Digabit Inc.

Digabit Support Center

SSO 101 - Single Sign-On Basics

Last Updated: Jan 25, 2017 11:31AM MST

What is SSO?

Single Sign-on (SSO) is a property of access control across multiple related but independent software systems. With this property, a user logs in once and gains access to all of those systems without being prompted to log in again at each of them.
Note that SSO is not limited to web applications.

Types of SSO

  • Kerberos based: The initial sign-on prompts the user for credentials and obtains a Kerberos ticket-granting ticket (TGT). Software applications then use the TGT to prove the user's identity.
  • Smart card based: The initial sign-on prompts the user for the smart card. Additional software applications also authenticate with the smart card.
  • OTP token: Two-factor authentication. A one-time numeric code is generated on a device and combined with the user's password for verification.
  • Integrated Windows Authentication: Originally designed for IIS and Internet Explorer. Although it has since become cross-platform, this authentication method has lost steam in internet-based solutions.
  • Security Assertion Markup Language: XML-based solution for exchanging user security information between an enterprise and a service.

Security Assertion Markup Language (SAML) Defined

SAML is an XML-based open standard data format for exchanging authentication and authorization data between parties. It is designed to be platform- and browser-agnostic.
To understand SAML you should have an understanding of the pieces that make up SAML, as well as common SSO terminology listed at the bottom of this article.

SAML Components

  • Principal (User) - End user looking to get access to an application.
  • Identity provider (IdP) - where the user authenticates via user name and password or two-factor authentication.
  • Service provider (SP) - relies on the IdP’s identity assertion before providing a service.
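The service provider "relies on the IdP's identity assertion", which in practice means it must check that assertion before trusting it. The following added example (not from the original article or from any Digabit product) parses a constructed, unsigned SAML 2.0 Response and applies the checks an SP performs on the assertion: success status, expected issuer, audience restriction, and the NotBefore/NotOnOrAfter validity window. The issuer, audience, NameID and timestamps are made-up sample values. XML signature verification is deliberately left out; a real SP must verify the IdP's signature with a SAML library before any of these fields can be trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed identifiers for this example's IdP and SP (not real endpoints).
EXPECTED_ISSUER = "https://idp.example.com/adfs/services/trust"
EXPECTED_AUDIENCE = "https://sp.example.com"

# Constructed sample response, unsigned and for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2017-01-25T18:31:00Z"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-01-25T18:31:00Z">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-01-25T18:30:00Z" NotOnOrAfter="2017-01-25T18:36:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-01-25T18:30:55Z"/>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                       now: datetime, skew_seconds: int = 0) -> str:
    """Return the asserted NameID if the assertion passes the SP-side checks, else raise ValueError.

    Signature verification is intentionally absent here (see lead-in); for untrusted input
    consider parsing with defusedxml rather than xml.etree directly."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion present")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:                       # only the configured IdP may vouch for users
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    skew = timedelta(seconds=skew_seconds)              # tolerated clock difference between IdP and SP
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:              # assertion issued for a different SP
        raise ValueError(f"assertion not intended for {expected_audience!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in subject")
    return name_id


def outcome(xml_text: str, now_iso: str, issuer: str = EXPECTED_ISSUER,
            audience: str = EXPECTED_AUDIENCE) -> str:
    """Convenience wrapper: the NameID on success, otherwise 'REJECT: <reason>'."""
    try:
        return validate_assertion(xml_text, issuer, audience, _ts(now_iso))
    except ValueError as exc:
        return f"REJECT: {exc}"


if __name__ == "__main__":
    print(outcome(SAMPLE_RESPONSE, "2017-01-25T18:31:30Z"))   # inside the window
    print(outcome(SAMPLE_RESPONSE, "2017-01-25T18:40:00Z"))   # expired
```

Each rejection maps to a distinct failure mode an SP log should distinguish: a wrong issuer or audience points at a misconfigured trust or a response meant for another application, while a window failure usually indicates clock drift, which is why the `skew_seconds` allowance exists.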

SAML versus LDAP

Both SAML and LDAP are protocols used to identify users.
  • LDAP identifies users but also queries and modifies directory data. It requires an open port to a directory service, which exposes a company's user data to the web.
  • SAML only identifies users.
  • Note: SAML is a less intrusive, more broadly accepted standard for SSO across the web. SAML can be used with AD and other directory services.

SSO Terminology

  • Active Directory (AD): Database-based system that provides authentication, directory, policy, and other services in a Windows environment.
  • Active Directory Federated Services (AD FS): Software installed in conjunction with AD that allows AD to provide SSO via SAML to external service providers.
  • Lightweight Directory Access Protocol (LDAP): Application protocol for querying and modifying items in directory service providers such as Active Directory, which supports a form of LDAP.
  • LDAP Server: A directory service that uses LDAP to access and maintain a directory of users. AD is a form of LDAP server.
  • OAuth: Allows access to outside services on behalf of another user. Similar in concept to su in Linux.
  • OpenID: Standard allowing users to be authenticated by cooperating sites using a third-party service. Generally users are authenticated via URI. It allows for a framework of communication between sites. Some concerns remain around spoofing.
