Also why is it sometimes called a federated ID? Does it have to be an email address or could any value work?

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    34
    ·
    1 year ago

    SSO - Single Sign-On

    The idea is that you use one identity from any provider to log in everywhere. It’s also used in the enterprise world to centrally manage every app you can log into. So they assign you an email address, and you can use their SSO service to get into Slack/Teams/Salesforce/Figma/admin panels and whatever else you might need. When you quit, they turn off your email, and by doing that you also lose access to all those other apps and accounts as well automatically.

    It’s also widely used by regular people often in the form of login with Facebook/Google/AppleID/Github and others.

    The idea behind it is, you can focus on having one account that you keep very safe with a strong password and 2FA. And you don’t have to remember any other password or username or whatever.

    Not all SSO systems are compatible with eachother: some use SAML2, some use OpenID, some use a fairly standard OAuth flow, and some are specific to that platform like Facebook and Google. OpenID in particular is federated, because in theory you can use any OpenID provider to log into anything that accepts OpenID. Email is also federated, because it is also an open and interoperable standard: you can send a Gmail to a Yahoo account, or in my case, my own personal server. Or how Lemmy does it: I have my own Lemmy server, but it talks to all the other lemmys so I can subscribe, vote and comment.

    The way it works is, you tell the site you would like to log in with a third party provider, the website redirects you to your SSO provider (that you trust and can validate that, for example, you’re indeed on google.com if you select to log in with Google). Then, you log in there (if not already). Then it confirms to you that you’re about to log in to whatever app, and what information about you will be shared such as your name, email address, picture, sometimes more. You validate, and your SSO provider sends you back to the website with a secret key that contains all that information, and voilà, you’re logged in to the website without ever making an account or entering your details. No password or security questions to remember for that site!

    It doesn’t have to be an email, but since a lot of SSO providers are also email providers or use emails as your login there, it’s nearly always an email.

    • inspxtr@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Great explanation. Two question, what’s the likelihood of an SSO page being spoofed? This seems like an all-eggs-in-one-basket sitch, so what are the potential threats to this?

      • towerful@programming.dev
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        “An SSO page” as in the log in page?

        Well, first of all the website you want to log into needs to be a part of the scam (ie it’s a dodgy website or it’s been hacked). Hopefully you spot red flags for this.

        An ideal SSO login/sign-up flow would only rely on an existing session. So you go to your federated identity site yourself, login, then your identity can be used with other services.
        So a scammy website launching a login flow should be a red flag.

        The next best ideal is that a login flow redirects you to your federated identity login, giving you a chance to inspect the URL.
        Hopefully you spot the URL is incorrect.

        Any flow that pops up a new window that doesn’t have the address bar would make it easier to hide the scammy login page.

        Luckily, most federated identity sites use a fairly long session (like a month). So, if a login flow for an existing session (which would normally be a brief flash of a new window) is suddenly asking for a username and password, hopefully that is a red flag.
        Additionally, the login flow usually remembers the username/email and will only ask for your password. So it asking for your email should be a red flag ( Although, this doesn’t help if you are using a different device).

        Federated identity sites should also be used with Multi Factor Authentication. So, even if a scammy site manages to get your to enter your username password and MFA code, it’s either unusable (because it’s not time based MFA) or the timeframe of being able to leverage it is mere minutes (for TOTP).
        And the hastle of dealing with MFA is done once a day (or week or month or whatever), instead of every login.

        And finally, if a scammer/hacker gets through all of that, they have to try and take control of your federated identify.
        SSOs should be hardened to anything they do.
        When they log in, the SSO should detect a new device/IP accessing your account.
        You should get notifications of a new device loging in with a button to click that says “that’s not me”.
        That button invalidates all logged in sessions, and will take you through a credentials change flow (ie new password).

        The level of sophistication required to pull this sort of thing off is incredibly high.
        And even for compromised identities, there are instant “I’ve fucked up” notifications/buttons.
        The “eggs in one basket” thing is more like “eggs in one bunker with a lot of extra security”.