Single Sign-on (SSO) occurs when a user logs in to one application and is then signed in to other applications automatically, regardless of the platform, technology, or domain the user is using. The user signs in only one time, hence the name of the feature (Single Sign-on).
For example, if you log in to a Google service such as Gmail, you are automatically authenticated to YouTube, AdSense, Google Analytics, and other Google apps. Likewise, if you log out of your Gmail or other Google apps, you are automatically logged out of all the apps; this is known as Single Logout. SSO provides a seamless experience for users when using your applications and services. Instead of having to remember separate sets of credentials for each application or service, users can simply log in once and access your full suite of applications. Whenever users go to a domain that requires authentication, they are redirected to the authentication domain where they may be asked to log in. If the user is already logged in at the authentication domain, they can be immediately redirected to the original domain without signing in again.
How it works
Single Sign-on and Single Logout are possible through the use of sessions. There may be up to three different sessions for a user with SSO:
With SSO, a central domain performs authentication and then shares the session with other domains. The way a session is shared may differ between SSO protocols, but the general concept is the same. For example, the authentication domain may generate a signed JSON Web Token (JWT) (encrypted using JSON Web Encryption (JWE)), which contains all the information needed to identify the user for any other domain requiring authentication. This token is passed to the client, but because it is signed, it cannot be modified in any way by the client. The token can be passed to the original domain by a redirect and used by the authentication domain and any other domains to identify the user.
SSO with Universal Login
The easiest and most secure way to implement Single Sign-on (SSO) with Auth0 is by using Universal Login for authentication. In fact, currently SSO is only possible with native platforms (like iOS or Android) if the application uses Universal Login. The Swift and Android quick starts provide some examples of using Universal Login. If you cannot use Universal Login with your application, review the following for additional info on embedded authentication:
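To make the signed-token idea concrete, here is an added illustration (not Auth0's code) of an authentication domain minting a compact JWT for one relying domain, and that domain accepting it only if the signature, audience and expiry all check out, so a client that edits the payload is rejected. The HS256 shared secret, issuer and domain names are constructed for the example; a real deployment verifies with the provider's public key through a vetted JWT library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; a real auth domain signs with a
# private key and relying domains verify with the matching public key.
SECRET = b"example-only-hs256-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Auth domain: mint a JWT naming the user (sub) and the target domain (aud)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://auth.example", "sub": subject,
               "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, now: int) -> Optional[dict]:
    """Relying domain: return the claims only if signature, audience and expiry are valid."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm substitution
            return None
        expected = hmac.new(SECRET, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # payload or signature was altered in transit
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None  # token meant for another domain, or already expired
    return claims


def tamper_subject(token: str, new_subject: str) -> str:
    """Simulate a client rewriting the payload without re-signing (should fail verification)."""
    head_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["sub"] = new_subject
    return head_b64 + "." + _b64url(json.dumps(claims).encode()) + "." + sig_b64
```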
SSO on first login
For SSO with Auth0, the Central Service is the Auth0 Authorization Server. Let's look at an example of the SSO flow when a user logs in for the first time:
SSO on subsequent logins
Let's look at an example of the SSO flow when a user returns to your website for a subsequent visit:
Check user's SSO status
You can check a user's SSO status from an application by calling the
Protocols
SAML and WS-Federation
Security Assertion Markup Language (SAML) and Web Services Federation (WS-Fed) are both protocols that are widely used in SSO implementations. Both SAML and WS-Fed exchange authorization and authentication data in XML format; the main parts of this exchange are the user, the identity provider, and the service provider. With SAML or WS-Fed:
OpenID Connect
OpenID Connect (OIDC) is an authentication protocol commonly used in consumer-facing SSO implementations. The OIDC protocol handles authentication through JSON Web Tokens and a central identity provider. With OIDC:
AD/LDAP
Lightweight Directory Access Protocol (LDAP) is an application protocol used to access a directory of credentials that can be shared by multiple applications; it is commonly used by intranets. When paired with Active Directory (AD), LDAP provides a centralized location for user identity, so the application makes an authentication request to the LDAP/AD server. The LDAP protocol exchanges information in LDAP Data Interchange Format (LDIF).
Service-provider-initiated SSO
For Service-Provider-initiated SSO, Auth0 is the SSO Service Provider (SP). When a user logs in to an application:
SP-initiated SSO in Auth0 is handled by connections.
Identity-provider-initiated SSO
For Identity-Provider-initiated SSO, a third-party Identity Provider (IdP) is the SSO provider. When a user logs in to an application:
When planning an IdP-initiated SSO implementation, you may choose to use Auth0's SSO Dashboard Extension, which allows you to create a dashboard that lists multiple enterprise applications that can be enabled for SSO. This dashboard is then presented to your users to log in.
Use cases
Business to Business
For Business to Business (B2B) scenarios, SSO can simplify packaging your application for enterprise consumption. With Auth0, your applications can support common enterprise federation scenarios, such as Active Directory (AD), Lightweight Directory Access Protocol (LDAP), Ping, or Security Assertion Markup Language (SAML). This allows your partners and enterprise customers to log in with their preferred enterprise identity technologies.
Business to Consumer CIAM
For Business to Consumer (B2C) or Customer Identity Access Management (CIAM) scenarios, SSO can provide frictionless access to your applications or services. You can let customers authenticate through popular social identity providers, such as Google, Facebook, LinkedIn, Twitter, and Microsoft, instead of requiring them to make another account.