What do you mean by Single Sign On (SSO)?
- Single sign on is an authentication scheme that lets a user access different applications from a single environment without giving multiple usernames or passwords.
- Single sign on uses only one login, through which the user accesses the different applications.
- Single sign off is the reverse of SSO: a single act of signing out terminates the user's access to multiple applications.
SAML (Security Assertion Markup Language)
- SAML is an XML standard that allows secure web domains to exchange user authentication and authorization data.
- The SSO authentication process is applicable only to web-based applications.
- For Windows clients, users need usable passwords; synchronize those passwords with your internal user database using the Provisioning API.
- Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content.
How SAML works in SSO
Let's see how SAML works in SSO authentication.
Look at the workflow of SSO authentication used in Google applications.
Before the whole process begins, the partner must provide Google with the URL of its SSO service as well as the public key that Google should use to verify SAML responses.
The following steps make up the workflow of the entire SSO authentication process; each step number corresponds to the figure above:
1. The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner's SSO service. The RelayState parameter, containing the encoded URL of the Google application that the user is trying to reach, is also embedded in the SSO URL. This RelayState parameter is meant to be an opaque identifier that is passed back without any modification or inspection.
3. Google sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partner's SSO service.
4. The partner decodes the SAML request and extracts the URL for both Google's ACS (Assertion Consumer Service) and the user's destination URL (RelayState parameter). The partner then authenticates the user. Partners could authenticate users either by asking for valid login credentials or by checking for valid session cookies.
5. The partner generates a SAML response that contains the authenticated user's username. In accordance with the SAML 2.0 specification, this response is digitally signed with the partner's DSA/RSA private key.
6. Google's ACS verifies the SAML response using the partner's public key. If the response is successfully verified, the ACS redirects the user to the destination URL.
7. The user has been redirected to the destination URL and is logged in to Google Apps.
These are the basic principles behind the working of SSO authentication.
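Steps 2 to 4 above in working form, as an added example (not code from the original page or from Google): the service provider builds the SAML AuthnRequest, packs it into the SSO redirect URL together with an opaque RelayState, and the partner IdP decodes it and extracts the ACS URL and RelayState. All endpoint URLs and entity IDs are constructed placeholders; the IdP additionally refuses any ACS URL that was not registered out of band, which is the check a practitioner should expect on the partner side.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed service-provider (Google side) and partner IdP values, not real endpoints.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.partner.example/sso"


def build_authn_request(request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest that carries the SP's ACS URL (step 2)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def redirect_url(authn_request, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode (steps 2-3).
    RelayState (the user's destination URL) rides along as a separate parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    saml_request = base64.b64encode(deflated).decode()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})


def idp_parse_redirect(url, registered_acs_urls):
    """Partner IdP side (step 4): decode the request and pull out the ACS URL and RelayState.
    The ACS URL is accepted only if it was registered out of band, so the signed
    response is never posted to an endpoint the request alone chose; RelayState is
    handed back untouched because the IdP treats it as opaque."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in registered_acs_urls:
        raise ValueError(f"ACS URL not registered for this partner: {acs}")
    return {"acs_url": acs, "relay_state": qs["RelayState"][0], "request_id": root.get("ID")}


if __name__ == "__main__":
    url = redirect_url(build_authn_request("_req1", "2024-01-01T00:00:00Z"), "https://mail.example.com/inbox")
    print(idp_parse_redirect(url, {SP_ACS_URL}))
```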
Advantages of SSO applications
- Reduces phishing success, because users are not trained to enter their password everywhere without thinking.
- Reducing password fatigue from different user name and password combinations
- Reducing time spent re-entering passwords for the same identity
- Can support conventional authentication such as Windows credentials (i.e., username/password)
- Reducing IT costs due to lower number of IT help desk calls about passwords
- Security on all levels of entry/exit/access to systems without the inconvenience of re-prompting users
- Centralized reporting for compliance adherence.
Disadvantages of SSO applications
- The SSO server can introduce a single point of network failure.
- The SSO server and other host security must be hardened.
What areas need to be tested in SSO authentication applications?
- Check Browser Cache
- Check authenticated and non-authenticated users
- Check users having different privileges
- Check URL security
- Check server performance
Basic test scenarios for SSO login authentication:
1. A valid user logs in to their own intranet application and then accesses the external host application.
Result: The user should be able to access the external host application, since they are a valid SSO user.
2. An invalid user logs in to their own intranet application and then accesses the external host application.
Result: The external application's login prompt should appear, since they are not a valid SSO user.
3. A valid user logs in to the intranet and accesses the external host application; at the same time the intranet session expires.
Result: The user should be able to keep working in the external host application even though the intranet session has expired.
4. A valid user logs in to the intranet, accesses the external application, logs out, and then accesses the external application again.
Result: The user should be logged in to the external application without a login prompt.
5. A valid user logs in to the intranet, accesses the external application, and then the session times out on the Innotas application.
Result: The user should be able to continue working in the external application after the time-out, since a session has already been established with the intranet application; when the session times out, the user's credentials are fetched automatically from the browser cache and the user is logged in again.