In an enterprise environment, dealing with several applications, both internal and external, is the norm. From the architecture governance perspective, it is important to control user information and to control who can access that information and how. That is why single sign-on (SSO) exists.
SSO is used when you authenticate to your authentication platform (Azure AD, for example) and that platform manages application access to your users' data. When you have mixed authentication platforms, federation is one way to integrate with other applications: it lets them know that you have already authenticated a user and provides them with the information they need to work.
These integrations (SSO and the federated approach) are normally done with protocols such as SAML2, OAuth2, or OpenID. SAML is an open standard for authentication and authorization between identity providers and service providers; it is an XML-based markup for security assertions. OAuth is the industry-standard protocol for authorization, providing authorization flows for web, desktop, and mobile solutions. OpenID is an open standard and decentralized authorization protocol that allows users to identify themselves through a URL (or XRI).
Let’s clarify these terms with an example.
Josh, six months ago.
Josh works as a salesman at Sales One Company. When he starts work, he uses his corporate ID to log on to his PC, which is joined to Sales One’s Windows domain. After that, he has to log in to Salesforce to start working on prospects and sales. Sales One started ten years ago using Google Drive as its document repository, so Josh has to log in again with his Google account to access important documents like contract formats.
Josh has three different identities for his work: one for his PC, one for Salesforce, and another for Google Drive. This is hard for him because he has to remember three different accounts and three different passwords. It also means that every time Josh changes some of his information (phone number, address, and so on), he has to log in to the three different systems and enter the same information three times.