Search

Open Standard SSO Protocols

Updated: Dec 30, 2020

What is an open standard?

An open standard is a standard that is freely available for adoption, implementation and updates. A few as famous examples of open standards are JSON, XML, SQL and HTML.

In other words, open standards are specifications of a software as opposed to open source which refers to software source code freely accessible and open for developers.


Authentication vs authorization

Authentication is the process of recognizing a user’s identity.

Authorization is a security mechanism to determine access levels or user/client privileges related to system resources.

Despite the similar-sounding terms, authentication and authorization are separate steps in the login process, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.

What is SSO and why is it useful?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

For example, SSO is a particularly convenient method to use in wide organizations for team collaboration without providing each team with all the credentials for all apps but with only one that unifies them.



Advantages:

· Users select stronger passwords.

· It improves the effectiveness/timeliness of disabling all network/computer accounts for terminated users.

· It improves an administrator's ability to manage users and user configurations to all associated systems.

· It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications.

· It provides users with the convenience of having to remember only a single set of credentials.

· It reduces the time taken by users to log into multiple applications and platforms.


How does SSO work?

SSO works as an agreement between three entities - users, identity providers (Idp) and service providers (SP). The Idps are responsible for the users identification usually using a username and password, and if the credentials are recognized the user will receive a token. this is a key that will provide the user access to the SP.

There are different authorization protocols to establish a SSO, here we briefly explain the basics of SAML, OAuth2 and JWT.


SAML - Security Assertion Mark-up Language

SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider) - exchanging both authentication and authorization data between them using a digitally signed XML documents.



There are two common usage scenarios for SAML. The first is IdP-initiated SSO, and the second is SP-initiated SSO.

IdP-initiated example - PingOne for Enterprise. In this scenario, users first log in to the system, which presents an application catalog with internal and external applications that the company has configured sso for, therefore granting the user access to them.

When a user clicks on an application -

· The SAML IdP takes the user’s identity, along with any other attributes that the two sides have agreed to communicate.

· It builds an XML-based SAML assertion.

· It signs the assertion with the private key of a public/private keypair that was exchanged between the IdP and SP when the SSO partnership was configured.

· It then either sends the assertion to the SP via the user’s browser or sends a reference to the assertion that the SP can use to securely retrieve the assertion.

· The SP receives the SAML assertion, validates the signature using the public key and extracts the identity of the user from the SAML assertion along with any other attributes it needs.

Now the end user is on the landing page of his chosen app, just like he had manually signed in to it.


OAuth2

The OAuth 2.0 authorization framework is a protocol that allows a user to grant a third-party web site or application access to the user's protected resources, without necessarily revealing their long-term credentials or even their identity.

The access is either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.


workflow:

· The client requests authorization from the resource owner (SP).

· The SP grants authorization to access using one of the four types of available authorizations (authorization code, implicit, resource owner password credentials or client credentials).

· The client asks the server access authorization token, identifying and presenting the authorization code obtained in the previous step.

· The authorization server validates client’s credentials and authorization code. After they are validated, it returns a valid access token.

· The client and server resources are already able to exchange secure requests with the access token to serve protected content.


JWT - JSON Web Token

JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA.


Header- definition for JWT and which algorithm to use, Payload- user details, Verify signature- secret definition for encoding.

The encoded result is on the left.


Not everything is butterflies and rainbows

· Single high-value target: if a user can use one credential to access all secured apps, so can a hacker. it is enough for a hacker to breach the identity provider to obtain access to all apps.

· Long set up time: in order to create a highly secured entry point the set up and choice of a highly qualified security provider is crucial

· Single point of failure: if the identity provider goes down, you loose access to all apps.

· Some SSO-linked sites may give their user data to third-party entities: This is an area requiring careful attention.


In Conclusion

The advantages however, especially when working with many highly secured applications with a large team, outweigh the disadvantages.

Mainly, with expert professional guidance during planning and implementation to reap the benefits while minimizing the downsides.

73 views0 comments

Recent Posts

See All