What is Single Sign-On (SSO)?
Single Sign-On (SSO) is an authentication process in which a user is given access to multiple applications and/or websites using only a single set of login credentials (such as a username and password). This removes the need for the user to log in separately to each application.
The user's credentials and other identifying information are stored and managed by a centralized system called an Identity Provider (IdP). The IdP is a trusted system that authenticates the user once and then vouches for that identity to the other websites and applications.
Single Sign-On (SSO) systems are commonly used in enterprise environments where employees require access to many applications/websites belonging to their organization. In this scenario, the SSO provider authenticates users against the organization's directory, such as Microsoft Active Directory, Azure Active Directory (now Microsoft Entra ID), or a directory provided by the SSO solution itself, and on that basis grants access to the various applications/websites.
How does Single Sign-On (SSO) work?
The authentication process using Single Sign-On takes place as described in the following steps:
- The user requests a resource from their desired application/website.
- The application/website redirects the user to the Identity Provider for authentication.
- The IdP authenticates the user, normally by prompting for credentials (and a second factor where one is required). If the SSO service is itself fronting an existing Identity Provider (SAML, OAuth/OpenID Connect, etc.), the user is redirected once more to that IdP to sign in.
- The IdP issues a signed SSO response (for example a SAML assertion or an OpenID Connect ID token) stating who the user is.
- The response is carried back through the user's browser to the client application/website, which verifies the signature and checks the response's issuer, intended audience and validity period, and then,
- The application/website grants access to the user.
Now the user can access all other applications/websites that are configured for SSO with the same IdP without signing in again, for as long as the IdP session remains valid.
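The exchange described in the steps above, as an added example that is not part of the original page: a Service Provider and an Identity Provider are modelled as two small Python classes that hand each other redirect URLs, exactly as a browser would carry them. All hostnames, keys, the user store and the HMAC-based response format are constructed for the example; real SAML and OIDC responses are signed with the IdP's private key and verified against its published certificate or JWKS. The point of the block is the set of checks the application performs on the way back in: the `state` must match a pending login, the signature must verify, and the response must name the right issuer, the right audience, the request it answers and a validity window, and must not have been seen before.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Everything below is constructed for this example. A shared HMAC key stands in for
# the IdP's signing key; real SAML/OIDC deployments sign with a private key and the
# SP verifies against the IdP's published certificate or JWKS.
IDP_ISSUER = "https://idp.example.com"
IDP_SIGNING_KEY = b"example-idp-signing-key-not-for-production"
SP_ENTITY_ID = "https://app.example.com"
# The IdP redirects only to callback URLs registered out of band, never to one
# supplied in the request (that would let an attacker collect responses).
REGISTERED_SPS = {SP_ENTITY_ID: "https://app.example.com/sso/callback"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"\x01" * 16   # constructed IdP user store: username -> (salt, PBKDF2 hash)
IDP_USERS = {"alice": (_SALT, _hash_pw("correct horse battery staple", _SALT))}

class ServiceProvider:
    """The application: starts the login, then validates the IdP's response."""

    def __init__(self):
        self.pending = {}            # state -> request_id we are waiting for
        self.seen_responses = set()  # response IDs already consumed (replay guard)

    def start_login(self) -> str:
        """Steps 1-2: build the redirect that sends the user to the IdP."""
        state = secrets.token_urlsafe(16)   # ties the reply to this browser session
        request_id = "_" + secrets.token_hex(8)
        self.pending[state] = request_id
        return f"{IDP_ISSUER}/sso?" + urlencode(
            {"sp": SP_ENTITY_ID, "request_id": request_id, "state": state})

    def finish_login(self, callback_url: str) -> str:
        """Steps 5-6: verify the response delivered via the browser; return the subject."""
        qs = parse_qs(urlparse(callback_url).query)
        request_id = self.pending.pop(qs["state"][0], None)
        if request_id is None:
            raise PermissionError("unknown or already-used state")
        payload_b64, sig_b64 = qs["response"][0].split(".")
        payload = b64url_decode(payload_b64)
        expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise PermissionError("bad signature")
        resp, now = json.loads(payload), time.time()
        if resp["issuer"] != IDP_ISSUER:
            raise PermissionError("unexpected issuer")
        if resp["audience"] != SP_ENTITY_ID:
            raise PermissionError("response was issued for a different SP")
        if resp["in_response_to"] != request_id:
            raise PermissionError("response does not answer our request")
        if not (resp["not_before"] <= now < resp["not_on_or_after"]):
            raise PermissionError("response outside its validity window")
        if resp["id"] in self.seen_responses:
            raise PermissionError("response replayed")
        self.seen_responses.add(resp["id"])
        return resp["subject"]   # the SP now creates its own session for this user

class IdentityProvider:
    """Steps 3-4: authenticate the user and issue a signed response bound to the request."""

    def authenticate_and_respond(self, login_url: str, username: str, password: str) -> str:
        qs = parse_qs(urlparse(login_url).query)
        sp_id = qs["sp"][0]
        if sp_id not in REGISTERED_SPS:
            raise PermissionError("unknown service provider")
        salt, stored = IDP_USERS.get(username, (b"", b""))
        if not hmac.compare_digest(_hash_pw(password, salt), stored):
            raise PermissionError("invalid credentials")
        now = time.time()
        resp = {"id": "_" + secrets.token_hex(8), "issuer": IDP_ISSUER, "audience": sp_id,
                "in_response_to": qs["request_id"][0], "subject": username,
                "not_before": now - 30,          # small clock-skew allowance
                "not_on_or_after": now + 300}    # short lifetime limits replay exposure
        payload = json.dumps(resp, sort_keys=True).encode()
        sig = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
        token = b64url_encode(payload) + "." + b64url_encode(sig)
        return REGISTERED_SPS[sp_id] + "?" + urlencode({"response": token, "state": qs["state"][0]})

def run_sso_flow(username: str = "alice", password: str = "correct horse battery staple") -> str:
    """Drive one complete login and return the subject the SP accepted."""
    sp, idp = ServiceProvider(), IdentityProvider()
    callback_url = idp.authenticate_and_respond(sp.start_login(), username, password)
    return sp.finish_login(callback_url)
```

Calling `run_sso_flow()` returns `"alice"`; a wrong password, a tampered response, or the same callback URL presented a second time all raise `PermissionError`. Note that the SP never sees the password at any point: the only thing it receives is the signed statement from the IdP.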
- Identity Provider: user identity information is stored and managed by a centralized system called the Identity Provider (IdP). The IdP authenticates the user and asserts that identity to the service provider. It can authenticate the user directly, by validating a username and password, or indirectly, by validating an assertion about the user's identity presented by a separate (upstream) identity provider.
- Service Provider: a service provider provides services to the end user. Service providers rely on the identity provider to assert who the user is; attributes about the user (such as name, e-mail address or group membership) are typically managed by the identity provider and delivered inside the assertion.
- Identity Broker: an identity broker is an intermediary that connects multiple service providers to several different identity providers. With a broker, an application can take part in single sign-on regardless of the protocol it speaks. The main reason to use a broker is cross-protocol support: a service provider that speaks one protocol (for example SAML) can be connected to an identity provider that speaks another (for example OpenID Connect).
- Access multiple applications with a single login: once authenticated by the SSO provider, the user can access multiple other apps/websites without logging in individually to each one.
- Fewer passwords: with SSO the user needs to remember only one password, instead of a separate password for every app/website.
- Improved internal security: with a centralized SSO system, user accounts can be provisioned, reviewed and disabled in one place for all applications, and the IdP holds only one password per user, so there are fewer credentials to protect. The flip side is that the IdP account becomes the single highest-value target, so it should be protected with multi-factor authentication.
- Efficient collaboration: large organizations often deploy an SSO solution so that data, files and other information can be shared across multiple applications under one identity. This makes sharing and collaboration faster and less expensive.
Why is SSO used by organizations?
Using Single Sign-On for authentication allows organizations to delegate storage and management of user credentials to a centralized system. Each application no longer has to store and manage user data and passwords itself.
Enterprise SSO products can provide authentication to a large number of third-party applications, usually with little or no change to the applications themselves: most SaaS applications already support SAML or OpenID Connect and only need to be configured to trust the organization's IdP. This turn-key quality makes it easy for organizations to migrate to SSO-based authentication.
SSO can be used in the below scenarios:
- Authentication using federated identity: if an enterprise uses a third-party identity provider, federated identity (typically SAML or OpenID Connect) is the preferred way to authenticate users to cloud-based as well as on-premise applications. A user attempting to access an application is redirected to the SSO service, which asks the identity provider to verify the user's identity.
- Authentication for on-premise enterprise applications: enterprises use many applications for different tasks. SSO provides a central point of authentication, so that a single set of login credentials grants access to all of the enterprise applications.
Security Assertion Markup Language (SAML) is an open standard in which the identity provider packages the user's identity and attributes into an XML document called an assertion. The assertion is digitally signed by the identity provider and passed to the service provider during the authentication process. Before trusting it, the service provider must verify that signature against the IdP's known certificate and then check the assertion's conditions: that it was issued by the expected IdP, that it is addressed to this service provider, that it answers the request this service provider sent, and that the current time lies inside its validity window.
OAuth 2.0 is an authorization framework: it lets a user grant a third-party application limited access to their resources at another service by issuing the application an access token. The application never sees the user's password, and it can use only the permissions (scopes) the user consented to. On its own, OAuth 2.0 does not tell the application who the user is; an access token proves permission to call an API, not identity, and treating it as a login is a common mistake.
OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0 that fills that gap. It adds an ID token, a signed JSON Web Token carrying claims about the end user, and a RESTful UserInfo endpoint that returns basic profile information as JSON. The application must validate the ID token's signature, issuer, audience, expiry and nonce before trusting the identity it carries.
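The ID token validation mentioned above, as an added example that is not part of the original page. The block mints a compact JWT the way an IdP would and then checks it the way a relying party must (the checks follow OpenID Connect Core 1.0 section 3.1.3.7). The issuer, client ID, secret and claims are constructed; HS256 with a shared client secret is used only so the example runs on the Python standard library, whereas most IdPs sign ID tokens with RS256 and publish the verification key at the `jwks_uri` of their discovery document.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example. HS256 (a shared client secret) is used so the
# block runs on the standard library alone; most IdPs sign ID tokens with RS256 and
# publish the public key via the discovery document's jwks_uri instead.
ISSUER = "https://idp.example.com"
CLIENT_ID = "app-example-client"
CLIENT_SECRET = b"constructed-client-secret-not-for-production"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Build a compact JWT as the IdP would. alg='none' produces an unsigned token,
    included only so the verifier can be shown rejecting it."""
    signing_input = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode()) \
        + "." + b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def validate_id_token(token: str, nonce: str, now: int, key: bytes = CLIENT_SECRET,
                      issuer: str = ISSUER, client_id: str = CLIENT_ID) -> dict:
    """Verify the signature and the OIDC Core 3.1.3.7 claim checks; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides the algorithm; never let the token choose it (this rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        raise ValueError("token not issued to this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without a matching azp")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed or cross-session token)")
    return claims

def sample_claims(now: int, nonce: str = "n-0S6_WzA2Mj") -> dict:
    """Claims an IdP would put in an ID token for a successful login (constructed)."""
    return {"iss": ISSUER, "sub": "24400320", "aud": CLIENT_ID, "nonce": nonce,
            "iat": now, "exp": now + 600, "email": "alice@example.com"}
```

A token minted from `sample_claims(now)` validates and yields `sub` `"24400320"`; the same claims signed with the wrong key, issued to a different `aud`, carrying `alg: none`, or presented after `exp` are all rejected. The `nonce` is the value the application generated when it started the login and stored in the user's session, which is what ties the returned token to that browser rather than to whoever managed to obtain it.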
LDAP (Lightweight Directory Access Protocol) is a protocol for querying and updating a directory service. It lets authorized clients locate organizations, individuals and other resources such as files and devices on a network, whether that network is the Internet or a corporate intranet. In SSO deployments the IdP typically uses LDAP to look up a user's directory entry and then verifies the password by binding to the directory as that user.
RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol that lets network access servers (originally dial-in servers; today VPN concentrators, Wi-Fi controllers and similar equipment) forward a user's credentials to a central server, which authenticates the user and authorizes access to the requested system or service. Many SSO products support these and other protocols as well.
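The search-then-bind pattern an IdP uses against an LDAP directory, as an added example that is not part of the original page. The directory URL, base DN, service account and the `uid` attribute are assumptions for a generic directory layout; the search and bind calls use the third-party `ldap3` package and need a live directory, so that import happens inside the function. The two small helpers that build the search filter run on their own: they escape the login name per RFC 4515 so that characters such as `*`, `(` and `)` in user input cannot change the meaning of the filter.

```python
from typing import Optional

# Constructed example of how an IdP typically uses LDAP: locate the user's entry with a
# search, then verify the password with a bind as that user. The directory settings are
# assumptions; ldap3 (imported inside the function) is a real third-party library.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(login: str) -> str:
    """Filter that locates the person entry whose uid equals the login name."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(login)

def authenticate_against_directory(login: str, password: str,
                                   server_url: str = "ldaps://ldap.example.com",
                                   base_dn: str = "ou=people,dc=example,dc=com",
                                   service_dn: str = "cn=sso-lookup,ou=services,dc=example,dc=com",
                                   service_password: str = "service-account-secret") -> Optional[str]:
    """Return the user's DN if the password is correct, else None. Needs a live directory."""
    # An empty password would turn the simple bind into an RFC 4513 "unauthenticated" bind,
    # which some servers treat as an anonymous session that nonetheless reports success.
    # Refuse it before talking to the directory at all.
    if not password:
        return None
    from ldap3 import Connection, Server   # assumption: the ldap3 package is installed

    server = Server(server_url)
    # Step 1: a low-privilege service account searches for the user's entry.
    with Connection(server, user=service_dn, password=service_password, auto_bind=True) as conn:
        found = conn.search(base_dn, user_search_filter(login), attributes=["uid"])
        if not found or len(conn.entries) != 1:   # unknown or ambiguous login
            return None
        user_dn = conn.entries[0].entry_dn
    # Step 2: prove the password by binding as the user; the directory does the comparison.
    user_conn = Connection(server, user=user_dn, password=password)
    try:
        return user_dn if user_conn.bind() else None
    finally:
        user_conn.unbind()
```

`user_search_filter("alice")` yields `(&(objectClass=person)(uid=alice))`, while a login of `*)(uid=*` becomes `(&(objectClass=person)(uid=\2a\29\28uid=\2a))`, a literal string match rather than a rewritten filter. The bind as the user, rather than a comparison of a password the IdP fetched from the directory, keeps password hashes inside the directory and lets its own lockout and policy controls apply.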