Extending Single Sign-on to the Cloud
A new challenge arrives when the requirement for cross-domain authentication is introduced: "browser SSO", where the user authenticating is no longer in the same domain as the application. A few examples of where this occurs are:
- User wants to access an enterprise application from their home PC or the coffee shop
- Enterprise user accesses a SaaS application and wants to sign on with their enterprise credentials
- Consumer-facing site wants to single sign-on the user to another web asset (either another web application or a 3rd-party website)
SSO protocols such as Kerberos rely on the user being located inside a trusted environment and being able to contact authoritative authentication servers (e.g. an Active Directory Domain Controller), so the question becomes how to support single sign-on across multiple applications located in different security domains. Vaulting passwords is clearly not a secure cross-domain solution: a copy of the password is still stored in the third-party application, so when the authentication provider disables a user or changes their password, the change is not reflected in the third-party application.
Federated sign-on provides a portable trust between an authentication provider and a service provider. When a user from an organization requests authentication to a service provider, they are redirected to their home organization for authentication and, if successful, are redirected back to the application with a token confirming the authentication.
As the user accesses additional applications, the process is repeated. By retaining a session at the authentication provider an organization can achieve SSO across multiple domains and applications.
For web applications, federated single sign-on uses the web browser to let the user interact with both the application and the authentication provider to negotiate authentication. Because this "browser SSO" process runs through the web browser, all communication is between the end-user and a federation partner (i.e. between the user and the authentication provider, or between the user and the application provider). There is no direct communication between the authentication provider and the application provider, so no firewall rules or VPN are required and the risk to the enterprise is reduced.
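The redirect-and-token flow above, as an added example that is not part of the original article: a simplified model in which the authentication provider keeps the only user store and session, issues a signed token per application, and the service provider verifies signature, issuer, audience and expiry without ever holding a password. The HMAC shared key, issuer and audience names, and the user record are constructed assumptions standing in for a real signed SAML assertion or OIDC token.

```python
import base64, hashlib, hmac, json, secrets, time

class AuthenticationProvider:
    """Home organization's identity provider: the only place passwords live."""
    def __init__(self, issuer, signing_key):
        self.issuer, self.key = issuer, signing_key
        self.users = {"alice": {"password": "correct horse", "enabled": True}}  # constructed
        self.sessions = {}  # browser session id -> username (this is what gives SSO)

    def authenticate(self, username, password):
        user = self.users.get(username)
        if not user or not user["enabled"] or not hmac.compare_digest(user["password"], password):
            return None
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = username
        return session_id

    def issue_token(self, session_id, audience):
        """Token for one application; re-checks the user so a disable takes effect at once."""
        username = self.sessions.get(session_id)
        if username is None or not self.users[username]["enabled"]:
            return None
        claims = {"iss": self.issuer, "aud": audience, "sub": username, "exp": int(time.time()) + 300}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()  # assumed: HMAC stands in for XML/JWS signature
        return f"{body}.{sig}"

class ServiceProvider:
    """Application in another domain: stores no passwords, only the provider's key."""
    def __init__(self, audience, trusted_issuer, signing_key):
        self.audience, self.trusted_issuer, self.key = audience, trusted_issuer, signing_key

    def verify_token(self, token):
        """Returns the authenticated subject, or None if any check fails."""
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["iss"] != self.trusted_issuer or claims["aud"] != self.audience:
            return None  # token from another provider, or issued for another application
        if claims["exp"] < time.time():
            return None  # expired
        return claims["sub"]

def browser_sso(idp, sp, session_id):
    """Redirect leg: the browser carries the token from provider to application."""
    token = idp.issue_token(session_id, sp.audience)
    return None if token is None else sp.verify_token(token)
```

Signing a second application on with the same provider session is what makes this cross-domain SSO; disabling the user at the provider stops new tokens immediately, which the password-vaulting approach cannot do.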