Saurav sharma
3 min read · Nov 6, 2023

Single Sign-On

Have you ever wondered how you get access to a website simply by clicking "Sign in with Google" or "Sign in with Facebook"?

SSO: Single sign-on lets a user authenticate once and then move from one application to another without signing in again. Each application trusts a shared identity provider for authentication instead of running its own login; what the user is allowed to do inside each application (authorization) is still decided by that application.

Definition: SSO is a technique that enables a user to securely access multiple applications and services with a single identity and a single set of credentials.

Single sign-on is most commonly achieved with one of two protocols: SAML or OpenID Connect.

SAML: Security Assertion Markup Language is an open, XML-based standard for exchanging authentication and identity information between systems, typically between an identity provider and a service provider.

OpenID Connect: OpenID Connect solves the same problem as SAML, but it is built as an identity layer on top of OAuth 2.0 and uses JSON and JWTs (JSON Web Tokens) rather than XML to carry identity information between services.

Note:

SSO is based on the federated identity concept: federated identity means that one set of credentials, held and verified by an identity provider, is trusted across multiple domains, so the user can use their services without a separate account at each one.

In this article we focus mainly on SAML (Security Assertion Markup Language).

There are a few terms that are important to understand before diving into SSO.

(1) Service provider and identity provider: The service provider (SP) is the application that grants access to its services once the user has been authenticated by an identity provider; Gmail (Google Workspace) configured for SSO is one example. The identity provider (IdP) is the party that authenticates the user and issues authentication assertions, which service providers use to identify the user; Okta and Auth0 are examples.

(2) SAML assertion: A SAML assertion is a signed XML statement issued by the identity provider that tells the service provider (SP) who the user is and that they have been authenticated. It contains all the information the service provider needs to confirm the user's identity.
A SAML assertion contains, among other things:

Issuer: the source of the assertion, which is the identity provider (IdP).
Subject: who the user is (the NameID).
IssueInstant: the time when the assertion was issued.
Conditions: the rules that make the assertion valid, such as the time window in which it may be used (NotBefore / NotOnOrAfter) and the audience, i.e. which service provider it is intended for.
Signature: the IdP's digital signature over the assertion, so the SP can confirm it is genuine and has not been tampered with.

Let's walk through the entire flow of how SAML performs single sign-on (this is the SP-initiated flow, where the login starts at the service provider).

Step (1) The user enters their work email ID at the service provider (Google in this example). The service provider builds a SAML request (an AuthnRequest) and sends it back to the user's browser.

Step (2) The browser redirects the SAML request to the identity provider.

Step (3) The identity provider shows its login page and authenticates the user (with whatever factors it requires).

Step (4) Once the user is authenticated, the identity provider (IdP) returns a signed SAML assertion to the browser.

Step (5) The browser posts the assertion back to the service provider (SP). The service provider must verify the IdP's signature using public-key cryptography, with the IdP's certificate obtained out of band from the IdP's metadata. It must also check that the assertion is meant for it and is still valid: the issuer, the audience, the NotBefore / NotOnOrAfter window, and that it answers a request the SP actually sent (InResponseTo).

Step (6) Once the assertion is verified, the service provider creates a session for the user and serves the protected data.
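Steps 1 to 6 above, together with the assertion fields listed earlier, as an added Go example (this is not code from the original article): an IdP issues a signed assertion and an SP performs the step-5 checks before accepting it. The entity IDs, user names and the five-minute validity window are made-up values, and the signature is a deliberate simplification: it is RSA-SHA256 over the serialised assertion bytes, carried beside them, rather than a real XML-DSig enveloped signature with canonicalisation, which a production SP should leave to a SAML library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion: a cut-down SAML 2.0 assertion with only the fields checked below (times stay RFC 3339 strings, as on the wire).
type Assertion struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID           string   `xml:"ID,attr"`
	IssueInstant string   `xml:"IssueInstant,attr"`
	Issuer       string   `xml:"Issuer"`
	Subject      struct {
		NameID string `xml:"NameID"`
		SCD    struct {
			InResponseTo string `xml:"InResponseTo,attr"`
		} `xml:"SubjectConfirmation>SubjectConfirmationData"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

func randomID() string { // SAML IDs must begin with a letter or underscore
	b := make([]byte, 16)
	rand.Read(b)
	return fmt.Sprintf("_%x", b)
}

// IssueAssertion is the IdP side of step 4. Real SAML embeds an XML-DSig <ds:Signature> and signs
// a canonicalised form; here, as a simplification, RSA-SHA256 covers the serialised bytes directly.
func IssueAssertion(priv *rsa.PrivateKey, issuer, nameID, audience, inResponseTo string, now time.Time) (raw, sig []byte, err error) {
	var a Assertion
	a.ID, a.Issuer, a.Subject.NameID = randomID(), issuer, nameID
	a.Subject.SCD.InResponseTo = inResponseTo
	a.IssueInstant = now.UTC().Format(time.RFC3339)
	a.Conditions.NotBefore = a.IssueInstant
	a.Conditions.NotOnOrAfter = now.Add(5 * time.Minute).UTC().Format(time.RFC3339) // assumed lifetime
	a.Conditions.Audience = audience
	if raw, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(raw)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return raw, sig, err
}

// ServiceProvider: what the SP knows out of band (IdP key and entity ID, normally from IdP metadata), plus the request IDs it issued and assertion IDs it consumed.
type ServiceProvider struct {
	IdPKey                *rsa.PublicKey
	IdPEntityID, EntityID string
	ClockSkew             time.Duration
	Pending, Seen         map[string]bool
}

// NewRequestID is step 1: mint the AuthnRequest ID and remember it for the InResponseTo check.
func (sp *ServiceProvider) NewRequestID() string {
	id := randomID()
	sp.Pending[id] = true
	return id
}

// Verify is step 5: signature first, then issuer, audience, validity window,
// InResponseTo and replay. Only a fully valid assertion is marked consumed.
func (sp *ServiceProvider) Verify(raw, sig []byte, now time.Time) (string, error) {
	digest := sha256.Sum256(raw)
	if err := rsa.VerifyPKCS1v15(sp.IdPKey, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", err
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	switch {
	case a.Issuer != sp.IdPEntityID:
		return "", fmt.Errorf("unexpected issuer %q", a.Issuer)
	case a.Conditions.Audience != sp.EntityID:
		return "", fmt.Errorf("assertion is for %q, not us", a.Conditions.Audience)
	case err1 != nil || err2 != nil || now.Before(nb.Add(-sp.ClockSkew)) || !now.Before(noa.Add(sp.ClockSkew)):
		return "", fmt.Errorf("assertion outside its validity window")
	case !sp.Pending[a.Subject.SCD.InResponseTo]:
		return "", fmt.Errorf("InResponseTo does not match an outstanding AuthnRequest")
	case sp.Seen[a.ID]:
		return "", fmt.Errorf("assertion %s replayed", a.ID)
	}
	delete(sp.Pending, a.Subject.SCD.InResponseTo)
	sp.Seen[a.ID] = true
	return a.Subject.NameID, nil
}
```

To run the flow end to end, generate an RSA key for the IdP, build a ServiceProvider with that public key and the two entity IDs, call NewRequestID (step 1), pass the returned ID to IssueAssertion (step 4) and hand the bytes to Verify (step 5), which returns the NameID. The order of checks is the point: the signature is verified before anything in the XML is trusted, and the SP keeps two pieces of state that are easy to forget, the AuthnRequest IDs it has issued (so InResponseTo can be matched) and the assertion IDs it has already accepted (so a captured assertion cannot be presented again inside its validity window).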


Note: (1) When the user then wants to access another application that trusts the same identity provider, they are not required to sign in again: the identity provider already holds an authenticated session for them, so the login completes seamlessly.

(2) XML support: SAML uses XML to carry data between the identity provider and the service provider (the two web applications involved).

(3) Industry before SAML: Before SAML, single sign-on could be achieved with cookies, but cookies only work within a single domain, so this did not extend across organisations or unrelated sites.

(4) Centralized security: Authentication, and policies such as multi-factor authentication, can be enforced centrally at the identity provider.

(5) No password required: The service provider does not need to store any passwords. This improves security, because the service provider may not follow best practice for password storage, and it also means the service provider does not have to implement a forgot-password feature.

(6) SAML and OpenID Connect solve the same problem with different mechanisms: OpenID Connect exchanges JSON Web Tokens (JWTs) over OAuth 2.0 flows instead of XML requests and assertions.

I hope this article gives you a better understanding of single sign-on. Please comment with your feedback, and stay tuned for more such articles.
