What Is Single Sign-On (SSO)? How it works, Why do you need it?

What is Single Sign-On (SSO)?


Single Sign-On (SSO) lets a user authenticate once and then access multiple applications or websites without signing in again to each one. The user credentials and other identifying information are stored and managed by a centralized system called the Identity Provider (IdP). The Identity Provider is a trusted system that authenticates the user and provides access to other websites and applications.

How does Single Sign-On (SSO) work?

Single Sign-On (SSO) Workflow
  1. The application/website redirects the user to the Identity Provider for authentication.
  2. The user signs in with their credentials if no external IdP is configured. If you have an existing Identity Provider (SAML, OAuth/OpenID Connect, etc.), the user is redirected to that Identity Provider for authentication.
  3. The IdP authenticates the user and issues an SSO response (for example, a digitally signed SAML assertion or an OpenID Connect ID token).
  4. The SSO response is returned to the client application/website, which validates it before trusting its contents.
  5. The application/website grants access to the user.

SSO Components

  • Identity Provider - User identity information is stored and managed by a centralized system called the Identity Provider (IdP). The Identity Provider authenticates the user and provides access to the Service Provider. The Identity Provider can authenticate the user directly by validating a username and password, or by validating an assertion about the user’s identity presented by a separate Identity Provider.
  • Service Provider - A Service Provider delivers services to the end user. Service Providers rely on Identity Providers to assert the identity of a user, and certain attributes about the user are typically managed by the Identity Provider.
  • Identity Broker - An Identity Broker acts as an intermediary that connects multiple Service Providers with various Identity Providers. Using an Identity Broker, you can perform single sign-on (SSO) across applications regardless of the protocol each one follows. The main reason to use an Identity Broker is that it supports cross-protocol federation, i.e. configuring a Service Provider that follows one protocol with an Identity Provider that follows a different protocol.
Single Sign-On (SSO) Identity Brokering

Benefits:

  1. Access Multiple Applications with a Single Login: Once authenticated by the SSO service provider, the user can access multiple other apps/websites without logging in individually to each one.
  2. Avoid multiple passwords: With SSO the user needs to remember only a single password instead of a separate password for each app/website.
  3. Improved internal security: With a centralized SSO system, user accounts can be managed easily across multiple applications. Also, the IdP holds only a single password per user, reducing the number of passwords that must be protected.
  4. Efficient Collaboration: Large organizations develop their own SSO solutions so that data, files, and other information can be shared easily across multiple applications. This makes sharing and collaboration faster and less expensive.

Why is SSO used by Organizations?

Using Single Sign-On services for authentication allows organizations to delegate the storage and management of user credentials to a centralized system. This avoids the hassle of managing user data and passwords separately in each application.

Single Sign-On (SSO) into multiple applications

SSO can be used in the below scenarios:

  • Authentication Using Federated Identity: If an enterprise uses a third-party identity provider, federated identity (SAML) is preferred for user authentication in cloud-based as well as on-premise applications. In this case, a user attempting to access an application is redirected to an SSO-based service provider, which asks the identity provider to verify the user’s identity.
  • Authentication for On-Premise Enterprise Applications: Enterprises use multiple applications for various tasks. SSO can serve as the central point of authentication, using a single set of login credentials to provide access to all the different enterprise applications.

SSO Protocols:

SAML 2.0

Security Assertion Markup Language (SAML) is an open standard that carries user identity and attribute information in the form of an XML document. This XML document is digitally signed by the Identity Provider and shared with the Service Provider during the user authentication process.

OAuth 2

OAuth 2.0 allows a user to grant a third-party application limited access to their data by issuing it an access token. Because the application receives a token rather than credentials, it never obtains the user’s password, and it can access only the information the user has permitted.

OpenID Connect

OpenID Connect is an identity layer that operates on top of OAuth 2.0. It provides basic profile information about the end user through RESTful APIs that use JSON as the data format.
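As an added example, not taken from this page or from miniOrange, the following Python sketches the Service Provider side of the OpenID Connect login that the workflow above describes: the SP generates a state and nonce (step 1), the IdP issues a signed ID token (step 3), and the SP validates signature, issuer, audience, expiry and nonce before granting access (steps 4 and 5). The issuer, client ID and shared secret are constructed placeholders, and HS256 with a shared secret stands in for the RS256 signatures and JWKS keys real IdPs use so the example runs offline.

```python
import base64, hashlib, hmac, json, secrets

# Constructed example: the Service Provider (SP) side of an OpenID Connect
# login. Real IdPs sign ID tokens with RS256/ES256 and publish keys via
# JWKS; HS256 with a shared client secret is used here so it runs offline.
ISSUER = "https://idp.example.com"   # assumed IdP issuer (placeholder)
CLIENT_ID = "sp-demo-client"         # assumed SP client_id (placeholder)
CLIENT_SECRET = b"constructed-shared-secret-for-demo-only"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sign(signing_input: str) -> bytes:
    return hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()

def build_authn_request(redirect_uri: str) -> dict:
    """Step 1: the SP redirects the user to the IdP with a fresh state and nonce."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "scope": "openid profile",
              "state": state, "nonce": nonce}
    return {"params": params, "state": state, "nonce": nonce}

def idp_issue_id_token(subject: str, nonce: str, now: int, **overrides) -> str:
    """Step 3 as done by the IdP: sign an ID token (HS256 stand-in for RS256)."""
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce, **overrides}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_sign(f'{header}.{body}'))}"

def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Step 4: the SP validates the SSO response before granting access (step 5)."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{header_b64}.{body_b64}"), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")     # tampered, or not issued by our IdP
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this SP")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims
```

The state value is kept by the SP to bind the IdP's callback to the browser session that started the login; it is returned in the request dict so the calling web handler can store it.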

LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol that enables clients to locate organizations, individuals, and other resources such as files and devices in a network. The network can be the Internet or a corporate intranet.

RADIUS

RADIUS stands for Remote Authentication Dial-In User Service. It is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
