How does SSO (Single Sign On) work

authentication oauth-2.0 single-sign-on
Tom Schreck picture Tom Schreck · Feb 27, 2016 · Viewed 16.2k times · Source

I'm trying to wrap my head around SSO. It's my understanding that SSO allows you to login once and get access to multiple apps (if you have rights). So, I log into App A. I establish a token. How does that token become available to App B so I do not have to login to App B again (assuming user has rights to A and B)? My Apps are AngularJs apps. I access .Net WebAPis for data.

I can see if I login to App A and retrieve a token then launch App B from App A by passing the token to App B. This way App B has the token and can send to server to make sure user has access to B. However, if user opens a browser directly and goes to App B, then how does their session get established with existing token?

If the answer is there's session state on the back-end server, then how does session state match the user logged in App A with the new request for App B?

Thanks.

Answer

Troels Larsen picture Troels Larsen · Feb 27, 2016

Well, there are certainly many ways to achieve it, and it can be tricky. I can give you one solution as an example:

Consider two apps on different subdomains:

The Fine Corinthian Turkey Shop (turkey.example.com)
Rent a Baboon (monkey.example.com)

These two web apps want to share signon, and arrange for a third hosted website for their single sign-on:

sso.example.com

Then the flow is:

  1. Frank visits http://turkey.example.com/orders/12
  2. Turkey redirects to https://sso.example.com/login
  3. SSO presents user with login form, validates and issues token
  4. The token is saved in a cookie on SSO.
  5. User is now validated on SSO, but needs to get the token back to turkey.
  6. SSO stores a combination of (Guid, Token, Expiry) on the server, where Guid is a random guid and Expiry is something like 30 seconds.
  7. SSO sets a secure cookie on *.example.com containing the Guid
  8. SSO redirects back to http://turkey.example.com/orders/12
  9. Turkey can now retrieve the ticket from the cookie
  10. Turkey calls SSO server and exchanges the ticket for the token.
  11. Turkey stores token in the browser (typically a cookie)

Now let's imagine that Frank wants some nice juicy baboons to go with that turkey:

  1. Frank visits: http://monkey.example.com/order-in-bulk
  2. Monkey sees that Frank has no stored token and redirects to https://sso.example.com/login
  3. SSO sees that Frank is already logged in as he has a stored token.
  4. SSO stores a new (Guid, token, expiry) triple on the server
  5. Process is identical to the initial login the rest of the way

Related questions

Google OAuth 2 authorization - Error: redirect_uri_mismatch

On the website https://code.google.com/apis/console I have registered my application, set up generated Client ID: and Client Secret to my app and tried to log in with Google. Unfortunately, I got the error message: Error: redirect_…

Read More
What are the main differences between JWT and OAuth authentication?

I have a new SPA with a stateless authentication model using JWT. I am often asked to refer OAuth for authentication flows like asking me to send 'Bearer tokens' for every request instead of a simple token header but I …

Read More
What's a redirect URI? how does it apply to iOS app for OAuth2.0?

Beginner programmer here, please pardon ignorance & explanations will be really nice :) I've tried to read the tutorials for a certain OAuth 2.0 service, but I don't understand this redirect URI... in my particular context, let's say I'm trying to build …

Read More