What Are Single Sign-On (SSO) Protocols?

SSO Protocols can be extremely helpful in your organization as it cuts down on time spent on logins, but how do you choose which protocol to use?

What is SSO? SSO stands for Single Sign-On (SSO), a type of federated identity management where a user only needs to log in with one set of credentials to gain access to many applications.

What is a Single Sign-On Protocol?

Single Sign-On (SSO) is an approach to authentication that reduces the number of logins a user must engage with by allowing them to authenticate with multiple platforms through a single platform.

The user logs in once, and that login authenticates them across several different systems. This is also known, in some cases, as “federated” identity management, with a few differences between the two terms based on their applicability.
To support SSO as a legitimate technology, the underlying infrastructure must promote the same priorities as any other form of authentication–anonymity, security, and reliability. A single sign-on protocol allows for the secure communication of authentication and identity verification from an SSO provider and participating platforms,

How Do SSO Protocols Work?

The primary task that an SSO protocol is intended to accomplish is to facilitate authentication between different accounts, systems, or platforms. It wouldn’t be very secure to send usernames or passwords between different accounts simply, nor is it feasible to expect every platform to support the same forms of biometrics or MFA capabilities.
That’s why SSO protocols will often use a common series of responsibilities and actions:

• An Identity Provider (IdP) manages the central authentication server. This is where the core authentication steps will be taken–managing digital identities, processing user credentials, handling MFA factors, or other forms of authentication. You get a general idea if you’ve ever been asked to use Facebook or Google to log in to a third-party platform.
• Once the IdP affirms the user’s credentials, they start an SSO session with the platform the user is attempting to log into. They will often exchange proof of trust (such as a secure certificate) and, depending on the protocol, exchange information through an SSO server.
• The IdP will then pass information as a token to the SSO server, and the platform or application will confirm that the user has been authenticated and allowed access. The token is encrypted and signed, meaning the SSO server can guarantee that it hasn’t been falsified or modified.

What are the Different Types of SSO Protocols?

Like any other technology, there are multiple ways to operate a basic SSO protocol, and these different approaches all follow different application domains or security philosophies. All have their place, and all have been deployed in one way or another in some industry or specific infrastructure.
Some of the most common SSO protocols include:

• Lightweight Directory Access Protocol (LDAP): LDAP is a tool for local network access of files and folders in a system. This software protocol allows users to locate and identify individual users, resources (files, folders, devices), or even organizations connected to an intranet.

The LDAP server serves as a central authentication space that allows users to connect to the intranet and, depending on that authentication, connects to other connected devices and servers.

• Kerberos: Kerberos provides secret-key cryptography and strong authentication for local single sign-on using a ticket-based system. A central server handles tickets generated from users attempting to access system resources, and the ticket authentication allows the user to proceed.

Kerberos is freely available through the Massachusetts Institute of Technology (MIT). It is often deployed in academic settings when the institution doesn’t have a contract for a third-party cloud and application provider like Google or Microsoft.

• Security Assertion Markup Language (SAML): This open protocol uses XML to facilitate the exchange of authentication data between IdPs, an SSO server, and participating platforms.
• OAuth 2: OAuth 2 provides SSO access for web applications and user accounts over HTTPS–chiefly using web resources and social media platforms.

Suppose the user wants to link an application to their social media account (say, by linking a browser game to their Facebook account for updates). In that case, this protocol facilitates that request and authorizes data sharing.

• OpenID Connect: OpenID Connect, or OIDC, uses OAuth 2 and JSON Web Tokens to support customer facing SSO. This includes uses in web applications, mobile applications, or hybrid web-mobile apps.

What Are the Benefits of SSO?

Single Sign-On is a significant benefit for almost every organization that adopts it–which may seem counterintuitive for some readers. By centralizing authentication, it may seem like organizations are just inviting the potential for hackers and other security threats at a single point of failure.
The truth is that SSO introduces more robust security, stronger interoperability, and better user experiences.
Some of these benefits include:

• Eliminating User Error: The weakest link in the security chain is, more often than not, the user. This security weakness is only amplified when these users have to juggle multiple complex, ever-changing username and password combinations.

With a single combination, the user is likelier to use an appropriately complex set of credentials. Since many SSO providers also offer MFA, the benefits of that MFA will also extend to connected platforms and applications.

• Centralized Security and Auditing: Security auditing is critical to managing any authentication infrastructure. With a centralized IdP and authentication server, enterprises can minimize their security footprint and make auditing much easier–thus making compliance and reporting easier.
• Access Control: With a centralized authentication server, you can much more easily implement effective access control mechanisms based on role or other user attributes.

Conclusion: The Future of Authentication with SSO Protocols

1Kosmos BlockID supports secure authentication for enterprises, including features supporting SSO. With powerful Multi-Factor Authentication (MFA), FIDO2 compliance, and passwordless login, our enterprise can streamline user authentication to eliminate some of the biggest security issues–poor cyber hygiene, lack of robust biometrics, and identity proofing and liveness testing.

With 1Kosmos BlockID, you get the following features:

• SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
• Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
• Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
• Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
• Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
• Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
• Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Sign up for a free trial to give our Identity-Based Authentication a try!

FIDO2 Authentication with 1Kosmos

Read More