What is SSO
SSO is a concept that allows you to access and use more than one service with a single user ID. Let's give an example to understand this concept better.
- Without SSO, a user who wants to use a service is shown that service's login screen, signs in with a username and password, and the browser stores a session cookie for that one service.
- When the user wants to use another service, the same thing happens again: that service's login screen appears, the user signs in with a username and password, and another cookie is created for it in the browser. This is repeated for every service or application the user wants to use.
In this case the user spends time creating a separate account for each service and logging in to each one. Rotating the passwords of all these accounts regularly costs even more time, and the common shortcut of reusing one password for every service weakens security, since a password leaked from one service then unlocks all the others.
How Does Single Sign-On Work?
There are basically three kinds of element in the SSO concept:
- Identity Provider
- Server
- Clients (Browsers, Mobile Applications etc.)
A user who wants to use a service is redirected to the login page of the authorization server (IdP) and usually signs in with a username and password.
MonoSign also offers alternative login methods, such as passwordless login.
The server (IdP) then authenticates the user, creates a session-specific key (session token), and redirects the user, carrying this token, back to the page of the service they wanted to use. The same token can also be used by the other services connected to the IdP. In other words, once authenticated, the user can reach every service they are authorized for on the same SSO platform without entering the password again.
When the user later opens another service that belongs to the same SSO system, that service takes the session token presented by the user's client and checks it with the authorization server. If the server confirms the token, the service lets the user in; if the server rejects it, the user is redirected to the authorization server's login page and the login process is repeated. With this method the password is entered only at the authorization server, and no time is spent logging in to each individual service or application.
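The flow described above, as an added example that is not MonoSign's code or any real SSO product: a toy identity provider that issues opaque session tokens after a password check, and two services that never see the password and only ask the IdP whether a presented token is still valid. The class and function names (IdentityProvider, Service, introspect, sso_walkthrough), the redirect URL and the user credentials are all constructed for illustration. Tokens are kept server-side so the IdP can expire or revoke them, which is the property that lets a single logout or timeout cover every connected service.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: names, credentials and the login URL below are
# assumptions for illustration, not part of any real product.


class IdentityProvider:
    """Authenticates users, issues session tokens and answers
    token checks (introspection) coming from the services."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._users = {}      # username -> (salt, password hash)
        self._sessions = {}   # token -> (username, expiry timestamp)

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash so a leaked user table is not directly usable.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, now=None):
        """The only place the password is ever checked.
        Returns a fresh session token, or None on failure."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)           # opaque, unguessable
        current = now if now is not None else time.time()
        self._sessions[token] = (username, current + self.ttl)
        return token

    def introspect(self, token, now=None):
        """Called by a service: which user does this token belong to, if any?
        Expired or unknown tokens are rejected (and expired ones dropped)."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        username, expiry = rec
        current = now if now is not None else time.time()
        if current >= expiry:
            del self._sessions[token]
            return None
        return username

    def logout(self, token):
        # Revoking here invalidates the session for every connected service.
        self._sessions.pop(token, None)


class Service:
    """A relying application. It holds no passwords: it only forwards
    the client's token to the IdP and acts on the answer."""

    def __init__(self, name, idp):
        self.name = name
        self.idp = idp

    def handle_request(self, token, now=None):
        user = self.idp.introspect(token, now) if token else None
        if user is None:
            # Token missing, unknown, expired or revoked: send to the IdP login.
            return {"status": 302, "location": "https://idp.example/login"}
        return {"status": 200, "body": f"{self.name}: hello {user}"}


def sso_walkthrough():
    """Runs the sequence from the text and returns the HTTP status
    of each step: (no token, after login, second service, after expiry)."""
    idp = IdentityProvider(ttl_seconds=60)
    idp.register("alice", "correct horse battery staple")   # constructed user
    mail = Service("mail", idp)
    files = Service("files", idp)

    t0 = 1_000_000                                           # fixed clock for the demo
    first = mail.handle_request(None, now=t0)                # 302: redirected to IdP
    token = idp.login("alice", "correct horse battery staple", now=t0)
    after_login = mail.handle_request(token, now=t0)         # 200
    second_app = files.handle_request(token, now=t0)         # 200, no new password prompt
    expired = files.handle_request(token, now=t0 + 61)       # 302: session expired
    return first["status"], after_login["status"], second_app["status"], expired["status"]


if __name__ == "__main__":
    print(sso_walkthrough())
```

The design choice worth noticing is that the services call back to the IdP on every request rather than trusting the token on its own; that is what makes a logout or a shortened session lifetime at the IdP take effect everywhere at once, at the cost of one introspection round trip per request.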