Single Sign-On (SSO) is an authentication system that lets a user log in to multiple applications and services by authenticating once into a master sign-on application with their network credentials. Although it isn't called single sign-on there, this type of authentication system first showed up in Microsoft's Active Directory back in the 1990s.
Benefits of using single sign-on
Strengthens security. For example, user access can be controlled easily from a single application.
Improves user experience. For example, you authenticate once into one application that is integrated into the single sign-on system, and all subsequent authentications are then authorized automatically.
Ease of maintenance. For example, when a password is changed or updated, the user changes it once in the single sign-on subsystem, such as Microsoft's Active Directory or any other LDAP-based authentication subsystem. If you change the password at the prod level, the change affects every prod system integrated into the SSO. In a non-prod environment you usually have to update the password separately.
How does SSO work?
Consider a three-tier application with a web server, an application server, and a database server. The user logs in to the application through a browser on a laptop or any mobile device.
Scenario:
The user launches the application in the browser by typing its URL.
On the back end the URL is integrated with the SSO subsystem, so the request goes to the SSO to launch the web page.
Here even the anonymous user is authenticated, just to launch the web page and display the credential fields.
Once the above step is completed, the user enters their credentials and hits Enter.
This is where the user gets authenticated into the SSO subsystem.
If the user has the proper entitlements and still has access to that application, the user is authorized into the application.
The authentication details are cached in the user's browser in an encrypted form.
Once the user is authenticated into one subsystem, depending on their assigned entitlements, they can log in to other applications without supplying their credentials again.
The SSO session has a time limit. After a certain time the session expires and the user has to log in again.
Requirements for SSO
The user must have the proper entitlements.
These entitlements can be role-based or application-based.
The user must be employed by the company if they want to access the company's network.
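The scenario above (authenticate once, cache a session token, authorize into each application by entitlement, expire after a time limit) as an added example in Python; this is not code from the original post or from any SSO vendor. The identity-provider key, the salt, the user "alice" and her per-application roles are constructed values, and an HMAC-signed JSON token stands in for whatever a real SSO product issues.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; a real SSO uses a managed key and per-user salts.
IDP_KEY = b"constructed-identity-provider-key"
SESSION_TTL = 3600  # seconds: the "time limit" after which the user must log in again
_SALT = b"constructed-salt"
def _pw_hash(password: str, salt: bytes) -> bytes:
    # Slow password hash, so the directory stores no plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user directory: credentials plus a role per application (entitlements).
USERS = {
    "alice": {"salt": _SALT, "pw": _pw_hash("correct horse", _SALT),
              "entitlements": {"payroll": "admin", "wiki": "reader"}},
}

def _sign(payload: bytes) -> str:
    return hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()

def sso_login(user: str, password: str, now=None):
    """The single authentication step: check credentials, then issue the signed
    session token the browser caches ("payload.signature"), or None on failure."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"])):
        return None
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": now + SESSION_TTL, "ent": rec["entitlements"]}
    payload = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def authorize(token: str, app: str, now=None):
    """What each integrated application does with the cached token, without asking for
    a password again: verify signature, reject expired sessions, return the role for `app`."""
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64)
        if not hmac.compare_digest(_sign(payload), sig):
            return None  # tampered or forged token
    except (ValueError, TypeError):
        return None  # malformed token
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return None  # session expired: the user has to log in again
    return claims["ent"].get(app)  # None when the user has no entitlement for this application
```

Each application only ever sees the token, never the password, which is why a user who has been revoked from one application (no entitlement) is still refused there even though the SSO session itself remains valid.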
Vendors of SSO
Ping
Oracle Identity Management
Any LDAP-based application
Microsoft Active Directory