Introduction
In this post, we will look at the different terminologies used around SSO. Single Sign-On in its broadest sense means using one set of credentials everywhere, whereas web SSO means logging in once in the browser and then accessing multiple websites without authenticating again. When it comes to SSO there are multiple names thrown around, so let's look at them one by one:
- SAML
- OIDC
- OAuth
- JWT
- Federated identities
- Federated access
- Identity provider
- Service provider
Problem Statement
Before we deep dive into the topics, let us understand why SSO is needed. SSO primarily aims to solve three problems: password fatigue, a sprawl of disjointed apps each with its own login, and developer simplicity (each application integrates with one identity provider instead of implementing its own authentication).
SAML
SAML, Security Assertion Markup Language, is an XML-based standard for exchanging identity assertions between two parties to achieve web single sign-on. Most corporate applications use SAML to provide web SSO; however, the current trend is for modern applications to move towards the OAuth 2.0 framework and achieve the same with OIDC, which carries identity information in JWTs.
OAUTH
OAuth, Open Authorization, is a standard designed to allow a website to access resources hosted on another website on behalf of a user. OAuth 2.0 is an authorisation protocol, not an authentication protocol: the client presents an access token to the other application's API, and that token says what the client may do, not who the user is. There are some additional terms to learn in OAuth 2.0:
- Resource owner: the user (or entity) that owns the protected resource and grants access to it.
- Client: the application that needs access to the protected resource on the resource owner's behalf; it must obtain and hold an access token.
- Authorization Server: issues access tokens after the resource owner has authenticated and authorised the client.
- Resource Server: hosts the protected resources; it receives the access token on each request and validates it before granting access to the resource.
The different grant types in OAuth 2.0 will be covered in a separate blog post.
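To make the four roles concrete, here is an added example (not code from the original post) that models them as in-memory Python classes. Everything in it is constructed for illustration: the scope names `photos:read`/`photos:write`, the client id `photo-printer`, the owner `alice`, and the introspection-style lookup the resource server uses to ask the authorization server whether a token is still valid. The access token is an opaque random string, which is the point: the client can use it to act on the owner's behalf but learns nothing verified about who the owner is, which is why OAuth 2.0 on its own is authorisation rather than authentication.

```python
import secrets
import time

# Constructed in-memory stand-ins for the four OAuth 2.0 roles; not a real server.


class AuthorizationServer:
    """Issues access tokens after the resource owner authenticates and consents."""

    def __init__(self):
        # opaque token -> record; the AS keeps the meaning, the client only holds the string
        self._tokens = {}

    def issue_token(self, resource_owner, client_id, scope, lifetime=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque: reveals nothing about owner or scope
        self._tokens[token] = {
            "sub": resource_owner,
            "client_id": client_id,
            "scope": set(scope.split()),
            "exp": now + lifetime,
        }
        return token

    def introspect(self, token, now=None):
        """Assumed introspection-style lookup: returns the active record or None."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or now >= rec["exp"]:
            return None
        return rec


class ResourceServer:
    """Protects the owner's data; trusts only what the AS says about a token."""

    # constructed scope names: which scope each HTTP method needs
    REQUIRED_SCOPE = {"GET": "photos:read", "DELETE": "photos:write"}

    def __init__(self, auth_server):
        self._as = auth_server
        self._photos = {"alice": ["beach.jpg", "cat.jpg"]}

    def handle(self, method, authorization_header, now=None):
        # Bearer token extraction from "Authorization: Bearer <token>"
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return 401, "missing bearer token"
        rec = self._as.introspect(token, now=now)
        if rec is None:
            return 401, "invalid or expired token"
        needed = self.REQUIRED_SCOPE.get(method)
        if needed is None or needed not in rec["scope"]:
            return 403, "insufficient scope"
        if method == "GET":
            return 200, list(self._photos.get(rec["sub"], []))
        self._photos[rec["sub"]] = []
        return 200, []


class Client:
    """Third-party app acting on the owner's behalf; it only holds the token."""

    def __init__(self, client_id, token):
        self.client_id = client_id
        self.token = token

    def request(self, resource_server, method, now=None):
        return resource_server.handle(method, f"Bearer {self.token}", now=now)


def demo(now=1_700_000_000):
    """Run the four roles against each other and return each outcome."""
    auth = AuthorizationServer()
    photos = ResourceServer(auth)
    # The resource owner "alice" authenticated at the AS and consented to read-only access.
    token = auth.issue_token("alice", "photo-printer", "photos:read", lifetime=600, now=now)
    client = Client("photo-printer", token)
    return {
        "read": client.request(photos, "GET", now=now),          # allowed: scope matches
        "write": client.request(photos, "DELETE", now=now),      # 403: scope not granted
        "expired": client.request(photos, "GET", now=now + 601),  # 401: token past exp
        "forged": photos.handle("GET", "Bearer not-a-real-token", now=now),  # 401: unknown
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The resource server never inspects the token itself; it asks the authorization server, and it enforces scope separately from validity, so a valid read-only token still cannot delete. Real deployments replace the in-memory lookup with a signed token or an introspection endpoint, but the division of responsibilities is the same.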
Identity Provider
In the SSO context, the Identity Provider, IdP for short, is responsible for authenticating users and issuing tokens (SAML assertions, or OIDC ID tokens, which are JWTs). The identity provider is usually integrated with an identity data store, typically Active Directory, to authenticate the users. The IdP also performs MFA, whether with TOTP codes or security keys (a separate topic altogether).
Service Provider
The Service Provider, or SP, hosts the application. The SP grants access to the resource only after it has received and validated a successful authentication assertion from the IdP.
OIDC
OAuth is an authorisation framework, whereas OIDC (OpenID Connect) provides authentication on top of OAuth 2.0. OIDC issues an ID token, a JWT carrying identity claims (such as the issuer `iss`, subject `sub`, audience `aud` and expiry `exp`), so an application can extract the claims it needs once it has validated the token's signature, issuer, audience and expiry.
JWT
JWT stands for JSON Web Token: a self-contained token for securely transmitting information (mostly identity claims) between two parties as a JSON object. It consists of a header, a payload and a signature, each base64url-encoded and joined with dots; the signature is what lets the receiving party detect tampering, so a JWT's claims must never be trusted before the signature has been verified.
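The following added example (not code from the original post) ties the OIDC and JWT sections together: it builds an ID token with the standard OIDC claims, then validates it the way a relying party should before trusting the `sub` claim. It uses only the Python standard library with HS256 and a constructed shared secret; real IdPs normally sign with asymmetric keys (RS256/ES256) and publish the public keys, but the validation steps are the same. The issuer `https://idp.example.com`, the client id `app-123` and the nonce values are constructed for the demo. The two forgery helpers show the two classic mistakes a verifier must not make: trusting claims without checking the signature, and letting the token's own header choose the algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the HS256 demo; real OIDC IdPs usually use RS256/ES256 keys.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://idp.example.com"  # constructed issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """header.payload.signature, each part base64url without padding."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the expected algorithm; never let the token's header pick it (alg=none attack).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))  # only now are the claims worth reading
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def issue_id_token(sub, client_id, nonce, now):
    """What an OIDC IdP puts in an ID token issued to the client `client_id`."""
    return jwt_encode({
        "iss": ISSUER, "sub": sub, "aud": client_id,
        "iat": now, "exp": now + 300, "nonce": nonce,
        "email": f"{sub}@example.com",
    }, SECRET)


def login_with_id_token(token, client_id, nonce, now):
    """Relying-party side: validate, then return the user id to bind to the session, or None."""
    try:
        claims = jwt_verify(token, SECRET, ISSUER, client_id, now=now)
    except ValueError:
        return None
    if claims.get("nonce") != nonce:
        return None  # ID token replayed from a different login attempt
    return claims["sub"]


def tamper(token):
    """Attacker edit: change sub to admin without re-signing (signature no longer matches)."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["sub"] = "admin"
    return f"{h64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s64}"


def forge_alg_none(token):
    """Attacker edit: strip the signature and claim alg=none; a naive verifier accepts it."""
    _, p64, _ = token.split(".")
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p64 + "."


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_id_token("alice", "app-123", "nonce-1", t0)
    print("valid:", login_with_id_token(tok, "app-123", "nonce-1", t0))
    print("tampered:", login_with_id_token(tamper(tok), "app-123", "nonce-1", t0))
    print("alg=none:", login_with_id_token(forge_alg_none(tok), "app-123", "nonce-1", t0))
```

Note the order in `jwt_verify`: algorithm pin, then signature, and only then are the claims decoded and checked. The audience check matters in SSO specifically, because one IdP issues tokens for many clients and an ID token meant for another application must not log a user into yours.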
Federated Identities
It is a method of linking identity information across different identity stores. It solves the problem of syncing identities and their associated secrets to every system: each system trusts assertions from the home identity store instead of holding its own copy of the credentials.
Federated Access
It enables a federated identity to access multiple applications by authenticating once at a centralised identity provider.
Conclusion
In this post, we have explored the definitions of SSO terminologies; in the next post we will deep dive into the workings of the SAML2 and OAuth2 frameworks.