Application Security – SSO and FID

This post is in no way a comparison between SSO and FID. Theoretically both have some similarities, but there are core differences because of which a comparison should be deemed unfair and unethical. Having said that, when I was posed a question on OAuth I did some research on the internet, and this blog post is a by-product of it. The post does not go into detail on any of these topics; it only gives some important links and the relations between them. Readers can use it as a very high-level starting point in the quest to become proficient in this area. I am still an amateur, and all feedback from readers on this post will be taken positively and looked into. If readers share very good points, they will be incorporated into the blog.

SSO (Single Sign-On) allows users to access multiple services using a single set of login credentials. In true SSO, the user provides credentials only once per session and then gains access to multiple services without having to sign in again during that session. The term SSO is, however, used in different places where it does not mean exactly this, which can be a bit confusing. You can have your own mechanism for signing on to different applications without the user explicitly providing credentials, and application developers also call this SSO. Strictly speaking they are not wrong, but for a developer the term SSO can be a bit ambiguous because of this. Some of the commonly used configurations are (detailed on Wikipedia):

  • Kerberos based
  • Smart Card based
  • OTP token based
  • Integrated Windows Authentication
  • SAML (Security Assertion Markup Language) – an XML-based open standard using which authentication and authorization details can be passed between two parties, in particular between an identity provider (IdP) and a service provider (SP). These terms will become clearer when we explain Federated Identity (FID) in detail. Just to give you some base details, here are their definitions from Wikipedia:
    • Identity Provider (IdP), also known as Identity Assertion Provider, is responsible for issuing user identification to service providers on a need basis, establishing the credibility of the user interacting with their services.
    • Service Provider (SP) is a company/organization which provides various services to their customers.

Federated Identity (FID) is a place where the user stores their credentials. It can also be thought of as a means of connecting the various identity management systems together. In FID, the user stores the credentials with the home organization/service, called the “identity provider”. When a user accesses a service, the service would normally ask for a credential. Instead, the service provider trusts the identity provider and authenticates against it, so the user is not prompted to supply a credential. Google, Yahoo etc. are some of the platforms which allow users to log in to third-party web sites, applications etc. using FID.

Now, is it right to use SSO and FID interchangeably? Theoretically it is not wise to do so. Having said that, both provide a means of authentication without the user entering credentials each time they access different, separately hosted services. As Wikipedia states, SSO is technically a subset of FID, covering the authentication aspect of security.

I started this research, and this blog post, to learn more about OAuth and what it is. To explain OAuth, I had to explain what SSO and FID are. Now that we have the background on SSO and FID, let's come back to the main topic I was after.

There are various technologies used to implement FID. Along with some proprietary standards, there are well-known open standards such as SAML, OAuth and OpenID. Now let's dive into each one in some detail. I could see many blogs/forums on the internet that compare SAML and OAuth. As pointed out in this Stack Overflow answer, there isn't any similarity between the two.

    • SAML (Security Assertion Markup Language) – the basic details were covered earlier; here we expand on them in more detail. As mentioned earlier, the three main parties are the principal (user), the Identity Provider (IdP) and the Service Provider (SP). This is how it all works: the user requests a service from the SP. The SP requests and obtains an identity assertion from the IdP. On the basis of this assertion, the SP makes an access control decision which allows or denies the user access to the requested service. The image below is from a blog which gives a comparison between these various FID technologies.

A sample SAML use case
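The SAML flow just described, as an added example that is not part of the original post: the IdP issues an assertion and the SP verifies it before making its access control decision. The signing key, SP entity id and usernames are constructed values, and an HMAC over a JSON body stands in for the XML signature a real IdP would apply.

```python
import base64, hashlib, hmac, json

# Constructed key shared by IdP and SP; a real IdP signs assertions with its
# X.509 key (XML-DSig). An HMAC over a JSON body stands in for that here.
IDP_KEY = b"constructed-idp-signing-key"
SP_ENTITY_ID = "https://sp.example.test"  # hypothetical SP entity id (audience)
SIG_LEN = hashlib.sha256().digest_size

def idp_issue_assertion(subject, audience, now, lifetime=300):
    """IdP side: after authenticating the principal, issue a signed assertion."""
    claims = {"subject": subject, "audience": audience,
              "issued_at": now, "not_on_or_after": now + lifetime}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + sig).decode()

def sp_validate_assertion(token, now, expected_audience=SP_ENTITY_ID):
    """SP side: checks made before trusting what the IdP asserted.
    Returns (subject, reason); subject is None when the assertion is rejected."""
    try:
        raw = base64.b64decode(token, validate=True)
    except Exception:
        return None, "malformed assertion"
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):       # tampered, or not from our IdP
        return None, "signature invalid"
    claims = json.loads(body)
    if claims.get("audience") != expected_audience:  # issued for a different SP
        return None, "audience mismatch"
    if now >= claims.get("not_on_or_after", 0):      # stale assertion being replayed
        return None, "assertion expired"
    return claims["subject"], "ok"

def sp_access_decision(token, now, allowed_subjects):
    """The SP's access control decision: a valid assertion for a known subject."""
    subject, reason = sp_validate_assertion(token, now)
    if subject is None:
        return False, reason
    return subject in allowed_subjects, reason

if __name__ == "__main__":
    t = 1_700_000_000
    token = idp_issue_assertion("alice", SP_ENTITY_ID, t)
    print(sp_access_decision(token, t + 10, {"alice"}))   # (True, 'ok')
    print(sp_access_decision(token, t + 600, {"alice"}))  # (False, 'assertion expired')
```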

    • OAuth is an open standard for authorization. It provides a method by which clients access server resources on behalf of the resource owner. End users can use it to authorize third-party applications/services to act on their behalf without supplying their credentials in the form of a username/password. Now I think it is becoming clearer to the reader how relevant these technologies are with respect to FID. The image below is from a blog which gives a comparison between these various FID technologies.

A Sample OAuth use case
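An added example (not from the original post) of the OAuth authorization code flow the paragraph describes: the third-party client ends up with a scope-limited access token without ever seeing the resource owner's password. The client id, client secret, redirect URI and resource data are constructed values.

```python
import hmac, secrets

# Constructed registration of one third-party client (hypothetical values).
CLIENTS = {"photo-printer": {"secret": "constructed-client-secret",
                             "redirect_uri": "https://printer.example.test/cb"}}

class AuthorizationServer:
    """Issues codes and tokens; the only party that ever sees the owner's password."""
    def __init__(self):
        self.codes, self.tokens = {}, {}

    def authorize(self, owner, client_id, redirect_uri, scope):
        # The owner has logged in here (not modelled) and consents to `scope` for this client.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return None                          # unknown client or unregistered redirect
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"owner": owner, "client_id": client_id,
                            "redirect_uri": redirect_uri, "scope": set(scope.split())}
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        grant = self.codes.pop(code, None)       # codes are single use: a replay fails
        if grant is None or grant["client_id"] != client_id:
            return None
        if not hmac.compare_digest(CLIENTS[client_id]["secret"], client_secret):
            return None                          # client could not prove its identity
        if grant["redirect_uri"] != redirect_uri:
            return None
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"owner": grant["owner"], "scope": grant["scope"]}
        return access_token

    def introspect(self, access_token):
        return self.tokens.get(access_token)

class ResourceServer:
    """Serves the owner's data only to tokens carrying the matching scope."""
    def __init__(self, auth_server, resources):   # resources: owner -> scope -> data
        self.auth_server, self.resources = auth_server, resources

    def read(self, access_token, scope_needed):
        info = self.auth_server.introspect(access_token)
        if info is None or scope_needed not in info["scope"]:
            return None                          # bad token or insufficient scope
        return self.resources.get(info["owner"], {}).get(scope_needed)
```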

    • OpenID is again an open standard, which can be used for both authentication and authorization purposes. Here the user registers with their preferred OpenID identity provider and uses this account as the basis for signing in to other applications that support OpenID authentication. The image below is from a blog which gives a comparison between these various FID technologies.

A Sample OpenID use case
