Single sign-on (SSO) means that you can access multiple mutually trusted application systems with only one logon. The single sign-on service in IDaaS authenticates users once for all of an organization's applications: after one logon, a user can access every application that has been added to IDaaS.

The single sign-on service in IDaaS is applicable to the following scenarios:

IDP initiation

IDP initiation is also called IDaaS initiation. You log on to the IDaaS console first, and then open applications (service providers, SPs) from the console's application list without logging on to each of them again.

  1. On the IDaaS logon page, you enter the username and password to log on to the IDaaS console.
  2. The browser sends an IDaaS logon request carrying the username and password.
  3. After you pass the authentication, the IDaaS console creates a primary session and returns the application list.
  4. You log on to the IDaaS console and can view the application list.
  5. You click the SP1 application icon from the application list.
  6. The browser sends a request carrying the ID of the SP1 application to the IDaaS console for generating a secondary token for the SP1 application.
  7. The IDaaS console generates a secondary token based on the received information and returns the secondary token to the browser.
  8. The browser sends a logon request carrying the secondary token to the SP1 application.
  9. The SP1 application system parses and verifies the secondary token. After successful verification, it creates a secondary session and returns the successful logon page.
  10. The SP1 single sign-on is successful and the browser displays the SP1 homepage.
Note Steps (11) to (16) of the preceding figure show the single sign-on process for the SP2 application system, which is the same as for SP1. Once the primary session exists, this process logs you on to any application on the list without entering credentials again; the only per-application step is IDaaS issuing a fresh secondary token for that application's ID.

SP initiation

SP initiation includes two cases.

  • Access the SP page

    You access an SP page, and the SP redirects your browser (by an HTTP Redirect or a POST) to the IDaaS console with an authentication request in a protocol such as SAML or CAS. IDaaS authenticates you and sends the response back to the SP application through the browser, so authentication for the SP is centralized in IDaaS.

    The following example demonstrates the SP-initiated single sign-on process by using the SAML protocol.

    1. You access the SP resource page.
    2. The browser requests resources from the SP system.
    3. The SP system generates a SAML authentication request and returns it to the browser.
    4. The browser sends a SAML authentication request for access to the IDaaS SSO URL.
    5. IDaaS verifies the SAML authentication request information.
      Note If you have already logged on to the IDaaS console, steps 6 to 8 are skipped; continue with step 9.
    6. You are redirected to the IDaaS logon page.
    7. You enter the IDaaS account and password.
    8. The browser sends a username + password request for logon to the IDaaS console.
    9. You log on to the IDaaS console. IDaaS checks the SAML authentication request, looks up the user and application information it needs, and generates the response token data.
    10. IDaaS returns the response token data for the SAML request to the browser.
    11. The browser posts the SAML response data to the SP authentication URL (the assertion consumer service URL).
    12. The SP system verifies the signature on the SAML response with the IDaaS public key from its signing certificate.
    13. After successful verification, the SP system redirects the browser to the SP resource URL.
    14. The browser accesses the SP resource page.
    15. The SP system returns the SP resource page.
    16. You are logged on and can view the SP resource page.
  • Access an SP resource

    You access an SP resource and are redirected to the IDaaS SSO URL with a redirect_url parameter that records the resource you requested. After you authenticate at IDaaS, IDaaS returns an id_token and the deep link to the browser; the SP system verifies the id_token, creates a session, and returns the SP resource page to the browser.

    1. You access the SP resource page.
    2. The browser requests resources from the SP system.
    3. The SP system checks your logon status.
      Note If you have already logged on to the IDaaS console, steps 5 to 8 are skipped; continue with step 9.
    4. You are redirected to the IDaaS SSO URL.
    5. IDaaS returns the logon page to the browser, carrying the redirect_url parameter that records the SP resource you requested.
    6. You enter the IDaaS account and password.
    7. The browser sends a username + password request for logon to the IDaaS console.
    8. The IDaaS console authenticates the account.
    9. The IDaaS console returns the deep link (the redirect_url) and the id_token data to the browser.
    10. The browser sends the data to the SP system for verification.
    11. The SP system verifies the signature on the id_token with the IDaaS public key.
    12. The SP system creates a session and returns the deep link URL to the browser.
    13. You can view the SP resource page.
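The following Go program is an added example; it is not part of this page or of the IDaaS product. It shows the SP side of the SAML case above: building the AuthnRequest and encoding it for the HTTP-Redirect binding (steps 3 and 4), and the checks an SP must apply to the Response in step 12 beyond verifying the XML signature with the IDaaS public key: that the Response answers a request this SP actually sent, was addressed to this SP's ACS URL, reports success, names this SP as audience, and is inside its validity window. The endpoint URLs, entity IDs, the user alice@example.com and the sample Response are constructed, hypothetical values; the XML signature check itself needs an XML-DSig library and is assumed to have run before ValidateResponse is called.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// Hypothetical endpoints and entity IDs; real values come from the application's SAML settings in IDaaS.
const (
	spEntityID  = "https://sp1.example.com/saml/metadata"
	spACSURL    = "https://sp1.example.com/saml/acs"
	idaasEntity = "https://idaas.example.com"
	idaasSSOURL = "https://idaas.example.com/saml/sso"
	statusOK    = "urn:oasis:names:tc:SAML:2.0:status:Success"
)

// SP remembers each AuthnRequest ID it issued, so a Response can be tied to a request it really sent.
type SP struct{ pending map[string]bool }

func NewSP() *SP { return &SP{pending: map[string]bool{}} }

// BuildRedirectURL is steps 3-4: build the AuthnRequest, DEFLATE and base64 it as the HTTP-Redirect
// binding requires, and return the IDaaS SSO URL the browser is sent to, plus the request ID.
func (sp *SP) BuildRedirectURL(resource string, now time.Time) (string, string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	id := fmt.Sprintf("_%x", raw) // an xsd:ID must not start with a digit
	sp.pending[id] = true
	req := fmt.Sprintf(`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"`+
		` ID="%s" Version="2.0" IssueInstant="%s" Destination="%s" AssertionConsumerServiceURL="%s"`+
		` ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>`,
		id, now.UTC().Format(time.RFC3339), idaasSSOURL, spACSURL, spEntityID)
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // raw DEFLATE, no zlib header
	w.Write([]byte(req))
	w.Close()
	q := url.Values{}
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(buf.Bytes()))
	q.Set("RelayState", resource) // the page the user asked for; IDaaS echoes it back unchanged
	return idaasSSOURL + "?" + q.Encode(), id, nil
}

// samlResponse holds the fields the SP checks in step 12 after the XML signature has been verified with
// the IDaaS public key; that signature check needs an XML-DSig library and is assumed to have run first.
type samlResponse struct {
	InResponseTo string `xml:"InResponseTo,attr"`
	Destination  string `xml:"Destination,attr"`
	StatusCode   struct {
		Value string `xml:"Value,attr"`
	} `xml:"Status>StatusCode"`
	Assertion struct {
		NameID     string `xml:"Subject>NameID"`
		Conditions struct {
			NotBefore    string `xml:"NotBefore,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			Audience     string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// ValidateResponse returns the authenticated NameID, or an error naming the check that failed.
func (sp *SP) ValidateResponse(signedXML []byte, now time.Time) (string, error) {
	var r samlResponse
	if err := xml.Unmarshal(signedXML, &r); err != nil {
		return "", err
	}
	if !sp.pending[r.InResponseTo] {
		return "", errors.New("InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
	}
	delete(sp.pending, r.InResponseTo) // a request ID is answered at most once
	nb, err1 := time.Parse(time.RFC3339, r.Assertion.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, r.Assertion.Conditions.NotOnOrAfter)
	switch {
	case r.Destination != spACSURL:
		return "", errors.New("Destination is not this SP's ACS URL")
	case r.StatusCode.Value != statusOK:
		return "", fmt.Errorf("IDaaS reported status %q", r.StatusCode.Value)
	case r.Assertion.Conditions.Audience != spEntityID:
		return "", errors.New("assertion was issued for a different SP")
	case err1 != nil || err2 != nil || now.Before(nb) || !now.Before(na):
		return "", errors.New("assertion is outside its validity window")
	}
	return r.Assertion.NameID, nil
}

// SampleResponse is a constructed, unsigned Response (valid 2024-01-01T00:00:00Z to 00:05:00Z) for offline tests.
func SampleResponse(inResponseTo, audience string) []byte {
	return []byte(fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="%s" Destination="%s">`+
		`<saml:Issuer>%s</saml:Issuer><samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status><saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>`+
		`<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>`,
		inResponseTo, spACSURL, idaasEntity, statusOK, audience))
}
```

The InResponseTo bookkeeping is what turns "the SP verifies the SAML response" into a replay check: a Response that verifies under the IDaaS key but answers no outstanding request, or answers one a second time, is rejected even though its signature is good. The audience check is equally important in a multi-application IDaaS tenant, because an assertion IDaaS issued for SP2 is signed by the same key as one issued for SP1.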

Later authentication

In this scenario the SP system keeps its own logon page and passes the credentials entered there to IDaaS for verification; IDaaS answers with a primary token that the SP later presents to obtain secondary tokens for other applications. Note that the SP system handles the user's IDaaS password in this flow, so every SP that uses it must be trusted with those credentials; in the redirect-based scenarios the password is only ever entered at IDaaS.

  1. You access the SP1 logon page.
  2. The browser requests the SP1 logon page.
  3. The SP1 system returns the logon page.
  4. You can view the SP1 logon page.
  5. You enter the username and password for logon.
  6. The browser sends a logon request carrying the username and password to the SP1 system.
  7. The SP1 system sends the username and password to IDaaS for logon authentication.
  8. After a successful authentication, IDaaS will generate a primary token and then return the primary token, application list, and user information to the SP1 system.
  9. You log on to the SP1 system and the browser obtains the successful SP1 logon page.
  10. You can view the successful SP1 logon page with the application list displayed.
  11. You click the SP2 application icon for single sign-on from the application list displayed on the SP1 system.
  12. The browser sends a request carrying the primary token and the ID of the SP2 system to IDaaS for generating a secondary token.
  13. IDaaS returns the secondary token and redirect URL of the SP2 system.
  14. The browser sends a request carrying the secondary token to the SP2 system for accessing the redirect URL.
  15. The SP2 system parses and verifies the secondary token and returns the successful SP2 logon page.
  16. You can view the successful SP2 logon page.

Logon redirection

You access the SP system page and are redirected to the IDaaS logon page for centralized authentication. After a successful logon, IDaaS returns a JWT to the SP system page to implement single sign-on. The JWT carries the application list and a secondary token for the SP you came from; secondary tokens for the other SPs are issued later from the same primary session.

  1. You access the SP1 logon page.
  2. The browser requests the SP1 logon page.
  3. The SP1 system returns the redirect URL.
  4. The browser accesses the redirect URL.
  5. IDaaS returns the logon page.
  6. The browser sends a request carrying the username, password, and the ID of the SP1 system to IDaaS for logon.
  7. After a successful local authentication, IDaaS creates a primary session and returns to the browser a JWT that contains the application list and a secondary token for SP1.
  8. The browser-side page verifies the JWT, extracts the secondary token, and sends it to the SP1 system for authentication and logon.
  9. The SP1 system obtains and parses the secondary token, creates a secondary session, and returns the successful logon page to the browser.
  10. You can view the successful SP1 logon page.
  11. After logging on to the SP1 system, you access the SP2 logon page.
  12. The browser requests the SP2 logon page.
  13. The SP2 system returns the redirect URL.
  14. The browser accesses the redirect URL.
  15. Because IDaaS already holds a primary session for you, it directly generates a secondary token for the SP2 system based on the application ID and returns the token to the browser.
  16. The browser sends a request carrying the secondary token to the SP2 system.
  17. The SP2 system parses the secondary token, creates a secondary session, and returns the successful logon page to the browser.
  18. You can view the successful SP2 logon page.
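The secondary-token mechanism shared by the IDP-initiated, later-authentication and logon-redirection scenarios, and the id_token check in the second SP-initiated case, come down to the same two operations: IDaaS mints a signed token for one application from an existing primary session, and the SP verifies it holding nothing but the IDaaS public key. The following Go program is an added example, not IDaaS's own implementation; the token format (an RS256-signed JWT), the claim names, the application IDs sp1, sp2 and sp3, the user alice and the primary-session cookie value are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by a secondary token; the page does not define the format, so these JWT-style names are assumed.
type Claims struct {
	Subject  string `json:"sub"` // user of the primary session
	Audience string `json:"aud"` // the application ID the token was minted for
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
}

type primarySession struct{ user string; apps map[string]bool } // apps: IDs on the user's application list

// IDaaS holds the signing key and the primary sessions created at logon.
type IDaaS struct {
	key      *rsa.PrivateKey
	sessions map[string]primarySession // primary-session cookie -> session
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueSecondaryToken is IDaaS's side of "generate a secondary token for application X": it needs a live
// primary session, checks the user is assigned the application, and signs a short-lived token whose aud is X.
func (i *IDaaS) IssueSecondaryToken(cookie, appID string, now time.Time) (string, error) {
	s, ok := i.sessions[cookie]
	if !ok {
		return "", errors.New("no primary session: the user must log on to IDaaS first")
	}
	if !s.apps[appID] {
		return "", fmt.Errorf("user %s is not assigned application %s", s.user, appID)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Subject: s.user, Audience: appID,
		IssuedAt: now.Unix(), Expires: now.Add(2 * time.Minute).Unix()})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// SP is an application system. It holds only the IDaaS public key, so it can verify tokens but not
// mint them, and it accepts only tokens whose aud is its own AppID.
type SP struct {
	AppID string
	pub   *rsa.PublicKey
}

// VerifySecondaryToken pins the algorithm to RS256 (the header's alg field is never consulted, which
// closes the alg=none and HMAC key-confusion bugs), checks the signature, then aud and the validity window.
func (sp *SP) VerifySecondaryToken(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	body, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || err2 != nil {
		return nil, errors.New("token is not base64url")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(sp.pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify under the IDaaS public key")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Audience != sp.AppID {
		return nil, fmt.Errorf("token minted for %s, not %s: a token for one SP must not log on to another", c.Audience, sp.AppID)
	}
	if now.Unix() < c.IssuedAt || now.Unix() >= c.Expires {
		return nil, errors.New("token outside its validity window")
	}
	return &c, nil
}

// NewDemo wires one IDaaS, two SPs and a primary session for user alice (assigned sp1 and sp2, not sp3); constructed data.
func NewDemo() (idaas *IDaaS, sp1, sp2 *SP, cookie string) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	cookie = "primary-session-0f3a9c" // arbitrary value standing in for the primary-session cookie
	idaas = &IDaaS{key: key, sessions: map[string]primarySession{
		cookie: {user: "alice", apps: map[string]bool{"sp1": true, "sp2": true}}}}
	return idaas, &SP{AppID: "sp1", pub: &key.PublicKey}, &SP{AppID: "sp2", pub: &key.PublicKey}, cookie
}
```

The audience check is the one that matters most in these flows: a secondary token minted for SP1 must be useless at SP2, otherwise one compromised application could log its users on to every other application on the list. The entitlement check at issue time matters for the same reason; "any application" in the IDP-initiated scenario means any application the user has been assigned, not any application ID the browser cares to send.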