40
How does SSO work? (lemmy.world)
submitted 9 months ago by pdxfed@lemmy.world to c/explainlikeimfive@lemmy.world
8 comments fedilink hide all child comments

Also why is it sometimes called a federated ID? Does it have to be an email address or could any value work?

all 9 comments
sorted by: hot top controversial new old
[-] Max_P@lemmy.max-p.me 34 points 9 months ago

SSO - Single Sign-On

The idea is that you use one identity from any provider to log in everywhere. It's also used in the enterprise world to centrally manage every app you can log into. So they assign you an email address, and you can use their SSO service to get into Slack/Teams/Salesforce/Figma/admin panels and whatever else you might need. When you quit, they turn off your email, and by doing that you also lose access to all those other apps and accounts as well automatically.

It's also widely used by regular people often in the form of login with Facebook/Google/AppleID/Github and others.

The idea behind it is, you can focus on having one account that you keep very safe with a strong password and 2FA. And you don't have to remember any other password or username or whatever.

Not all SSO systems are compatible with eachother: some use SAML2, some use OpenID, some use a fairly standard OAuth flow, and some are specific to that platform like Facebook and Google. OpenID in particular is federated, because in theory you can use any OpenID provider to log into anything that accepts OpenID. Email is also federated, because it is also an open and interoperable standard: you can send a Gmail to a Yahoo account, or in my case, my own personal server. Or how Lemmy does it: I have my own Lemmy server, but it talks to all the other lemmys so I can subscribe, vote and comment.

The way it works is, you tell the site you would like to log in with a third party provider, the website redirects you to your SSO provider (that you trust and can validate that, for example, you're indeed on google.com if you select to log in with Google). Then, you log in there (if not already). Then it confirms to you that you're about to log in to whatever app, and what information about you will be shared such as your name, email address, picture, sometimes more. You validate, and your SSO provider sends you back to the website with a secret key that contains all that information, and voilà, you're logged in to the website without ever making an account or entering your details. No password or security questions to remember for that site!

It doesn't have to be an email, but since a lot of SSO providers are also email providers or use emails as your login there, it's nearly always an email.

[-] inspxtr@lemmy.world 6 points 9 months ago

Great explanation. Two question, what’s the likelihood of an SSO page being spoofed? This seems like an all-eggs-in-one-basket sitch, so what are the potential threats to this?

[-] towerful@programming.dev 5 points 9 months ago* (last edited 9 months ago)

"An SSO page" as in the log in page?

Well, first of all the website you want to log into needs to be a part of the scam (ie it's a dodgy website or it's been hacked). Hopefully you spot red flags for this.

An ideal SSO login/sign-up flow would only rely on an existing session. So you go to your federated identity site yourself, login, then your identity can be used with other services.
So a scammy website launching a login flow should be a red flag.

The next best ideal is that a login flow redirects you to your federated identity login, giving you a chance to inspect the URL.
Hopefully you spot the URL is incorrect.

Any flow that pops up a new window that doesn't have the address bar would make it easier to hide the scammy login page.

Luckily, most federated identity sites use a fairly long session (like a month). So, if a login flow for an existing session (which would normally be a brief flash of a new window) is suddenly asking for a username and password, hopefully that is a red flag.
Additionally, the login flow usually remembers the username/email and will only ask for your password. So it asking for your email should be a red flag ( Although, this doesn't help if you are using a different device).

Federated identity sites should also be used with Multi Factor Authentication. So, even if a scammy site manages to get your to enter your username password and MFA code, it's either unusable (because it's not time based MFA) or the timeframe of being able to leverage it is mere minutes (for TOTP).
And the hastle of dealing with MFA is done once a day (or week or month or whatever), instead of every login.

And finally, if a scammer/hacker gets through all of that, they have to try and take control of your federated identify.
SSOs should be hardened to anything they do.
When they log in, the SSO should detect a new device/IP accessing your account.
You should get notifications of a new device loging in with a button to click that says "that's not me".
That button invalidates all logged in sessions, and will take you through a credentials change flow (ie new password).

The level of sophistication required to pull this sort of thing off is incredibly high.
And even for compromised identities, there are instant "I've fucked up" notifications/buttons.
The "eggs in one basket" thing is more like "eggs in one bunker with a lot of extra security".

[-] eerongal@ttrpg.network 8 points 9 months ago

SSO is basically offloading your authentication to a trusted third party. Instead of having the user set up an account with a password in your system, you instead go "hey Google/Microsoft/okta/whatever, do you know this guy?".

In theory it doesn't have to be an email address, just any sort of account with said third party, email is just usually the standard to go with.

[-] cyborganism@lemmy.ca 4 points 9 months ago

Here's a good article that explains it well.

https://www.onelogin.com/learn/how-single-sign-on-works

[-] ArbiterXero@lemmy.world 3 points 9 months ago

A lot of different possible answers.

SSO is the concept, “single sign on” one set of credentials that you can use in multiple places.

Federated id’s are passed in the back end, as opposed to OIDC which works based on “pass back tokens”

Emails are usually used because they make great usernames. They’re definitely unique and people remember them, but it doesn’t have to be emails.

What do you want to know more about?

this post was submitted on 29 Sep 2023
40 points (97.6% liked)

Explain Like I'm Five

13539 readers
1 users here now

Simplifying Complexity, One Answer at a Time!

Rules

  1. Be respectful and inclusive.
  2. No harassment, hate speech, or trolling.
  3. Engage in constructive discussions.
  4. Share relevant content.
  5. Follow guidelines and moderators' instructions.
  6. Use appropriate language and tone.
  7. Report violations.
  8. Foster a continuous learning environment.

founded 1 year ago
MODERATORS
sabbah@lemmy.world
AradFort@lemmy.world
rikudou@lemmings.world