single-sign-on-(sso)
Single Sign-On (SSO) is an authentication process that lets a user access multiple applications using a single set of login credentials.
Single Sign-On (SSO) is an authentication mechanism that enables users to log in once with a single set of credentials (username and password, or other authentication factors) and gain access to multiple, independent software systems without being prompted to log in again for each system. The model relies on a trusted third-party Identity Provider (IdP) that authenticates the user. Once authenticated, the IdP issues a security token (e.g., a SAML assertion, an OAuth access token, or an OpenID Connect ID Token) to the user's browser or client. This token carries claims about the user's identity and, depending on the protocol, authorization attributes. Service Providers (SPs), the applications the user wishes to access, trust the IdP and validate the received token. Upon successful validation, the SP grants the user access without requiring separate credentials. Common SSO protocols include Security Assertion Markup Language (SAML), OAuth 2.0, and OpenID Connect (OIDC). SSO improves the user experience by reducing login friction and improves security by centralizing authentication management, simplifying password policies, and reducing the risk of credential reuse across multiple applications.
graph LR
Center["single-sign-on-(sso)"]:::main
Pre_cryptography["cryptography"]:::pre --> Center
click Pre_cryptography "/terms/cryptography"
Rel_authentication["authentication"]:::related -.-> Center
click Rel_authentication "/terms/authentication"
Rel_authorization["authorization"]:::related -.-> Center
click Rel_authorization "/terms/authorization"
Rel_saas_software_as_a_service["saas-software-as-a-service"]:::related -.-> Center
click Rel_saas_software_as_a_service "/terms/saas-software-as-a-service"
classDef main fill:#7c3aed,stroke:#8b5cf6,stroke-width:2px,color:white,font-weight:bold,rx:5,ry:5;
classDef pre fill:#0f172a,stroke:#3b82f6,color:#94a3b8,rx:5,ry:5;
classDef child fill:#0f172a,stroke:#10b981,color:#94a3b8,rx:5,ry:5;
classDef related fill:#0f172a,stroke:#8b5cf6,stroke-dasharray: 5 5,color:#94a3b8,rx:5,ry:5;
linkStyle default stroke:#4b5563,stroke-width:2px;
🧠 Knowledge Check
🧒 In Simple Terms
It's like having a master key that unlocks all the different doors in your house, so you only need to use one key instead of a separate one for each room.
🤓 Expert Deep Dive
SSO implementations typically rely on federated identity management protocols. SAML 2.0, a widely adopted standard, uses XML-based assertions exchanged between an IdP and SPs, usually carried through the user's browser via the HTTP Redirect and HTTP POST bindings. OAuth 2.0, primarily an authorization framework, is frequently used in conjunction with OpenID Connect (OIDC) for authentication. OIDC builds upon OAuth 2.0, adding an identity layer that provides user profile information and a standardized, signed ID token. Key architectural components include the Identity Provider (authenticates users and issues tokens), the Service Providers (rely on the IdP for authentication), and the user's client (carries the tokens between them). Security considerations on the SP side are robust token validation (signature verification with a pinned algorithm, expiration checks, issuer and audience restriction), secure transport (TLS), and protection against token replay (nonce or token-identifier tracking). The trade-off is the increased criticality of the IdP: a compromise of the IdP can lead to widespread access breaches across all connected SPs.
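The validation steps listed above, shown as an added example rather than code from the original page or any particular IdP. It implements the SP side of OIDC ID-token checking with the Python standard library only: pinned algorithm, signature verification, issuer and audience restriction, expiration with clock-skew leeway, and a replay guard keyed on the token's `jti`. The shared HS256 secret, issuer URL, audience and timestamp are constructed values for the demonstration; real IdPs normally sign with RS256/ES256 and publish their public keys through a JWKS endpoint, so the `mint_id_token` stand-in for the IdP would not exist in a production SP.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed test fixtures (not real credentials or endpoints).
SECRET = b"constructed-shared-secret-for-demo"
ISSUER = "https://idp.example.test"
AUDIENCE = "sp-app"
NOW = 1_700_000_000  # fixed "current time" so results are reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the IdP: produce an HS256-signed JWT (constructed for the demo)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, secret, expected_issuer, expected_audience, now=None, leeway=60):
    """SP-side validation. Returns (ok, reason, claims); claims is None on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "undecodable", None
    # Pin the algorithm the SP expects; never let the token's header choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected_alg", None
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):  # constant-time compare
        return False, "bad_signature", None
    # Only now are the claims trustworthy enough to read.
    if claims.get("iss") != expected_issuer:
        return False, "wrong_issuer", None
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong_audience", None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired", None
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        return False, "issued_in_future", None
    return True, "ok", claims


class ReplayGuard:
    """Rejects a token whose jti has already been accepted; entries expire with the token."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def accept(self, claims: dict, now: float) -> bool:
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        jti = claims.get("jti")
        if not jti or jti in self._seen:
            return False  # policy: tokens without jti are not accepted
        self._seen[jti] = claims.get("exp", now)
        return True


def demo() -> dict:
    """Run the validator over a good token and several bad ones; return reason per case."""
    base = {"iss": ISSUER, "sub": "alice", "aud": AUDIENCE, "iat": NOW - 10, "exp": NOW + 300, "jti": "t1"}
    good = mint_id_token(base, SECRET)
    h, _, s = good.split(".")
    forged = f"{h}.{_b64url_encode(json.dumps(dict(base, sub='mallory')).encode())}.{s}"
    results = {
        "good": validate_id_token(good, SECRET, ISSUER, AUDIENCE, now=NOW)[1],
        "forged_payload": validate_id_token(forged, SECRET, ISSUER, AUDIENCE, now=NOW)[1],
        "wrong_key": validate_id_token(good, b"other-key", ISSUER, AUDIENCE, now=NOW)[1],
        "wrong_audience": validate_id_token(mint_id_token(dict(base, aud="other-app"), SECRET), SECRET, ISSUER, AUDIENCE, now=NOW)[1],
        "expired": validate_id_token(mint_id_token(dict(base, exp=NOW - 120), SECRET), SECRET, ISSUER, AUDIENCE, now=NOW)[1],
    }
    guard = ReplayGuard()
    ok, _, claims = validate_id_token(good, SECRET, ISSUER, AUDIENCE, now=NOW)
    results["first_use"] = ok and guard.accept(claims, NOW)
    results["replay"] = guard.accept(claims, NOW)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, because an unverified `iss` or `aud` tells the SP nothing, and the algorithm is fixed by the SP rather than taken from the token header. The replay guard belongs in the SP as well; the IdP cannot see how many times a token it issued is presented downstream.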