Authentication and SSO

Question 1

What is SSO?

Answer 1

Single sign on.

Tackles the situation when two applications at different domains want to use the same login information, and for users logged in at one of the domains to be logged in at the other one as well.

The concept behind it is: There is a central domain, through which authentication is performed, and then the session is shared with other domains in some way.

Question 2

What is the flow without SSO?

Answer 2

1. User browses to domain1
2. domain1 asks for credentials, and authenticates the user
3. domain1 stores user’s cookies in Browser Cookie storage
4. User browses to domain2
5. domain2 asks for credentials and authenticates user
6. domain2 stores user’s cookies in Browser Cookie storage

Question 3

What does the Same origin policy prevent?

Answer 3

One domain of accessing the cookies of another domain. The policy dictates that cookies can only be accessed by its creator (domain that originally requested the data to be stored).

This forbids 2 domains of sharing session informations

Question 4

What problem does SSO want to solve?

Answer 4

Sharing session infomation across different domains

Question 5

What is one way to implement SSO?

Answer 5

A central domain generates a signed JSON Web Token (JWT), which may be encrypted using JSON Web Encryption (JWE).

This token is passed to the client and used by the authentication domain as well as any other domains.

This domain contains all information needed to identify the user for the domain requiring authentication.

Question 6

What are some challenges of Non-SSO?

Answer 6

Not user friendly

For administrator or developer, it is hard to manage authentication of multiple apps. There are also some security risks regarding this.

Question 7

What is the flow of SSO?

Answer 7

1. User clicks the link to log in and access service. This is done to the Service provider
2. The service provider redirect the user to the Identity provider to authenticate
3. The identity provider sees that the user is not authenticated, requests credentials
4. User types in credentials to authenticate
5. Identity provider communicates to the service provider that the credentials were correct, and that the authentication is ok
6. The service provider then sends a cookie to the User

Question 8

What is SAML?

Answer 8

Security Assertion Markup Language

XML based

Question 9

Name some SSO trends

Answer 9

From SOAP/XML to HTTP/JSON (more lightweight)

Social sign-in (FB, google)

OpenID Connect (auth) and OAuth 2.0 (authorization)

From auth only to API authorization (and data access)

Question 10

What is OpenID Connect?

Answer 10

Used for authentication

Uses ID token

Logs users in (SSO)

Make user accounts available in other systems

Question 11

What is OAuth 2.0?

Answer 11

Used for authorization

Uses Access token

Gets access to your API

Gets access to user data in other systems

Used when you want to give an app permissions to access your data in another application

Question 12

Describe a scenario where OAuth is used

Answer 12

You allow an app to send “merry christmas” to your FB friends on behalf of you

The app needs access to friend list

Instead of giving app credentials, you give the app a key/access token that gives it permissions to get access to you FB friend list