Heretto Deploy Portal SSO - Introduction

This document describes high level SSO functionality of the Heretto Deploy Portal.

What is SSO?

Maintaining user identities, roles, and groups is a difficult job, and is often one that Service Providers (SPs) would rather not do, as it does not reflect their core competency. A popular solution is to delegate the responsibility for managing user accounts and authentication to a third-party entity, the Identity Provider (IDP). SSO, an acronym for Single Sign-On, is a family of authentication schemes that use IDPs to manage user accounts and authenticate users, and to transfer only the relevant attributes back to the Service Providers. The name comes from the idea that you only have to sign on in a single place, your IDP; the various SPs then simply contact the IDP to determine your identity instead of managing your account details and authentication themselves.

Tip: True single sign-on enables the user to log in once and access services without re-entering authentication factors.

Important: This document makes multiple references to "resources". A resource is simply any content or service that a Service Provider may offer to viewers. It could be an image, an article, a paragraph, or even access to some feature, such as a mortgage calculator.

To take full advantage of SSO, the SP must be able to distinguish which of its resources are protected. When a user requests a protected resource and is either not currently identified by the SP, or has insufficient privileges to access it, the user is typically presented with a list of one or more partner IDPs with which they can authenticate, and thereby, if the IDP's assertion grants sufficient privileges, gain access to the protected resource.

Tip: A User Agent is typically a web browser, but in some specialized cases it may not be. It may in fact be a server or some other program than a web browser.

When a user agent is redirected to the IDP, the link includes information about which page it had originally requested (this is the state). The IDP then confirms the user's identity and redirects the user agent back to the SP with an assertion and the original state of the request. The SP processes this response and then decides whether the user is authorized to access the requested resource.

Attention: Authentication and authorization are often confused, and it is helpful to establish a good working definition of what they mean. Authentication is the process of proving that you are who you say you are. It's sometimes shortened to AuthN. Authorization is the act of granting an authenticated party permission to do something. It specifies what data you're allowed to access and what you can do with that data.

The following sequence diagram illustrates how SSO works, generally speaking, in relation to the Portal:

Figure 1. Portal Single Sign On (diagram: portal sso diagram)

Tip: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. Assertions are simply trusted details about a user that an IDP shares with an SP. It is from these details that authorization decisions can be made.
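The following is an added illustration of the redirect, state and assertion exchange described above, together with the authorization decision the SP makes from the asserted details. It is example code written for this page, not Heretto's Portal code, and it makes several assumptions: a toy IDP and SP living in one process, an HS256 (HMAC) signed JWT with a constructed shared key standing in for the IDP's real signature, a made-up IDP URL, and a hypothetical resource table that maps protected paths to the groups allowed to see them. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by the toy IDP and SP (assumption: a real IDP
# would sign with a private key and the SP would verify with its public key).
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical resource table: path -> set of groups permitted to access it.
# An empty set means the resource is public (no sign-on needed).
PROTECTED_RESOURCES = {
    "/public-article": set(),
    "/mortgage-calculator": {"finance"},
}


def b64url(data: bytes) -> str:
    """JWT base64url encoding: no padding, URL-safe alphabet."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user: str, groups: list, key: bytes, ttl: int = 300) -> str:
    """Toy IDP: after authenticating the user, issue a signed JWT assertion
    carrying only the attributes the SP needs (subject and group membership)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": "https://idp.example/sso", "sub": user,
               "groups": groups, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_jwt(token: str, key: bytes, now: int = None) -> dict:
    """SP side: check the signature and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm; never let the token itself choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


class ServiceProvider:
    def __init__(self, idp_url: str):
        self.idp_url = idp_url
        self.pending_states = {}  # state token -> originally requested path

    def request_resource(self, session, path: str):
        """Return ("ok" | "redirect" | "forbidden" | "not_found", detail)."""
        required_groups = PROTECTED_RESOURCES.get(path)
        if required_groups is None:
            return ("not_found", path)
        if not required_groups:
            return ("ok", path)  # public resource
        if session is None:
            # Unidentified user: send the user agent to the IDP, remembering
            # the requested page under a fresh, unguessable state value.
            state = secrets.token_urlsafe(16)
            self.pending_states[state] = path
            return ("redirect", f"{self.idp_url}?state={state}")
        # Authenticated: authorization decision from the asserted groups.
        if required_groups & set(session["groups"]):
            return ("ok", path)
        return ("forbidden", path)

    def handle_callback(self, state: str, token: str):
        """Process the IDP's response: match the state, verify the assertion,
        build a session, and return it with the originally requested path."""
        path = self.pending_states.pop(state, None)  # single use: no replay
        if path is None:
            raise ValueError("unknown or already used state")
        claims = verify_jwt(token, IDP_SIGNING_KEY)
        session = {"sub": claims["sub"], "groups": list(claims.get("groups", []))}
        return session, path


def run_flow(user: str, groups: list, path: str):
    """Drive one complete sign-on round trip and return the final decision."""
    sp = ServiceProvider("https://idp.example/sso")
    kind, detail = sp.request_resource(None, path)
    if kind != "redirect":
        return kind
    state = detail.split("state=", 1)[1]
    token = idp_issue_assertion(user, groups, IDP_SIGNING_KEY)
    session, original_path = sp.handle_callback(state, token)
    return sp.request_resource(session, original_path)[0]


if __name__ == "__main__":
    print(run_flow("alice", ["finance"], "/mortgage-calculator"))  # ok
    print(run_flow("bob", ["marketing"], "/mortgage-calculator"))  # forbidden
```

Two details worth noting. The state value is generated fresh per request and removed when the callback consumes it, so a callback that arrives with an unknown or reused state is rejected rather than silently granting access. The JWT check pins the expected algorithm and compares signatures in constant time before any claim is read, which mirrors the order an SP should follow: verify first, then authorize from the asserted groups.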