tags : Security, Identity Management

See this thread

SSO(Single Sign On)

Just a system of abstraction that translates downstream identity metadata into a protocol-based response that a program can be configured to understand. Consists of two parties (IDP and SP).

IDP (Identity Provider)

  • System where translations start.
  • Active Directory/LDAP/SQL Database are the most common examples of Identity providers.
  • Most documentation, though, refers to the IDP as whatever system provides your SSO. This is because IMO it’s easier to understand the last point of abstraction than to explain every abstraction point.

SP (Service Provider)

  • This is the application side or the Consumer side of the SSO transaction.
  • Usually this is some common-use library written into the application that handles the SSO response and turns it into usable configuration from which the application determines its ACLs.

Ways to do it

SAML

  • SAML is a technology for user authentication
  • Uses XML; Shibboleth is a popular implementation of SAML.
  • Considered the first true abstraction based SSO language and is quickly becoming “Legacy” to the more modern OAuth/OIDC.
  • The application deserializes the XML response into either cookies or session storage.

OIDC (OpenID Connect)

What is OIDC

  • Built on top of OAuth to allow identity-based authentication.
  • Published in Feb 2014 by the OpenID Foundation as the 3rd gen of OpenID technology
  • Allows clients to verify the identity of an end user based on the authentication performed by an authorization server
  • Specifies a RESTful HTTP API to fetch user info, using JSON as a data format.
  • How the RP (Relying Party) establishes a session is not specified by the OIDC spec.
  • JWTs are widely adopted for certain tokens used in OIDC but are not mandated.

Relationship of OAuth (Open Authorization) and OIDC (OpenID Connect)

Others

Resources