What is Single Sign-On (SSO) and how does it work?
Single sign-on (SSO) is an authentication scheme that lets a user authenticate securely, with one set of credentials (a single ID), to any of several related, yet independent, applications and websites. True single sign-on means the user logs in once and then accesses those services without re-entering authentication factors.
It should not be confused with same-sign-on (directory server authentication), which is often implemented with the Lightweight Directory Access Protocol (LDAP), with the LDAP database stored on directory servers.
A simple version of single sign-on can be achieved over IP networks using cookies, but only if the sites share a common DNS parent domain.
Examples: Facebook, Twitter, Instagram, and similar services whose accounts can be used to sign in elsewhere.
How does it work?
- SSO works based on a trust relationship between an application, known as the service provider, and an identity provider, such as Google, OneLogin, or miniOrange.
- This trust relationship is usually based on a certificate exchanged between the identity provider and the service provider.
- The identity provider uses the key behind this certificate to sign the identity information it sends to the service provider, so the service provider can check that it comes from a trusted source.
- In SSO, this identity data takes the form of tokens containing identifying information about the user, such as the user's email address or username.
When the user then tries to access a different website, that website must have a similar trust relationship configured with the SSO solution, and the authentication flow follows the same steps.
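The signed-token step above, as an added Go example that is not code from the original post: the identity provider signs the identity data with its private key, and the service provider verifies it with the IdP's public key (in real deployments the key from the exchanged certificate), then also checks that the token was issued for it and has not expired. The token layout, the field names and the `payroll-app` audience are assumptions made for this illustration; real SSO deployments use SAML assertions or OpenID Connect ID tokens instead of this minimal format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Token is the identity data the IdP asserts about the user (constructed example fields).
type Token struct {
	Username string `json:"username"`
	Email    string `json:"email"`
	Audience string `json:"aud"` // the service provider this token was issued for
	Expires  int64  `json:"exp"` // expiry as Unix seconds
}

// IdP holds the private signing key; only the public half is handed to service providers.
type IdP struct{ priv ed25519.PrivateKey }
func NewIdP() (*IdP, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &IdP{priv: priv}, pub
}

// Issue encodes the token as "<base64url payload>.<base64url signature>".
func (i *IdP) Issue(t Token) string {
	payload, _ := json.Marshal(t)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(i.priv, payload))
}

// Verify is the SP side: signature first, then audience and expiry, before any field is trusted.
func Verify(pub ed25519.PublicKey, raw, expectedAud string, now int64) (Token, error) {
	var t Token
	p, s, _ := strings.Cut(raw, ".")
	payload, err := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if err != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return t, errors.New("signature invalid: token did not come from the trusted IdP")
	}
	if json.Unmarshal(payload, &t) != nil || t.Audience != expectedAud {
		return t, errors.New("token malformed or issued for a different service provider")
	}
	if now >= t.Expires {
		return t, errors.New("token expired")
	}
	return t, nil
}
```

A token signed by any other key, or presented to a service provider it was not issued for, is rejected before its contents are read.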
What are the Service Provider (SP) and the Identity Provider (IdP)?
- Service Provider (SP) is the entity providing the service, typically in the form of an application.
- Identity Provider (IdP) is the entity providing the identities, including the ability to authenticate a user. The Identity Provider typically also contains the user profile: additional information about the user such as first name, last name, job code, phone number, address, and so on. Depending on the application, some service providers may require a very simple profile (username, email), while others may require a richer set of user data (job code, department, address, location, manager, and so on).
Conclusion
Single sign-on solves a big problem: authenticating to multiple applications with a single set of credentials. If you are implementing authentication for a new application or service, consider integrating SSO from the start. If you have any questions, leave them in the comments section below.