Single sign-on (SSO) lets a user authenticate once, with a single set of credentials (username and password), and then access multiple applications for the rest of the session. The user logs in interactively at one party, the identity provider (IdP), and is then signed in automatically, without re-entering credentials, at one or more other sites or applications, the service providers (SPs).
Besides streamlining the user's experience, SSO centralizes account monitoring on the back end and gives administrators a single log of user sign-in activity.
SAML v2.0 supports two single sign-on flows: IdP-initiated SSO and SP-initiated SSO. In IdP-initiated SSO the user starts at the IdP, logs in, and clicks a link for the SP; the IdP then sends an unsolicited SAML Response containing the assertion to the SP, which signs the user in.
In SP-initiated SSO the user starts at the SP. Rather than logging in there, the SP redirects the browser to the IdP with an AuthnRequest. If the user already has an authenticated session at the IdP, no credentials are requested; otherwise the IdP prompts for them. Either way the IdP returns a SAML Response to the SP's assertion consumer service (ACS), and the SP validates it before creating a session.
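The SP-initiated exchange described above, seen from the service provider's side, as an added example (this is illustrative code written for this page, not VendorInsight's implementation). It builds the AuthnRequest for the HTTP-Redirect binding, constructs a sample of the Response an IdP would post back, and runs the checks an SP must make before it accepts the asserted user: status, Destination, InResponseTo (which ties the Response to the pending request and is absent in the IdP-initiated flow), Issuer, Audience, Recipient and the validity window. The entity IDs, URLs, the user name and the fixed clock are assumptions; XML-Signature verification is represented by a flag because it needs an xmlsec library and is outside the scope of this example.

```python
"""SP-initiated SAML 2.0 SSO from the SP side: build the AuthnRequest, then
validate the Response the IdP posts back before trusting the asserted user.
Added example, not VendorInsight's code; entity IDs, URLs and the user are made up."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "https://sp.example.com/metadata"    # assumed SP entityID
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # assumed IdP entityID
IDP_SSO_URL = "https://idp.example.com/sso"         # assumed IdP SSO endpoint
ACS_URL = "https://sp.example.com/saml/acs"         # assumed SP assertion consumer URL
CLOCK_SKEW = timedelta(seconds=60)                  # tolerated IdP/SP clock drift
EXAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
EXAMPLE_LATER = EXAMPLE_NOW + timedelta(minutes=10)              # after the assertion expires

def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def require(ok, reason):
    if not ok:
        raise ValueError(reason)

def build_authn_request(now):
    """Return (request_id, SAMLRequest value); the SP keeps request_id in the session."""
    req_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{saml_time(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; the
    # caller URL-encodes the result into the SAMLRequest query parameter.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return req_id, base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_authn_request(saml_request):
    """Inverse of the encoding above, as the IdP does it on receipt."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()

def make_idp_response(request_id, now, name_id="alice@example.com", audience=SP_ENTITY_ID):
    """Constructed sample Response the IdP posts to the ACS (unsigned skeleton; a real IdP signs it)."""
    t, exp = saml_time(now), saml_time(now + timedelta(minutes=5))
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(16)}" '
        f'Version="2.0" IssueInstant="{t}" Destination="{ACS_URL}" InResponseTo="{request_id}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{t}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData '
        f'InResponseTo="{request_id}" Recipient="{ACS_URL}" NotOnOrAfter="{exp}"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{t}" NotOnOrAfter="{exp}"><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>')

def validate_response(response_xml, expected_request_id, now, signature_verified):
    """SP-side checks before creating a session: returns the asserted NameID or raises
    ValueError naming the failed check. signature_verified stands for XML-Signature
    verification against the IdP's metadata certificate (needs xmlsec; out of scope here)."""
    require(signature_verified, "Response/Assertion signature not verified")
    root = ET.fromstring(response_xml)
    require(root.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    require(code is not None and code.get("Value") == SUCCESS, "IdP did not report Success")
    require(root.get("Destination") == ACS_URL, "Destination is not this SP's ACS URL")
    # SP-initiated flow: the Response must answer our AuthnRequest. An unsolicited
    # (IdP-initiated) Response has no InResponseTo; accept it only if that flow is enabled.
    require(root.get("InResponseTo") == expected_request_id, "InResponseTo does not match the pending AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    require(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    require(a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "Assertion not issued by the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    require(cond is not None, "Assertion has no Conditions")
    require(now + CLOCK_SKEW >= parse_time(cond.get("NotBefore")), "Assertion not yet valid")
    require(now - CLOCK_SKEW < parse_time(cond.get("NotOnOrAfter")), "Assertion expired")
    require(cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID, "Assertion issued for a different audience")
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData", NS)
    require(scd is not None, "missing bearer SubjectConfirmation")
    require(scd.get("Recipient") == ACS_URL and scd.get("InResponseTo") == expected_request_id, "SubjectConfirmationData mismatch")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def outcome(response_xml, request_id, now, signature_verified=True):
    try:
        return validate_response(response_xml, request_id, now, signature_verified)
    except ValueError as e:
        return f"REJECTED: {e}"
```

Running `outcome(make_idp_response(rid, EXAMPLE_NOW), rid, EXAMPLE_NOW)` after `rid, enc = build_authn_request(EXAMPLE_NOW)` returns the asserted NameID; handing the same Response to a different pending request, a different audience, an unverified signature, or a clock ten minutes later is rejected with the name of the failed check. The order of the checks is deliberate: the signature is verified before anything in the XML is believed, and the InResponseTo match is what stops a Response captured for one login from being replayed into another.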
At the end of a session there are likewise two single logout (SLO) flows. In IdP-initiated SLO the user clicks a log-out link at the IdP; the IdP ends its own session and sends a LogoutRequest to every SP with which the user has an SSO session, logging the user out there as well.
In SP-initiated SLO the user clicks a log-out link at the SP. The SP sends a LogoutRequest to the IdP, which ends the IdP session and propagates the logout to every other SP in the session. In both flows SLO only reaches SPs that implement the SLO profile and can be contacted; a logout that fails at one SP leaves that session open, so each SP should still enforce its own session timeout.
While single sign-on is highly sought after by users for the convenience it provides, organizations should also weigh the risk it adds to enterprise security. If an attacker obtains a user's SSO credentials, or a valid IdP session, they gain access to every SP site and application that user is permitted to use, which multiplies the damage a single compromise can do; strong authentication at the IdP, such as phishing-resistant multi-factor authentication, is therefore the control that matters most. The arrangement also depends on an explicit trust relationship between the identity provider and the service providers: each SP must trust that the IdP has authenticated the user, and in SAML that trust is concrete. Before accepting the asserted identity, the SP verifies the IdP's digital signature on the Response or Assertion against the certificate published in the IdP's metadata, and checks that the assertion is addressed to it (Audience and Recipient) and is still within its validity window.
VendorInsight supports single sign-on via SAML v2.0 as defined by the OASIS standard (the Assertions and Protocols, Bindings, and Profiles specifications). For more detailed information, please refer to the SAML v2.0 specification documents at www.oasis-open.org.
To learn more about this feature and how it works within the VendorInsight risk management software, please contact a team member using the link below and we will follow up with you as soon as possible.