JagNet SSO (Single Sign-On)
JagNet SSO (Single Sign-On) builds on top of JagNet authentication. Not all web services using JagNet are SSO, but all JagNet SSO services use JagNet authentication.
What SSO does for you
Once you log into any JagNet SSO service through a Login page (either Student Logins or Faculty and Staff Logins), you will not need to provide a password again to use other JagNet SSO services during your browser session.
What protective steps should I take when using SSO?
- Ensure that your JagNet password is unique - do not use it anywhere else.
- When using publicly accessible computers - in fact, when using any computer on which you do not have a unique, personal login or security code - be sure to close any browser sessions once you are done. Even that might not be enough; you may need to clear out browser memory or take other steps. The public facility you are using should have guidance on steps to remove your personal data.
- Finally, but of equal importance, take advantage of multifactor authentication (aka 2-step, 2-factor, dual factor, etc.) wherever available. This provides the best protection of your data in the event of a compromised password. Here's the link to apply this for JagMail: JagMail 2 Factor Authentication
Is this really safe?
Paradoxically, SSO actually improves security over a bunch of separate passwords on different servers.
- None of these web services stores your password. You are not providing your password to these servers at all: you provide your password to our SSO processor, which communicates behind the scenes with the web service you are accessing to authenticate you.
- Because the password exchange only occurs between your browser session and our SSO processor, we can ensure that adequate security controls and encrypted communication channels are used.
- You can quickly change your password if you have reason to believe it has been compromised (these days, this is most likely because someone fell prey to a "phishing" scheme and simply gave the password away).
- In fact, the SSO processor itself does not have possession of your password. It just asks our separate back-end directory system to confirm the password you provided. Even in the directory system, your password is not stored in a retrievable, human-readable form; we save it in a non-reversible encrypted format generated whenever you set or change it. (For those interested in details, it's a secure salted hash with a random salt.) So we can't retrieve your actual password even if we want to, but our directory system can take the password you offered the SSO processor, push it through a one-way numerical hash, and see if the results match.
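As an added illustration (not the university's code), here is how a back-end directory can store a password as a salted one-way hash and answer the SSO processor's "does this match?" question in Python. The function names, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions; the page does not name the exact algorithm.

```python
import hashlib
import hmac
import os

# Assumed parameters: PBKDF2-HMAC-SHA256 with a fixed work factor.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def set_password(directory: dict, username: str, password: str) -> None:
    """On set/change: draw a fresh random salt and keep only salt + one-way hash.
    The plaintext password is never written to the directory record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    directory[username] = {"salt": salt, "hash": digest}


def directory_verify(directory: dict, username: str, offered: str) -> bool:
    """The directory's only job: re-hash the offered password with the stored salt
    and report match / no match. Nothing retrievable about the password exists here."""
    record = directory.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not leak
        # whether an account exists.
        hashlib.pbkdf2_hmac(HASH_NAME, offered.encode("utf-8"), b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, offered.encode("utf-8"), record["salt"], ITERATIONS)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, record["hash"])


def sso_login(directory: dict, username: str, offered: str) -> bool:
    """The SSO processor relays the offered password to the directory for a yes/no
    verdict; the individual web services never see the password at all."""
    return directory_verify(directory, username, offered)
```

Because each record gets its own random salt, two users who happen to choose the same password end up with different stored hashes, so a leaked record for one tells an attacker nothing about the other.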