Single sign-on (SSO)

Single sign-on (SSO) is an authentication method that allows users to log in once with one set of credentials and grant access to multiple applications or systems without having to log in again. It is commonly used in enterprise environments, allowing employees to be more productive and reduce the risk of reusing the same password across multiple applications.

How does SSO work?

SSO works by using a trusted third-party identity provider (IdP) that authenticates users and then grants access to multiple applications or systems. When a user tries to access an application or system, the application sends a request to the IdP for authentication. If the user is already authenticated, the IdP sends back a token that verifies the user's identity, and the application grants access without requiring the user to log in again.

What are the benefits of using SSO?

SSO has several benefits, including increased security, improved user experience, and simplified IT management. By reducing the number of credentials that need to be managed, SSO can reduce the risk of password-related security breaches. Additionally, users only need to remember one set of credentials, which can improve productivity and reduce the burden on IT support.

What types of SSO are available?

There are several types of SSO, including web-based SSO, federated SSO, and social SSO. Web-based SSO is the most common type and is used to authenticate users for web-based applications. Federated SSO is used to authenticate users across different organizations or domains, and social SSO allows users to authenticate using their social media accounts.

What are the requirements for implementing SSO?

To implement SSO, you need a trusted identity provider that can authenticate users and issue tokens, as well as applications or systems that can support the SSO protocol. Additionally, SSO requires some level of integration between the identity provider and the applications or systems.

Is SSO secure?

Yes, SSO can be a secure authentication method, especially when it is implemented correctly. However, as with any security system, there are risks involved, and it is important to ensure that the identity provider and applications or systems are properly configured and secured. SSO can also be vulnerable to some types of attacks, such as phishing or man-in-the-middle attacks, so it is important to take appropriate precautions.

What are the most common SSO protocols?

The most common SSO protocols are SAML (Security Assertion Markup Language), OpenID Connect, and OAuth. SAML is a widely used protocol for web-based SSO, while OpenID Connect and OAuth are often used for social and mobile SSO.

Where are SSO authentication tokens stored?

SSO authentication tokens are typically stored in cookies, which are small text files that are stored on the user's device. However, the specific storage location and mechanism can vary depending on the SSO protocol being used and the implementation of the SSO system.

Source: YouTube

Snippet from Wikipedia: Single sign-on

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

True single sign-on allows the user to log in once and access services without re-entering authentication factors.

It should not be confused with same-sign on (Directory Server Authentication), often accomplished by using the Lightweight Directory Access Protocol (LDAP) and stored LDAP databases on (directory) servers.

A simple version of single sign-on can be achieved over IP networks using cookies but only if the sites share a common DNS parent domain.

For clarity, a distinction is made between Directory Server Authentication (same-sign on) and single sign-on: Directory Server Authentication refers to systems requiring authentication for each application but using the same credentials from a directory server, whereas single sign-on refers to systems where a single authentication provides access to multiple applications by passing the authentication token seamlessly to configured applications.

Conversely, single sign-off or single log-out (SLO) is the property whereby a single action of signing out terminates access to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on must internally store the credentials used for initial authentication and translate them to the credentials required for the different mechanisms.

Other shared authentication schemes, such as OpenID and OpenID Connect, offer other services that may require users to make choices during a sign-on to a resource, but can be configured for single sign-on if those other services (such as user consent) are disabled. An increasing number of federated social logons, like Facebook Connect, do require the user to enter consent choices upon first registration with a new resource, and so are not always single sign-on in the strictest sense.

  • kb/single_sign-on.txt
  • Last modified: 2023/05/01 08:12
  • by Henrik Yllemo