Before we can start going through the implementation details of an SSO, we need to learn the basic concepts used by any method for securing application endpoints, regardless of whether they are based on SSO or not. The fundamental concepts used by any such system are authentication and authorization. These can be summarized as follows:

  • Authentication: It validates that a user or a non-human client is known to the system and has proved that they are who they claim to be.

  • Authorization: It determines whether a user or a non-human client that has passed the authentication is allowed to access a specific resource.

Let's now dive into a less abstract description of each of these processes.

Authentication flow

The purpose of authentication is to determine that the entity that is trying to connect to our system is who it says it is. Unless a specific part of our application was designed to be accessible anonymously, the application should reject access to any entity that cannot prove its identity.

Password authentication

A typical and, perhaps, the best-known way of authenticating is by using a username and password. This is how the authentication flow works:

  1. The user enters the username, claiming to be a specific person.

  2. The user then enters the password that, in theory, only that specific person should know.

This process is summarized in the following diagram.
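The two steps above, followed by the authorization check from the introduction, as an added example that is not part of the original course material. It assumes a constructed in-memory user store and access list; a real system would use a database and a proper identity provider.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store (assumption: a real system would use a database).
# Passwords are never stored in the clear; only a per-user random salt and a PBKDF2 hash.
_USERS = {}
# Constructed resource -> allowed usernames mapping used by the authorization step.
_ACL = {"/reports": {"alice"}, "/profile": {"alice", "bob"}}

def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted key derivation so a leaked store cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash for a new user."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))

def authenticate(username: str, password: str):
    """Steps 1 and 2 of the flow: the username is the identity claim, the password the proof.
    Returns the authenticated username, or None when the claim cannot be proven."""
    record = _USERS.get(username)
    if record is None:
        # Unknown user: still pay the derivation cost so response time does not
        # reveal which usernames exist.
        _derive(password, b"\x00" * 16)
        return None
    salt, expected = record
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(_derive(password, salt), expected):
        return username
    return None

def authorize(principal, resource: str) -> bool:
    """Authorization: only an authenticated principal is checked against the ACL."""
    if principal is None:
        return False
    return principal in _ACL.get(resource, set())

def access(username: str, password: str, resource: str) -> bool:
    """Full flow: authenticate first, then authorize against the requested resource."""
    return authorize(authenticate(username, password), resource)

# Constructed sample users for the demonstration.
register("alice", "correct horse battery staple")
register("bob", "hunter2")
```

Note that a valid password for `bob` still yields a refusal on `/reports`: passing authentication does not by itself grant access.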
