you ever had to set new credentials for all your accounts? It feels pretty much like your first day on the job again.
Pain points for Help Desks
Password frustration is most visible on the user side. But try asking a Help Desk agent at a large corporation without SSO how many password recovery calls he handles every day, and where that work ranks in his important vs. urgent matrix.
High volumes of password reset calls are among the key factors associated with low Help Desk productivity. In ITIL jargon they are service requests rather than incidents, but in practice they are a symptom of the same recurring problem: the lack of an SSO. With an SSO in place, password recovery requests become rare. They will still happen, particularly if you keep a password expiration policy (there is a reason Microsoft dropped that recommendation from its security baselines), but each user now has exactly one credential to reset, so ownership is clear and there is at most one open request per user.
A single source of truth
As much as single sign-on solves the password management problem, it is important to remind stakeholders that it also centralizes employee accounts for all mandated enterprise software. Admittedly, one immediate effect of that centralization is that users hold a single master key to all their applications, which is why that one credential must be protected with multi-factor authentication and monitored accordingly. But the other side of the story is even more important: single sign-on connects user management for individual applications to a single source of truth, enforcing access rights tightly enough that IT heroics are no longer needed.
The good news is that many enterprises already have the necessary infrastructure in place to set up an SSO solution with little effort. Customers of Office 365, for example, can enable their central directory in Azure AD at no extra cost. A follow-up article will offer a practical overview of your available options: what kind of identity resources are necessary to set up single sign-on, what the most common configurations of centralized user directories for Atlassian applications look like, and what tricks can get you a leading Identity Provider at an affordable price.