What is Single Sign-On?

Hasini Witharana
Identity Beyond Borders
4 min read · Apr 23, 2019

In my previous blog, I gave a basic idea of identity and access management. Today I am going to give a basic idea of Single Sign-On (SSO).

In very simple terms, SSO means using a single credential to log in to several applications without being prompted to log in again and again.

First, we will look at how an organization meets its identity requirements.

How does a typical organization work?

Without a centralized system

In an organization, there are many applications that a user needs to access to perform day-to-day business.

Suppose an organization has a separate database/user store for each and every application to hold user credentials. In such a scenario, the IT section will have a lot of work when creating, updating or deleting users, since they need to do that in each and every place.

With a centralized system

Instead of having separate DBs for applications, they might have a centralized system where all the users are stored.

In this case, it is easy to manage users, but they still need to think about security, federation options, how to provision a user, etc. This will be a burden for an organization because managing, authenticating and authorizing users is not their main business objective. Yet they need to spend a huge amount of time and effort in the identity domain.

Using an Identity Provider

So the solution is to use an Identity Server which has the capability to manage the identity requirements of a company.

The benefits of using an identity provider to handle identity and access management in an organization are that it enables SSO, makes users easy to manage, removes the need to put lots of effort into identity requirements, and much more.

Why does an organization need SSO?

1. Increase Productivity

Now that the company is using an identity provider to achieve SSO, managing, updating and deleting users will be really easy for the IT admin. Moreover, the company can focus on its day-to-day business without worrying too much about identity requirements. This will increase productivity.

2. Great user experience

Now a user like Ben only needs to give his credentials one time, and he will be able to access all the applications seamlessly. This will surely improve the user experience.

Why does a user need SSO?

1. Less Number of Passwords

We usually forget passwords. If we use different passwords for different accounts, there will be a huge number of passwords to remember. But if we can use one username and password for all the applications, the burden of remembering several passwords is reduced.

2. More secure

When there are several passwords to remember, we tend to use some simple variation of a base password or write the passwords down. These habits increase security risk.

3. Save Time

Having to provide credentials every time we log in to one of several applications is inconvenient and takes time. But if we have to log in only once and all the other applications log us in automatically, it will save our time and be user-friendly.

SSO can be easily achieved through open standards like SAML, OpenID Connect (OIDC) or WS-Federation. Now I am going to show you how to achieve SSO using OIDC with the WSO2 Identity Server.

SSO with WSO2 Identity Server

Download WSO2 Identity Server.

Install Apache Tomcat.

Clone or download the samples.

Start the IS server by navigating to (IS-Home->bin) and typing “sh wso2server.sh”.

Log in to the management console using “https://localhost:9443/carbon/” and give “admin” as both the username and password.

Create two service providers (dispatch and manager)

  1. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  2. Fill in the Service Provider Name as “dispatch”
  3. Click Register to add the new service provider.
  4. Configure OIDC under Inbound Authentication Configuration.
  5. Give the callback URL as “http://localhost.com:8080/pickup-dispatch/oauth2client”.
  6. The OAuth Client Key and OAuth Client Secret of the service provider will be used in future steps.
  7. Repeat steps 1 to 5 again, giving the service provider name as “manager” and the callback URL as “http://localhost.com:8080/pickup-manager/oauth2client”.

Create a user “Ben”

  1. On the Main tab, click Add under Users and Roles.
  2. Click Add New User.
  3. Specify the following values to create a new user (Domain: Primary, Username: ben, Password: ben123).
  4. Click Next.
  5. Select Application/dispatch and Application/manager and click Finish.

Copy the client key and client secret values of each application into its properties file, e.g. <IS_SAMPLE_REPO>/oidc-sso-sample/pickup-dispatch/src/main/resources/dispatch.properties.

Build the source code by navigating to IS-Samples->oidc-sso-sample and running the Maven command mvn clean install.

Deploy the applications, pickup-dispatch.war and pickup-manager.war, to the Tomcat->webapps folder. The pickup-dispatch.war file will be in the <IS_SAMPLE>/oidc-sso-sample/pickup-dispatch/target directory and the pickup-manager.war file will be in <IS_SAMPLE>/oidc-sso-sample/pickup-manager/target.

Start the Tomcat server by navigating to (Tomcat-Home->bin) and running “sh catalina.sh start” in a terminal.

Go to http://localhost:8080/pickup-dispatch/ and log in using Ben’s credentials.

Then go to “http://localhost:8080/pickup-manager/”; Ben will be automatically logged in.
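To make visible what the two sample apps and the Identity Server are doing behind those clicks, here is an added, self-contained simulation of the OIDC authorization-code flow that the walkthrough configures. It is illustration code written for this post, not WSO2 Identity Server code or the sample apps' code: the in-memory user store, session store and code store, the HS256-style ID token keyed by the client secret, the issuer URL and all class and function names are assumptions of this example; only the app names, callback URLs and the user ben/ben123 come from the steps above. Each service provider is registered with its own client key, secret and callback URL; the IdP keeps one browser session, so the second app's login succeeds without a second password prompt, and each app verifies the signature, audience and expiry of the token it receives before trusting it.

```python
"""Toy OpenID Connect authorization-code SSO: one identity provider, two
relying parties. Added illustration only; not WSO2 Identity Server code.
Names follow the walkthrough (pickup-dispatch, pickup-manager, user ben);
the in-memory stores, HS256-style token and helper names are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://localhost:9443"  # assumption: the IdP base URL used in the walkthrough


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds users, registered clients and the single browser session SSO relies on."""

    def __init__(self):
        self.users = {"ben": "ben123"}  # constructed: the user created in the console (a real IdP stores hashes)
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.sessions = {}  # IdP cookie -> username: one login shared by every app
        self.codes = {}     # authorization code -> (client_id, username), single use

    def register_client(self, redirect_uri):
        client_id, client_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret  # the "OAuth Client Key/Secret" shown in the console

    def authorize(self, client_id, redirect_uri, cookie=None, credentials=None):
        """Front-channel /authorize: returns (code, cookie, prompted_for_login)."""
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match the registered callback URL")
        user, prompted = self.sessions.get(cookie), False
        if user is None:  # no IdP session yet: this is the one and only login prompt
            if credentials is None or self.users.get(credentials[0]) != credentials[1]:
                raise PermissionError("login required")
            user, cookie, prompted = credentials[0], secrets.token_urlsafe(16), True
            self.sessions[cookie] = user
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code, cookie, prompted

    def token(self, client_id, client_secret, code):
        """Back-channel /token: the code is single use and bound to the client that got it."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid or replayed authorization code")
        if not hmac.compare_digest(self.clients[client_id][0], client_secret):
            raise PermissionError("client authentication failed")
        claims = {"iss": ISSUER, "sub": entry[1], "aud": client_id, "exp": int(time.time()) + 300}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(client_secret.encode(), payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{_b64(mac)}"  # HS256-style ID token keyed by the client secret


def verify_id_token(id_token, client_secret, client_id, now=None):
    """What each app must check before trusting a token: signature, issuer, audience, expiry."""
    payload, sig = id_token.split(".")
    expected = hmac.new(client_secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise PermissionError("bad signature")
    claims = json.loads(_b64d(payload))
    if claims["iss"] != ISSUER or claims["aud"] != client_id:
        raise PermissionError("token not issued by our IdP for this client")
    if claims["exp"] < (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims


class RelyingParty:
    """One sample app (service provider) that delegates login to the IdP."""

    def __init__(self, name, idp):
        self.idp = idp
        self.redirect_uri = f"http://localhost.com:8080/{name}/oauth2client"
        self.client_id, self.client_secret = idp.register_client(self.redirect_uri)

    def login(self, cookie=None, credentials=None):
        """Returns (username, idp_cookie, prompted); prompted is False when SSO kicks in."""
        code, cookie, prompted = self.idp.authorize(self.client_id, self.redirect_uri, cookie, credentials)
        id_token = self.idp.token(self.client_id, self.client_secret, code)
        return verify_id_token(id_token, self.client_secret, self.client_id)["sub"], cookie, prompted


def sso_walkthrough():
    """Ben logs in to dispatch once; manager then recognises him without a second prompt."""
    idp = IdentityProvider()
    dispatch, manager = RelyingParty("pickup-dispatch", idp), RelyingParty("pickup-manager", idp)
    user1, cookie, prompted1 = dispatch.login(credentials=("ben", "ben123"))
    user2, cookie2, prompted2 = manager.login(cookie=cookie)
    return {"users": (user1, user2), "prompted": (prompted1, prompted2), "same_session": cookie == cookie2}


if __name__ == "__main__":
    print(sso_walkthrough())
```

Running the script prints a result where both apps see the user ben, the login prompt appeared only for the first app, and both logins rode on the same IdP session. The checks in verify_id_token are the part worth keeping in mind when wiring real applications to an identity provider: the audience check stops a token minted for pickup-manager from being accepted by pickup-dispatch, the callback URL check in authorize stops a code from being sent anywhere other than the registered client, and popping the code on first use prevents replay.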

This is how we configure SSO using OIDC in WSO2 Identity Server. I hope this will help you to understand why SSO is important. Thank You.


PhD Candidate @ University of Florida. Security Research Intern @ Intel. Software Engineer @ WSO2.