The art of single sign-on

In our fast-paced tech era, we're surrounded by countless daily applications. Managing various identities across platforms is a common struggle. Whether at work or in personal accounts, the burden of countless usernames and passwords can be overwhelming. That brings us single sign-on (SSO) – the solution to simplify out digital experience.

What is single sign-on?#

At its core, SSO is a method of authentication that allows a user to access multiple applications or services with a single set of login credentials. Instead of remembering and entering different usernames and passwords for each application, SSO enables users to log in once and gain access to all connected systems seamlessly.

Imagine a world where you no longer need to juggle a myriad of login details for your email, project management tool, and collaboration platforms. That's the promise of SSO.

How does single sign-on work?#

SSO works by establishing a trust relationship between a central identity provider (IdP) and various service providers (SPs). The IdP serves as the authoritative source for user authentication, verifying the user's identity through a single login process. Once authenticated, the IdP generates tokens or credentials that grant the user access to connected SPs without requiring additional logins.

Let's take a closer look at two different SSO models.

A centralized identity and access management (IAM) system#

In this model, SSO operates like a master key within a centralized IAM system, a digital hub. The IdP is the master key that grants access to all connected products. The IdP is responsible for authenticating users and providing them with access to the appropriate resources. Users, upon authenticating once, gain universal access to every connected resources without the need for subsequent logins.

For example you have a SaaS company Alpha, using a centralized IAM system like Logto. The company have developed multiple products:

• A: An internal management service
• B: A client product service
• C: A web application for admins
• D: A native application for clients

Each of the product acts as a SP and the centralized IAM system act as the IdP. The user identity is stored in the IdP and the user can access all the products with a single sign-on.

This is a typical working day for a employee use SSO in Alpha company:

1. User initiates access to admin management functionalities in web application C.
2. Web application C redirects the user to the authentication service for user authentication.
3. The authentication service verifies user credentials by interfacing with the user identity database.
4. User identity database returns user identity information to the authentication service.
5. Authentication service completes the authentication process and returns the result back to web application C.
6. Authenticated user context enables web application C to send an authorized request to service A on behalf of the user for administrative functionalities.
7. User, after making changes, requests access to native application D to verify the modifications.
8. Native application D seeks authentication from the authentication service.
9. Authentication service auto-consents to the authentication request for native application D.
10. Native application D, authenticated, sends an authorized request to service B on behalf of the user.

Bridging identities across different systems: SPs and IdPs#

In a more intricate scenario, various services and applications maintain their distinct identity systems. Here, SSO acts as the mediator between SP and IdP. Users, upon authenticating with the IdP, traverse the digital landscape, are granted access to the SP without the need for additional new identities.

Now, let's zoom out to a broader context. Imagine a global retailer company, Bravo, with an extensive workforce. The company has recently entered into a partnership with your company, Alpha. For Bravo employees to access Alpha's products, a smooth authentication process is essential.

Here's how it works: Bravo, equipped with its own IAM system (IdP), a Bravo employee seeks access to Alpha's products managed by Alpha's IAM system (SP).

1. Bravo employee initiates access to Alpha's client application B.
2. Alpha's client application B redirects the user to Alpha's IAM system for user authentication.
3. Bravo employee seeks for a SSO authentication using Bravo's user identity. Alpha's IAM system redirects the user to Bravo's IAM system for user authentication.
4. Bravo's IAM system verifies user credentials by interfacing with the user identity database.
5. Bravo's user identity database returns user identity information to Bravo's IAM system.
6. Bravo's IAM system redirects the user to Alpha's IAM system with authenticated Bravo user identity context.
7. Alpha's IAM system creates or verifies user Bravo identity by interfacing with it's own user identity database.
8. Alpha's user identity database returns user identity information to Alpha's IAM system.
9. Alpha's IAM system completes the authentication process and returns the result back to Alpha's client application B.
10. Authenticated user context enables Alpha's client application B to send an authorized request to Alpha's product service A on behalf of the user.

Instead of creating a isolated new identity on Bravo employees, Alpha's IAM system delegates the authentication process to Bravo's IAM system. Once Bravo's IAM system verifies the employees, Alpha's IAM system establishes trust, granting Bravo employees smooth access to Alpha's products.

Imagine the same flow for a Bravo employee happens many times a day. Apart from accessing Alpha's products, Bravo employees also need to access other third-party SaaS products, such as Slack, Zoom, and Notion, which you may have already used. With one single SSO authentication, Bravo employees can access all the products without the need for additional new authentication processes.

This is the true power of SSO in facilitating secure and efficient cross-system authentication, ensuring a effortless experience for users in complex business partnerships.

Benefits of single sign-on#

Based on the above scenarios, we can see that SSO offers a wide range of benefits for both users and businesses.

1. Saves time and boosts productivity

   With SSO, users can log in once and navigate between applications, eliminating the need for repetitive logins. This not only saves time but also enhances overall productivity by reducing authentication barriers.

2. Enhances security

   By centralizing authentication through a robust identity provider, SSO can enhance security by adding extra layers of protection. Users can benefit from stronger authentication protocols, such as multi-factor authentication (MFA), provided by the IDP.

3. Globalized user management

   For organizations, SSO simplifies user management by centralizing user access control. Administrators can efficiently add or revoke access across multiple platforms and third-party products through the central identity provider.

Conclusion#

As the digital landscape continues to expand, SSO is becoming increasingly important for businesses to optimize the user access and enhance security. With SSO, users can enjoy a seamless experience across multiple applications, while businesses can benefit from centralized user management and enhanced security. If you pay attention, you'll notice that SSO is everywhere. From social media platforms to enterprise applications, SSO is the key to a smooth and secure user experience. It links the digital world together.