Oliver McPhee

Reputation: 1056

Choosing the correct authentication protocol

Could you help me determine which authentication protocol I should use for the following use case? I am new to this area of development and am a little bamboozled with all the technical information out there - so a 'for dummies' answer would be greatly appreciated.

I have an online learning website that hosts courses in English Language. A requirement has arisen that we should integrate with 3rd party Enterprise Systems (because we sell the courses to Enterprises).

The primary requirement is to allow 3rd party systems to redirect their users to my site and have them access it with their 3rd party system credentials (I believe this is called Single Sign-on?). The 3rd Party systems are obviously remote systems and I am focusing more on capability than 1 specific customer / integration.

So, what I am trying to understand, is what capability should I offer to allow this to happen? I am trying to develop a generic 'developer toolkit' so that I don't have to be bogged down in lots of individual integrations as and when they arise.

I have read that there are lots of protocols / things in this space (SAML, OAuth, OAuth2, OpenID, Shibboleth, etc) - so I wondered where I should focus my attention and research? Which is the most common among Enterprise systems (CRMs, etc)?

Also, as a sub-question. Is OAuth deprecated or sneered upon now that OAuth 2.0 is released?

Any help is truly appreciated!

Thanks all.

Upvotes: 1

Views: 406

Answers (1)

Avi

Reputation: 406

SAML 2.0 is the most popular protocol for Single Sign On when it comes to Enterprise systems. Most if not all enterprises are able to provide SAML based SSO for third party websites.

Ideally, if correctly implemented, the enterprise would need to configure their system to send your website SAML assertions (identity information in the form of XML) and you would use the information in the assertion to log the user in.

The Enterprise would be called the Identity Provider (IDP) in this case and your website would be called the Service Provider (SP).

There are a number of open source libraries available that allow implementing SAML (Spring etc.), alternatively your existing servers may have the capability as well.

Once you have the base implementation done, you can then choose to do two things:

  1. If the user does not exist in your DB, create a new record and allow the user access.

  2. The enterprise that you are integrating with must supply a list of users beforehand and then you can allow only the users that are present in the DB.

Although the second option has a lot of overhead and is not used very often.

---------------------------- Answer to Comments-------------------------

It depends on the way you would set up the interaction. There are two ways to set up SAML SSO:

  1. SP initiated SSO: This means that the users always access your site and are then redirected to the IDP for authentication. The SAML token is sent back to your site post authentication.

  2. IDP initiated SSO: This works in a way that the IDP generates a SAML token and directly posts it to the SAML endpoint of your website.

If you are using option #1 and users are already logged in, step C would not be needed since the user is already logged in and the token can be directly generated.

For option #2 only the steps D and E would be needed. I would, however, strongly urge you not to omit the SP Initiated SSO implementation since some IDPs do not support IDP initiated SSO.

Hope this helps

Avi

Upvotes: 1
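As an added illustration of the answer above (not the answerer's own code): the checks an SP makes on a SAML 2.0 assertion once a SAML library has verified its signature, handling both the SP-initiated flow (the response must answer a request the SP sent) and the IDP-initiated flow (no InResponseTo), followed by the two provisioning options the answer lists. The entity IDs, the assertion and the users are constructed for the example.

```python
# Added example (not the answer's own code): the checks an SP makes on a SAML 2.0
# assertion after its signature has been verified by a SAML library, and the two
# provisioning options from the answer. All entity IDs and users are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://courses.example/sp"       # our own entity ID (assumed)
IDP_ENTITY_ID = "https://idp.enterprise.example"  # the customer's IdP (assumed)

# Constructed assertion as it would arrive inside a SAMLResponse POST.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.enterprise.example</saml:Issuer>
 <saml:Subject><saml:NameID>alice@enterprise.example</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="_req123"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:00:00Z">
  <saml:AudienceRestriction><saml:Audience>https://courses.example/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, pending_request_ids, now=None):
    """Return the NameID if the assertion is for this SP and valid now.
    pending_request_ids: AuthnRequest IDs this SP issued (SP-initiated SSO);
    an IDP-initiated assertion carries no InResponseTo, so pass an empty set."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion not from the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_resp = scd.get("InResponseTo")
    if in_resp is not None:  # SP-initiated: must answer a request we sent, and only once
        if in_resp not in pending_request_ids:
            raise ValueError("unsolicited or replayed response")
        pending_request_ids.discard(in_resp)
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def login(name_id, users, allow_list=None):
    """Option 1 (allow_list=None): create the user on first login.
    Option 2: only users the enterprise supplied beforehand may log in."""
    if allow_list is not None and name_id not in allow_list:
        raise PermissionError("user not provisioned by the enterprise")
    return users.setdefault(name_id, {"courses": []})
```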
