What do you mean by Single Sign On (SSO)

SAML (Security Assertion Markup Language)

How SAML works in SSO

Let's see how SAML works in SSO authentication.

Look at the workflow of SSO authentication used in Google applications.
Before the whole process begins, the partner must provide Google with the URL of its SSO service as well as the public key that Google should use to verify SAML responses.


The following steps make up the workflow of the entire SSO authentication process; each step number is plotted in the figure above:

  1. The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
  2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner’s SSO service. The RelayState parameter containing the encoded URL of the Google application that the user is trying to reach is also embedded in the SSO URL. This RelayState parameter is meant to be an opaque identifier that is passed back without any modification or inspection.
  3. Google sends a redirect to the user’s browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partner’s SSO service.
  4. The partner decodes the SAML request and extracts the URL for both Google’s ACS (Assertion Consumer Service) and the user’s destination URL (RelayState parameter). The partner then authenticates the user. Partners could authenticate users by either asking for valid login credentials or by checking for valid session cookies.
  5. The partner generates a SAML response that contains the authenticated user’s username. In accordance with the SAML 2.0 specification, this response is digitally signed with the partner’s public and private DSA/RSA keys.
  6. The partner encodes the SAML response and the RelayState parameter and returns that information to the user’s browser. The partner provides a mechanism so that the browser can forward that information to Google’s ACS. For example, the partner could embed the SAML response and destination URL in a form and provide a button that the user can click to submit the form to Google. The partner could also include JavaScript on the page that automatically submits the form to Google.
  7. Google’s ACS verifies the SAML response using the partner’s public key. If the response is successfully verified, ACS redirects the user to the destination URL.
  8. The user has been redirected to the destination URL and is logged in to Google Apps.

These are the basic principles behind the working of SSO authentication.
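As an added example (not code from the post, from Google or from any partner), the following Python models steps 2 to 4 above for the SAML 2.0 HTTP-Redirect binding: the SP encodes an AuthnRequest plus an opaque RelayState into the partner's SSO URL, and the partner decodes it, checks that the requested ACS URL is one it has on record, and hands the RelayState back untouched. The URLs, the request fields and the registered-ACS set are illustrative assumptions.

```python
# Added example (not from the post or from Google): SP-initiated SAML 2.0
# HTTP-Redirect binding, modelled on steps 2-4 above. The URLs, the request
# fields and the registered-ACS check are illustrative assumptions.
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PARTNER_SSO_URL = "https://idp.example.org/sso"   # assumed partner SSO endpoint
REGISTERED_ACS = {"https://sp.example.com/acs"}   # assumed pre-registered ACS URLs

def build_authn_request(req_id, acs_url, issuer, issue_instant):
    """Step 2: a minimal (unsigned) AuthnRequest naming the ACS to reply to."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )

def encode_redirect(request_xml, relay_state):
    """Steps 2-3: raw-DEFLATE and base64 the request, then place it and the
    opaque RelayState in the query string of the partner's SSO URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no header
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,
    })
    return f"{PARTNER_SSO_URL}?{query}"

def decode_redirect(url):
    """Step 4 at the partner: recover the request, its ACS URL and RelayState.
    The ACS URL must match a registered one; RelayState is passed back as-is."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode())
    acs_url = root.get("AssertionConsumerServiceURL")
    if acs_url not in REGISTERED_ACS:
        raise ValueError(f"unregistered ACS URL: {acs_url}")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": acs_url,
        "relay_state": params.get("RelayState", [None])[0],
    }
```

The registered-ACS check is the caveat a practitioner would want at step 4: the partner should only send its signed response to an ACS it already knows, not to whatever URL arrived in the request.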

Advantages of SSO applications


What are the areas that need to be tested in SSO authentication applications?

Basic Test scenarios for SSO Login authentication:

1. A valid user logs in to their own intranet application and accesses the external host application.
Result: The user should be able to access the external host application, since they are a valid SSO user.

2. An invalid user logs in to their own intranet application and accesses the external host application.
Result: The external application's login prompt should show up, since they are not a valid SSO user.

3. A valid user logs in to the intranet and accesses the external host application, and at the same time the intranet session expires.
Result: The user should be able to keep working on the external host application even though the intranet session has expired.

4. A valid user logs in to the intranet, accesses the external application, logs out, and then accesses the external application again.
Result: The user should be logged in to the external application without a login prompt.

5. A valid user logs in to the intranet, accesses the external application, and then the session times out in the Innotas application.
Result: The user should be able to continue working on the external application after its session expires, since a session already exists with the intranet application; when the external session times out, the user's credentials are fetched automatically from the browser cache and the user is logged in again.
