Single Sign-On(SSO)
Muhammad Arslan Khan
PUCIT | Power Platform | Dynamics 365 | ASP.NET MVC | ASP.NET Core | Dynamics 365 Plugins | SQL | JavaScript
When User login to mail it automatically login to others google services like Google Drive, Meet, YouTube How it’s Possible that user automatically sign in to other services without login? What magic behind this? That’s Single Sign-On Authentication
What is Single Sign-on Authentication?
Single Sign-On (SSO) Authentication is a mechanism that allows a user to access multiple applications or services with a single set of login credentials. The primary goal of SSO is to simplify the user experience by eliminating the need to remember and enter separate usernames and passwords for each application or service within an ecosystem.
?
Working of single sign on Authentication
Single Sign-On (SSO) authentication involves a series of steps that enable users to access multiple applications or services with a single set of credentials.
User Authentication:
When a user attempts to access an application or service, user is redirected to the authentication service, often provided by an identity provider like Azure Active Directory(Microsoft Entra ID).
Identity Provider Authentication:
The user is prompted to enter their credentials (username and password) on the identity provider's login page.
Issuance of Tokens:
The identity provider issues tokens upon successful authentication and sends them to Call Back URL as a response, this token is often a JSON Web Token (JWT) Azure Active Directory issues several types of tokens during the authentication and authorization processes for different purposes.
ID Token: The ID token carries information about the authenticated user, including their unique username, subject, and other user attributes.
Access Token: The access token grants access to specific resources or APIs on behalf of the authenticated user. This token contains login user claims.?
Refresh Token: The refresh token is used to obtain a new access token when the current one expires.
Token Exchange and Validation: The application or service receives the token validate by checking the token's signature, expiration, and the identity provider's public keys.
User Access to Resources:
Once the token is validated, the application grants the user access to the requested resources.
?Benefits of Single Sign-on Authentication
?
Implementation of Single Sign-On
First, we have to register two applications on Azure Portal Client Application and a Backend Application to communicate and generate tokens for authentication and authorization processes.
App Registration for Backend and do some required configuration settings
Step 1: Register Backend App
In this step we have to register an app.
Single-Tenant Application: A single-tenant application is tied to a specific Azure AD tenant. Only users from that tenant can sign in and use the application.
Multi-Tenant Application: A multi-tenant application allows users from any Azure AD tenant to sign in and use the application.
?When app is registered it provide two important Ids
Client ID (Application ID): The Client ID ?is a unique identifier assigned to an application ?when it is registered in Azure AD.
Tenant ID (Directory ID): The Tenant ID is a unique identifier assigned to an Azure AD tenant. It represents the identity of the organization or tenant in which the application is registered.
Step 2:? Register callback URL
The callback URL is the endpoint where Azure AD redirects the user's browser after a successful authentication or authorization process. This URL can use in postman.
Step 3: Add Client Secrets
?Step 4: Expose an API
Exposing an API define permission scopes.
User. Read: This grants the application to read only permissions.
User. Write: This grants the application to read and write permissions.
Step 5: Add Client ID
Register client id of client application registered later on
Client Application Configurations
领英推荐
Step 1: Register Client App
Now register second app which is client app follow the same step while registering backend app it will generate client and tenant id.
Step 2: API Permission
In this step add scope registered in backend app
Step 3: Download React Code
In this step download react app code provided by default or write it manually through create-react-app and enhance code according to your requirements
Step 4: Add Redirect URL
In this step add redirect URL of your local host or UAT URL where API response (tokens) will be sent
React Application and .Net Core Web Application
Final step is to generate token through react (frontend) and call API .Net Core(backend)
Configure React Code
After successful Register of Apps on Azure Portal we have to configure our react code to generate token using MSAL library
Package.Json
This file contains dependencies required like azure/msal-browser and azure/msal-react libraries for working with the Microsoft Identity platform and implementing authentication.
?AuthConfig.js
This file contains client app client id, Authority, redirect URL, Scope
Run Project and sign In
Now Finally Run Project By running command npm start in terminal and sign in to azure account
Response:
After successful login API will return access token and id token to redirect URL
Configure .Net Core Web API Project for Authorize the JWT Token and access the API
Appsettings.json
In appsetting file add required fields of backend app register on azure
Program.cs
In this step install 2 packages from Nuget Package Manager or PowerShell
(i)????????????? Microsoft.AspNetCore.Authentication.JwtBearer
(ii)??????????? Microsoft.Identity.Web
Add Service to bind AzureAd from Appsetting file
Add 2 middleware app.UseAuthentication and app.UseAuthorization
Authorize Keyword At Controller level
Add Authorize keyword at controller to Authorize and access API
Call API from Postman
In this step make a request to .Net API by passing token in Headers using Bearer keyword
Disadvantages of Single Sign-On
?
Founder | Building Thunai.ai
8 个月Fantastic breakdown of Single Sign-On (SSO) and its implementation! This is a crucial aspect of modern authentication strategies that greatly enhances both security and user experience. For those looking to dive deeper into SSO solutions, check out?this: https://www.infisign.ai/blog/top-10-single-sign-on-sso-providers-solutions-in-2024