This article is Part 1 of a five-part series on Atlassian Single Sign-On. Click to read Part 2.
Praecipio has partnered with our friends at resolution to bring you a series of blog posts on how to successfully implement Single Sign-On (SSO) with Atlassian tools. Resolution is an Atlassian Gold Marketplace Partner based in Germany that specializes in software development and network security. With more than 7 million users from 58 countries, resolution is the market leader for Atlassian Enterprise User Management Apps.
General Symptoms | Implications for Atlassian User Management |
Loss in productivity for the end user | Time wasted logging in and/or re-logging into Jira, Confluence, or BitBucket due to constant session time-out |
Applications used infrequently - such as open enrollment apps - are highly prone to forgotten passwords | Both Jira and Confluence can be in that position if users don't need to access them every week, as is the case for HR Help Desks |
Password frustration and low technology adoption | Jira Service Desk can have a poor reputation among non-technical users who only request support with a sense of urgency |
Poor password hygiene; passwords used are easy to remember, re-used for multiple apps, or written down on post-it notes | If users are prompted to log in again each time the session expires, most users will employ an easy password that they can type without thinking |
A high volume of password replacement calls to the Help Desk | If you already have an SSO in place that doesn't connect with Atlassian applications, a high percentage of this will be for Jira, Confluence, etc. |
Low productivity of Help desk employees and staffing issues for global companies | A lower number of critical tickets solved per agent, and poor license utilization |
Passwords are the weakest link in tech: we use them every hour, we forget them every day and ask for recovery emails constantly. We replace passwords with less complex alternatives so often that we have assumed it's fine to let them degrade: in the end, the only problem I have to deal with as a user is not gaining access to my accounts. Who would ever want to exploit my accounts?
Single sign-on kills password fatigue by killing passwords – plural. However, many business stakeholders still view SSO as a nice-to-have supplement that eliminates user friction, failing to recognize the web of security risks that it solves.
An overview of the symptoms of password fatigue for the different corporate ranks can help technical leaders kickstart the journey to onboard a suitable SSO solution. Having a solid case can also make them more persuasive security evangelists.
Many employees will just reuse the same memorable password in order to maintain access to their accounts. Many others will not access certain applications if an unwanted login blocks their way. User fatigue will then result in low tech adoption for applications that are not central to the employee's job description, with compliance and open enrollment software as two frontrunners in this race to oblivion.
When business processes are not followed, information will be lost or remain siloed, and business productivity and collaboration will suffer. Employees whose performance relies on the compliance and open enrollment software everybody has dropped will have a very hard time completing their job. Many companies using Jira Core to support these types of processes fail to recognize the threat that login friction poses to the general adoption of the mandated tool.
In the long run, poor password hygiene results in infections. How long until someone loses the paper notebook where her passwords are written? How long until it's found by the wrong hands on a plane or at a workshop outside the office?
Security officers have many reasons to panic in a culture of "security last" with no SSO. Besides password leaks, outdated user accounts can easily expose classified information to roles that lack the required clearance. Or disgruntled employees may discover they can still access the company's code repository on Bitbucket.
A very revealing symptom that a company is in urgent need of an SSO solution is buried in the recurring tasks of system administrators. Discontinuing accounts of leavers in a timely manner or adjusting the permissions of an employee who has moved to a different department are extremely difficult tasks without a centralized user management function.
Besides eating up the available seats in your licenses, lacking an automated method for provisioning users into applications has serious repercussions. For starters, new users will have to wait in a queue until an administrator is available.
Administrators must also enforce security measures when credentials are compromised, often at the cost of major productivity setbacks. Have you ever had to set new credentials for all your accounts? Yes, it feels pretty much like your first day on the job again.
Password frustration is a more visible phenomenon on the user side. But, ask a Help Desk agent at a large corporation without SSO how many password recovery calls he must attend to every day...and how those tasks rank in his important vs. urgent matrix.
High volumes of password replacement calls are among the key factors associated with the low productivity of Help Desks. In ITIL jargon, they are technically requests, but in practice, they're just a manifestation of the recurring problem: the dire need for an SSO. With an SSO in place, password recovery requests will be rare. They will still happen, particularly if you still have a password expiration policy (and there's a reason why Microsoft has abandoned that recommendation). But ownership will be much more effective, and you will have a maximum of 1 request per user.
As much as single sign-on solves the password management problem, it's important to remind stakeholders that it also has the important benefit of centralizing employee accounts for all mandated enterprise software. Admittedly, one immediate effect of that centralization is that users will have only one master key to all their applications. But the other side of the story is even more important: single sign-on connects user management for individual applications to a single source of truth, maintaining tight enforcement over access rights that eliminates the need for IT heroics.
The good news is that many enterprises already have the necessary infrastructure in place to easily set up an SSO solution. Customers of Office 365, for example, can enable their central directory on Azure AD for free. Part 2 of this series will offer a practical overview of your available options. It will detail what kind of identity resources are necessary to set up a single sign-on, what the most common configurations of centralized user directories for Atlassian applications are, and what tricks can get you a leading Identity Provider at an affordable price.
Read the rest of our Atlassian SSO Series: