Skip to main content

Distributed Single sign-on and Single sign-out

Rationale

The purpose of distributed Single sign-on and Single sign-out is automatically sign-in and sign-out to multiple different external services (herein: SSO target) when user signs in to Trivore Identity Service (TIS) via user-interface or OpenID Connect. For example, when user signs in to https://oneportal.t5.fi he/she will also be signed in to https://service1.example.org and https://service2.example.com. Every namespace in TIS  can have multiple different external SSO targets and sign-on to these targets is completely transparent to user.

Mechanisms

Currently, TIS provides two different mechanisms for Single sign-on: Management API (REST) and OpenID Connect. It is recommended to choose  OpenID Connect when possible. Management API mechanism can be used when the SSO target already uses TIS Management API for other purposes and already has required API credentials. In this case, it is simply less of a development burden to implement SSO via Management API.

Please note that SSO mechanisms are independent of the sign-in procedure being used. For example, if user signs in to TIS via OpenID Connect, he/she can be automatically sign in to every SSO target regardless if those targets use Manangement API or OpenID connect mechanism. SSO mechanism defines the mechanism between the SSO target and TIS server which is different/independent from the procedure between the user's browser and TIS server.

Description of functionality

Single sign-on procedure is executed when user signs in to TIS via user-interface or OpenID Connect. In both cases, user's browser will receive HTML <img> elements that contain src= attribute with an URL that points to the SSO target callback URL (meaning that the SSO requests originate from user's browser, not from TIS server). Query parameters sso-token and sso-validity will be automatically added to this URL.

The SSO target can then use the token to fetch related user information from TIS using either Management API or OpenID Connect, depending on the defined mechanism for the target. Parameter sso-token is a unique token that can only be used by the SSO target that it was assigned to. Ie. tokens can not be shared between different targets but each target will be given its own token. Tokens can be used only once as they are deleted immediately after being consumed. Parameter sso-validity defines the token validity time in minutes, after this validity period, the token will be permanently removed and can not be consumed anymore by the SSO target.

It is the responsibility of the SSO target to store the user information retrieved using the token. The SSO target should also send a cookie to the user's browser so it can later identify which token belonged to which user. Cookie validity time does not need to be the same as the token validity time but can be freely chosen by the SSO target. It is recommended to store the token and validity time to an http session and send a response to the user's browser immediately to make sure that the SSO procedure completes as fast as possible and the browser receives the cookie before it is redirected to another page (as is the case when user signs in via OpenID Connect). Token should only be consumed after the user first time enters the service or shortly before the token expires if it is desirable to sign-in the user regardless of whether he/she actually enters the service (for later identification purposes, ie. token might expire in 3 days but the user might first enter the service after 7 days).

The HTTP response (in addition to the cookie) from the SSO target should contain a valid image of the type jpg, png or ico (16x16 pixels in size). This image may be shown on user's browser, depending on the settings.

Image

Single sign-out

Single sign-out procedure is executed when user signs out from TIS  via user-interface or OpenID Connect. In both cases, user's browser will receive HTML <img> elements that contain src= attribute with an URL that points to the SSO target sign-out URL (meaning that the SSO requests originate from user's browser, not from TIS server). When SSO target receives this sign-out request, it should immediately invalidate user's session or, at least, remove any user-related information from session. These <img> tags are generated only for SSO targets that have consumed their token as there is no need to sign out from target that has not consumed the token because the user is not signed in to that service. All tokens, consumed or not,  for current session will also be removed from database on Single sign-out which means that they can not be consumed afterwards.