Skip to main content
SSO Protocols: The Structure

Learn more about the difference between SSO protocols on Trio, SAML and OICD

Updated over a month ago

What is the definition of SSO?

Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications or services with a single set of credentials (username and password). This solution enhances security and convenience, as users don’t need to remember separate credentials for each application.

Authentication Protocols

SSO implementations rely on widely adopted authentication protocols, such as:

  • OAuth 2.0: An authorization protocol that enables third-party applications to grant limited access to an HTTP service.

  • OpenID Connect (OIDC): Built on OAuth 2.0, OIDC adds an identity layer for user authentication.

  • SAML (Security Assertion Markup Language): An XML-based standard for exchanging authentication and authorization data, commonly used in enterprise SSO.

These protocols use access tokens and ID tokens to validate a user’s identity without requiring repeated logins.

Identity Provider (IdP)

An Identity Provider (IdP) is a trusted service that creates, maintains, and manages identity information. Examples include Microsoft Active Directory (AD), Azure AD, Okta, and Google Identity Platform. The IdP authenticates the user and then generates an assertion or token that other applications use to confirm the user’s identity.

Service Provider (SP)

The Service Provider (SP) is any application or service that accepts identity assertions from an IDP. When a user attempts to access an SP, it redirects the authentication request to the IDP. Once authenticated, the SP receives an assertion (like a SAML response or an ID token in OpenID Connect) to verify the user’s identity.

Authentication Flow in SSO

The flow of the authentication in SSO includes the following items:

  1. Initiation: The user tries to access a protected resource on the SP.

  2. Redirection: The SP redirects the request to the IdP with an Authentication Request.

  3. Authentication: The IdP authenticates the user (typically with username and password).

  4. Assertion Creation: After successful authentication, the IdP generates a SAML Assertion, which includes:

    • Subject: Identifying the user (typically an email or username).

    • Attributes: Optional metadata about the user (e.g., role, department).

    • Conditions: Expiration time or restrictions on the assertion’s use.

    • Signature: Cryptographic signature to ensure the integrity and authenticity of the assertion.

  5. Response: The SAML assertion is sent to the SP.

  6. Access Granted: The SP validates the SAML Assertion, grants access, and often starts a session for the user.

Token Types and Their Usage

SSO uses different token types to authenticate users and manage sessions, such as:

  • Access Tokens: Short-lived tokens (in OAuth 2.0) granting access to resources.

  • Refresh Tokens: Longer-lived tokens allowing renewal of access tokens without re-authentication.

  • ID Tokens: Used in OpenID Connect to verify user identity.

  • SAML Tokens: XML-based assertions for SAML 2.0 SSO.

SSO Session Management

In most SSO setups, session cookies are used to maintain an SSO session. Once logged in, a session cookie allows the user to access multiple services without re-entering credentials. However, careful session timeout and revocation policies are essential to mitigate risks.

What does Trio do with SSO functionality?

By installing the agent on the users devices throughout the organization, Trio collects data from these devices as we as their users. So the Trio's backend server has the data ready for the autheticative purposes.

Every time the user is trying to access the intended platform andneeds to authenticate, the application in question exports the data from Trio's blackened servers and uses this data for authentication.

In fact, Trio facilitate user data access for the organizations by having collected all these platform in oneplace, so the companies are needless to sign in to multiple platforms to get the data they want.

Did this answer your question?