Question

I understand SSO as the one-time login for all the connected applications. I would like to know more about SSO and how exactly it is achieved.


Solution

This is Donnie. He's a friend of mine.

The basic mechanism is to trust your friend's friend.

Another metaphor that's used is the sticker they give you when you enter a secured building. In the morning, you show your valid ID (credential) to the security person, and for the rest of the day, the sticker acts as the pass (token). When you come back the next day, you have to show your ID again.

The key technology is how you trust your friend, the security guy, or anyone in a hostile network. See how Kerberos or asymmetric encryption work.

OTHER TIPS

Single Sign-on allows the end-user to login to a single portal and access multiple applications seamlessly, reducing multiple login screens and increasing security by having a central entry point.

Addressing end-users' complaints about having to remember multiple passwords is a common objective in many organizations. Having multiple login access points for web applications is not only a pain-point for the end-user, it is also a security risk that can leave your company vulnerable to network attacks. A single sign-on portal solution can eliminate the hassle of multiple password prompts and streamline access for the user. However, many SSO solutions are costly and difficult to implement to effectively handle all user access scenarios. Integration is especially difficult when attempting to allow the single sign-on experience to continue for external users, from customers, to partners, to vendors and even suppliers, who all want seamless access to hosted web applications.

I have recently been researching different SSO solutions - there are so many! I came across this little video and thought it was so clever! http://youtu.be/KTweSfRW18M?list=UUJD2scx1baSeUDSIk7N35Ww

SSO refers to single sign-on, which is implemented by default when we use claims-based authentication along with forms-based authentication or Windows authentication. The main use is of claims: a third party called the issuer will provide the authorization for the user to access the application by providing a token, which will contain claims and a digital signature so the application can identify the issuer. You can get more information here:

http://en.wikipedia.org/wiki/Single_sign-on

"Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN)"

You can read more here https://auth0.com/blog/2015/09/23/what-is-and-how-does-single-sign-on-work/

In the context of web applications which are deployed under the same domain, one way of achieving SSO is to use the cookie-based mechanism.

Let's suppose we have app1.example.com and app2.example.com and we want to enable SSO between them. As you already mentioned, this means I log in to app1, and if I access app2 in the same web browser session then I will not have to log in to app2 anymore.

Technically, both applications will need a way to create the security token (cookie) and to read it. For our example the cookie can store information about the logged-in user. This information can even be encrypted into the cookie with a key which is known by both apps.

  1. First login scenario - app1 creates the cookie:

The user logs in to app1.example.com. After the app1 login is successful, app1 will trigger the creation of the cookie for the logged-in user for the domain and subdomains of example.com (set the cookie for '.example.com'). At this moment the cookie is in the client's browser.

  2. Access the second app with no login - app2 reads the cookie:

In a new browser tab the user accesses app2.example.com. The browser will attach the cookie which was created by app1 to the request for app2.example.com because it is in the same domain. app2 will have a filter which reads the cookie, extracts the username and creates the app2 session with it, bypassing the whole login process, and voila! SSO achieved.

The same scenario can be achieved by logging in to app2 and accessing app1 without login, with the condition that this time app2 should be able to create the cookie and app1 should be able to read it and use it for the session creation.

Single sign-on is a functionality that comes by default when we implement claims-based authentication. It involves additional third-party authentication by the issuer, who is going to provide the token after getting the credentials from the user who wishes to access an application.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow