Overview of Single Sign-On (SSO)
Single Sign-On (SSO) is a mechanism that allows users to access multiple independent systems and applications with a single authentication (login). This eliminates the need for users to enter an ID and password for each system, improving convenience. For system administrators, it also reduces the user-management burden and improves security, since users have fewer passwords to manage and are therefore less likely to reuse them.
The main implementation methods for SSO include:
- Agent Method: Software called an “agent” is installed on each application server, and the agent handles authentication coordination.
- Reverse Proxy Method: A reverse proxy server receives user access and handles the authentication process. Upon successful authentication, the reverse proxy accesses each application server on behalf of the user.
- Delegated Authentication Method: The authentication server sends the ID and password to each application server on behalf of the user to perform authentication.
Identity Federation
Traditional SSO often relied on cookies and was mainly used within the same domain or in closed network environments. However, with the proliferation of cloud services, the need to coordinate user authentication information across different organizations and domains has grown. This cross-domain coordination is what Identity Federation provides.
Identity Federation is a mechanism where, once a user is authenticated, that authentication information is shared with trusted service providers, allowing access without re-authentication. This enables seamless use of various cloud services both within and outside an organization.
Major protocols in identity federation include:
- SAML (Security Assertion Markup Language): An XML-based protocol for exchanging authentication and authorization information. It is primarily used in web-based SSO and is commonly employed for integration between enterprise systems and cloud services.
- OAuth 2.0 (Open Authorization): A protocol for securely delegating access permissions (authorization) to specific resources without passing the user’s password to the service provider. While it does not itself provide authentication, it is widely used to grant API access based on user consent.
- OpenID Connect (OIDC): A protocol that extends OAuth 2.0 with authentication capabilities. It provides user authentication information (ID tokens) on top of the OAuth 2.0 authorization framework. It is widely used in social logins with Google, Facebook, and others, enabling simpler and more modern authentication coordination.