Single Sign On (SSO)

What is Single Sign On (SSO) ?

Single Sign On (SSO) is an authentication process in which a user is provided access to multiple applications and/or websites by using only a single set of login credentials (such as username and password). This prevents the need for the user to login separately into the different applications.

The user credentials and other identity information is stored and managed by a centralized system called Identity Provider (IdP). The Identity Provider is a trusted system which provides access to other websites and applications.

SSO based authentication systems are commonly used in enterprise environments where employees require access to multiple applications/websites of their organizations. In this scenario, the SSO service provider uses the organization’s directory, such as Microsoft Active Directory, Azure Active Directory, or a directory provided by the SSO solution itself for authenticating users and providing access to the various applications/websites.

How does Single Sign-On (SSO) work ?


single sign on sso workflow

The authentication process using miniOrange Single Sign On takes place as described in the following steps:

  1. The user requests a resource from their desired application/website.
  2. The application/website redirects the user to miniOrange (Identity Provider) for authentication.
  3. The user signs in with their miniOrange credentials if no external IdP is configured.
  4. If you have an existing Identity Provider (SAML,OAuth/OpenID Connect, etc), miniOrange redirect user to the existing Identity Provider for authentication.
  5. The IdP sends SSO response to miniOrange and which in turn sends response back to the client application/website.
  6. The application/website grants access to the user.
  7. Now, the user can access all other applications/websites which are configured for SSO. If the user wants to access a resource from another application/website, the application/website checks whether the user has an active session with miniOrange.
  8. miniOrange returns SSO response back to the application/website and the user is granted access.

SSO Components

  • Identity provider- User Identity information is stored and managed by a centralized system called Identity Provider (IdP). The Identity Provider authenticates the user and provides an access to the service provider. The identity provider can directly authenticate the user by validating a username and password or by validating an assertion about the user's identity as presented by a separate identity provider.
    The identity provider handles the management of user identities in order to free the service provider from this responsibility.
  • Service Provider- A service provider provides services to the end user. Service providers rely on identity providers to assert the identity of a user, and typically certain attributes about the user that are managed by the identity provider. Service providers may also maintain a local account for the user along with attributes that are unique to their service.
  • Identity Broker- Identity broker acts as an intermediary which connects multiple service providers with various different identity providers.Using Identity Broker, you can perform single sign-on (SSO) over any applications without the hassle about the protocol it follows.No need to understand or implement complex SSO protocols like SAML, OpenID, OAuth, CAS or any other. Instead, you can just call the HTTP endpoints and access any identities.The important reason why we should use Identity Broker is that it supports Cross Protocol i.e. configuring Service Provider following a particular protocol with an Identity Provider following some different protocol.

Benefits:

  1. Access Multiple Application with Single Login: User once authenticated by the SSO service provider can access multiple other apps/websites which are supported by the SSO domain. The SSO provider tracks the user's session and eliminates the need to login individually for each app/website.
  2. Avoid multiple passwords: Since SSO requires single set of credentials for authentication and provides access to multiple apps/websites, the user needs to only remember a single password contrary to remembering multiple passwords for each individual app/website.
  3. Improved internal security: With a centralized SSO system, user accounts can be easily managed across multiple applications. Also, the identity provider is required to hold only a single password per user, thus reducing the number of passwords needed to protect.
  4. Efficient Collaboration: Large organizations and enterprises develop their own SSO solutions so that it is easy to share data, files and other information across multiple applications. This makes sharing and collaboration process faster and less expensive.

Limitations:

  1. Single Password Vulnerability: If your SSO password gets compromised, the security for all the supported apps/websites gets compromised. For example, if a user’s Google Apps password gets stolen by a hacker, the entire range of Google apps like Gmail, Google Docs, Google Drive, etc will be accessible to the hacker.
  2. Slow Process: Authentication process using SSO is slower than traditional authentication where each app/website maintains their own database containing user data. This happens because for every authentication attempt by the user, the application/website has to request the SSO provider for the user's verification data.

Why SSO is used by Organizations?

Using Single Sign On services for authentication allows organizations to delegate storage and management of user credentials to a centralized system. This prevents the hassle of managing user data and passwords.

Enterprise SSO products provide authentication to large number of third party applications without the need to modify the applications in any way. This turn-key feature makes it easy for organizations to migrate to SSO based authentication.

SSO can be used in the below scenarios:

  • Authentication Using Federated Identity: If an enterprise makes use of third party identity provider, federated identity (SAML) is preferred for user authentication in cloud based as well as on premise applications. In this case, a user attempting access to an application is redirected to an SSO based service provider which requests the identity provider for verification of the user’s identity.
  • Authentication for On-Premise Enterprise Applications: Enterprises make use of multiple applications for various tasks. SSO can be used as a central point of authentication using a single set of login credentials for providing access to all the different enterprise applications.

SAML Vs OAuth

Features SAML OAuth
Protocol SAML is an authentication protocol. OAuth is an authorization protocol.
Usage Scenario SAML will be used by those who are looking for federation and identity management. They will use this identity to login the users to different applications. OAuth will be used by those who are not looking to maintain identities but are rather trying to leverage the implementation of secure protocol by applications such as Google, Microsoft, Paypal, who ensure that the identities are authentic.
Suitable Application SAML is popular for browser-based applications. OAuth is suitable for both browser and mobile applications.
Commonly Used By SAML is widely used for enterprise applications. OAuth is widely used for customer applications and API access.
Data Format SAML uses XML to transfer messages between applications. OAuth uses JSON to transfer messages between applications.

Enterprise SSO

Enterprise SSO products basically store user credentials like username and password and automatically replay them each time a user attempts to access an enterprise application. This allows the SSO product to be used with a vast range of third party applications as the application itself does not need to be modified in any way to work with the SSO system.

Social SSO

Popular social networking applications like Twitter, Facebook, Google offer SSO services that allow users to log into third party applications with their respective social network credentials. This is very convenient for the users since they already have their information in their social media accounts and they are also logged in most of the times. But using social media SSO services also presents security risks since hackers around the world are always targeting user accounts on social networking websites.

SSO Protocols:

SAML 2.0

Security Assertion Markup Language (SAML) is an open standard which contains user identity and attribute information in the form of an XML document. This XML document is digitally signed by the Identity provider and shared with the Service provider during user authentication process.

OAuth 2

OAuth2 allows third party applications to authorize users by providing an access token. The access token prevents the external applications from getting the user’s password and other data. The application can only access limited user information which is permitted by the user themselves.

OpenID Connect

OpenID Connect is an identity layer which operates on top of OAuth 2.0. It provides basic profile information about the end-user by specifying RESTful APIs that user JSON as data format.

LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol that enables anyone to locate organizations, individuals and other resources such as files and devices in a network. The network can be the Internet or a corporate intranet.

RADIUS

RADIUS stands for Remote Authentication Dial In User Service. It is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

WS-Federation

WS-Federation (Web Services Federation) is an SSO protocol that is commonly used for authentication with Microsoft services like Active Directory Federation Services (ADFS) and Azure Active Directory. It defines mechanisms that are used to enable sharing of identity and account attributes, user authentication and authorization across applications.

CAS

The Central Authentication Service (CAS) is a single sign-on protocol for web applications. Its purpose is to allow a user to access multiple websites by using a single set of credentials only once.


Related Articles: