What is Single Sign-On (SSO) ?
Single Sign-On (SSO) is an authentication process in which a user is provided access to multiple applications and/or websites by using only a single set of login credentials (such as username and password). This prevents the need for the user to log in separately into the different applications.
The user credentials and other identifying information are stored and managed by a centralized system called Identity Provider (IdP). The Identity Provider is a trusted system that provides access to other websites and applications.
SSO based authentication systems are commonly used in enterprise environments where employees require access to multiple applications/websites of their organizations. In this scenario, the SSO service provider uses the organization’s directory, such as Microsoft Active Directory, Azure Active Directory, or a directory provided by the SSO solution itself for authenticating users and providing access to the various applications/websites.
How does Single Sign-On (SSO) work?
The authentication process using miniOrange Single Sign-On takes place as described in the following steps:
- The user requests a resource from their desired application/website.
- The application/website redirects the user to miniOrange (Identity Provider) for authentication.
- The user signs in with their miniOrange credentials if no external IdP is configured. If you have an existing Identity Provider (SAML, OAuth/OpenID Connect, etc), miniOrange redirect user to the existing Identity Provider for authentication.
- The IdP sends an SSO response to miniOrange.
- miniOrange returns SSO response back to the client application/website and
- The application/website grants access to the user.
Now, the user can access all other applications/websites which are configured for SSO. If the user wants to access a resource from another application/website, the application/website checks whether the user has an active session with miniOrange.
- Identity provider- User Identity information is stored and managed by a centralized system called Identity Provider (IdP). The Identity Provider authenticates the user and provides access to the service provider. The identity provider can directly authenticate the user by validating a username and password or by validating an assertion about the user’s identity as presented by a separate identity provider.
The identity provider handles the management of user identities in order to free the service provider from this responsibility.
- Service Provider- A service provider provides services to the end-user. Service providers rely on identity providers to assert the identity of a user, and typically certain attributes about the user that are managed by the identity provider. Service providers may also maintain a local account for the user along with attributes that are unique to their service.
- Identity Broker- Identity broker acts as an intermediary that connects multiple service providers with various different identity providers. Using Identity Broker, you can perform single sign-on (SSO) over any applications without the hassle about the protocol it follows.No needs to understand or implement complex SSO protocols like SAML, OpenID, OAuth, CAS or any other. Instead, you can just call the HTTP endpoints and access any identities. The important reason why we should use Identity Broker is that it supports Cross Protocol i.e. configuring Service Provider following a particular protocol with an Identity Provider following some different protocol.
- Access Multiple Application with Single Login: User once authenticated by the SSO service provider can access multiple other apps/websites which are supported by the SSO domain. The SSO provider tracks the user’s session and eliminates the need to login individually for each app/website.
- Avoid multiple passwords: Since SSO requires a single set of credentials for authentication and provides access to multiple apps/websites, the user needs to only remember a single password contrary to remembering multiple passwords for each individual app/website.
- Improved internal security: With a centralized SSO system, user accounts can be easily managed across multiple applications. Also, the identity provider is required to hold only a single password per user, thus reducing the number of passwords needed to protect.
- Efficient Collaboration: Large organizations and enterprises develop their own SSO solutions so that it is easy to share data, files and other information across multiple applications. This makes sharing and collaboration process faster and less expensive.
- Single Password Vulnerability: If your SSO password gets compromised, the security for all the supported apps/websites gets compromised. For example, if a user’s Google Apps password gets stolen by a hacker, the entire range of Google apps like Gmail, Google Docs, Google Drive, etc will be accessible to the hacker.
- Slow Process: Authentication process using Single Sign-On is slower than traditional authentication where each app/website maintains its own database containing user data. This happens because, for every authentication attempt by the user, the application/website has to request the Single-Sign-On provider for the user’s verification data.
Why SSO is used by Organizations?
Using Single Sign-On services for authentication allows organizations to delegate storage and management of user credentials to a centralized system. This prevents the hassle of managing user data and passwords.
Enterprise SSO products provide authentication to a large number of third party applications without the need to modify the applications in any way. This turn-key feature makes it easy for organizations to migrate to SSO based authentication.
SSO can be used in the below scenarios:
- Authentication Using Federated Identity: If an enterprise makes use of third-party identity provider, federated identity (SAML) is preferred for user authentication in cloud-based as well as on-premise applications. In this case, a user attempting access to an application is redirected to an SSO based service provider which requests the identity provider for verification of the user’s identity.
- Authentication for On-Premise Enterprise Applications: Enterprises make use of multiple applications for various tasks. SSO can be used as a central point of authentication using a single set of login credentials for providing access to all the different enterprise applications.
SAML Vs OAuth
|Protocol||SAML is an authentication protocol.||OAuth is an authorization protocol.|
|Usage Scenario||SAML will be used by those who are looking for federation and identity management. They will use this identity to log in the users to different applications.||OAuth will be used by those who are not looking to maintain identities but are rather trying to leverage the implementation of the secure protocol by applications such as Google, Microsoft, Paypal, which ensure that the identities are authentic.|
|Suitable Application||SAML is popular for browser-based applications.||OAuth is suitable for both browser and mobile applications.|
|Commonly Used By||SAML is widely used for enterprise applications.||OAuth is widely used for customer applications and API access.|
|Data Format||SAML uses XML to transfer messages between applications.||OAuth uses JSON to transfer messages between applications.|
Enterprise SSO products basically store user credentials like username and password and automatically replay them each time a user attempts to access an enterprise application. This allows the SSO product to be used with a vast range of third party applications as the application itself does not need to be modified in any way to work with the SSO system.
Popular social networking applications like Twitter, Facebook, Google offer SSO services that allow users to log in to third-party applications with their respective social network credentials. This is very convenient for the users since they already have their information in their social media accounts and they are also logged in most of the time. But using social media SSO services also presents security risks since hackers around the world are always targeting user accounts on social networking websites.
Security Assertion Markup Language (SAML) is an open standard which contains user identity and attributes information in the form of an XML document. This XML document is digitally signed by the Identity provider and shared with the Service provider during the user authentication process.
OAuth2 allows third party applications to authorize users by providing an access token. The access token prevents external applications from getting the user’s password and other data. The application can only access limited user information which is permitted by the user themselves.
OpenID Connect is an identity layer that operates on top of OAuth 2.0. It provides basic profile information about the end-user by specifying RESTful APIs that use JSON as a data format.
LDAP (Lightweight Directory Access Protocol) is a protocol that enables anyone to locate organizations, individuals and other resources such as files and devices in a network. The network can be the Internet or a corporate intranet.
RADIUS stands for Remote Authentication Dial-In User Service. It is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
WS-Federation (Web Services Federation) is an SSO protocol that is commonly used for authentication with Microsoft services like Active Directory Federation Services (ADFS) and Azure Active Directory. It defines mechanisms that are used to enable sharing of identity and account attributes, user authentication and authorization across applications.
The Central Authentication Service (CAS) is a single sign-on protocol for web applications. Its purpose is to allow a user to access multiple websites by using a single set of credentials only once.