Also why is it sometimes called a federated ID? Does it have to be an email address or could any value work?
SSO - Single Sign-On
The idea is that you use one identity from any provider to log in everywhere. It’s also used in the enterprise world to centrally manage every app you can log into. So they assign you an email address, and you can use their SSO service to get into Slack/Teams/Salesforce/Figma/admin panels and whatever else you might need. When you quit, they turn off your email, and by doing that you also lose access to all those other apps and accounts as well automatically.
It’s also widely used by regular people often in the form of login with Facebook/Google/AppleID/Github and others.
The idea behind it is, you can focus on having one account that you keep very safe with a strong password and 2FA. And you don’t have to remember any other password or username or whatever.
Not all SSO systems are compatible with eachother: some use SAML2, some use OpenID, some use a fairly standard OAuth flow, and some are specific to that platform like Facebook and Google. OpenID in particular is federated, because in theory you can use any OpenID provider to log into anything that accepts OpenID. Email is also federated, because it is also an open and interoperable standard: you can send a Gmail to a Yahoo account, or in my case, my own personal server. Or how Lemmy does it: I have my own Lemmy server, but it talks to all the other lemmys so I can subscribe, vote and comment.
The way it works is, you tell the site you would like to log in with a third party provider, the website redirects you to your SSO provider (that you trust and can validate that, for example, you’re indeed on google.com if you select to log in with Google). Then, you log in there (if not already). Then it confirms to you that you’re about to log in to whatever app, and what information about you will be shared such as your name, email address, picture, sometimes more. You validate, and your SSO provider sends you back to the website with a secret key that contains all that information, and voilà, you’re logged in to the website without ever making an account or entering your details. No password or security questions to remember for that site!
It doesn’t have to be an email, but since a lot of SSO providers are also email providers or use emails as your login there, it’s nearly always an email.
Great explanation. Two question, what’s the likelihood of an SSO page being spoofed? This seems like an all-eggs-in-one-basket sitch, so what are the potential threats to this?
“An SSO page” as in the log in page?
Well, first of all the website you want to log into needs to be a part of the scam (ie it’s a dodgy website or it’s been hacked). Hopefully you spot red flags for this.
An ideal SSO login/sign-up flow would only rely on an existing session. So you go to your federated identity site yourself, login, then your identity can be used with other services.
So a scammy website launching a login flow should be a red flag.The next best ideal is that a login flow redirects you to your federated identity login, giving you a chance to inspect the URL.
Hopefully you spot the URL is incorrect.Any flow that pops up a new window that doesn’t have the address bar would make it easier to hide the scammy login page.
Luckily, most federated identity sites use a fairly long session (like a month). So, if a login flow for an existing session (which would normally be a brief flash of a new window) is suddenly asking for a username and password, hopefully that is a red flag.
Additionally, the login flow usually remembers the username/email and will only ask for your password. So it asking for your email should be a red flag ( Although, this doesn’t help if you are using a different device).Federated identity sites should also be used with Multi Factor Authentication. So, even if a scammy site manages to get your to enter your username password and MFA code, it’s either unusable (because it’s not time based MFA) or the timeframe of being able to leverage it is mere minutes (for TOTP).
And the hastle of dealing with MFA is done once a day (or week or month or whatever), instead of every login.And finally, if a scammer/hacker gets through all of that, they have to try and take control of your federated identify.
SSOs should be hardened to anything they do.
When they log in, the SSO should detect a new device/IP accessing your account.
You should get notifications of a new device loging in with a button to click that says “that’s not me”.
That button invalidates all logged in sessions, and will take you through a credentials change flow (ie new password).The level of sophistication required to pull this sort of thing off is incredibly high.
And even for compromised identities, there are instant “I’ve fucked up” notifications/buttons.
The “eggs in one basket” thing is more like “eggs in one bunker with a lot of extra security”.
SSO is basically offloading your authentication to a trusted third party. Instead of having the user set up an account with a password in your system, you instead go “hey Google/Microsoft/okta/whatever, do you know this guy?”.
In theory it doesn’t have to be an email address, just any sort of account with said third party, email is just usually the standard to go with.
Here’s a good article that explains it well.
SSO allows users to use a single set of credentials to access multiple systems within a single organization (a single domain)
Instead having a seperate login for a website or an app you (or whoever) set up an SSO connection between the service provider’s SSO platform and your SSO platform aka IdP. When trying to log into that website or app it redirects you to authenticate with your SSO platform. This way you sign in with your IdP (e.g. Azure, Ping, Okta, etc) credentials instead of having a seperate set of credentials for each site. If you’ve already logged into your IdP recently the site your logging into can detect that and you won’t need to enter your password.
I believe the above example would be federated SSO because it’s between your organisation and one or more other organisations or vendors.
Email is the most common but it can be lots of things (depending on what SSO platforms being used and how they are configured).
A lot of different possible answers.
SSO is the concept, “single sign on” one set of credentials that you can use in multiple places.
Federated id’s are passed in the back end, as opposed to OIDC which works based on “pass back tokens”
Emails are usually used because they make great usernames. They’re definitely unique and people remember them, but it doesn’t have to be emails.
What do you want to know more about?
if SSO would be anything but a scam thered be an opensourcefederated thing.
just like “login with google” is a scam to harvest data.
share data across commercial services…and you will have a bad time.
you think SSO will come to protonmail or signal? no. because SSO is bad no matter how convenient.
go use chrome, post on fb, use SSO, order on amazon etc…but do not forget: YOU are the problem. you are the reason chrome can do shit like WEI. you are the reason amazon has a monopoly. and you using SSO is just your next step into shit.
Can’t make any sense of that comment, but here’s a link.