Talk:Single sign-on/Archives/2016

This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.

I just updated the opening section of the single sign-on article to try to distinguish between true SSO (based on the work of the formal user groups and how Google federates all their apps), versus OPenID, OAuth, Facebook Connect, etc, where I thought you have to sign in each time. I included a source saying that OpenID was not technically SSO, but instead is pluggable authentication with a shared database [[1]]. I also looked at the different standards bodies to get info direct from the source. Opengroup.org has a page showing how SSO is supposed to work, where the login info is passed to the secondary sources without the user having to do anything but click.[[2]] The National Information Standards Organization (NISO) has an SSO initiative called ESPRESSO where they are trying to draft true single sign-on, and in the call for the draft document they specifically mention Athens and Shibboleth as being true SSO, but only if the participating sites have agreed on which one to use.[[3]] I went to the OpenID COnnect site and found their spec, and it does say that the OpenId process can be automatic, at least that's how I'm reading section 3.1.2.1. Authentication Request on [[4]]. My personal experience is that I'm prompted every time - I've never gone to a web site where I was automatically logged in and it said "Welcome Tim" or something like that on the top.

I looked in the other comments on this talk page and saw that there were two old previous discussions about this - one saying SSO and OpenID are different user:Sam lowry2002, and one saying they were the same, but without providing any sources user:JamesHenstridge. Here's a blog listed as an external link which heavily mixes and matches the terms SSO and OpenID [[5]]. I"m not sure what's right. Anyone have any additional insight about OpenID and whether it is expected to function as true SSO? If not, the entire security section, which only discusses OAuth, needs to be updated.Timtempleton (talk) 15:44, 23 May 2014 (UTC)

I said that OpenID can be used to build a Single Sign-On system, and I stand by that. I agree that many sites implementing OpenID are not implementing SSO, that doesn't mean that OpenID can't be used to implement it.

Rather than requiring the user to click a "log in" button, there is nothing stopping Relying Party web sites from starting the authentication process without prompting by the user. This could either be done when the user first visits the site or when they do something that requires authentication (e.g. as part of the checkout process on a web store, editing a wiki page, etc). If you want to do this without user interaction, you'd need to use a fixed identity URL to start the authentication procedure. With OpenID 2.0's identity select mode, this isn't such a problem: you can use an Identity Provider's identity URL instead. In this way, the IdP can authenticate as any identity URL it manages in the response.

On the Identity Provider side, it knows which RP it is talking to and knows who the user is through browser credentials (cookies, client certificates, basic or digest auth, etc). While the IdP could ask the user if they want to provide their identity to the RP, if could also complete the authentication process for recognised RPs without user interaction. If you put these two together, an RP could transparently authenticate a user provided they have previously authenticated to the IdP. --James (talk) 02:40, 10 June 2014 (UTC)

https://www.atlassian.com/software/crowd/overview/ — Preceding unsigned comment added by 190.216.150.147 (talk) 13:37, 14 March 2016 (UTC)