A ripple widening from a single stoneWinding around the waters of the world.
—Theodore Roethke, American poet, from The Far Field (1964)
Now that we’ve covered sessions, we can discuss single sign-on (SSO), starting with what it is and why it is valuable. We’ll also cover how it works and considerations for attributes of single sign-on sessions to help you design SSO for your projects.
What Is SSO?
Single sign-on is the ability for a user to authenticate once and access multiple applications without having to log in again. It is usually enabled by using an identity provider. This chapter will focus on SSO and assumes a set of applications that use either OIDC or SAML 2.0, use the same identity provider and are accessed via the same browser, or, in the case of native applications, at least use the same browser when delegating authentication to the identity provider. Once authenticated, a user enjoys single sign-on access to applications as long as their identity provider session (SSO session) has not expired or been terminated.
Single sign-on can aid a variety of scenarios. In consumer-facing environments, for example, a user might enjoy single sign-on across multiple applications that allow the user to log in via Google Sign-In.i In an enterprise environment, an employee might enjoy single sign-on across internal and cloud applications that leveraged their company identity provider for authentication. In universities, students, professors, and administrators might enjoy single sign-on across university applications leveraging a university identity provider.
Single sign-on offers many benefits. For users, single sign-on offers the convenience of not having to authenticate as often, fewer usernames and passwords to remember, and no exposure of their credentials to applications. Application owners can delegate to the identity provider the work for implementing login pages, credential validation, secure storage of credentials, and some account recovery features. For a business or organization, single sign-on additionally provides a single place at which to implement and enforce authentication policy, different forms of authentication, account recovery, logging, and account termination. It’s easier to enforce best practices in a single place than in many individual applications. SSO also improves security to the extent that users with only one password to remember are less likely to write it down on the proverbial sticky note or whiteboard.
There are, however, a few trade-offs with single sign-on. Implementing single sign-on creates a gateway to your application with the potential to be a single point of failure. A centralized service also provides a single point of attack. To mitigate these risks, it’s essential to select an identity provider that is designed to be highly available and implements security best practices. An identity provider also has greater visibility of user activity and the ability to track users across sites, which can be a privacy concern. When selecting an identity provider, users and businesses should perform due diligence evaluation of the privacy features and security certifications of a provider before entrusting their application’s authentication to it.
How SSO Works
Single Sign-On
If the user then visits application 2 with the same browser, the second application detects that the user has not yet logged in to it and redirects the user to the identity provider. The user’s browser includes the identity provider cookie with the request, so the identity provider uses the cookie to detect the user already has an authenticated session at the identity provider. It checks if the user’s session is still valid and, if so, redirects the user’s browser back to the second application with the requested security token(s) without prompting the user for credentials. The second application then creates or updates a local session for the user (and possibly a cookie) as appropriate for the type of application it is. The user can continue to access subsequent applications or come back to the first two, without signing in again, as long as their session at the identity provider, often called their SSO session, remains valid.
There are various reasons that the user’s session might become invalid. It might have timed out as described in Chapter 10. Alternatively, the session might have been terminated at the identity provider by an administrator or if the user logged out of the identity provider. The user might have even logged out of another application that triggered a logout request to end the identity provider session. We’ll cover more about logout scenarios in Chapter 13. Regardless of the reason, if a user is redirected to an identity provider with an authentication request and their session is no longer valid, the identity provider will prompt the user to reauthenticate (unless the request contained authentication request parameters to suppress active authentication).
Even with a valid SSO session, there are situations where the user still has to interact with the identity provider. If the user visits an application that requests API authorization to call an API on the user’s behalf, and the identity provider is also the authorization server for the API, the identity provider will prompt the user for consent for the API access. If the user visits an application that requires a session with a stronger or different form of authentication than that used to establish their existing session, the user will be prompted to meet the new application’s authentication requirements. If an application includes in its authentication request a parameter to force authentication, the user will need to reauthenticate. Similarly, a parameter can be used to specify a maximum length of time that can elapse between active authentications, and this may trigger a need for a user to reauthenticate as well. In the absence of such special cases, SSO enables a user to access multiple applications after authenticating once, until their authentication session expires.
SSO Session Attributes
When implementing single sign-on with an identity provider you control, there are several features to configure, from session duration to the strength of the authentication mechanisms used as well as the login page branding and mechanisms available for terminating sessions.
SSO Session Duration
The length of the SSO session, often specified in terms of maximum and idle timeouts, should be configured, keeping in mind the sensitivity of the applications relying on the SSO session; however, it is possible to accommodate applications with different requirements. If an application using OIDC requires a user to actively authenticate more frequently than an identity provider session would require, the “max_age” parameter in the authentication request can be used to specify the maximum allowed time, in seconds, that can elapse since the user was last actively authenticated. The use of this parameter requires the identity provider to actively authenticate the user again if the value of max_age in an authentication request is less than the elapsed time since the user last authenticated. Applications should still check the auth_time claim in the ID Token to ensure the requested max_age was followed.
An application can enable a user to remain active in the application without reauthenticating for a longer time than an identity provider session by using a longer application session timeout.
Multiple Identity Providers
Authentication Broker with Multiple Identity Providers
Authentication Mechanisms
An identity provider should be selected and configured to support the specific authentication mechanisms required by the applications leveraging the session. Applications can use parameters in the authentication request to specify desired classes of authentication mechanisms. For example, one application might require only a username/password login, whereas another application might require a stronger form of authentication such as a one-time password. Stronger forms of authentication are discussed in the next chapter.
Login Page Branding
In terms of user experience, the login page for an SSO session should make it clear what the user is logging in to. For example, if an employee is redirected to a corporate identity provider, it is helpful for the login page to be branded to identify it as the corporate login page. We’ll talk more about logout in Chapter 13, but it should be easy for users to terminate the sessions created when they log in. If the user’s login creates an SSO session, but the application only performs a local application logout, users may not realize another step is needed to terminate the SSO session. In designing or configuring login pages, it should be clear through branding and other means what the user is logging in to and how to terminate any sessions when done.
Summary
Single sign-on is the ability to log in once and access multiple applications that rely on the same identity provider without having to reauthenticate for each application. Single sign-on offers convenience to users and provides a centralized administration point for authentication policy. Application owners should ensure the characteristics of a single sign-on session at an identity provider are compatible with their requirements for factors such as session duration and the strength of authentication required. Speaking of authentication strength, the next chapter is going to discuss exactly that in more detail.
Key Points
Single sign-on is the ability for a user to authenticate once and access multiple applications that delegate authentication to the same identity provider without the user reauthenticating to each application.
Single sign-on with an identity provider avoids exposure of user credentials to applications.
The use of an identity provider may relieve developers of the work to build login pages and account recovery mechanisms in each application.
The use of an identity provider for single sign-on provides a single place to administer authentication policy and a single account shut-off point.
Single sign-on can create a single point of failure if not designed to be highly available as well as secure.
Identity providers should be configured with session settings appropriate for the applications relying on the identity provider.