Authentication and SSO Flashcards

1
Q

What is SSO?

A

Single sign on.

Tackles the situation where two applications on different domains want to accept the same login, so that a user who has signed in at one of them is also signed in at the other.

The idea behind it: one central domain performs the authentication, and the resulting session is then shared with the other domains in some way.

2
Q

What is the flow without SSO?

A
  1. User browses to domain1
  2. domain1 asks for credentials and authenticates the user
  3. domain1 sets its own session cookie, scoped to domain1, in the browser's cookie store
  4. User browses to domain2
  5. domain2 asks for credentials again and authenticates the user
  6. domain2 sets its own session cookie, scoped to domain2, in the browser's cookie store
3
Q

What does the Same origin policy prevent?

A

One domain from reading the cookies (and other client-side state) of another domain. Strictly speaking, cookies are governed by the browser's cookie scoping rules rather than by the same-origin policy itself: a cookie is only sent to, and only readable by, the host (or the Domain attribute) that set it. Either way, domain1 and domain2 cannot see each other's session cookies.

This is what stops two unrelated domains from simply sharing session information.

4
Q

What problem does SSO want to solve?

A

Sharing session information across different domains without breaking the browser's isolation between them.

5
Q

What is one way to implement SSO?

A

A central domain authenticates the user and issues a signed JSON Web Token (JWT); if the claims are sensitive it may additionally be encrypted using JSON Web Encryption (JWE).

The token is handed to the client (the browser), which presents it to the authentication domain and to any other domain that trusts the central domain.

The token carries everything the receiving domain needs to identify the user (issuer, subject, audience, expiry). That domain must verify the signature, issuer, audience and expiry before establishing its own session; a token it cannot verify is worth nothing.
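The token half of this scheme, as an added example written for this page (not code from the original page): a hypothetical central domain `https://sso.example` mints a JWT naming the application domains allowed to accept it, and a relying domain checks algorithm, signature, issuer, audience and expiry before trusting the claims. The key, domain names, user and timestamps are all constructed. It uses an HS256 shared key so it runs on the standard library alone; a real deployment would sign with the issuer's private key (RS256/ES256) so relying domains only ever hold the public key.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical central domain; the application domains that trust it appear in "aud".
ISSUER = "https://sso.example"
# Constructed demo key shared between issuer and relying domains (asymmetric keys in practice).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, subject: str, audiences: list, now: int, ttl: int = 300) -> str:
    """Central domain: build and sign an HS256 JWT listing the domains allowed to accept it."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audiences, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, my_domain: str, now: int) -> dict:
    """Relying domain: accept the token only if alg, signature, issuer, audience and expiry all hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm (alg=none, key confusion)
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))  # trust the claims only after the signature checks
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if my_domain not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this domain")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def _rejected(key: bytes, token: str, domain: str, now: int) -> bool:
    try:
        verify_token(key, token, domain, now)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Mint once at the central domain, accept at two app domains, then try the usual attacks."""
    now = 1_700_000_000  # constructed clock value
    token = mint_token(SHARED_KEY, "alice", ["app1.example", "app2.example"], now)
    h64, p64, s64 = token.split(".")
    # Attacker rewrites the payload (sub -> admin) but cannot produce a matching signature.
    forged = _b64url(json.dumps({"iss": ISSUER, "sub": "admin", "aud": ["app1.example"],
                                 "iat": now, "exp": now + 300}).encode())
    tampered = f"{h64}.{forged}.{s64}"
    # Attacker strips the signature and sets alg=none.
    unsigned = _b64url(b'{"alg":"none","typ":"JWT"}') + f".{p64}."
    return {
        "app1_subject": verify_token(SHARED_KEY, token, "app1.example", now)["sub"],
        "app2_subject": verify_token(SHARED_KEY, token, "app2.example", now)["sub"],
        "other_domain_rejected": _rejected(SHARED_KEY, token, "evil.example", now),
        "tampered_rejected": _rejected(SHARED_KEY, tampered, "app1.example", now),
        "alg_none_rejected": _rejected(SHARED_KEY, unsigned, "app1.example", now),
        "expired_rejected": _rejected(SHARED_KEY, token, "app1.example", now + 301),
    }
```

The audience check is the part people forget: without it, a token minted for app1 can be replayed against app2 by anyone who captured it, which defeats the point of a central issuer scoping what each token is for.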

6
Q

What are some challenges of Non-SSO?

A

Not user friendly: the user has to sign in separately to every application and keep a separate password for each.

For administrators and developers it is hard to manage authentication across multiple apps: every app has its own credential store to protect, password policies drift apart, and off-boarding a user means touching every app. Separate passwords also invite password reuse, so a breach of one app can expose the others.

7
Q

What is the flow of SSO?

A
  1. The user clicks the link to log in and access the service. This request goes to the Service Provider (SP)
  2. The SP redirects the user's browser to the Identity Provider (IdP) to authenticate
  3. The IdP sees that the user has no session yet and asks for credentials
  4. The user enters their credentials and the IdP authenticates them
  5. The IdP tells the SP that authentication succeeded, normally by redirecting the browser back to the SP with a signed assertion or token, which the SP verifies
  6. The SP then sets its own session cookie for the user. At the next SP, steps 3 and 4 are skipped because the IdP already has a session for that browser
8
Q

What is SAML?

A

Security Assertion Markup Language

XML-based standard for passing authentication (and authorization) assertions from an identity provider to a service provider; the classic enterprise SSO protocol. The assertions are signed with XML Signature, and the service provider must validate that signature before trusting them.

9
Q

Name some SSO trends

A

From SOAP/XML (SAML) to HTTP/JSON (OAuth 2.0, OpenID Connect), which is more lightweight

Social sign-in (Facebook, Google)

OpenID Connect (authentication) and OAuth 2.0 (authorization)

From authentication only to API authorization (and delegated data access)

10
Q

What is OpenID Connect?

A

Used for authentication; an identity layer built on top of OAuth 2.0

Uses an ID token (a signed JWT that describes the authenticated user)

Logs users in (SSO)

Makes user accounts available in other systems

11
Q

What is OAuth 2.0?

A

Used for authorization (delegated access), not for authentication on its own

Uses an access token

Gets access to your API

Gets access to user data in other systems

Used when you want to give an app permission to access your data in another application, limited to the scopes you grant, without handing the app your password

12
Q

Describe a scenario where OAuth is used

A

You allow an app to send "merry christmas" to your FB friends on your behalf.

The app needs access to your friend list.

Instead of giving the app your credentials, you give it a key (an access token) that grants only the permission to read your FB friend list; you can revoke that token later without changing your password.
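The scenario above, and the redirect-based flow from the SSO flow card, as an added, constructed simulation written for this page (not code from the original page or from any real provider): a hypothetical social network `social.example` runs an OAuth 2.0 authorization server and a friends API, and the hypothetical third-party `xmas-app` is the client. All names, URLs, the client secret and alice's friend list are made up, and the three parties talk by direct calls instead of HTTP. It shows the standard authorization code grant: the browser carries the request to the provider and the code back to the client (front channel), the client swaps the code for an access token using its own credentials (back channel), and the API enforces only the scope the user actually granted.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data for the hypothetical social network and client app.
USERS = {"alice": {"friends": ["bob", "carol"]}}
CLIENT_ID, CLIENT_SECRET = "xmas-app", "constructed-client-secret"
REDIRECT_URI = "https://xmas-app.example/callback"


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Hypothetical authorization server of social.example (OAuth 2.0 authorization code grant)."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes, self.tokens = {}, {}  # single-use codes; access_token -> {"user", "scope"}

    def authorize(self, authorize_url: str, user: str, granted_scope: str) -> str:
        """Front channel: the logged-in user approves the request; redirect back with a code."""
        q = _query(authorize_url)
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code" or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid authorization request")  # never redirect to an unregistered URI
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "user": user, "scope": granted_scope}
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Back channel: authenticate the client and swap the single-use code for an access token."""
        client = self.clients.get(client_id)
        if (client is None or not secrets.compare_digest(client["secret"], client_secret)
                or client["redirect_uri"] != redirect_uri):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a replayed code is refused
        if grant is None or grant["client_id"] != client_id:
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}


class ResourceServer:
    """Hypothetical friends API: each call checks the token and the scope the user actually granted."""

    def __init__(self, auth: AuthorizationServer):
        self.auth = auth

    def _check(self, bearer: str, needed_scope: str):
        info = self.auth.tokens.get(bearer)
        if info is None:
            return 401, None
        return (200, info["user"]) if needed_scope in info["scope"].split() else (403, None)

    def get_friends(self, bearer: str):
        status, user = self._check(bearer, "friends:read")
        return status, (list(USERS[user]["friends"]) if status == 200 else None)

    def post_message(self, bearer: str, text: str):
        status, user = self._check(bearer, "publish")
        return status, (f"{user}: {text}" if status == 200 else None)


class ClientApp:
    """The third-party app: it never sees the user's password, only the code and the access token."""

    def __init__(self, auth: AuthorizationServer):
        self.auth, self.pending_state = auth, None

    def start(self, scope: str) -> str:
        self.pending_state = secrets.token_urlsafe(16)  # bound to this browser session
        return "https://social.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": scope, "state": self.pending_state})

    def callback(self, redirect_url: str) -> dict:
        q = _query(redirect_url)
        if self.pending_state is None or q.get("state") != self.pending_state:
            raise ValueError("state mismatch")  # login CSRF / attacker-injected code
        self.pending_state = None
        return self.auth.token(CLIENT_ID, CLIENT_SECRET, q["code"], REDIRECT_URI)


def _raises(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> dict:
    auth = AuthorizationServer()
    api, app = ResourceServer(auth), ClientApp(auth)
    back = auth.authorize(app.start("friends:read publish"), "alice", "friends:read")  # alice grants read only
    token = app.callback(back)["access_token"]
    replay = _raises(lambda: auth.token(CLIENT_ID, CLIENT_SECRET, _query(back)["code"], REDIRECT_URI))
    app.start("friends:read")  # a new login attempt gets a new state...
    forged = _raises(lambda: app.callback(back))  # ...so a callback carrying the old one is refused
    return {"friends": api.get_friends(token), "post": api.post_message(token, "merry christmas"),
            "replay_rejected": replay, "forged_callback_rejected": forged}
```

Four checks carry the security of this flow and are worth recognising in any real implementation: the authorization server only redirects to the registered `redirect_uri`, the client refuses a callback whose `state` it did not issue, each code is exchanged at most once, and the API enforces the granted scope rather than the scope the app asked for (alice asked to be left out of "publish", so the "merry christmas" post is refused with 403).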
