Tuesday, April 20, 2010

A conversation on Single Sign On (SSO)

In my dream world you have a single logon, one username and password for the entire web, and the magic is only one organization will ever know this password. This organization is called our Identity provider.


Choosing your provider is one of the most important things you will do, because moving to a new provider means recreating your identity online. It is like a change of address without the help of the post office.


Ideas for who might be your provider:


  • Your local ISP, but this is a bad idea for the same reason that an @yourlocalisp.com email address is a bad idea. If some new ISP comes around, or you move, and you want to switch ISPs, you can’t without losing your online identity and email.

  • Your employer, this is great for any work related identities but not something you want to use for your day to day life.

  • A major company providing a free service, this is my personal choice but you have to make sure you pick a company you expect to be around in 10 years providing the service. Examples are Yahoo, Google, Facebook, Twitter. All of these are identity providers but only 3 of them I trust to be around in 10 years.

  • Run your own. For about $10 a year in hosting and domain cost you can buy your own domain and host your own Identity Provider. This is great because as long as you understand the setup you will always be able to own this domain even if companies go out of business. This is too much work even for me.


Now you might be wondering, how does this work? I was told never to use the same username and password at multiple sites. This is true, but all a username and password is, is a way to identify you as the same person that came before. When you log in to a web site the site is really thinking “Welcome back username+password”. The new way of thinking is to have your Identity Provider speak for you, so a website would say “Welcome back google user 7468845847347689”. All of this starts with a conversation, but first a few terms. A Relying Party is a web site, like this blog; it relies on knowing who you are when you post a comment. The user, well, that’s you.



User goes to Relying Party and says “let me in”

Relying Party Says “Who can vouch for you”

Now the user has to let the system know who its Identity provider is. Right now the market is fractured and there are multiple technologies for this so your choices might be limited.


  • The User chooses Google, Yahoo, LiveJournal, Blogger or any other openID provider.

    • Protocol does authentication and passes optional extra data like name and email

    • The relying party is not required to have any previous knowledge of Google’s existence; anyone can buy a domain and create an OpenID provider.



  • The User chooses Twitter (OAuth)

    • Protocol is designed for publishing, not authentication. It lets the relying party act on behalf of the user on the site, doing things like making posts or generally modifying content.

    • The relying party must register with twitter.com as an application.



  • The User chooses Facebook (Facebook Connect)

    • Non standard protocol.

    • The relying party must register with Facebook first as an application.

    • A custom API (with libraries to make it easier) is used to check if a user is authenticated and to act on the user’s behalf based on the permissions requested.





There are other technologies, but they are not as popular on the open web, including:

  • Microsoft ADFS 2.0

  • WS-Federation 1.1

  • WS-Federation 2.0

  • SAML 2.0

  • Infocard

    • Requires running card selector software.
    • Requires running a browser compatible with my installed selector (it seems only IE worked for me, and I was right out of luck on my phone).


Once they have made their choice, the user is redirected to the chosen Identity Provider.

That Identity Provider authenticates the user; this can be a username and password, biometrics, an internal pass-through, magic, anything.

The Identity Provider tells the user’s web browser to send the user back to the Relying Party and tell them “I’m USERNAME/CanonicalID, signed, the Identity Provider”.

The Relying Party checks the signature* and says “Welcome USERNAME/CanonicalID”.
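The redirect, sign and verify steps above as an added example (not code from this post, and a simplified stand-in for OpenID’s real message format). It assumes the Relying Party and Identity Provider share an HMAC secret, as an OpenID association would provide, and adds a one-time nonce so the same signed assertion cannot be handed to the Relying Party twice.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed shared secret: in OpenID this comes from an "association"
# between the Relying Party and the Identity Provider, not a hard-coded value.
SHARED_SECRET = b"example-association-secret"

def sign(fields: dict) -> str:
    """Sign the fields in a fixed order so both sides compute the same MAC."""
    msg = "\n".join(f"{k}:{fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()

def idp_issue_assertion(idp_url: str, canonical_id: str, return_to: str) -> str:
    """Identity Provider step: build the redirect that tells the browser to go
    back to the Relying Party saying "I'm CANONICAL_ID, signed, the IdP"."""
    fields = {
        "op_endpoint": idp_url,
        "claimed_id": canonical_id,
        "return_to": return_to,                              # which site this is for
        "nonce": f"{int(time.time())}-{secrets.token_hex(8)}",  # single use
    }
    fields["sig"] = sign(fields)
    return return_to + "?" + urlencode(fields)

SEEN_NONCES: set = set()  # Relying Party's memory of assertions already accepted

def rp_verify(redirect_url: str, expected_return_to: str) -> Optional[str]:
    """Relying Party step: check the signature before saying "Welcome".
    Returns the canonical id on success, None on any failure."""
    query = redirect_url.split("?", 1)[1]
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    sig = fields.pop("sig", "")
    if not hmac.compare_digest(sig, sign(fields)):
        return None  # tampered, or not signed by our Identity Provider
    if fields.get("return_to") != expected_return_to:
        return None  # assertion was issued for a different Relying Party
    if fields["nonce"] in SEEN_NONCES:
        return None  # replay of an assertion we already accepted
    SEEN_NONCES.add(fields["nonce"])
    return fields["claimed_id"]
```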



Want to try this out? Just comment on this post; it uses OpenID as mentioned above.