Single Sign On Integrations - Intro

Single Sign-On (SSO) is everywhere and provides a lot of convenience to users. Let me give you a few examples.

  • Have you noticed that when you are logged into your Gmail account and go to YouTube in the same browser, you are automatically logged into YouTube without any further request for credentials or authentication?
  • In today's corporate world, with the impact of COVID-19, employees and partners working from home rely heavily on corporate applications such as Zoom, Salesforce and Jira. Authenticating once and then letting them securely use all these corporate applications is another productive use of Single Sign-On.
  • In the education sector too, COVID-19 has made students and teachers depend heavily on online tools. Here as well, Single Sign-On integration among educational applications such as Moodle, Office 365 and Yammer provides a lot of convenience.

User convenience is not the only benefit of Single Sign-On, though. It also brings the enterprise a lot of convenience in maintenance and monitoring. Let's look at these in detail below.

Benefits

  • Central credential store - To provide Single Sign-On, a central entity is needed to keep track of the user base, and the rest of the applications trust this entity to authenticate users. This means user credentials are stored in one place, and all the high-security measures, such as encrypting credentials and keeping the store securely behind a firewall, are required only for a single component rather than each application handling them separately.
  • User access level handling - With users maintained in a central location, user on-boarding and retirement happen in a central place. If a user resigns, you no longer have to go to multiple places to remove the user; it is done in one location. As users are managed centrally, their access levels can also be audited from a single location.
  • User behavior monitoring - This also provides the capability to monitor, in one holistic view at a single location, which applications users access, at what times and from which locations. If a user has to be blocked immediately, closing all of their active sessions, such functionality can also be provided in a far more convenient implementation.

Single Sign On specific terms

In the SSO domain, there are a few terms that are good to be familiar with.
  • Service Provider (SP) / Relying Party / Application - All these refer to the application that depends on a separate party to authenticate its users. In the most common case it initiates the request and redirects the user to that separate party to get authenticated.
  • Identity Provider (IDP) / Authentication Server / OpenID Provider - All these refer to the central entity that stores the user base and knows how to authenticate users. It accepts requests to authenticate users and responds with the user's authenticity along with any other related attributes, as per its configuration or the request from the SP.

Single Sign On flow

Below is the generic flow that happens when a user logs in to an SSO-integrated application.
We will look into the protocol-specific details of each of these requests in a separate post.
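As an added illustration that is not part of the original post, here is a small Python model of that generic flow: the SP redirects the user to the IDP with a request carrying its own identifier and a one-time state value, the IDP authenticates the user and returns a signed response with the subject and attributes, and the SP accepts it only after checking the signature, audience, state, expiry and central session status. The shared HMAC key, the user record and every class and function name are assumptions made for this example.

```python
import hmac, hashlib, json, time, secrets

IDP_KEY = b"shared-idp-signing-key"   # assumption: key the IdP signs responses with
IDP_USERS = {"alice": {"password": "s3cret", "role": "teacher"}}  # constructed user base

class IdentityProvider:
    """Central entity: holds the user base, authenticates, issues signed responses."""
    def __init__(self):
        self.active = {}   # response id -> subject, so a user can be blocked centrally

    def authenticate(self, auth_request, username, password):
        user = IDP_USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None    # the SP never learns why; it only sees no response
        body = {"id": secrets.token_hex(8), "sub": username, "aud": auth_request["sp_id"],
                "exp": int(time.time()) + 300, "state": auth_request["state"],
                "attrs": {"role": user["role"]}}          # attributes the SP asked for
        raw = json.dumps(body, sort_keys=True).encode()
        self.active[body["id"]] = username
        return {"body": body, "sig": hmac.new(IDP_KEY, raw, hashlib.sha256).hexdigest()}

    def revoke_user(self, username):
        """Block a user at the central location: every session they hold is closed."""
        before = len(self.active)
        self.active = {i: s for i, s in self.active.items() if s != username}
        return before - len(self.active)

class ServiceProvider:
    """Relying party: never sees the password, trusts only a valid IdP response."""
    def __init__(self, sp_id):
        self.sp_id, self.pending = sp_id, set()

    def start_login(self):
        state = secrets.token_hex(8)   # ties the IdP's response to this login attempt
        self.pending.add(state)
        return {"sp_id": self.sp_id, "state": state}   # what the redirect carries

    def consume_response(self, response, idp):
        body = response["body"]
        raw = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(IDP_KEY, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["sig"]):
            return None    # forged or tampered response
        if body["aud"] != self.sp_id or body["state"] not in self.pending:
            return None    # issued for another SP, or replayed
        if body["exp"] < time.time() or body["id"] not in idp.active:
            return None    # expired, or closed centrally (modelled as a lookup at the IdP)
        self.pending.discard(body["state"])              # state is single-use
        return body["sub"], body["attrs"]
```

In a real deployment the "lookup at the IdP" is a signed assertion or token validated per protocol plus a logout channel, and the SP and IDP would not share a symmetric key.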

Single Sign On protocols 

SAML - In the education sector the most widely used protocol is SAML (Security Assertion Markup Language). This has been the traditional choice, with XML-based request and response formats.

OpenID Connect - This is the most widely used protocol today. It is built on the OAuth 2.0 protocol, hence its request and response formats use lightweight JSON.

Well-known IDPs support both of these, and even mediation between them. We will look into these available vendors in a separate post.

Hope this gave you a glance at the SSO functionality.
Cheers!
