@ahmad-moussawi
Created November 23, 2021 11:29
What is SSO?

Terminology

  • SSO : Single Sign On
  • IdP : Identity Provider (Azure AD, Okta, Auth0, JumpCloud, etc ...)
  • SP : Service Provider (TreasuryXpress, Outlook.com, Jira.com, etc ...)
  • SAML : Security Assertion Markup Language
  • ADFS : Active Directory Federation Service

Advantages

  • One Centralized Login
  • Easy to add/remove users access
  • Easy to enforce aging policy (password lifetime, etc)
  • Implementing MFA is done by the IdP

Disadvantages

  • Dependent on another provider
  • Complex to set up

SSO Protocols

  • SAML
  • OpenID Connect
  • OAuth 1 (not supported)
  • OAuth 2
  • ADFS (not supported)

SSO Providers

  • Azure Active Directory
  • Okta
  • Auth0
  • JumpCloud
  • OneLogin
  • Custom implementation
  • and many more ...

Login on Behalf (Login by Role)

We support Login On Behalf; it is useful when several real users need to sign in through the same login. A good example is the Support login, which is used heavily within the US team.

OAuth 2

+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+

OpenID Connect

+--------+                                   +--------+
|        |                                   |        |
|        |---------(1) AuthN Request-------->|        |
|        |                                   |        |
|        |  +--------+                       |        |
|        |  |        |                       |        |
|        |  |  End-  |<--(2) AuthN & AuthZ-->|        |
|        |  |  User  |                       |        |
|   RP   |  |        |                       |   OP   |
|        |  +--------+                       |        |
|        |                                   |        |
|        |<--------(3) AuthN Response--------|        |
|        |                                   |        |
|        |---------(4) UserInfo Request----->|        |
|        |                                   |        |
|        |<--------(5) UserInfo Response-----|        |
|        |                                   |        |
+--------+                                   +--------+
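The five steps of the diagram, carried through as an added example that is not part of the original gist: an in-process Relying Party and OpenID Provider running the authorization-code variant of this flow. The issuer URL, client id, redirect URI, client secret and the user record are constructed values; the ID token is signed with HS256 using the client secret so the example needs only the Python standard library (most real OPs use RS256 with keys fetched from their discovery document). The part a service provider should take from it is the RP side: binding the callback to the session with `state`, checking `alg`, signature, `iss`, `aud`, `exp` and `nonce` on the ID token, and cross-checking the UserInfo `sub` before trusting the profile.

```python
"""OpenID Connect authorization-code login between a Relying Party (RP) and an
OpenID Provider (OP), following steps (1)-(5) of the diagram above. Constructed
example: both parties are in-process objects and the ID token is HS256-signed
with the client secret (permitted by OIDC) so it runs on the standard library alone."""
import base64, hmac, json, secrets, time

ISSUER = "https://op.example.test"  # constructed values, not a real OP or client
CLIENT_ID = "treasury-rp"
REDIRECT_URI = "https://rp.example.test/callback"
SECRET = b"constructed-client-secret"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class OpenIDProvider:
    def __init__(self, secret):
        self.secret = secret
        self.users = {"alice": {"sub": "u-1001", "name": "Alice", "email": "alice@example.test"}}
        self.codes, self.access_tokens = {}, {}

    def authorize(self, request, username):
        # (2) AuthN & AuthZ: the end user signs in at the OP; only the registered client is served
        if request["client_id"] != CLIENT_ID or request["redirect_uri"] != REDIRECT_URI:
            raise ValueError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (self.users[username]["sub"], request["nonce"])
        return {"code": code, "state": request["state"]}  # (3) AuthN Response

    def token(self, code):
        sub, nonce = self.codes.pop(code)  # authorization codes are single-use
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now, "exp": now + 300, "nonce": nonce}
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = sub
        return {"id_token": self.sign(claims), "access_token": access}

    def userinfo(self, access_token):  # (5) UserInfo Response
        sub = self.access_tokens[access_token]
        return next(u for u in self.users.values() if u["sub"] == sub)

    def sign(self, claims):
        header, payload = b64url(b'{"alg":"HS256"}'), b64url(json.dumps(claims).encode())
        sig = hmac.new(self.secret, f"{header}.{payload}".encode(), "sha256").digest()
        return f"{header}.{payload}.{b64url(sig)}"

class RelyingParty:
    def __init__(self, op, secret):
        self.op, self.secret = op, secret
        self.pending = {}  # state -> nonce; kept in the browser session in a real RP

    def start_login(self):
        # (1) AuthN Request: state ties the callback to this session, nonce ties the ID token to it
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
                "scope": "openid profile email", "state": state, "nonce": nonce}

    def finish_login(self, response):
        nonce = self.pending.pop(response.get("state"), None)
        if nonce is None:
            raise ValueError("state was not issued by this RP: callback rejected")
        tokens = self.op.token(response["code"])  # code exchange at the OP's token endpoint
        claims = self.validate_id_token(tokens["id_token"], nonce)
        profile = self.op.userinfo(tokens["access_token"])  # (4) UserInfo Request
        if profile["sub"] != claims["sub"]:
            raise ValueError("UserInfo sub does not match the ID token")
        return profile

    def validate_id_token(self, token, expected_nonce):
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never let the token choose the algorithm
        expected = hmac.new(self.secret, f"{header}.{payload}".encode(), "sha256").digest()
        if not hmac.compare_digest(b64url_decode(sig), expected):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(payload))
        for ok, problem in [(claims["iss"] == ISSUER, "wrong issuer"),
                            (claims["aud"] == CLIENT_ID, "ID token issued for another client"),
                            (claims["exp"] > time.time(), "ID token expired"),
                            (claims["nonce"] == expected_nonce, "nonce mismatch: replayed ID token")]:
            if not ok:
                raise ValueError(problem)
        return claims

def run_login(username="alice"):
    op, rp = OpenIDProvider(SECRET), None
    rp = RelyingParty(op, SECRET)
    response = op.authorize(rp.start_login(), username)  # (1) request, (2)+(3) at the OP
    profile = rp.finish_login(response)                   # token exchange, then (4)+(5)
    try:  # a callback carrying a state this RP never issued must be refused
        rp.finish_login({"code": "irrelevant", "state": "not-issued-here"})
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"profile": profile, "forged_state_rejected": forged_rejected}
```

The token-endpoint exchange (`op.token`) sits between steps (3) and (4); the diagram folds it into the AuthN Response. Step (2) is reduced to a dictionary lookup because how the OP authenticates the end user (password, MFA) is the IdP's concern, which is the point of the Advantages list above.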

Refresh Token

  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+
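Both diagrams (the OAuth 2 abstract flow and the refresh-token flow) run end to end in this added example, which is not part of the original gist: an in-process authorization server, resource server and client written for this page. Tokens are random opaque strings rather than JWTs, the access-token lifetime is a constructed value, and a fake clock replaces wall-clock time so the expiry behind step (F) can be triggered deterministically. It also shows two choices the diagram leaves implicit that matter for a service provider: authorization grants are single-use, and refresh tokens are rotated at (H), so a copied refresh token stops working after its first use.

```python
"""OAuth 2 abstract flow (A)-(F) and refresh-token flow (A)-(H) from the two
diagrams above, simulated in-process. Constructed example: the three parties are
plain Python objects, tokens are random opaque strings (not JWTs), and a fake clock
stands in for wall-clock time."""
import secrets

ACCESS_TOKEN_LIFETIME = 60  # seconds; constructed value

class InvalidTokenError(Exception):
    """Raised at (F) by the resource server, and by the AS for a bad grant."""

class FakeClock:
    """Deterministic clock: advance .now instead of sleeping."""
    now = 1_000_000.0
    def __call__(self):
        return self.now

class AuthorizationServer:
    def __init__(self, clock):
        self.clock = clock
        self.grants = {}          # grant -> (subject, scope); single-use
        self.access_tokens = {}   # token -> (subject, scope, expires_at)
        self.refresh_tokens = {}  # token -> (subject, scope); rotated on every use

    def issue_grant(self, subject, scope):
        # (A)/(B): the resource owner authorizes the client, which receives a grant
        grant = secrets.token_urlsafe(16)
        self.grants[grant] = (subject, scope)
        return grant

    def exchange_grant(self, grant):
        # (C)/(D): grant -> access token + refresh token; the grant is consumed
        if grant not in self.grants:
            raise InvalidTokenError("invalid_grant")
        return self._issue_tokens(*self.grants.pop(grant))

    def refresh(self, refresh_token):
        # (G)/(H): new access token and new refresh token; the presented one is retired
        if refresh_token not in self.refresh_tokens:
            raise InvalidTokenError("invalid_grant")
        return self._issue_tokens(*self.refresh_tokens.pop(refresh_token))

    def introspect(self, access_token):
        record = self.access_tokens.get(access_token)
        if record is None or record[2] <= self.clock():
            return None  # unknown or expired
        return record

    def _issue_tokens(self, subject, scope):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access_tokens[access] = (subject, scope, self.clock() + ACCESS_TOKEN_LIFETIME)
        self.refresh_tokens[refresh] = (subject, scope)
        return access, refresh

class ResourceServer:
    def __init__(self, auth):
        self.auth = auth

    def get_resource(self, access_token):
        # (E)/(F): serve the protected resource, or reject the token
        record = self.auth.introspect(access_token)
        if record is None:
            raise InvalidTokenError("invalid_token")
        subject, scope, _ = record
        return f"balance for {subject} (scope={scope})"

class Client:
    def __init__(self, auth, resource):
        self.auth, self.resource, self.access, self.refresh = auth, resource, None, None

    def login(self, grant):
        self.access, self.refresh = self.auth.exchange_grant(grant)

    def fetch(self):
        try:
            return self.resource.get_resource(self.access)
        except InvalidTokenError:
            # (G)/(H): trade the refresh token for a fresh pair, then retry once
            self.access, self.refresh = self.auth.refresh(self.refresh)
            return self.resource.get_resource(self.access)

def run_flow():
    """Drive the refresh-token diagram end to end and report what happened."""
    clock = FakeClock()
    auth = AuthorizationServer(clock)
    client = Client(auth, ResourceServer(auth))
    grant = auth.issue_grant("alice", "read:balance")  # (A)/(B)
    client.login(grant)                                # (C)/(D)
    first = client.fetch()                             # (E)/(F) with a valid token
    old_access, old_refresh = client.access, client.refresh
    clock.now += ACCESS_TOKEN_LIFETIME + 1             # the access token expires
    second = client.fetch()                            # (F) Invalid Token Error, then (G)/(H)
    try:
        auth.refresh(old_refresh)                      # the retired refresh token is refused
        replay_rejected = False
    except InvalidTokenError:
        replay_rejected = True
    return {"first": first, "second": second, "replay_rejected": replay_rejected,
            "rotated": (client.access, client.refresh) != (old_access, old_refresh),
            "grant_consumed": grant not in auth.grants}
```

The client retries exactly once after an Invalid Token Error; if the refresh itself fails (the refresh token was revoked or already rotated away), `InvalidTokenError` propagates and the only correct recovery is to send the user back through (A), which is what a service provider should expect when an IdP administrator removes the user.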