Everything you need to know about passbolt’s new SSO feature

4 min. read

Shelby Lee Neubeck

27 January, 2023

Introducing SSO to passbolt

As a password manager, passbolt understands the importance of keeping online accounts secure and convenient. We’re pleased to announce the addition of Single Sign-On (SSO) to the platform. The SSO feature is currently in alpha and we’re working hard to make sure it’s the best it can be. Think of it like a fine wine, it only gets better with age.

Here’s a glimpse of what’s to come, and it’s game-changing (joke, we don’t like that kind of exaggeration, but it’s pretty useful). Streamlined access to all kinds of services with passbolt is just around the corner!

What exactly is SSO?

SSO is an authentication method that allows users to access multiple applications and services with a single set of credentials. This optimises the login process, improves security and increases productivity. There are several types of SSO, each with their own unique benefits and challenges.

Identity Provider (IdP) SSO

An IdP acts as a gatekeeper: it verifies your identity and vouches for it to the applications you want to use. With that power comes responsibility, since every connected application trusts the IdP's answer, so the IdP must make sure the person signing in really is who they claim to be.

Federated SSO

In the case of federated SSO, instead of one central IdP there are several trusted IdPs, and a user can authenticate with any of them. This allows more flexibility and choice in which IdP is used, but it also adds complexity, because each IdP and the trust relationships between them have to be managed.

Password manager vs. SSO: Do I need both?

People often compare password managers and SSO as if they were two peas in a pod, but they’re not. Think of it like this: a password manager is like a trusty lock on your front door, while an SSO is more like a handy keyless entry system.

Neither requires the other, but we encourage using both. Each of them solves a different set of problems. For example, some systems may not support your SSO provider and still require a password. A password manager can also hold non-password secrets, like certificates, SSH keys, or credit card information. Having both is certainly useful, and enabling SSO in your password manager makes it easier to get started.

Introducing SSO with passbolt

Passbolt uses IdP SSO, leveraging Azure OAuth2/OpenID Connect on top of the existing challenge-based authentication. It’s like a secret handshake, but with less awkwardness and more security. And don’t worry, we’re not limiting you to one identity provider; we plan to expand the options in future releases.

Fig. Authenticate with Microsoft (Azure)

Here’s how it works: The user logs in to Microsoft Azure. A successful login unlocks a symmetric key that is stored server-side. That key is needed to decrypt the passphrase of the user's secret key, which is stored twice-encrypted in the browser extension’s local storage on the client side. The server-side key removes only the outer layer. The result still has to be decrypted once more with a non-extractable symmetric key that is managed by the browser’s SubtleCrypto API and never leaves the browser's crypto module.

Fig. SSO Passbolt Crypto Scheme — Secret Key Decryption (BROWSER)

This design ensures that an attacker who obtains only the server-side key, or only the contents of the extension's local storage, cannot decrypt the passphrase. Both pieces are required, and they live in different places, so an attacker would have to compromise the server and the user's browser at the same time, which is difficult to achieve in practice.

Benefits to SSO

The benefits of SSO are clear: increased security, ease of use, and productivity. With SSO, you only need to remember one set of login credentials, reducing the risk of forgotten passwords and increasing the security of your accounts. It also saves time by eliminating the need to constantly switch back and forth between multiple accounts and remember different sets of credentials.

The introduction of SSO is passbolt’s way of improving the user experience and giving users the best of both worlds: the convenience of SSO and the security of a password manager.

Challenges with SSO

While there are many benefits to using SSO, it’s not without its challenges, including the complexity of setting up the IdP and potential security risks if the IdP is compromised. Using SSO on a shared or public device can be a bit of a risk. Passbolt has addressed these challenges and has implemented solutions.

Fig. SSO settings in the administration workspace.

There are detailed instructions and a responsive support team to make the setup and experience as smooth as possible. The latest security protocols are used and passbolt's source code is rigorously audited by security experts. Passbolt’s security model is designed to avoid single points of failure and to protect users from third-party threats. In addition, Multi-Factor Authentication (MFA) is available as an option to add an extra layer of security for users accessing passbolt from public or shared devices.

By addressing these challenges, passbolt makes the SSO feature more secure and easier to use for all users.

Getting started

While the SSO feature is still in alpha, passbolt welcomes you to give it a spin. There are detailed instructions on how to set up and use the SSO feature on the help site. If you have any questions or need support, please visit the passbolt community.

Please remember: the SSO feature is currently considered relatively stable. But, as an alpha feature, it’s not a good idea to deploy it in a production environment without testing first.

Be on the lookout for updates on the new SSO feature.