Single Sign-On Methods

Single sign-on (SSO) is an authentication method that lets a user sign in to multiple independent software systems with one set of credentials, entered once.

Implementations of single sign-on:

  • Cookie-based
  • Session-based
  • Central Authentication Service (CAS)

Cookie-Based SSO

It works by using HTTP cookies to carry the user's credentials from the browser to the server without further input from the user. The credentials are gathered on the client, encrypted, and then stored in a cookie.

Once the user enters a username and password in any subsystem, the credentials are stored in that cookie. Because the cookie is scoped to a domain shared by all subsystems, the browser automatically sends it to each of them.

Every system using cookie-based SSO must therefore be served from the same domain or from subdomains of one common parent domain (for example a.example.com and b.example.com sharing a cookie set with Domain=example.com). The shared parent cannot be a public suffix such as a bare top-level domain: browsers refuse to store a cookie whose Domain attribute is a public suffix, so "same top-level domain" is not enough. Note that this design places the user's real credentials in the browser's cookie store and in every request; encrypting the cookie does not change that, because a copy of the cookie is by itself sufficient to authenticate.

Advantages

  • Easy to implement.

Disadvantages

  • Cannot cross domains: every system must share one parent domain.
  • The credential cookie is stored in the browser and sent with every request, so any subsystem on the shared domain, or anyone who can read or copy the cookie, can authenticate as the user.
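The domain rule above is what makes cookie-based SSO possible within one domain hierarchy and impossible across unrelated ones. The following is an added example, not code from the original page: it implements RFC 6265 domain matching and the public-suffix check that browsers apply, and reports which of a set of hosts would receive a cookie set by an SSO login host. The host names and the tiny public-suffix set are constructed for the example.

```python
"""Cookie scoping for cookie-based SSO: which hosts the browser sends a cookie to.

Domain matching follows RFC 6265 section 5.1.3; the public-suffix rule follows
section 5.3. Host names below are constructed for this example.
"""
from typing import List, Optional

# A tiny stand-in for the Public Suffix List (https://publicsuffix.org/).
# Browsers will not store a cookie whose Domain attribute is a public suffix,
# which is why "same top-level domain" is not enough for cookie sharing.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """True if request_host domain-matches cookie_domain (RFC 6265 5.1.3).

    The host must equal the cookie domain or end with "." + cookie_domain;
    a bare string suffix such as notexample.com vs example.com does not count.
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_accepted(setting_host: str, cookie_domain: Optional[str]) -> bool:
    """Would a browser store a cookie set by setting_host with this Domain attribute?

    No Domain attribute gives a host-only cookie, which is always accepted.
    Otherwise the attribute must not be a public suffix, and the setting host
    must itself domain-match it (a host cannot set cookies for an unrelated domain).
    """
    if cookie_domain is None:
        return True
    domain = cookie_domain.lower().strip(".")
    if domain in PUBLIC_SUFFIXES:
        return False
    return domain_match(setting_host, domain)


def hosts_receiving_cookie(setting_host: str, cookie_domain: Optional[str],
                           candidate_hosts: List[str]) -> List[str]:
    """Subset of candidate_hosts to which the browser would later send the cookie."""
    if not cookie_accepted(setting_host, cookie_domain):
        return []  # the cookie was never stored
    if cookie_domain is None:
        # Host-only cookie: exact host match only, subdomains excluded.
        return [h for h in candidate_hosts if h.lower() == setting_host.lower()]
    return [h for h in candidate_hosts if domain_match(h, cookie_domain)]


if __name__ == "__main__":
    systems = ["sso.example.com", "shop.example.com", "mail.example.com",
               "example.com", "notexample.com", "example.org"]
    # The login host shares the cookie with every subsystem under example.com ...
    print(hosts_receiving_cookie("sso.example.com", "example.com", systems))
    # ... but cannot reach example.org, and cannot widen the scope to ".com".
    print(hosts_receiving_cookie("sso.example.com", "com", systems))
    print(hosts_receiving_cookie("sso.example.com", None, systems))
```

Run it as a script to see the three cases: a Domain=example.com cookie reaches all four example.com hosts and nothing else, a Domain=com cookie is never stored, and a cookie without a Domain attribute stays on the single host that set it.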

Session-Based SSO

It works by using HTTP cookies to transport an authentication token rather than the credentials themselves.

The token is stored in the browser's cookie and sent to the server as the session identifier. The mapping from session token to user ID is kept in a cache such as Redis that every subsystem can reach. Each subsystem reads the token from the request cookie and looks the user up in the shared cache; no subsystem ever handles the password. The token must be a long random value with no user data inside it, since whoever holds it is the user as far as every subsystem is concerned, and deleting it from the cache logs the user out everywhere at once.

Advantages

  • Suitable for distributed applications: any subsystem can validate a session against the shared cache, and the credentials never leave the login subsystem.

Disadvantages

  • Cannot cross domains: the token cookie is still only sent within one domain hierarchy.
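The following is an added example, not code from the original page, showing the session-based design end to end: a login subsystem verifies the password and creates a session in a store shared by all subsystems, the browser gets an opaque token in a domain-scoped cookie, and any other subsystem resolves that token to a user through the store. A Python dict stands in for Redis; the cookie name, the example.com domain, the user table and the TTL are constructed assumptions.

```python
"""Session-based SSO: an opaque token in a cookie, session state in a store shared by
every subsystem. The dict below stands in for Redis; the cookie name, domain, users
and TTL are constructed for this example."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 3600
COOKIE_NAME = "sso_session"
COOKIE_DOMAIN = "example.com"  # shared by shop.example.com, mail.example.com, ...


class SharedSessionStore:
    """What Redis would hold: hashed token -> (user_id, expiry). All subsystems share one."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a leaked store dump cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, no user data inside
        self._sessions[self._key(token)] = (user_id, now + SESSION_TTL_SECONDS)
        return token

    def lookup(self, token: str, now: float) -> Optional[str]:
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if expires_at <= now:
            del self._sessions[self._key(token)]
            return None
        return user_id

    def revoke(self, token: str) -> None:
        # Deleting here logs the user out of every subsystem at once.
        self._sessions.pop(self._key(token), None)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value: shared across subdomains, unreadable by script, HTTPS-only,
    not attached to cross-site requests."""
    return (f"{COOKIE_NAME}={token}; Domain={COOKIE_DOMAIN}; Path=/; "
            f"Max-Age={SESSION_TTL_SECONDS}; Secure; HttpOnly; SameSite=Lax")


def token_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Extract the SSO token from a raw Cookie request header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def _password_record(password: str) -> Tuple[bytes, bytes]:
    """Constructed user database entry: per-user salt plus PBKDF2 hash, never the password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {"alice": _password_record("correct horse battery staple")}  # constructed


def login(store: SharedSessionStore, user_id: str, password: str, now: float) -> Optional[str]:
    """Login subsystem: verify credentials, create the shared session, return a Set-Cookie value."""
    record = USERS.get(user_id)
    if record is None:
        return None
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    if not hmac.compare_digest(candidate, expected):
        return None
    return set_cookie_header(store.create(user_id, now))


def current_user(store: SharedSessionStore, cookie_header: str, now: float) -> Optional[str]:
    """Any subsystem: it never sees the password, only the token carried by the cookie."""
    token = token_from_cookie_header(cookie_header)
    return store.lookup(token, now) if token else None


def logout(store: SharedSessionStore, cookie_header: str) -> None:
    """Revoking in the shared store ends the session for every subsystem."""
    token = token_from_cookie_header(cookie_header)
    if token:
        store.revoke(token)


if __name__ == "__main__":
    store = SharedSessionStore()
    header = login(store, "alice", "correct horse battery staple", now=0.0)
    print(header)
    cookie = header.split(";")[0]  # what the browser sends back to shop.example.com
    print("shop.example.com sees:", current_user(store, cookie, now=1.0))
    logout(store, cookie)
    print("mail.example.com after logout:", current_user(store, cookie, now=2.0))
```

The two details worth copying are that the store holds only a hash of the token, so a dump of the cache is not a list of live sessions, and that the Set-Cookie attributes (Domain, Secure, HttpOnly, SameSite) are what actually decide which subsystems receive the token and which scripts cannot read it.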

Central Authentication Service (CAS)

When the user accesses an application system for the first time, they have not yet logged in, so the application redirects them to the central authentication system. The authentication system accepts the username and password and, on success, issues an access token (a ticket) bound to the requesting application. The browser presents the ticket to the application, and the application then calls the authentication system directly to check that the ticket is valid: that it was really issued, has not expired, has not already been used, and was issued for this application and not another. If the check passes, the application creates its own local session and the user can access its resources without logging in again. Because the redirect and the ticket travel through URLs rather than a shared cookie, the applications and the authentication system can live on unrelated domains.

Advantages

  • Supports cross-domain SSO.

Disadvantages

  • Needs an independent authentication system, which is one more component to run and secure.
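The following is an added example, not code from the original page or from the CAS project, that models the ticket flow above in memory: an application redirects to the authentication server naming itself as the service, the server issues a short-lived one-time service ticket, the application validates it server-to-server, and a second application on an unrelated domain is signed in without a second password prompt. The cas.example.org login URL, the two application URLs, the user table, the ticket prefixes and the service allowlist are assumptions for the example; a real CAS server speaks HTTP and XML and delegates password checks to a directory.

```python
"""CAS-style SSO across unrelated domains: the application redirects to a central
authentication server, receives a short-lived one-time service ticket through the
browser, validates it with the server directly, then starts its own local session.

Everything here is in-memory and constructed: the CAS URL, the application URLs,
the user table and the ticket formats are assumptions, not a real deployment."""
import secrets
from typing import Callable, Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

CAS_LOGIN_URL = "https://cas.example.org/login"
SERVICE_TICKET_TTL = 10.0  # seconds; a ticket only has to survive one redirect


class CASServer:
    """The independent authentication system."""

    def __init__(self, users: Dict[str, str], allowed_services: Set[str],
                 now: Callable[[], float]) -> None:
        self.users = users                        # constructed: user -> password
        self.allowed_services = allowed_services  # only registered apps get tickets
        self.now = now                            # injectable clock
        self.sso_sessions: Dict[str, str] = {}    # ticket-granting cookie (TGC) -> user
        self.tickets: Dict[str, Tuple[str, str, float]] = {}  # ST -> (user, service, expiry)

    def login(self, service: str, username: Optional[str], password: Optional[str],
              tgc: Optional[str] = None) -> Optional[Tuple[str, str]]:
        """Browser-facing login. Returns (tgc, redirect_url) or None.

        A valid TGC cookie from an earlier login is enough on its own; that is the
        single sign-on. Otherwise username and password must check out."""
        if service not in self.allowed_services:
            return None  # never redirect to an unregistered service (open-redirect guard)
        if tgc is not None and tgc in self.sso_sessions:
            user = self.sso_sessions[tgc]
        elif username in self.users and password is not None and self.users[username] == password:
            user = username  # plain compare only because the user table is constructed
            tgc = "TGC-" + secrets.token_urlsafe(32)
            self.sso_sessions[tgc] = user
        else:
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (user, service, self.now() + SERVICE_TICKET_TTL)
        sep = "&" if "?" in service else "?"
        return tgc, service + sep + urlencode({"ticket": ticket})

    def service_validate(self, service: str, ticket: str) -> Optional[str]:
        """Back-channel validation called by the application, not by the browser.

        The ticket is consumed on first presentation whatever the outcome, must be
        unexpired, and must have been issued for exactly this service."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        user, issued_for, expires_at = entry
        if expires_at <= self.now() or issued_for != service:
            return None
        return user


class Application:
    """One application system; any number of these can sit on unrelated domains."""

    def __init__(self, base_url: str, cas: CASServer) -> None:
        self.base_url = base_url
        self.cas = cas
        self.sessions: Dict[str, str] = {}  # local session id -> user

    def login_redirect(self) -> str:
        """Step 1: an unauthenticated user is sent to CAS, naming this app as the service."""
        return CAS_LOGIN_URL + "?" + urlencode({"service": self.base_url})

    def handle_callback(self, url: str) -> Optional[str]:
        """Steps 3-4: take the ticket from the redirect back, validate it server-to-server,
        and only then create a local session id for this application's own cookie."""
        ticket = parse_qs(urlparse(url).query).get("ticket", [None])[0]
        if ticket is None:
            return None
        user = self.cas.service_validate(self.base_url, ticket)
        if user is None:
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        return session_id


if __name__ == "__main__":
    import time
    cas = CASServer({"alice": "s3cret"},
                    {"https://app1.example.com/", "https://app2.example.net/"}, time.time)
    app1 = Application("https://app1.example.com/", cas)
    app2 = Application("https://app2.example.net/", cas)
    print("redirect to:", app1.login_redirect())
    tgc, back = cas.login("https://app1.example.com/", "alice", "s3cret")
    print("app1 session:", app1.handle_callback(back), "replay:", app1.handle_callback(back))
    _, back2 = cas.login("https://app2.example.net/", None, None, tgc=tgc)  # no password
    print("app2 session on another domain:", app2.handle_callback(back2))
```

Three checks in service_validate carry the security of the scheme: the ticket is popped before it is examined, so it cannot be replayed; it expires within seconds; and it is compared against the service URL the application itself passes, so a ticket stolen from one application cannot be redeemed at another. The allowlist in login is the matching check on the other side, preventing the authentication system from redirecting a fresh ticket to an attacker-chosen URL.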