A very traditional part of internet security requires users to sign up on the website whose services they wish to use or log in if they already have signed up. However, as more and more websites require this step, the more credentials a user has to remember. Many websites don’t have the same credential policies, so the user can’t even use the same credentials everywhere. Here, the idea for a single sign-on mechanism was born.
A single sign-on (SSO) is an authentication mechanism enabling users to use the same set of approved credentials to sign up on multiple websites. The most popular SSO mechanism supported on the internet is using Google credentials, thanks to its easy-to-integrate API. Other popular SSO mechanisms include using Facebook, GitHub, Active Directory, Azure AD and Twitter credentials. It authenticates the user only once and fetches the data through cookies after that.
The primary concept of SSO is sharing session information across different internet domains. Security is significantly compromised in such a case, and most browsers don’t allow for cookies from one domain to be accessed by another. SSO shares session information after a central domain authenticates it. For example, the central domain can use a signed and encrypted JSON Web Token, which is passed to and used by other domains.
There are multiple SSO protocols that each perform SSO in their unique way. Different implementations include SAML, Facebook Connect, and OpenID Connect. Choosing a particular implementation depends on the nature of the domain that is being integrated with them. Some options like Auth0 help handle all the major work with integrating SSO into a domain.