Brief about Single Sign-On (SSO)
There are different approaches to authenticating on a website, and Single Sign-On (SSO) is one of them.
Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. … All thanks to Wikipedia!
In simple words, it is an approach where users use a single set of credentials for various applications. That means a user has to authenticate only once and is spared the effort of providing credentials again and again for every application.
SSO has a centralized authentication server that all the other applications use for authentication, which saves time and effort and reduces the risk of improper password storage.
How does SSO work:
There are two main components, the Service Provider (SP) and the Identity Provider (IdP), plus the user's web browser.
- The user's browser sends a request to the service provider.
- The service provider sends an authentication request back to the user's browser.
- Via the browser, the access request is sent to the identity provider.
- The identity provider asks for the user's credentials if necessary; otherwise it proceeds with the token response to the user's browser.
- The token, carrying the user's identity, is now sent to the application's endpoint, which passes it on to the Identity Provider.
- The Identity Provider sends its response to the browser: the token was received, the user is validated, and access is granted.
The SSO frameworks and protocols:
There are three SSO frameworks and protocols: OAuth 2.0, OpenID, and SAML. Let's look briefly at the differences between them.
OAuth 2.0: Open Authorization (OAuth) 2.0 is a framework that controls authorization to a protected resource, such as an application or a set of resources. When we sign up for a new application, let's say Instagram, and then allow Instagram to access our contacts, that is where OAuth 2.0 comes into the picture. With it, an application can access resources from a web server on behalf of the user without requiring the user's credentials. Here, the identity provider (IdP) issues tokens to third-party applications with the user's approval.
OpenID: OpenID Connect is the industry standard that organizations use to authenticate users. It is built on the OAuth 2.0 protocol and adds a JSON Web Token (JWT) called the ID token. It also standardizes scopes and endpoint discovery, which OAuth 2.0 on its own does not. It mainly deals with user authentication and is used for logins in web and mobile applications. When we use Google sign-in to authenticate to applications like Medium or YouTube, OpenID comes into the picture. Identity Providers (IdPs) use it so that users can sign in to the IdP and then access other websites and apps without having to log in again or share their sign-in information.
SAML: The Security Assertion Markup Language (SAML) is also an SSO protocol; it authenticates users through message exchanges in XML SAML format. Enterprise applications typically use this kind of authentication mechanism. We have all experienced SAML authentication in the work environment: once logged in to the office intranet, we can access Workday or Salesforce without authenticating again. It is an XML-based standard for exchanging authentication and authorization data between IdPs and service providers to verify the user's identity and permissions.
NOTE: The Burp Suite extension 'SAML Raider' can be used to check or test for SSO-related vulnerabilities while performing penetration testing.