Tired of entering your password? I know I am. If I didn’t have to type in my password 20 times every day, I would have finished fixing all the defects in Compass. Ok, that’s hyperbole, but it really is a pain, isn’t it? Wouldn’t it be great if you could log in once to access all your applications? The good old people writing security standards have been nice enough to give us a solution. It is called “single sign on”. With more and more DevOps products integrating with each other it is becoming even more important to have a centralized identity management solution where you can sign in once, and access multiple applications.
Single sign-on (SSO) removes the need to sign on to multiple applications separately. Rather than signing on to each application, the user signs in once at an identity provider (IP), which issues tokens that the user presents to other web applications and services. A token is like an ID card. You show it wherever you go, and it is trusted in many places. If the ID card is trusted, you can do things such as rent a car, walk into a secure building, fly on a plane, and so forth. The same goes for SSO tokens. Any application that is set up to trust the token will let you log in to it as the authenticated user. SSO makes it easier and more secure to use different applications, because you only need to log in once and you only do so on the trusted login site.
Authentication and authorization are separate in SSO. The first time a user connects to one of the applications, the user must authenticate by logging in. While the token is valid (usually 24 to 48 hours), the user does not need to authenticate again. Instead, the previously obtained token is used to authorize access to the application.
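To make the "ID card" idea concrete, here is an added example (not Compass code, and not any particular SSO standard's library) of the two halves of that flow: the identity provider signs a token once at login, and each application only checks that the token is genuine, was issued for it, and has not passed its validity window before trusting it. The issuer name, audience name, shared secret and 24-hour lifetime are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder values; a real deployment gets these from the identity provider's config.
IDP_SECRET = b"constructed-shared-secret"       # key the identity provider signs with (hypothetical)
TRUSTED_ISSUER = "https://idp.example.test"      # hypothetical identity provider name
APP_AUDIENCE = "compass-app"                      # hypothetical name of this application
TOKEN_LIFETIME = 24 * 3600                        # 24 hours, the lower end of the usual window

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, now: int, audience: str = APP_AUDIENCE,
                issuer: str = TRUSTED_ISSUER, secret: bytes = IDP_SECRET) -> str:
    """Identity provider side: produced once, after the single interactive login."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def verify_token(token: str, now: int) -> Optional[dict]:
    """Application side: returns the claims if the token is trustworthy, else None (re-authenticate)."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None                                   # malformed token
    if header.get("alg") != "HS256":                  # the token must not choose its own algorithm
        return None
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # genuine: signed by the trusted provider
        return None
    if claims.get("iss") != TRUSTED_ISSUER or claims.get("aud") != APP_AUDIENCE:
        return None                                   # issued by our provider, and meant for this app
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None                                   # validity window has passed
    return claims

if __name__ == "__main__":
    login_time = int(time.time())
    card = issue_token("alice", login_time)
    print(verify_token(card, login_time + 3600))      # accepted an hour later, no second login
```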
CHOOSING AN IDENTITY PROVIDER
There are several SSO standards available. Compass supports the following:
- OpenID Connect (OIDC)
- Security Assertion Markup Language 2.0 (SAML2)
- Lightweight Third-Party Authentication 2 (LTPA2)
Of these, OIDC and SAML2 offer a user experience that is more friendly, consistent and configurable than LTPA2. These two provide automatic browser redirects to the identity provider login site. So, when the user tries to access a site and needs authentication, they are taken to this login site. The login site is usually customizable, which allows the enterprise to provide a consistent login page with information about your enterprise and the applications available to the user.
So, what single sign on provider does your company use? Will it work with Compass? I’d love to hear if you think Compass needs to support additional SSO features or technologies.