SSO is a master key to open different locks 🔐
📖 Staud, LUC #28: GraphQL vs REST, 2023
Single Sign-On (SSO) enables users to access multiple systems with a single set of credentials, significantly reducing password fatigue and enhancing the user experience.
Let’s delve into the SSO process by examining how a user logs into LinkedIn using Google as the Identity Provider (IdP).
1. User requests access
The user would first attempt to access the Service Provider (LinkedIn). Upon reaching this page, they would be presented with login options, and in this particular instance, they would choose “Sign in with Google.”
2. Authentication request
The Service Provider (LinkedIn) will then redirect the user to the IdP (Google) with an authentication request.
3. IdP checks for active session
Once the IdP (Google) receives the request, it checks for an active session. If it doesn’t find one, authentication is initiated.
4. User submits credentials
At this stage, the user will provide their login credentials, including their username and password, to the IdP.
5. IdP verifies credentials
The IdP will then verify the submitted credentials against its User Directory (database). If the credentials are valid, the IdP will generate an authentication token or assertion.
6. IdP sends token to Service Provider
Once the token or assertion is created, the IdP sends it back to the Service Provider, confirming the user’s identity. This authentication process allows the user to access the Service Provider (LinkedIn).
7. Access granted using existing session
Since the IdP has established a session, when the user attempts to access a different Service Provider (for instance, Canva), they won’t need to re-enter their credentials. From then on, any other Service Provider will request authentication from the IdP, which verifies the existing session and returns a token or assertion, and the Service Provider grants access on the strength of that previously authenticated session.
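As an added example (not code from the original post), here are the seven steps above modelled in Python: a constructed IdP with a user directory and session store, and two constructed Service Providers (linkedin.example and canva.example) that only trust an assertion after checking its signature, issuer, audience, expiry and one-time nonce. The symmetric signing key shared between IdP and SPs is an assumption made for brevity; SAML and OIDC use the IdP's public key so that SPs never hold signing material.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example only: a shared symmetric key stands in for the
# IdP's signing key. Real SAML/OIDC deployments sign with a private key and
# SPs verify with the published public key.
SIGNING_KEY = b"example-shared-secret-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds the user directory and active sessions (steps 3 to 6)."""

    def __init__(self, issuer, key):
        self.issuer, self.key = issuer, key
        self.sessions = {}   # session id -> username
        self.users = {}      # username -> (salt, pbkdf2 hash)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, username, password):
        """Steps 4 and 5: verify credentials against the directory, open a session on success."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id

    def authenticate(self, session_id, audience, nonce):
        """Steps 3 and 6: if a session exists, issue an assertion bound to this one SP."""
        username = self.sessions.get(session_id or "")
        if username is None:
            return None                      # no active session: SP must send the user to log in
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "nonce": nonce, "iat": now, "exp": now + 300}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ServiceProvider:
    """Steps 1, 2 and 6: redirects to the IdP and validates what comes back."""

    def __init__(self, name, idp, key):
        self.name, self.idp, self.key = name, idp, key
        self.pending = set()                 # nonces of authentication requests in flight

    def start_login(self):
        """Step 2: mint a one-time nonce the assertion must echo back."""
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return nonce

    def consume_assertion(self, assertion):
        """Check signature, issuer, audience, expiry and nonce before trusting 'sub'."""
        body, sig = assertion.split(".")
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["iss"] != self.idp.issuer:
            raise ValueError("unexpected issuer")
        if claims["aud"] != self.name:
            raise ValueError("assertion was issued for another service")
        if int(time.time()) >= claims["exp"]:
            raise ValueError("assertion expired")
        if claims["nonce"] not in self.pending:
            raise ValueError("unknown or replayed nonce")
        self.pending.discard(claims["nonce"])  # single use: blocks replay
        return claims["sub"]


def sso_walkthrough():
    """Run the seven steps for LinkedIn, then reuse the IdP session for Canva (step 7)."""
    idp = IdentityProvider("google.example", SIGNING_KEY)
    idp.register("alice", "correct horse battery staple")       # constructed user
    linkedin = ServiceProvider("linkedin.example", idp, SIGNING_KEY)
    canva = ServiceProvider("canva.example", idp, SIGNING_KEY)

    nonce = linkedin.start_login()                                 # steps 1 and 2
    first_try = idp.authenticate(None, linkedin.name, nonce)       # step 3: no session yet
    session = idp.login("alice", "correct horse battery staple")   # steps 4 and 5
    assertion = idp.authenticate(session, linkedin.name, nonce)    # step 6
    linkedin_user = linkedin.consume_assertion(assertion)

    nonce2 = canva.start_login()                                   # step 7: no new login
    canva_user = canva.consume_assertion(idp.authenticate(session, canva.name, nonce2))
    return {"login_required_first": first_try is None,
            "linkedin_user": linkedin_user, "canva_user": canva_user}
```

The audience and nonce checks are the part worth copying: an assertion minted for LinkedIn is rejected by Canva even though the same IdP signed it, and presenting the same assertion twice fails on the second attempt because the nonce has already been consumed.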
Summary
SSO workflows, such as the one illustrated, function on SSO protocols, which are a set of guidelines that dictate the communication and trust mechanisms between the IdP and the Service Provider. Commonly used protocols include Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and OAuth 2.0.