Single Sign-On (SSO) is an authentication method that allows users to access multiple applications and platforms using a single set of credentials. In fact, SSO belongs under the wide umbrella of Federated Identity Management (FIM). Sometimes, Single Sign-On is specifically called ‘Federated SSO’.
Most probably you have logged in via SSO this week without knowing how it works. For example, you may sign in to various platforms using your social media account or Google email.
Clearly, single sign-on is more convenient for the regular user. With all the accounts and passwords to remember, SSO makes it an easier task for users to handle their credentials. In addition, it helps enhance security.
SSO works based on a trust relationship between applications and services that agree to interoperate. Usually, a certificate exchanged between the identity provider and the service provider establishes this agreement.
In fact, FIM refers to the trust relationship created between two or more domains or identity management systems. Moreover, SSO is a common feature available within the FIM architecture.
In this trust relationship, there are three entities involved. These are the user, identity provider, and service provider.
The certificate is then used to sign the identity information sent from the identity provider to the service provider, so the service provider knows it comes from a trusted source. Basically, the identity data takes the form of tokens that contain key identifying pieces of information about the user, like their username or email address.
This process can take a few seconds up to a couple of minutes. Depending on the security level, the login can require more than a username and password, such as other forms of multi-factor authentication.
Aside from the three entities involved in this trust relationship, there are other technologies essential to implementing SSO. Below are common protocols that act as components supporting SSO systems.
An SSO token refers to the collection of data sent to another system during the SSO process. This contains valuable information about the user such as their email address, password, and any accompanying information needed for authentication.
Tokens must arrive with a digital signature so the receiving end can verify that the token comes from a trusted source. The certificate used for the digital signature is exchanged during the configuration process. More importantly, SSO tokens are saved in a browser cookie.
Have you noticed the times your browser remembers your username or email ID on the same login form? This is because browser cookies store SSO details. Thus, whenever you clear the cookies, you also delete the saved login credentials.
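The token flow described above, as an added example that is not part of the original article: the identity provider signs the identity data, and the service provider verifies that signature with the identity provider's public key it received when the trust relationship was configured, then checks that the token is meant for it and has not expired. The token format, field names and audience values are assumptions for illustration, not SAML or OpenID Connect.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the identity data the IdP asserts about the user (constructed shape).
type Claims struct {
	Email    string `json:"email"`
	Audience string `json:"aud"` // which service provider the token is for
	Expires  int64  `json:"exp"` // Unix seconds
}

var b64 = base64.RawURLEncoding

// IssueToken is the identity-provider side: serialise the claims and sign
// them. Format is "<b64 claims>.<b64 signature>" (a toy format, not SAML/OIDC).
func IssueToken(priv ed25519.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c) // cannot fail for this struct
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// VerifyToken is the service-provider side. pub is the IdP's public key,
// received out of band when the trust relationship was configured.
func VerifyToken(pub ed25519.PublicKey, token, wantAud string, now time.Time) (*Claims, error) {
	p, s, ok := strings.Cut(token, ".")
	payload, err1 := b64.DecodeString(p)
	sig, err2 := b64.DecodeString(s)
	if !ok || err1 != nil || err2 != nil {
		return nil, errors.New("malformed token")
	}
	// Check the signature before trusting anything inside the payload.
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature invalid: untrusted issuer or tampered token")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	// A valid signature is not enough: the token must be for this SP and still current.
	if c.Audience != wantAud || !now.Before(time.Unix(c.Expires, 0)) {
		return nil, errors.New("token is for a different service provider or has expired")
	}
	return &c, nil
}
```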
Same Sign-On is commonly confused with Single Sign-On. Besides, both concepts can be referred to as SSO. Though they share the same goal, there is a clear distinction between Directory Server Authentication (Same Sign-On) and Single Sign-On.
Unlike Single Sign-On, Same Sign-On doesn’t involve any trust relationship between the entities that are doing the authentication. Same Sign-On systems require authentication for each application, using the same credentials from a directory server.
On the other hand, Single Sign-On refers to systems where single authentication provides access to multiple applications by sharing the authentication token seamlessly to the applications.
Furthermore, Directory Server Authentication is not as secure as available Single Sign-On solutions. Separately, Single Sign-Off or Single Log-Out (SLO) is the property whereby a single action of signing out terminates access to multiple software systems.
You have learned basic concepts including the entities and protocols, as well as the typical SSO flow. By now, you should have a rough idea of the Identity Provider’s importance in the authentication process.
Next, we introduce 1Kosmos BlockID, a next-generation identity provider that supports SSO solutions with an award-winning application. Its app makes use of blockchain-based authentication and facial recognition with Liveness checking for extra security. More importantly, 1Kosmos has already reached IAL3 and AAL3 levels per the NIST 800-63-3 guidelines.
For instance, Zoom, the video conferencing platform, can integrate 1Kosmos. As a result, Zoom users can easily use the 1Kosmos app to verify themselves and access their Zoom account the passwordless way!
Interested in creating SSO with 1Kosmos BlockID for your platform? Get in touch!