How Does SSO (Single Sign-On) work?
What is SSO?
SSO is a type of authentication process that lets a user log in to multiple applications at once with a single set of credentials. Lots of big tech orgs, like Oracle, use it. When I joined Oracle, I first heard about SSO, and since then I have been curious to learn about it; now I am sharing it with you all.
This type of authentication uses a central authentication server to store the user's credentials, and that server then verifies them on behalf of each application.
There are 3 main components of an SSO authentication system:
1. Identity Provider: This is the central authentication server, the place where the user enters his/her credentials and gets verified. In simpler terms, think of it as the entrance of a high-security building.
2. Service Provider: These are the individual applications that the user tries to access via SSO, for example some tool or platform, or even your work email. Think of them as the small offices inside the high-security building.
3. SSO Server: This acts as a communication bridge between the first two. It has the responsibility of securely transmitting auth tokens between the identity provider and the service provider. Think of it as the connecting corridor between the offices and the entrance of the building.
Benefits of SSO: With SSO, users don't need to log in again and again, so the overall user experience is improved. Password reuse is also reduced, since users have fewer passwords to manage. Permission to enter and use the different applications can also be granted and revoked per user.
Disadvantages of SSO: If an attacker gets hold of a user's SSO credentials, all the sensitive information that user can reach is compromised at once, since a single password is enough to access all the applications. This single point of failure is the most dangerous disadvantage of the system; to tackle it, many companies use authenticator apps, where your mobile phone acts as an additional authentication factor.
SSO Workflow: To understand how SSO works, let us take the example of accessing a particular website using a Google account. Let the website be xyz. If you don't want to remember a ton of passwords, you can use your Google account to log in. This is a good example for understanding the SSO workflow.
When you choose to log in to the website using your Google ID, you select the "use Google account" option and are redirected to a page where you are asked to enter your Google credentials (if you are not already logged in) or to pick one of the Google accounts you are already logged in with. If the credentials are correct, you are automatically logged in to the website.
To explain in more detail:
1. The user requests access: they open the xyz webpage and choose Google account as the login method.
2. The request is redirected to the identity provider: the xyz website redirects the user to the Google login page.
3. The login page is served and the user enters their credentials.
4. Google sends the authentication info to the SSO authorization server.
5. The server returns an auth token if the credentials are valid.
6. Google sends the auth token to the website.
7. In the last step, the website sends the token to the Google authorization server to validate it.
If the entire authorization process is valid, the user is given access to the website.
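As an added illustration (not code from the original post), here is a compact Python model of the workflow above: the authorization server checks the credentials, issues a token signed for website xyz only, and xyz sends the token back for validation before granting access. The user, password and token format are constructed for this example; a real deployment would use a standard such as SAML or OpenID Connect rather than a hand-rolled token.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample user store; a real IdP would keep salted password hashes.
USERS = {"alice": "correct-horse-battery-staple"}


class AuthorizationServer:
    """Plays the identity provider plus the SSO/authorization server from the post:
    checks credentials, issues signed tokens and validates them for websites."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key never leaves this server
        self._revoked = set()                 # token ids revoked by logout or admin

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def login(self, username, password, audience, ttl=300):
        """User enters credentials; a token bound to one website (aud) is returned."""
        expected = USERS.get(username, "").encode()
        if not hmac.compare_digest(expected, password.encode()):
            return None
        claims = {"sub": username, "aud": audience, "exp": time.time() + ttl,
                  "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def validate(self, token, audience):
        """Last step of the workflow: the website sends the token back to be checked."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(self._sign(body).encode(), sig.encode()):
            return None                       # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if (claims["aud"] != audience or claims["exp"] < time.time()
                or claims["jti"] in self._revoked):
            return None                       # wrong website, expired, or revoked
        return claims["sub"]

    def revoke(self, token):
        self._revoked.add(json.loads(base64.urlsafe_b64decode(token.split(".")[0]))["jti"])


class ServiceProvider:   # the website 'xyz': never sees the password, only the token
    def __init__(self, name, auth_server):
        self.name, self.auth = name, auth_server

    def grant_access(self, token):
        user = self.auth.validate(token, audience=self.name)
        return f"{user} has access to {self.name}" if user else "access denied"
```

Note that a token issued for xyz is refused by any other website, and that revoking it (for example on logout) closes the door everywhere at once, which is the flip side of the single point of failure described above.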