What is Single Sign-On (SSO)? How does SSO work?

In this article, we’ll talk about Single Sign-On, and how it works. Synup currently supports only SAML SSO and this article will also go into detail about the terminologies you’ll encounter when setting up SSO for your Synup account.  

To learn how to configure SSO for your Synup account, read this article.

What is Single Sign-On?

When you try to login to Synup, instead of using a dedicated userID and Password, Synup can ask identity providers to verify your identity. If they successfully authenticate your identity, we take their word for it and enable you to access your Synup account.

With SSO, you don’t have to come up with different passwords for various applications. Users like you can login using existing login information that is managed by Identity Providers (IdP) like G-Suite, Azure AD, ADFS, Okta, and OneLogin.

In short, Single Sign-On (SSO) is a system that lets users securely authenticate multiple cloud applications by logging in only once in a managed authentication system. This managed authentication system is called an Identity Provider (IdP) and the cloud applications that rely on authentication provided by IdP are called Service Providers (SP)

What is SAML? How does SAML work?

SAML is a very widely used XML-based authentication framework to securely exchange information between an Identity Provider (like G-Suite) and Service Provider (like Synup). As part of this setup,

• The Service Provider trusts the Identity Provider (IdP) to verify the user’s authentication
• The Identity Provider, on successful authentication, exchanges the user’s identity via a digitally signed authentication assertion with the Service Provider (SP) enabling a seamless login for the user.

In short, SAML is a standard security protocol that enables IdPs to securely let SPs like Synup know whether you are you.

Here is a list of some common terminologies you may encounter when trying to set up SAML SSO for Synup:

• Service Provider (SP): This is the entity providing the service or web application. In our case, the SP is Synup.

• Identity Provider (IdP): This is the entity that is capable of authenticating the user’s identity. Popular IdPs are Azure AD, G-Suite, Okta, and OneLogin.

• SAML Request: Also known as the authentication request. When a user tries to login using SSO, the service provider generates this request to the identity provider.
• SAML Response: The identity provider is responsible for generating the SAML response in XML format which contains the details of the user whose authentication is validated by the IdP. SAML Response is constructed by the IdP based on the mutually pre-configured information for a given SP. Once an SP receives the SAML response, it is the SP's responsibility to validate the response generated by the appropriate IdP and then parse the user's identity information embedded in the SAML response.
• ACS URL: This is the public endpoint from the SP side that IdP will post the SAML Response to.
• SAML SSO URL or Login URL: This is the public endpoint from the IdP side that the SP will send the SAML Request to.
• Assertions: SAML allows for one party to assert security information in the form of statements about a subject. For instance, a SAML assertion could state that the subject is named “John Doe”, and has an email address of john.doe@example.com.
• Certificate: SPs need to validate the SAML response generated by the IdP, and to be able to validate this, SP needs the public portion of the certificate that is used to sign the SAML response.

For a step-by-step guide on how to set up SSO for your Synup account, read this article.