How Single Sign-On Works
To understand how SSO works, let's see what happens when a user accesses
a second application within the Single Sign-On environment after having
been successfully authenticated and granted access to the first one. Follow
the flows in the diagram below carefully. It may look complex at first glance,
but it follows quite simply from what we have seen earlier.
Fig 15: SSO steps
What is happening here?
When the interceptor redirects the browser to the SSO server, the browser
presents the Authentication Token that the SSO server gave it at the time of
its first login (when the browser tried to access the first application). The SSO
server checks the validity of the Authentication Token against its Token
Database. If the token is valid, it means the Single Sign-On session is still
active and the user doesn't have to log in again. So the user will not see a
login screen this time. This is SSO!
What about authorisation? Well, there are a few options on how this can be
done. The diagram above shows how coarse-grained authorisation works in
the general case. The SSO server generates an Application Access Token for
this application anyway, stores it in the Token Database and then redirects
the browser back to the application along with the token's “handle”, usually
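The round trip just described, written out as a small Python simulation. This is an added example, not code from the book or from any particular SSO product: the `TokenDatabase`, `SSOServer`, `handle_redirect` and `redeem_handle` names, the `example.test` URLs and the token lifetimes are all constructed here. The SSO server checks the presented Authentication Token against its Token Database (an expired or unknown token sends the user to the login screen), and on success generates an Application Access Token, stores it under a handle and redirects the browser back to the application with that handle. The final step, in which the application redeems the handle with the SSO server, is an assumption added to make the flow complete; the page text above stops before describing what happens with the handle.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass
class TokenDatabase:
    """Constructed stand-in for the SSO server's Token Database."""
    # Authentication Token -> (user, expiry timestamp)
    auth_tokens: dict = field(default_factory=dict)
    # Application Access Token handle -> (user, application URL, expiry timestamp)
    access_tokens: dict = field(default_factory=dict)


class SSOServer:
    """Hypothetical SSO server: issues Authentication Tokens and Application Access Tokens."""

    def __init__(self, db, session_ttl=3600, access_ttl=60, clock=time.time):
        self.db = db
        self.session_ttl = session_ttl   # lifetime of the Single Sign-On session
        self.access_ttl = access_ttl     # lifetime of an Application Access Token handle
        self.clock = clock               # injectable so tests can advance time

    def login(self, user):
        """First login: issue the Authentication Token the browser will present later."""
        token = secrets.token_urlsafe(32)
        self.db.auth_tokens[token] = (user, self.clock() + self.session_ttl)
        return token

    def validate_auth_token(self, token):
        """Check the presented token against the Token Database; None if the session is not active."""
        entry = self.db.auth_tokens.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self.db.auth_tokens[token]   # drop the stale session record
            return None
        return user

    def handle_redirect(self, auth_token, app_url):
        """Browser arrives from the interceptor. Returns (redirect_url, login_required)."""
        user = self.validate_auth_token(auth_token)
        if user is None:
            # No active SSO session: the user must see the login screen.
            return f"https://sso.example.test/login?{urlencode({'next': app_url})}", True
        # Active session: coarse-grained authorisation, no login screen.
        # Generate the Application Access Token, store it, and hand the browser only its handle.
        handle = secrets.token_urlsafe(16)
        self.db.access_tokens[handle] = (user, app_url, self.clock() + self.access_ttl)
        return f"{app_url}?{urlencode({'handle': handle})}", False

    def redeem_handle(self, handle, app_url):
        """Assumed back-channel step: the application exchanges the handle for the user identity.
        The handle is single-use and bound to the application it was issued for."""
        entry = self.db.access_tokens.pop(handle, None)
        if entry is None:
            return None
        user, bound_app, expires_at = entry
        if bound_app != app_url or self.clock() >= expires_at:
            return None
        return user


def access_second_application(server, browser_auth_token, app_url):
    """Simulate interceptor -> SSO server -> application for one browser request."""
    redirect_url, login_required = server.handle_redirect(browser_auth_token, app_url)
    if login_required:
        return {"login_screen_shown": True, "user": None}
    handle = parse_qs(urlparse(redirect_url).query)["handle"][0]
    user = server.redeem_handle(handle, app_url)
    return {"login_screen_shown": False, "user": user}


if __name__ == "__main__":
    db = TokenDatabase()
    sso = SSOServer(db)
    token = sso.login("alice")                      # first application: login screen once
    print(access_second_application(sso, token, "https://app2.example.test/"))  # no login screen
    print(access_second_application(sso, "unknown", "https://app2.example.test/"))  # login required
```

Two details worth noticing: the browser never carries the Application Access Token itself, only a short-lived handle that the application redeems once, and the SSO session's expiry is enforced at the Token Database check, which is exactly the point at which the user is either let through silently or sent back to the login screen.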