Single Sign-on
Identification
Name: Single Sign-on
Category: Technology
Version: 1.0
Modelling/Architecture Pattern: Architecture
Synonyms: SSO
Contributor(s): EJW
Attribution: Paul Toal (Oracle blogs: https://blogs.oracle.com/cloudsecurity/post/3-patterns-for-delivering-single-sign-on). OWASP (https://owasp.org/www-pdf-archive/OWASP-Single-Sign-On-Vijay.pdf). Auth0.com https://auth0.com/blog/what-is-and-how-does-single-sign-on-work/
Description
Context: Enterprises must protect their valuable information, application and technology resources from unauthorised use, and so often require users to identify and authenticate themselves before they are granted permission to use them.
Problem: the essential problem is how to satisfy these security constraints while minimising the inconvenience to the users, especially in commercial applications. Being asked to supply the same credential information multiple times will quickly become very tedious for users and could lead to pressure to weaken security as a result.
Trade-offs, Design Constraints (Forces): the need for the enterprise to control the use of their assets has to be balanced against the need to provide the user with an agreeable experience. This implies asking for and authenticating users’ credentials the minimum number of times possible. There is also an administrative benefit in trying to locate all users’ security-related information in a single logical place.
Solution Structure: the solution requires the Service Provider (SP, i.e. the supplier of the application resources) to use an Identity Provider (IdP) as a trusted source of authentication information. The IdP holds the users’ credential information along with the resources they have access to and their privileges. The IdP maintains information on active SSO sessions.
Solution Dynamics: The User navigates through their browser to a service provider (SP) at the start of the process. In the SP’s domain there are a number of applications that the user wishes to use.
There is potentially a series of credentials conversations (where a conversation is a group of related messages) between the browser and the SP, whereby the User establishes their identity and authenticates. The information gathered is redirected to the Identity Provider’s domain (IdP), where the information is checked against records held by the IdP concerning user credentials and the applications they have access to. If all goes well the IdP starts an SSO session and issues a token to be passed back to the user for use in subsequent calls.
There is potentially a series of resource conversations between the browser and the service provider which includes the token data. Resource requests are passed by the SP to the IdP with the user’s token. The IdP matches the token with the SSO session and looks up the resource in their records. If all goes well authorization is sent to the SP for the user and the SP releases the resource.
SSO sessions will be closed when the user logs out or on a time-out for inactivity basis.
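A minimal simulation of the dynamics described above, added here as an illustration and not part of the pattern catalogue or any of the attributed sources. The class and method names are constructed, as are the sample user, password, entitlements and idle timeout; time is passed in explicitly so the idle time-out and logout paths can be exercised deterministically.

```python
import secrets

class IdentityProvider:
    """Constructed IdP: holds credentials, per-user resource entitlements and active SSO sessions."""
    def __init__(self, credentials, entitlements, idle_timeout):
        self.credentials = credentials    # user -> secret (stored hashed in a real deployment)
        self.entitlements = entitlements  # user -> set of resources the user may access
        self.sessions = {}                # token -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout  # seconds of inactivity after which a session is closed

    def authenticate(self, user, password, now):
        # Credentials conversation: check the supplied secret; on success start an SSO session
        # and issue an unguessable token for the browser to present on subsequent calls.
        stored = self.credentials.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_seen": now}
        return token

    def authorize(self, token, resource, now):
        # Match the token to a live SSO session, close it if idle too long, then look up the resource.
        session = self.sessions.get(token)
        if session is None:
            return False
        if now - session["last_seen"] > self.idle_timeout:
            del self.sessions[token]
            return False
        session["last_seen"] = now
        return resource in self.entitlements.get(session["user"], set())

    def logout(self, token):
        # Explicit logout closes the SSO session; any further use of the token fails.
        self.sessions.pop(token, None)

class ServiceProvider:
    """Constructed SP: trusts the IdP for every decision and stores no credentials of its own."""
    def __init__(self, idp):
        self.idp = idp

    def login(self, user, password, now):
        # The SP hands the credentials conversation to the IdP rather than checking locally.
        return self.idp.authenticate(user, password, now)

    def get_resource(self, token, resource, now):
        # Resource conversation: the SP passes the token to the IdP and releases the resource
        # only when the IdP confirms the session and the entitlement.
        if self.idp.authorize(token, resource, now):
            return f"contents of {resource}"
        return None
```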
Layers/Aspects of the ArchiMate modelling language used: Layers: Business, Technology. Aspects: Active and Passive Structures.
Variants, Refinements and Combinations: Although many modern applications will be set up for this pattern out-of-the-box using standards like SAML, OAuth or OpenID Connect, legacy apps may not recognise these standards. Hence there are a few variations of this pattern in use, such as:
- An IAM platform can stand in front of the SP and manage access to the SP. This will be used where apps recognise that an external IdP will be used but don’t recognise SAML etc.
- An IAM platform can ‘form fill’ for a legacy app that requires login and expects this to be done as part of the app. The IdP role may be supplied by using social media credentials, which are familiar to many users. Desktop apps written in languages like Java can also be enabled to use this pattern without the need for a browser.
Known Uses: most enterprises recognise the benefit of this pattern to facilitate the user experience while maintaining adequate security. This will be especially true of commercial websites, where the user experience is a priority focus.
Other comments and references: No data