SSO – Explained

Why SSO

When a user wants to log on to multiple applications within an enterprise, he needs to maintain that many usernames and passwords.

Disadvantages of this approach

  • Inconvenience – the user has to remember many usernames and passwords
  • RSO (Reduced Sign On) – passwords are considered the least secure form of authentication

What is SSO

SSO (Single Sign On) is the feature that lets a user enter the same credentials once to log on to multiple applications within the same enterprise/domain. The user signs into a centrally administered Login Server through a central web portal.

SSO can also work across enterprises/domains through federation.

Advantages of this approach

  • Convenient, as the user only has to remember one username/password
  • Easy administration, as user accounts are created centrally. Changing a password is a breeze
  • Usually an LDAP-based store is used to hold the user accounts centrally

Components of Single Sign On

  • Login Server – When the user first logs on to an enterprise application, the Login Server will
    • Authenticate the user using the credentials provided
    • Share the user’s identity with the other applications
    • Mark the authenticated user with an encrypted login cookie
    • Within the session, when the user tries to access the same page again, the Login Server first checks for the login cookie to get the user’s identity. If there is no cookie, the user is challenged with a login prompt
  • SSO API
    • Enables applications to communicate with the Login Server to accept the validated user’s identity
    • Lets the administrator manage application associations with the Login Server

SSO-supported application types

SSO supports the following types of applications:

  • Partner Applications
    • Integrated with the Login Server
    • Accept the validated user through the SSO API
  • External Applications
    • Web-based applications that authenticate the user themselves instead of delegating to the Login Server

Various Single Sign On Use Cases


Authenticating to the Login Server

  • The Login Server first checks for a login cookie in the user’s browser. If found, the user’s identity is retrieved from the encrypted login cookie
  • If no login cookie is found, the Login Server prompts the user for a username and credentials
  • The Login Server authenticates the user. On successful authentication, a login cookie carrying the user’s identity is set in the client browser
  • The login cookie expires when the session expires or when the user exits the browser. The administrator can also set the expiry time of the cookie

Accessing a Partner Application

  • The user directly accesses the partner application for the first time in the session. The partner application then redirects the request to the Login Server for authentication
  • After a successful logon, the Login Server transparently redirects the user back to the partner application. The redirect URL carries the user’s identity as an encrypted parameter
  • The partner application then
    • Decrypts the parameter
    • Identifies the user
    • Establishes a session for the user
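The two flows above (authenticating to the Login Server, then reaching a partner application) as one added, self-contained example. This is not code from the original post and not any vendor's SSO product; the class names, the cookie name SSO_LOGIN, the sso_ticket parameter, the claim names (sub, aud, exp) and the sample users and URLs are all assumed or constructed here. The post says the login cookie and the redirect parameter are encrypted; this example protects them with an HMAC-SHA256 tag instead (integrity, not confidentiality), because that is what the Python standard library offers, so the username inside the ticket is readable. The partner ticket is also scoped to one partner (aud), short-lived and single-use, which is what stops a copied redirect URL from being reused.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed token format: base64url(JSON claims) "." hex(HMAC-SHA256 over that body).
def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(key: bytes, claims: dict) -> str:
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def read_token(key: bytes, token: str, now: int):
    """Return the claims if the MAC verifies and the token has not expired, else None."""
    body, sep, mac = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                       # forged or altered token
    try:
        claims = json.loads(_b64d(body))
    except ValueError:                    # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None                       # lifetime set by the administrator has passed
    return claims

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginServer:
    """Central Login Server: checks the login cookie, challenges if absent, issues partner tickets."""
    def __init__(self, key: bytes, users: dict, cookie_ttl: int = 3600):
        self.key = key                    # key protecting the login cookie (assumed)
        self.users = users                # username -> (salt, pbkdf2 hash); constructed sample store
        self.cookie_ttl = cookie_ttl      # administrator-set cookie expiry, in seconds
        self.partner_keys = {}            # partner id -> key shared through the SSO API (assumed)

    def register_partner(self, partner_id: str, key: bytes) -> None:
        self.partner_keys[partner_id] = key

    def login(self, username: str, password: str, now: int):
        """The challenge step: returns the login cookie value on success, None on failure."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        return make_token(self.key, {"sub": username, "exp": now + self.cookie_ttl})

    def handle_partner_request(self, partner_id: str, return_url: str, cookies: dict, now: int):
        """A partner app redirected the user here. Valid cookie -> transparent redirect back
        with a short-lived ticket; missing, expired or forged cookie -> login challenge."""
        identity = read_token(self.key, cookies.get("SSO_LOGIN", ""), now)
        if identity is None:
            return ("challenge", None)
        ticket = make_token(self.partner_keys[partner_id],
                            {"sub": identity["sub"], "aud": partner_id, "exp": now + 60})
        return ("redirect", return_url + "?" + urlencode({"sso_ticket": ticket}))

class PartnerApp:
    """Partner application integrated with the Login Server through the ticket parameter."""
    def __init__(self, partner_id: str, key: bytes, login_url: str):
        self.partner_id, self.key, self.login_url = partner_id, key, login_url
        self.sessions = {}                # local session id -> username
        self.used_tickets = set()         # tickets are single-use: a captured URL cannot be replayed

    def handle_request(self, url: str, session_id, now: int):
        if session_id in self.sessions:
            return ("ok", self.sessions[session_id])   # existing session, no SSO round trip
        parsed = urlparse(url)
        ticket = parse_qs(parsed.query).get("sso_ticket", [None])[0]
        if ticket is None:                             # first visit: send the user to the Login Server
            return_url = parsed._replace(query="").geturl()
            return ("redirect_to_login", self.login_url + "?" +
                    urlencode({"partner": self.partner_id, "return": return_url}))
        claims = read_token(self.key, ticket, now)
        if claims is None or claims.get("aud") != self.partner_id or ticket in self.used_tickets:
            return ("reject", None)
        self.used_tickets.add(ticket)
        sid = secrets.token_hex(16)
        self.sessions[sid] = claims["sub"]             # establish the partner's own session
        return ("session", sid)

def demo(now: int = 1_700_000_000) -> dict:
    """Walk both flows with constructed data and return the outcome of each step."""
    salt = secrets.token_bytes(16)
    server = LoginServer(secrets.token_bytes(32),
                         {"alice": (salt, hash_password("correct horse", salt))})
    partner_key = secrets.token_bytes(32)
    server.register_partner("payroll", partner_key)
    app = PartnerApp("payroll", partner_key, "https://login.example.test/sso")
    cookies, home, out = {}, "https://payroll.example.test/home", {}
    out["first_visit"] = app.handle_request(home, None, now)[0]                    # redirect_to_login
    out["no_cookie"] = server.handle_partner_request("payroll", home, cookies, now)[0]  # challenge
    out["wrong_password"] = server.login("alice", "wrong", now)                     # None
    cookies["SSO_LOGIN"] = server.login("alice", "correct horse", now)
    kind, url = server.handle_partner_request("payroll", home, cookies, now)
    out["after_login"] = kind                                                       # redirect
    kind, sid = app.handle_request(url, None, now + 5)
    out["partner"] = kind                                                           # session
    out["session_user"] = app.handle_request(home, sid, now + 10)[1]                # alice
    out["replay"] = app.handle_request(url, None, now + 6)[0]                       # reject (used)
    _, url2 = server.handle_partner_request("payroll", home, cookies, now + 1)
    out["expired"] = app.handle_request(url2, None, now + 200)[0]                   # reject (exp)
    out["tampered"] = app.handle_request(url.replace("sso_ticket=", "sso_ticket=A"), None, now)[0]
    out["cookie_expired"] = server.handle_partner_request("payroll", home, cookies, now + 4000)[0]
    return out

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:15} {result}")
```

The partner app never sees the user's password: it only learns the identity the Login Server vouched for, and it keeps its own session afterwards, exactly as the list above describes. Three checks in the partner's ticket handling carry the security weight: the MAC (a modified parameter is rejected), the audience claim (a ticket issued for one partner is useless at another), and the single-use set plus 60-second lifetime (a redirect URL copied from a log or proxy cannot be replayed). The cookie check on the Login Server side shows the same expiry rule the post attributes to the administrator.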

