SSO ecosystem

From Online Meeting Coop Wiki

What is "SSO"?

From https://en.wikipedia.org/wiki/Single_sign-on: Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. It is not a silver bullet and has its own implications for how you design systems; please see the criticism section of the Wikipedia article.

Advantages of SSO

As the end-user of a system:

  • You only need to remember one username/password combination for multiple services
  • You only need to trust one identity management service, not multiple (the flip side being that this one service becomes the single point whose compromise affects every system connected to it)

As a system administrator:

  • You have less overhead on customer service requests regarding user account management (password resets, lockouts, renamed accounts)
  • Your system delegates user account management to another, dedicated identity management service
  • You have less overhead mitigating critical security vulnerabilities in your own identity handling (password storage, brute-force protection, account recovery), since that code lives in the identity provider rather than in your system

See more on the wikipedia benefits listing.

The SSO Vocabulary Jungle

This list is not and cannot be exhaustive, since the ecosystem keeps moving; there is big money in identity management. However, there are some usual suspects you will find mentioned time and time again. They tend to stick around because systems and organisations have invested in those integrations, and support must go on for the sake of the dependent user bases. A lot of the following text is quite subjective and was published around July 2020, so things might have changed if you are reading this in a distant future or alternative timeline.

LDAP

Lightweight Directory Access Protocol (LDAP) is probably the most widely supported method of centralising logins, and a great many systems offer the integration, which is good. Strictly speaking it is a directory protocol rather than an SSO protocol: an application usually authenticates a user by binding to the directory with the username and password the user typed into that application, so the user still enters a password into each system and each system handles that plaintext password (which is why LDAP integrations should run over TLS and must escape user-supplied input in DNs and search filters). Rather than being well understood from a technical perspective, LDAP is in most cases seen as some sort of black magic. Finding system administrators and developers who can confidently design, manage and change LDAP configurations is not an easy task today. Nonetheless, it is often seen as "the baseline" since so many systems offer the integration. That is the trade-off.

OAuth

OAuth (in practice OAuth 2.0) is the go-to corporate solution, used by GAFAM, and the standardisation process of this method is therefore muddied by competing corporate needs at maximum Big Tech global scale. One consequence is that it can be quite difficult to understand from a technical perspective. It is also worth being precise about what it is: OAuth 2.0 is an authorisation framework for delegating access to an API (the result is an access token), not an authentication protocol. Building "Login with X" on bare OAuth is a well-known anti-pattern; it is OpenID Connect, layered on top of OAuth 2.0, that adds the signed ID token telling the application who the user is. Despite this, many developers and system administrators are more likely to run into having to maintain, change and design OAuth integrations, because so many technology start-ups rely on it. In other words, you might meet a developer who knows OAuth but not LDAP. OAuth has many integrations, but typically not as many as LDAP. Of course, it depends.
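As an added example (not code from this wiki or from any particular identity provider), here is the relying-party side of an OAuth 2.0 authorisation-code request as used for login: it generates a per-request state value (the CSRF check on the callback), a PKCE verifier and its S256 challenge, asks for the openid scope so that OpenID Connect returns an ID token rather than only an access token, and validates the redirect back before the code is exchanged. The endpoint URL, client ID and redirect URI are hypothetical placeholders; the session dict stands in for whatever server-side session store the application has.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider endpoint and client registration (assumed values, not real ones).
AUTHORIZE_URL = "https://idp.example.org/oauth2/authorize"
CLIENT_ID = "meeting-app"
REDIRECT_URI = "https://app.example.org/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 URL-safe characters, inside the 43..128 range allowed.
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(session: dict) -> str:
    """Start the flow: stash state and verifier in the session, return the URL to redirect to."""
    state = b64url(secrets.token_bytes(16))
    verifier = make_code_verifier()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",  # 'openid' makes this an OIDC request: an ID token comes back
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect from the IdP and return the body to POST to the token endpoint.

    Raises PermissionError on an IdP error, a missing/mismatched state (CSRF or replay),
    a missing PKCE verifier, or a missing code. State and verifier are single-use.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError("IdP returned error: " + query["error"][0])
    expected_state = session.pop("oauth_state", None)
    received_state = query.get("state", [None])[0]
    if expected_state is None or received_state is None or not secrets.compare_digest(
        expected_state.encode("utf-8"), received_state.encode("utf-8")
    ):
        raise PermissionError("state mismatch: possible CSRF or replayed callback")
    verifier = session.pop("pkce_verifier", None)
    if verifier is None:
        raise PermissionError("no PKCE verifier in session")
    code = query.get("code", [None])[0]
    if not code:
        raise PermissionError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,  # IdP recomputes S256 and compares with the challenge sent earlier
    }


if __name__ == "__main__":
    session = {}
    print(build_authorization_request(session))
    print(handle_callback(session, REDIRECT_URI + "?code=demo&state=" + session["oauth_state"]))
```

The token exchange itself (a POST of the returned body to the provider's token endpoint, followed by verifying the ID token's signature, issuer, audience and expiry) is the step that turns this from OAuth into OpenID Connect login; it is deliberately left out here because it needs a live provider.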

OpenID Connect

TODO.

SAML

TODO.