This blog post will cover Identity and Single Sign On (SSO). I’ve been working on this for the past 2.5 years on a few different platforms, such as ADFS, Azure AD and Okta, and it would be good to share some of the concepts and give you a starting point with Identity and SSO.
Identity is now a pivotal consideration for your organisation for a couple of reasons:
- Organisations are no longer bound to deploying and delivering applications on-premises and are more likely to want to use a service offering like Software as a Service (SaaS). It is likely that your organisation will want to use its existing user accounts (identities) to access these while maintaining control over the passwords and not exposing them to the application directly.
- Delivering and consuming applications on-premises is not a particularly flexible approach to modern IT. Many vendors now deliver their software offerings in the cloud, allowing businesses to quickly consume applications and removing dependencies on the IT department. Identity & SSO helps to make this process easier.
- The management and control of identities remains with your organisational administrators.
Where do I start with Identity and SSO?
SSO can be a cumbersome subject to learn, and it does require time to read and get a good understanding of some of the basic components, which I’ll cover. SSO can also come in slightly different variations, including Seamless Single Sign On (SSSO) and Desktop Seamless Single Sign On (DSSSO).
After a couple of years of exposure in a hands-on role, I wanted to share my experiences and provide you with some resources and hopefully a few shortcuts to get up to speed quickly with identity & SSO.
A Guide to Claims-Based Identity and Access Control, Second Edition
This book still has relevant information, and the first 3-4 chapters should help you get an understanding of Identity, but the first concept you should understand is…
Authentication vs Authorization
This is a key concept to understand when you are working with identity and SSO; knowing the difference between the two will underpin the foundation of your knowledge.
Authentication is the process of proving who you are. This could be as simple as a username & password (and hopefully MFA).
Authorization is the process of being granted access to the application.
There is a very simple but effective airport analogy on page 3 of chapter 1 that describes how authentication and authorization work together. It should help you understand the process, also known as ‘claims-based authentication’.
“A very familiar analogy is the authentication protocol you follow each time you visit an airport. You can’t simply walk up to the gate and present your passport or driver’s license. Instead, you must first check in at the ticket counter. Here, you present whatever credential makes sense. If you’re going overseas, you show your passport. For domestic flights, you present your driver’s license. After verifying that your picture ID matches your face (authentication), the agent looks up your flight and verifies that you’ve paid for a ticket (authorization). Assuming all is in order, you receive a boarding pass that you take to the gate.
A boarding pass is very informative. Gate agents know your name and frequent flyer number (authentication and personalization), your flight number and seating priority (authorization), and perhaps even more. The gate agents have everything that they need to do their jobs efficiently.
There is also special information on the boarding pass. It is encoded in the bar code and/or the magnetic strip on the back. This information (such as a boarding serial number) proves that the pass was issued by the airline and is not a forgery. In essence, a boarding pass is a signed set of claims made by the airline about you. It states that you are allowed to board a particular flight at a particular time and sit in a particular seat. Of course, agents don’t need to think very deeply about this. They simply validate your boarding pass, read the claims on it, and let you board the plane.
It’s also important to note that there may be more than one way of obtaining the signed set of claims that is your boarding pass. You might go to the ticket counter at the airport, or you might use the airline’s web site and print your boarding pass at home. The gate agents boarding the flight don’t care how the boarding pass was created; they don’t care which issuer you used, as long as it is trusted by the airline. They only care that it is an authentic set of claims that give you permission to get on the plane. In software, this bundle of claims is called a security token. Each security token is signed by the issuer who created it. A claims-based application considers users to be authenticated if they present a valid, signed security token from a trusted issuer.”
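To make the last sentence of that quote concrete, here is an added example (my own illustration, not code from the book or from any of the platforms mentioned above) that models the boarding pass as a signed set of claims. It assumes a minimal token format (base64 JSON claims plus an HMAC-SHA256 signature) and a per-issuer shared key; real SSO products use SAML assertions or JWTs signed with the issuer’s certificate, but the trust logic the application applies is the same: check the signature against a known, trusted issuer first (authentication), then read the claims to decide what the user may do (authorization). The issuer names, keys and claims are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: the issuers the application (the "airline") trusts, keyed by
# issuer name. A real relying party would hold each issuer's signing certificate or
# public key rather than a shared HMAC secret; HMAC keeps this example stdlib-only.
TRUSTED_ISSUERS = {
    "ticket-counter": b"counter-signing-key",
    "airline-website": b"website-signing-key",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, claims: dict) -> str:
    """The issuer signs a set of claims about the user: the 'boarding pass'."""
    payload = json.dumps({"iss": issuer, **claims}, sort_keys=True).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def authenticate(token: str) -> Optional[dict]:
    """Authentication: accept the token only if it carries a valid signature from a
    trusted issuer. Returns the claims on success, None otherwise."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(sig_b64)
        claims = json.loads(payload)
    except ValueError:  # malformed token (bad split, bad base64 or bad JSON)
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None  # issuer unknown to the airline: the gate does not trust it
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # signature does not match the claims: forged or altered pass
    return claims


def authorize(claims: dict, flight: str) -> bool:
    """Authorization: the gate reads the claims to decide whether this user may
    board this particular flight."""
    return claims.get("flight") == flight


def board(token: str, flight: str) -> str:
    """The gate agent's full decision: authenticate first, then authorize."""
    claims = authenticate(token)
    if claims is None:
        return "not authenticated"
    if not authorize(claims, flight):
        return "not authorized"
    return "boarded"


def altered_token(token: str, **changes) -> str:
    """Demonstration helper: rewrite the claims but keep the original signature,
    i.e. the failure mode a signature check exists to catch."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims.update(changes)
    new_payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(new_payload) + "." + sig_b64


if __name__ == "__main__":
    counter_pass = issue_token("ticket-counter", TRUSTED_ISSUERS["ticket-counter"],
                               {"sub": "alice", "flight": "BA123", "seat": "12A"})
    web_pass = issue_token("airline-website", TRUSTED_ISSUERS["airline-website"],
                           {"sub": "bob", "flight": "BA123", "seat": "14C"})
    unknown_pass = issue_token("some-kiosk", b"unrelated-key",
                               {"sub": "carol", "flight": "BA123"})
    print("counter pass, BA123:", board(counter_pass, "BA123"))
    print("web pass, BA123:    ", board(web_pass, "BA123"))
    print("counter pass, BA999:", board(counter_pass, "BA999"))
    print("unknown issuer:     ", board(unknown_pass, "BA123"))
    print("altered claims:     ", board(altered_token(counter_pass, flight="BA999"), "BA999"))
```

Two points worth noticing when you run it: the web-site pass and the ticket-counter pass are both accepted even though different issuers created them, because the gate only checks that the issuer is on its trusted list; and a token whose claims are edited after signing fails authentication outright, so the gate never even looks at the (now false) flight claim.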
In Part 2 we’ll look at some of the components required for Identity and SSO.