Single Sign-On (SSO) has revolutionized the way users authenticate and access applications in today’s digital landscape. By providing a seamless authentication experience and improving security, SSO has become a cornerstone of modern identity and access management (IAM) solutions. In this blog, we’ll delve into the core concepts of SSO, including its benefits, key components and protocols.
Core Components
Authentication and Authorization: Authentication (aka AuthN) is the process of verifying that you are who you claim to be, e.g. by entering your username and password or completing multi-factor authentication (via text, email, face recognition, etc.). Authorization (aka AuthZ) is the process of deciding what you can access and do once you are authenticated (e.g. view or update some data in a given system).
Identity Provider (IdP): An identity provider is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications (e.g. Okta, Microsoft Azure Active Directory, and Google Identity Platform).
Service Provider (SP, aka Relying Party): An SP is an application or service that relies on the IdP for authentication. When a user attempts to access an SP, they are redirected to the IdP to log in. Once the user has been authenticated, the IdP sends a security token back to the SP, which allows the user to access the application or service. (e.g. when a website offers "Log in with Google/Facebook/GitHub", that website is the SP and Google, Facebook or GitHub is the IdP.)
SSO (Single Sign-On): Single sign-on is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors. The essence is that a SINGLE authentication in one system provides access to multiple systems, so SSO is really about how these systems communicate and how they trust each other.
Federation: When one system trusts another system to provide its authentication (identity) information. For example, when you go to https://leetcode.com/ and click "Login with Google", LeetCode federates with Google, because LeetCode trusts the identity information that Google provides.
SP-initiated vs IdP-initiated flows: see the Beer Drinker's Guide to SAML (and SP-initiated vs IdP-initiated).
SAML (Security Assertion Markup Language): SAML is an XML-based SSO protocol for exchanging authentication and authorization information between an IdP and SPs.
OpenID Connect (OIDC): OIDC is an SSO protocol built on top of OAuth and specifically designed for SSO. It uses JSON Web Tokens (JWTs) for compact and secure information exchange. See https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow
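To make the SP/IdP trust relationship and the OIDC flow above concrete, here is an added, self-contained Python simulation (example code written for this post, not taken from any IdP, OIDC library or the linked Auth0 documentation). It plays both sides: a toy IdP that authenticates the user once and issues an authorization code and a signed ID token (JWT), and a toy SP that starts a login, receives the code at its callback, exchanges it for the ID token and then decides whether to trust it. The issuer URL, client ID, redirect URI, user store and signing secret are all constructed for the example. One deliberate simplification: the token is signed with HS256 and a shared secret so the example runs on the standard library; real IdPs sign ID tokens with an asymmetric key (RS256/ES256) and publish the public half at a JWKS endpoint, and the SP fetches that instead of holding a secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example. IDP_SIGNING_SECRET stands in for the IdP's signing key;
# a real deployment verifies RS256/ES256 signatures against the IdP's published JWKS.
IDP_ISSUER = "https://idp.example.test"              # assumed issuer identifier
IDP_SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"
SP_CLIENT_ID = "demo-sp-client"                      # assumed client_id registered at the IdP
SP_REDIRECT_URI = "https://sp.example.test/callback" # assumed callback registered at the IdP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class IdentityProvider:
    """Toy IdP: the only place the password is ever checked (AuthN happens once, here)."""

    def __init__(self):
        self._users = {"alice": "correct horse battery staple"}  # constructed user store
        self._codes = {}  # code -> (subject, client_id, redirect_uri, nonce, expiry)

    def authorize(self, username, password, client_id, redirect_uri, nonce):
        if self._users.get(username) != password:
            return None
        code = secrets.token_urlsafe(24)  # short-lived, single-use authorization code
        self._codes[code] = (username, client_id, redirect_uri, nonce, time.time() + 60)
        return code

    def token(self, code, client_id, redirect_uri):
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            return None
        sub, cid, ruri, nonce, exp = entry
        if cid != client_id or ruri != redirect_uri or time.time() > exp:
            return None
        now = int(time.time())
        claims = {"iss": IDP_ISSUER, "sub": sub, "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        return self._sign(claims)

    def _sign(self, claims):
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps(claims).encode())
        sig = hmac.new(IDP_SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token, expected_nonce, now=None):
    """SP-side trust decision: signature, pinned alg, issuer, audience, expiry and nonce."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never take alg from the token at face value
        return None
    expected = hmac.new(IDP_SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_CLIENT_ID:
        return None
    if now >= claims.get("exp", 0) or claims.get("nonce") != expected_nonce:
        return None
    return claims["sub"]


class ServiceProvider:
    """Toy SP: never sees a password, only the IdP's signed assertion about the user."""

    def __init__(self, idp):
        self._idp = idp
        self._pending = {}  # state -> nonce (bound to the browser session in a real SP)

    def start_login(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce  # state ties the callback to this login attempt
        return state, nonce

    def callback(self, state, code):
        nonce = self._pending.pop(state, None)
        if nonce is None:
            return None  # unknown or reused state: reject the callback
        id_token = self._idp.token(code, SP_CLIENT_ID, SP_REDIRECT_URI)  # back-channel exchange
        return None if id_token is None else verify_id_token(id_token, nonce)


def tamper(token, new_sub):
    """Rewrite the sub claim but keep the original signature (what a forger without the key can do)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"


def demo_login(username="alice", password="correct horse battery staple"):
    """Full SP-initiated flow; returns the authenticated subject or None."""
    idp = IdentityProvider()
    sp = ServiceProvider(idp)
    state, nonce = sp.start_login()                 # SP redirects the browser to the IdP
    code = idp.authorize(username, password, SP_CLIENT_ID, SP_REDIRECT_URI, nonce)
    if code is None:
        return None
    return sp.callback(state, code)                 # IdP redirects back with state and code


if __name__ == "__main__":
    print("login as:", demo_login())
```

The checks in `verify_id_token` are the whole point of federation: the SP trusts the IdP's identity claim only after confirming the token was signed by the key it expects, was issued for this SP (`aud`), by the expected IdP (`iss`), has not expired, and carries the nonce from this login attempt. `tamper` shows why the signature check matters: changing `sub` without the key yields a token the SP rejects.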
Benefits of SSO
- Improved security: By eliminating the need for users to create and manage multiple passwords, SSO can help to reduce the risk of password theft and unauthorized access.
- Increased convenience: Users only need to remember one set of credentials, which makes it easier for them to access the applications and services they need.
- Reduced IT costs: SSO can help to reduce the time and resources that IT administrators spend on managing user accounts and passwords.