Single Sign-On (SSO) on Board
Identity management is becoming a major concern for businesses. Implementing a Single Sign-On (SSO) infrastructure enables users to sign in once and have access to all authorized resources.
In this article, we'll look at the different methods of implementing SSO with Board, how to set up your own identity management system for federated authentication using SAML 2.0, and how to configure Board to use your new identity provider.
Introduction to Single Sign On (SSO)
Single sign-on (SSO) replaces the separate login screens of several applications with one authentication step. With SSO, a user enters their credentials (username, password, a second factor, and so on) once, on a single page, and is then signed in to all of the applications they are authorized to use. SSO is most common in a business context, where the applications a user may access are assigned and managed by an internal IT team; remote workers who rely on SaaS applications benefit from it as well.
Authentication Protocols Supported
Security Assertion Markup Language (SAML) and OpenID Connect (OIDC)
SAML and OIDC are the two identity protocols most commonly used to authenticate users and to carry identity and access-control information (who the user is, plus attributes such as e-mail address or group membership) from an identity provider to an application. An identity provider (IdP) may implement either or both as the basis for its user identity management.
An IdP is a trusted third party that authenticates users and provides them with a single set of credentials that can be used to access multiple applications. This frees users from the burden of remembering multiple username and password combinations and makes it easier for organizations to manage security and control access to their systems.
Board supports both authentication protocols for federating a customer's IdP; consequently, any IdP that implements SAML 2.0 or OIDC can be federated with Board.
Security Assertion Markup Language (SAML)
SAML (at version 2.0 since 2005) is an open standard for exchanging authentication and authorization data.
Authentication proves that users are who they claim to be, while authorization allows authenticated parties to do what they request. SAML is an XML-based protocol for exchanging security information online. Because SAML enables single sign-on (SSO), a user can authenticate once and then access multiple applications without having to re-enter credentials.
SAML exchanges take place between system entities referred to as an asserting party (also called a SAML authority) and a relying party (RP) that processes the security assertions it receives. A security assertion is a standardized XML statement (about the user's authentication, their attributes, or an authorization decision) on which the relying party bases its access-control decision.
SAML refers to the application the user wants to reach as the Service Provider (SP), and to the signed XML document the IdP sends to the SP as an assertion. The protocol supports two flows:
- IdP-Initiated SSO: the user signs in at the IdP (typically a portal listing the available applications) and picks the application; the IdP posts an unsolicited response containing the assertion to the SP's Assertion Consumer Service (ACS) URL.
- SP-Initiated SSO: the user opens the application first; the SP redirects the browser to the IdP with an AuthnRequest, the IdP authenticates the user (or reuses an existing IdP session) and posts the response to the SP's ACS URL. Because the SP issued the request, it can tie the response back to it through the InResponseTo attribute, which an IdP-initiated response does not carry.
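As an added, runnable illustration of the two flows (this is not code from the original article or from Board): the Python below builds the AuthnRequest an SP sends over the HTTP-Redirect binding in the SP-initiated flow, shows how the IdP unpacks it, and then applies the relying-party checks an SP must perform on the response in either flow, using a constructed sample response. All entity IDs and URLs are hypothetical. XML signature verification is deliberately left out because it needs an XML-DSig library and the IdP certificate from metadata; in a real deployment it runs before any of the checks shown here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # in production parse with defusedxml to block XXE/entity bombs
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed identifiers; a real SP and IdP exchange these through metadata.
SP_ENTITY_ID = "https://board.example.com/sp"
SP_ACS_URL = "https://board.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com"
IDP_SSO_URL = "https://idp.example.com/sso"


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """SP-initiated flow, step 1: the SP asks the IdP to authenticate the user."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant:%Y-%m-%dT%H:%M:%SZ}" '
            f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request: str, relay_state: str = "/") -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    raw_deflate = zlib.compress(authn_request.encode())[2:-4]  # strip zlib header and adler32 trailer
    query = urlencode({"SAMLRequest": base64.b64encode(raw_deflate).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect(url: str) -> str:
    """What the IdP does on arrival: undo the Redirect binding to recover the XML."""
    saml_request = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()

def validate_response(response_xml: str, expected_request_id, now: datetime) -> dict:
    """Relying-party checks, run only AFTER the XML signature has been verified against
    the IdP certificate (omitted here so the example runs offline). expected_request_id
    is the ID of the AuthnRequest we sent, or None for an unsolicited IdP-initiated response."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("response addressed to a different ACS URL")
    in_response_to = root.get("InResponseTo")
    if expected_request_id is None:
        if in_response_to is not None:
            raise ValueError("unsolicited (IdP-initiated) response must not carry InResponseTo")
    elif in_response_to != expected_request_id:
        raise ValueError("response does not answer our AuthnRequest (replay or mix-up)")
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"IdP reported failure: {status}")
    assertion = root.find("saml:Assertion", NS)
    if assertion.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an untrusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
        raise ValueError("assertion intended for a different SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("bearer confirmation is for a different ACS URL")
    attrs = {a.get("Name"): a.find("saml:AttributeValue", NS).text
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.find("saml:Subject/saml:NameID", NS).text, "attributes": attrs}

def rejects(response_xml: str, expected_request_id, now: datetime) -> bool:
    try:
        validate_response(response_xml, expected_request_id, now)
        return False
    except ValueError:
        return True


# Constructed sample response (no real IdP; Signature element omitted, see validate_response).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
REQUEST_ID = "_req-42"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp-1"
  Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="{REQUEST_ID}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{REQUEST_ID}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>board-admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The two flows differ in exactly one validation step: an SP-initiated response must carry the InResponseTo value of the request the SP issued, while an IdP-initiated response is unsolicited and carries none, so the SP has nothing to correlate it with and must lean entirely on the signature, issuer, audience, recipient and validity-window checks.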
OpenID Connect (OIDC)
OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2.0 authorization framework. OIDC allows third-party applications to verify an end user's identity and obtain basic profile information about them. It supports a wide range of client types, from single-page applications (SPAs) to native and mobile apps. Like SAML, OIDC can be used to provide single sign-on (SSO) across applications.
OIDC login flows work much the same way as SAML's, but there are three main differences in format and terminology:
- SAML transmits user data in XML format. OIDC transmits user data in JSON format.
- SAML calls the user data it sends a SAML Assertion. OIDC calls the data Claims.
- SAML calls the application or system the user is trying to get into the Service Provider. OIDC calls it the Relying Party.
So the overall flow looks the same, just the labels are different.
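The same relying-party checks on the OIDC side, as an added example that is not from the article or from Board: the ID token is a JSON Web Token (JWT) whose claims play the role of the statements in a SAML assertion, and the relying party must verify its signature, issuer, audience, expiry and nonce before trusting any of them. To keep the example offline it signs the token with HS256 keyed with the client secret, which OIDC Core permits for confidential clients; production providers usually use RS256 with keys published at their JWKS endpoint. The issuer, client_id and secret are assumed values, and the two attacker helpers are constructed to show what the checks catch.

```python
import base64
import hashlib
import hmac
import json

# Assumed values: a real RP reads the issuer from the OP's discovery document and
# receives client_id/client_secret at registration. Never hard-code the secret.
ISSUER = "https://idp.example.com"
CLIENT_ID = "board-rp"
CLIENT_SECRET = b"constructed-shared-secret-for-this-example"
NOW = 1_714_564_800  # 2024-05-01T12:00:00Z, frozen so the example is deterministic


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws(header: dict, claims: dict, key: bytes = b"") -> str:
    """JWS compact serialisation: b64url(header).b64url(payload).b64url(signature)."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest() if key else b""
    return f"{h}.{p}.{b64url(sig)}"

def sign_id_token(claims: dict) -> str:
    """What the OpenID Provider does (HS256 keyed with the client secret)."""
    return jws({"alg": "HS256", "typ": "JWT"}, claims, CLIENT_SECRET)

def alg_none_token(claims: dict) -> str:
    """Classic attack: same claims, alg=none, empty signature. Must be rejected."""
    return jws({"alg": "none", "typ": "JWT"}, claims)

def tampered_token(token: str, changes: dict) -> str:
    """Edit claims without re-signing (what an attacker without the key can do)."""
    h, p, s = token.split(".")
    claims = {**json.loads(b64url_decode(p)), **changes}
    return f"{h}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s}"

def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Relying-party checks from OIDC Core 3.1.3.7: signature, iss, aud/azp, exp, nonce."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    return claims

def rejects(token: str, expected_nonce: str, now: int) -> bool:
    try:
        verify_id_token(token, expected_nonce, now)
        return False
    except ValueError:
        return True


# Constructed sample: the claims an OP would place in the ID token after login.
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": NOW,
                 "exp": NOW + 300, "nonce": "n-1", "email": "alice@example.com"}
SAMPLE_TOKEN = sign_id_token(SAMPLE_CLAIMS)
```

The nonce is the OIDC counterpart of SAML's InResponseTo: the RP generates it when it redirects the user to the OP, stores it in the session, and refuses any ID token whose nonce does not match, which is what stops a token minted for one login from being replayed into another.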
Board Subscription Hub
The Board Subscription Hub is a portal for administrators of Board Cloud Platforms that lets them carry out user-management tasks across multiple Board Cloud Platforms at once. It also lists your Board Cloud Platforms and provides a quick way to access them. The Subscription Hub makes it easier to manage all of your users with less administrative effort: you can add users one by one, import them in bulk from a CSV file, or provision them from a federated identity provider already in place within your organization.
For more information about Board Subscription Hub follow this link.