Secure Access Service Edge (SASE) supports the single sign-on (SSO) feature based on OpenID Connect (OIDC). This feature is also known as identity federation. This topic describes the basic concepts of the SSO feature of SASE to help you understand the capabilities of the feature.
Introduction
SSO is a user authentication method that allows a user to use one set of logon credentials, such as a username and a password, to access multiple or associated systems. After the user uses the logon credentials to log on to an application or a service, the user can access all applications and services that are managed in the same identity authentication system without the need to re-enter the credentials.
In an SSO process of SASE, SASE serves as an identity provider (IdP), and a SASE IdP is mapped to the IdP of a service provider (SP). This way, you can implement SSO to allow users of a SASE IdP to access your office application.
| Term | Description |
| --- | --- |
| IdP | A Resource Access Management (RAM) entity that provides identity management services. |
| SP | An application that uses the identity management feature of an IdP to provide users with specific services. An SP uses the user information that is provided by an IdP. |
| OIDC | An authentication protocol that is developed based on OAuth 2.0. For more information, see OIDC and OAuth 2.0. OAuth is an authorization protocol. OIDC adds an identity layer to extend OAuth. This way, OIDC can use OAuth for authorization. OIDC also allows clients to verify the identities of users and use an HTTP RESTful API to obtain basic information about the users. |
| OIDC token | An identity token that is issued by OIDC to an application. An OIDC token is an identity token that indicates a logon user. An OIDC token can be used to obtain the basic information about a logon user. |
| client ID | An ID that is generated for an application when you register the application with an external IdP. When you apply for an OIDC token from an external IdP, you must use a client ID. The client ID is specified in the |
| URL of an issuer | The URL of an issuer is provided by an external IdP. The URL is indicated by the |
Scenarios
SASE supports OIDC-based SSO. After you connect your SASE IdP to your existing SSO system by using OIDC, a user from the SASE IdP can log on to the portal of your office application as a user from your SSO system. The user does not need to re-enter the username and password or scan QR codes.
How it works
In the SSO implementation process, a central authentication server is required to verify the credentials of users and issue a token or a ticket. In an SSO process of SASE, SASE serves as an IdP, and the application that is integrated into your existing SSO system serves as an SP.
The following figure shows the workflow.
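The following is an added example, not code from the original page or from the SASE product, that shows what the two sides of the OIDC exchange described above actually do with the token: the IdP (the central authentication server) signs an ID token for the logon user, and the SP verifies that token before trusting the identity. It goes beyond the specific case in the text by walking through the checks an SP must perform on the token claims. All values (issuer URL, client ID, signing key, user names) are constructed for the example, and the token is signed with HS256 using a shared secret to keep it self-contained; a real OIDC IdP normally signs with RS256 and publishes its keys at the issuer's discovery endpoint, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (hypothetical, not from the page).
ISSUER_URL = "https://idp.example.com"      # URL of the issuer, as published by the IdP
CLIENT_ID = "sp-office-app-0001"            # client ID issued when the SP registered with the IdP
SHARED_SECRET = b"constructed-demo-secret"  # HS256 key for the example; real IdPs use RS256 + JWKS


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, nonce: str, now: int, ttl: int = 300,
                   issuer: str = ISSUER_URL) -> str:
    """IdP side: mint a signed OIDC ID token (a JWT) for a logged-on user."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": issuer,     # who issued the token
        "sub": subject,    # the logon user
        "aud": CLIENT_ID,  # which SP (client) is allowed to consume it
        "iat": now,
        "exp": now + ttl,  # short lifetime limits replay of a leaked token
        "nonce": nonce,    # binds the token to the SP's own authentication request
    }
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """SP side: accept the token only if signature, issuer, audience, expiry and nonce all check out."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm; never let the token choose how it is verified.
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER_URL:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def accept_token(token: str, expected_nonce: str, now: int) -> str:
    """Convenience wrapper: 'ok:<user>' on success, 'rejected:<reason>' otherwise."""
    try:
        return "ok:" + verify_id_token(token, expected_nonce, now)["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_id_token("alice", "nonce-42", now)
    print(accept_token(token, "nonce-42", now + 10))   # the SP trusts the identity
    print(accept_token(token, "nonce-42", now + 600))  # expired
```

The order of the checks matters for a defender: the signature is verified before any claim is read, so forged or modified claims are never acted on, and the issuer, audience and nonce checks stop a valid token from one IdP or one application being replayed against another.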
Benefits
Improve user experience
After a user logs on to the SASE client, the user can be associated with a SASE IdP and access the applications that are integrated into the OIDC-based SSO system of an enterprise. This improves user experience.
Ensure security
Users log on to office applications from the SASE client as users of a SASE IdP. This ensures data security in real time when users access office applications.