Federated Identity Glossary
The concept of a centralised or linked electronic identity is known as federated identity. Federated identity systems handle several concerns:
Authentication
Authorisation
User attributes exchange
User management
The authentication aspect deals with validating user credentials and establishing the identity of the user.
Authorisation is related to access restrictions (e.g., is the user allowed to access X resource?).
The attributes exchange aspect deals with data sharing across different user management systems. For instance, fields such as “real name” may be present in multiple systems. A federated identity system prevents data duplication by linking the related attributes.
Lastly, user management is related to the administration (creation, deletion, update) of user accounts. A federated identity system usually provides the means for administrators (or users) to handle accounts across domains or subsystems.
SSO is strictly related to the authentication part of a federated identity system. Its only concern is establishing the identity of the user and then sharing that information with each subsystem that requires the data. Below, we focus on this crucial aspect of a federated identity system.
Single Sign-On (SSO) Authentication
At some point, web development teams encounter a common challenge. After creating an application on domain X, they wish to enable the same login credentials for a new deployment on domain Y. Ideally, users who are already authenticated on domain X should automatically be recognised as logged in on domain Y. This is the essence of Single Sign-On (SSO).
Non-Single-Sign-On Scenario
A straightforward approach to address this issue would be to share session information across various domains. However, due to security protocols, browsers implement a restriction known as the same origin policy. This rule states that cookies and other locally stored data can only be accessed by their originating domain. Consequently, cookies from domain X cannot be accessed by domain Y and vice versa. SSO solutions aim to resolve this limitation by enabling the sharing of session information between different domains.
No Cookie Sharing
Different SSO protocols utilise various methods for sharing session data while maintaining security; however, the core principle remains consistent: there exists a central domain responsible for authentication, which then facilitates session sharing with other domains in some manner. For example, this central domain might create a signed JSON Web Token (JWT), potentially encrypted using JSON Web Encryption (JWE). This token can then be sent to the client and utilised by both the authentication domain and any other associated domains. The token may reach the initial domain through a redirect and contains all necessary information for user identification at the requesting domain. Since it is signed, any alterations made by the client are not possible.
When users access a domain that necessitates authentication, they are sent to the authentication domain. Since users are already logged into that domain, they can be swiftly redirected back to the original site along with the required authentication token.
Single Sign-On (SSO) Authentication with Auth0
If you’ve been exploring SSO options online, you may have encountered various implementations such as OpenID Connect, Facebook Connect, SAML, and Microsoft Account (previously known as Passport), among others. We recommend selecting the most straightforward option for your development needs. For example, SAML is widely used in enterprise environments and may be a suitable choice in those cases. If you anticipate needing to integrate multiple options, don’t worry—there are frameworks available that facilitate compatibility between different SSO solutions. This is one of the services we offer at Auth0.
You can try Auth0’s authentication features at no cost. To get started, check out our documentation on Single Sign-On and explore AuthO SSO samples,
Referring back to the Typical SSO Scenario diagram we reviewed earlier will help illustrate how Auth0 fits into this process. In this context, Auth0 acts as the Authentication Server and serves as a connector between various SSO frameworks.
For more insights on this topic, we encourage you to read our complimentary whitepaper titled The Definitive Guide to Single Sign-On (SSO).
SSO Authentication
Single Sign-On authentication is becoming increasingly significant in today’s decentralised systems, where efficient user management across diverse applications and services is crucial. Solutions like OpenID Connect and offerings from Auth0 simplify the integration of SSO into both new and existing applications. If you’re developing a new application or service that requires authentication, it’s wise to consider implementing SSO from the outset.
Maxthon and SSO Authentication
1. Understanding Maxthon’s Approach: The Maxthon browser prioritises user privacy by integrating robust single sign-on (SSO) authentication features. This ensures that your online identities are secure while maintaining seamless access to various platforms.
2. Utilizing Encrypted Data: When you use SSO with Maxthon, your credentials are encrypted. This means that your login information is scrambled into a code that cannot be easily read or accessed by unauthorised parties.
3. Secure Authentication Process: Maxthon employs industry-standard protocols, such as OAuth. This allows users to log in using their existing accounts from trusted providers without sharing passwords directly with the sites they visit.
4. Enhanced Privacy Features: In addition to SSO, Maxthon provides options like browsing in incognito mode and blocking trackers. These features further protect your data from being collected or monitored by third-party websites.
5. User-Controlled Permissions: With single sign-on, you can manage which applications have access to your data quickly. You can revoke permissions at any time through the settings on the authentication provider’s page.
6. Regular Security Updates: Maxthon consistently updates its security protocols to reflect the latest advancements in cybersecurity. This commitment helps safeguard your privacy during SSO authenticated sessions.
7. Educating Users on Best Practices: Maxthon also offers educational resources on online browsing safety, helping users understand effective password management and how to recognise phishing attempts related to SSO services.
8. Feedback Loop for Improvements: Finally, users can provide feedback on their experience with SSO features, enabling the developers to continually refine privacy measures and enhance overall user security in future versions of the browser.