How does SSO (Single Sign-On) operate?
Single Sign-On (SSO) is an authentication method that lets users access numerous applications with a single login. It does this through a central authentication server, which stores the user's credentials and validates them for every application.
In the age of the cloud, the concept of SSO is not new. SSO technology is derived from on-premises identity solutions that allowed companies to securely connect their servers, networks, and PCs in the middle to late 1990s. Around this time, businesses began handling user IDs using specialized systems like Microsoft Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). They then employed Web Access Management (WAM) or on-premises SSO solutions to safeguard access.
The performers on the stage of SSO
In the SSO game, there are three main players:
- The identity provider, or IdP, is the main server for authentication. You enter your credentials there to be validated. Imagine it as the entrance to a high-security building.
- Service Provider (SP): Each of these apps depends on SSO for user login. Your CRM platform, project management tool, and work email can all be SPs. Think of these as separate offices inside the secure building.
- SSO Server: The IdP and SPs are connected by this bridge. It manages communication and sends authentication tokens between them in a secure manner. Imagine it as a safe corridor that links the entrances to the different workplaces.
Google and similar services provide excellent illustrations of SSO in action. Take logging in to Trello with your Google account as an example: you don't have to create a new Trello account and remember a fresh set of login credentials.
When you attempt to log in with your Google account, Trello redirects you to the central service hosted on accounts.google.com, where a sign-in form asks for your credentials. If the authentication succeeds, Google sends you back to Trello, where you are instantly logged in.
If you wish to use your Google account to access Trello, follow these steps:
- The user requests access: On the Trello login page, the user chooses Google as the login option.
- Redirect: Trello redirects the user to the Google login page.
- Login page delivered: The Google login page is displayed to the user.
- Entering credentials: The user enters their Google login information.
- SSO server verification: Google passes the authentication information to the SSO authorization server.
- Authentication at the IdP: If the credentials are legitimate, the authorization server returns the SAML auth token.
- Access granted: Google passes the auth token to Trello.
- Token verification: In the final step, Trello sends the token to the Google authorization server for validation.
- Valid token: If the token is legitimate, Trello grants the user access and saves the session for subsequent requests.
Advantages of SSO
There are several advantages to SSO, including:
- Better user experience: Users don't have to keep track of numerous passwords and usernames.
- Enhanced security: Password reuse across apps is less common among users.
- Simplified user access auditing: It can be difficult to make sure the right people have access to resources and private information. SSO solutions can configure users' access permissions based on their seniority level, department, and position.
There are, however, several significant drawbacks to SSO:
- Single point of failure: Creating a single point of failure is among SSO's most prominent drawbacks. If the SSO system is compromised, the attacker could gain access to all associated apps and services.
- Risks to security: The security of any connected application may be jeopardized if credentials are stolen.
- App compatibility: Sometimes an application isn't set up properly to work with an SSO system. True SSO should be possible with application providers that support SAML, OAuth, or Kerberos. Otherwise, your SSO solution is just another password that users need to remember and doesn't provide full coverage.
SSO types
Working with SSO requires familiarity with several protocols and standards. Typical protocol types include:
- SAML (Security Assertion Markup Language) is the most popular kind of SSO. Applications and the SSO server exchange authentication details using the SAML protocol.
- OAuth 2.0 (Open Authorization): It grants authorized access to server resources on behalf of a resource owner. It specifies how tokens are exchanged, enabling an IdP to verify a user's identity and use the resulting credentials to access APIs.
- OpenID Connect (OIDC) is a more recent kind of SSO built on top of OAuth 2.0. Compared to SAML, it is a simpler protocol that is easier to integrate with web apps.
Some other SSO types, such as Kerberos and smart card authentication, are less widely used.
- With Kerberos, users present their login credentials to the KDC (Key Distribution Center) to obtain service tickets. These tickets are then presented to applications, removing the need for multiple logins. However, because Kerberos depends on shared secrets between the KDC and all participants, a compromised server can disclose credentials, which makes it less appropriate for internet-facing SSO.
- With smart card authentication, a card that stores an identity works in tandem with the SSO system (much like a key and a lock) to grant access to apps (the doors) without a separate login for each. Adding a physical component strengthens the authentication process against unwanted access, but the card has to be carried by the user.
Choosing the appropriate SSO protocol
The following should be considered when choosing the appropriate protocol:
- Applications for enterprises versus consumers: Because of its broad support, integration capabilities with enterprise identity providers, and sophisticated authentication scenarios, SAML is frequently used for enterprise applications. Because of its flexibility and compatibility with web and mobile applications, OIDC and OAuth 2.0 are better suited for applications that interact with consumers.
- Authentication versus authorization: SAML or OIDC are the best choices if authentication (verifying the user's identity) is your main requirement. Built on top of OAuth 2.0, OIDC adds an identity layer to OAuth's authorization capabilities. Use OAuth 2.0 when your application has to request access to user resources without disclosing user credentials.
- Assess platform and application compatibility: Verify that the SSO protocols work with the apps you intend to integrate and your current infrastructure. While modern applications frequently prefer OAuth 2.0 and OIDC because of their API friendliness, some legacy or enterprise systems may support SAML more widely.
- Think about the user experience: The contemporary, token-based methodology of OIDC and OAuth 2.0 can provide a more seamless and cohesive user experience, particularly for web and mobile apps.
- Preparing for the future: Think about how your application ecosystem will develop in the future. Are you shifting toward mobile apps, APIs, and cloud-based services? In cloud and mobile services, OIDC and OAuth 2.0 are typically seen as more forward-looking and may provide greater flexibility.
- Requirements for compliance and regulations: Make sure the protocol you've selected complies with any industry-specific regulations, including GDPR, HIPAA, or others that might specify particular security or privacy criteria.
There are numerous products available that can be used for SSO:
- Microsoft Entra ID, previously named Microsoft Active Directory. It integrates smoothly with Office 365, Dynamics CRM, and other Microsoft services, making it a natural fit for businesses that are already heavily invested in the Microsoft ecosystem. It is known for both its extensive administration capabilities and its strong security controls.
- Okta. A popular cloud-based SSO solution, Okta is known for its extensive application integrations, scalability, and ease of use. It's a good choice for businesses looking for a complete identity and access management (IAM) platform.
- Ping Identity. Ping Identity is well-known for its adaptability and serves businesses with intricate security needs. Its robust mobile and API security options make it appropriate for businesses requiring a high degree of flexibility and security.
- OneLogin. OneLogin provides a simple SSO solution that works well for small and medium-sized enterprises, emphasizing integration and simplicity. For improved security, it offers AI-powered authentication and real-time threat detection.
- Auth0. Auth0 is preferred for its developer-friendly approach. Its robust customization features make it the choice for businesses that need to tailor their authentication procedures, and it supports numerous programming languages and frameworks.
I appreciate you reading, and keep being amazing!