Single Sign-On (SSO) terminologies

Introduction

In this post, we will look at the different terminologies used in SSO. Single Sign-On means using the same credentials everywhere, whereas web SSO means logging in once in the browser and accessing multiple websites without authenticating again. When it comes to SSO there are multiple names thrown around, so let's look at them one by one:

  • SAML
  • OIDC
  • OAUTH
  • JWT
  • Federated identities
  • Federated Access
  • Identity provider
  • Service provider

Problem Statement

Before we deep dive into the topics, understand why SSO? SSO primarily aims to solve password fatigue, too many disjointed apps, and developer simplicity.

SAML

SAML – Security Assertion Markup Language. It is based on XML and is used to exchange identities between two parties for web single sign-on. Most corporate applications use SAML to provide web SSO; however, the current trend is for modern applications to move towards the OAUTH 2.0 framework to achieve the same by issuing OIDC or JWT tokens.

OAUTH

OAUTH – open authorisation. It is a standard designed to allow a website to access resources hosted on another website on behalf of users. OAUTH2 is an authorisation protocol, not an authentication protocol. It uses an access token to access the other application. There are some additional terminologies to learn in OAUTH2:

  • Resource owner – Owns the protected resource
  • Client – The client is the one that requires access to the protected resource, so the client must hold the access token
  • Authorization Server – This server issues access tokens upon successful authentication
  • Resource Server – This server protects the user resources; it receives the token and validates it before granting access to the resource

A separate blog post will cover the different types of grant in OAUTH 2.0.

Identity Provider

In the SSO context, the Identity Provider, in short IDP, is responsible for authenticating users and providing tokens (SAML tokens, OIDC tokens or JWT tokens). Most likely the identity provider is integrated with an identity data store, normally Active Directory, to authenticate the users. The IDP also performs MFA, whether with TOTP tokens or security keys (a separate topic altogether).

Service Provider

The Service Provider, or SP, hosts the application. The SP allows access to the resource after successful authentication at the IDP.

OIDC

OAUTH is an authorisation framework, whereas OIDC provides authentication on top of OAUTH. OIDC uses JWT tokens to carry identity information, so applications can extract the required claims from the JWT once they have validated it.

JWT

JWT stands for JSON Web Token. It is a self-contained token used to securely transmit information (mostly identity) between two parties as a JSON object.

www.jwt.io
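The OIDC and JWT sections above say an application may only use the claims once it has validated the token. As an added example that is not part of the original post, here is a minimal HS256 JWT verifier using only the Python standard library; the shared secret, issuer URL and audience are constructed for the demo (a real IdP normally signs with RS256 and publishes its key via JWKS).

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: not a real IdP, key or application.
SECRET = b"demo-shared-secret"
ISSUER = "https://idp.example"
AUDIENCE = "demo-app"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a token; used here only to produce sample input for the verifier."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, iss, aud and exp all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm: the token must never choose how it is verified.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("expired")
    return claims


def check(token: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify_hs256(token, SECRET, ISSUER, AUDIENCE, now=now)
        return "ok"
    except ValueError as err:
        return str(err)
```

Only the claims returned by verify_hs256 should reach application logic; anything decoded before the signature and exp checks pass is untrusted input.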

Federated Identities

It is a method of linking identity information across different identity stores. It solves the problem of syncing identities and the relevant secrets everywhere.

Federated Access

It enables a federated identity to access multiple applications by authenticating at a centralised identity provider.

Conclusion

In this post, we have explored the definitions of SSO terminologies; in the next post we will deep dive into the workings of the SAML2 and OAUTH2 frameworks.
