How does SSO (Single Sign On) work

authentication oauth-2.0 single-sign-on
18,848

Solution 1

Well, there are certainly many ways to achieve it, and it can be tricky. I can give you one solution as an example:

Consider two apps on different subdomains:

The Fine Corinthian Turkey Shop (turkey.example.com)
Rent a Baboon (monkey.example.com)

These two web apps want to share signon, and arrange for a third hosted website for their single sign-on:

sso.example.com

Then the flow is:

  1. Frank visits http://turkey.example.com/orders/12
  2. Turkey redirects to https://sso.example.com/login
  3. SSO presents user with login form, validates and issues token
  4. The token is saved in a cookie on SSO.
  5. User is now validated on SSO, but needs to get the token back to turkey.
  6. SSO stores a combination of (Guid, Token, Expiry) on the server, where Guid is a random guid and Expiry is something like 30 seconds.
  7. SSO sets a secure cookie on *.example.com containing the Guid
  8. SSO redirects back to http://turkey.example.com/orders/12
  9. Turkey can now retrieve the ticket from the cookie
  10. Turkey calls SSO server and exchanges the ticket for the token.
  11. Turkey stores token in the browser (typically a cookie)

Now let's imagine that Frank wants some nice juicy baboons to go with that turkey:

  1. Frank visits: http://monkey.example.com/order-in-bulk
  2. Monkey sees that Frank has no stored token and redirects to https://sso.example.com/login
  3. SSO sees that Frank is already logged in as he has a stored token.
  4. SSO stores a new (Guid, token, expiry) triple on the server
  5. Process is identical to the initial login the rest of the way

Solution 2

However, if user opens a browser directly and goes to App B, then how does their session get established with existing token?

If the answer is there's session state on the back-end server, then how does session state match the user logged in App A with the new request for App B?

I would say it's more about cookies and redirects than it is tokens. Tokens are generated once a user's identity is established.

So when you hit App B via your browser, App B redirects your user-agent to the Auth Server (which may in turn redirect you to a SSO site).

The thing to note is that the SSO login request is actually an HTTP request between your browser and the SSO server.

So the SSO cookie is already there - because earlier, App A would have also redirected your user-agent to the Auth / SSO server where the login was performed. The SSO server could then persist a cookie between you and it.

I can see if I login to App A and retrieve a token then launch App B from App A by passing the token to App B.

I'm not sure I understand about App A passing its token to App B. Usually Apps (Oauth 2.0 clients) would not share tokens. App B should make its own request to the Auth server which (if the user is signed in) may skip the login part but would then need to verify that :

  1. App B has rights to the scopes requested and that

  2. the signed-in user has granted access to those scopes.

If the user is logged in and has previously approved scope access then all this processing is seamless to the end user other than a bunch of redirects.

This assuming you use the Implicit grant flow (I noted that one of your apps is an angularjs app).

If you use the code, password or client-credentials Oauth2.0 grants then you may receive a refresh token after initial user login and consent.

The refresh token equates to long-term access (for that app only) without the need again for login and consent from the end-user more than once.

Share:
18,848
Tom Schreck
Author by

Tom Schreck

I've been in the IT industry since 1996. I started out developing MS Access applications then started developing web based apps in 1997 using ColdFusion. I started developing .Net apps in 2005. I've added mobile development in 2010. I'm a very big proponent of MVC. I love working with jQuery, jQuery Mobile, and doing UI development. I've created a code generator using T4 templates for generating stored procs, views, C# code for repository, business library, and data contracts. I'm currently working for Solutia Consulting.

Updated on June 26, 2022

Comments

  • Tom Schreck
    Tom Schreck about 2 years

    I'm trying to wrap my head around SSO. It's my understanding that SSO allows you to login once and get access to multiple apps (if you have rights). So, I log into App A. I establish a token. How does that token become available to App B so I do not have to login to App B again (assuming user has rights to A and B)? My Apps are AngularJs apps. I access .Net WebAPis for data.

    I can see if I login to App A and retrieve a token then launch App B from App A by passing the token to App B. This way App B has the token and can send to server to make sure user has access to B. However, if user opens a browser directly and goes to App B, then how does their session get established with existing token?

    If the answer is there's session state on the back-end server, then how does session state match the user logged in App A with the new request for App B?

    Thanks.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

flutter_web_auth doesn't redirect from WebView to the app after authorizing the access to my data in Flutter
How to use nativeclient redirect URI when authenticating with Microsoft Azure?
Sample cypress script to bypass SSO
How to integrate Azure AD SSO in flutter app
Google OAuth2: Required parameter is missing: grant_type
How to OAuth 2.0 with Retrofit Android
Web API 2 OAuth Bearer Tokens with Custom Authentication
Instagram API returning 400 (Bad Request)
OAuth2 Password Grant Type with Client_Id & Client_Secret
Facebook Access Tokens - Server-Side Authentication