Single Sign-On (SSO)

(OBJ 4.6)

Single Sign-On (SSO)

• Authentication process allowing users to access multiple applications with one set of credentials
• Simplifies the user experience and enhances productivity
  • Reduces the need of remembering many passwords for different applications or sites
• Trusted relationship between applications and Identity Providers (IdP)
  • IdP is a system that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network

How SSO Works

• User logs into the primary identity provider (IdP)
  • Example: Windows Domain Controller
  • Most commonly accepts username and password as their method for authentication or with a one-time code
• Accesses a secondary application or website configured for SSO
  • Has a trusted relationship with the primary IdP
  • Example: Internal SharePoint server
• The secondary application verifies the user's identity with the IdP's assertion
• Once authenticated, access to the secondary application is granted

Benefits of SSO

• Improved user experience
  • Users only need to remember one set of credentials
• Increased productivity
  • Users save time by not having to sign-in each application separately
• Reduced IT support costs
  • It is costly to receive a bunch of support calls just to reset a user's password when they forgot
• Enhanced security, encouraging stronger passwords
  • Encourage the use of stronger passwords since you only need one master password for many services

Protocols for SSO

• LDAP (Lightweight Directory Access Protocol)
  • Used to access and maintain distributed directory information
  • Can share user information across network resources
    • Can be used to look up encryption certificates, connected printers and other services on the network, and provide a single sign-on capability.
  • Supports central repository for authentication and authorization and user information
  • Can be secured using LDAPS (LDAP over SSL or StartTLS)
    • Encrypt the data to provide secure transmission
  • LDAP stores user data for authorization, like group memberships and roles
  • Example:
    • An organization might use LDAP to form a directory of its employees
• OAuth (Open Authorization)
  • Open standard for token-based authentication and authorization
  • Allows third-party services to access user account information without exposing passwords
  • Often used in RESTful APIs for secure sharing of user profile data between sites
    • The user account is hosted by one or more resource servers, also known as API servers
    • The client app or service registers with the authorization server, provides a redirect URL and gets an ID and secret
    • The client receives an access validation token by the authorization server. This token is presented to the resource server to access the requested resource.
  • Uses JSON Web Tokens (JWT) for data transfer
    • Can be easily passed in a Base64 encoded string in URLs and HTTP headers, and can be digitally signed for authentication and integrity.
• SAML (Security Assertion Markup Language)
  • Standard for logging users into applications based on sessions in another context
  • Redirects users to an identity provider for authentication
    • The IdP then verifies the user's identity and sends a response back to the application which in turns logs the user into the application or website.
  • Eliminates the need for services to authenticate users directly
    • SAML allows services to separate from identity providers
  • Decouples services from identity providers, enhancing security and flexibility