Access to digital services needs to be protected with user IDs assigned to specific individuals. Facebook requires an e-mail address and password while the French health insurance website ameli.fr requires a social security number and access code.
Our increasing use of applications in our professional and private lives means we need to remember ever more login details.
How many can you remember without making several attempts and resorting to clicking on “Forgot password”? Many people tackle this problem by using the same or easy-to-remember passwords, making them extremely vulnerable to dictionary attacks. Worse still, far too many people write their login details on sticky notes for all to see.
SSO and identity federation have been introduced to address this problem.
Single Sign-On (SSO)
A couple of reminders:
An identity is a way of distinguishing one individual from others in a group. For a person, this includes their surname, first name, address and date and place of birth. In IT, the same principle needs to be applied to individuals and machines. Identification is a declarative process which enables a digital identity to be assigned to a person or computer using IP addresses or user IDs such as an e-mail address, screen name, name, social security number or tax number. A user has numerous digital identities, and they are not all characterized by the same attributes.
Authentication involves checking the user’s identity to match their real, unique identity with their digital identity. Various authentication factors are used for this:
- What the person knows: password, access code, questions/answers
- Who the person is: biometric data such as fingerprint or retina patterns
- What the person has: cell phone, USB key, smart card
Of course, several factors can be combined to check that the person is who they claim to be, according to the desired level of authentication.
Single Sign-On (SSO)
SSO enables users to access multiple services using one set of login details.
In a university setting, this means that a student logging in to their schedule application can access exam result or online lesson applications without having to enter their login details again.
There are several technologies:
- LDAP server: a directory service storing user information
- CAS system: Central Authentication Service developed by Yale University
- Identity federation
Depending on the situation, Web Single Sign-On (WebSSO) or Enterprise Single Sign-On (eSSO) can be used.
WebSSO provides an authentication framework which is a portal between the user and the application. Designed for Web applications, it is a more integrated approach than simple SSO.
eSSO involves installing an SSO agent (an executable file) on the user’s machine. This automatically provides the user IDs to the applications. eSSO supports practically all types of applications, not just Web ones.
The two technologies can be used together to meet customers’ needs.
SSO: simplicity, lower management costs and increased security
Implementing SSO in businesses has numerous benefits:
- Increased convenience and time savings for users.
- Lower support costs: users have fewer passwords to remember so require less help with creating, deleting or updating their authentication factors.
- Increased security: individual passwords can be strengthened to better withstand attacks.
Identity federation
The pitfalls of users logging in to several different applications can be avoided by:
- coordinating different security domains
- satisfying the need for trust on the part of the user and all the entities concerned, particularly with regard to government or sensitive services
- having a single digital identity, or at least being able to manage the user's different identities effectively
- only having to log in once to access all services
Single sign-on addresses only the last of these points.
Identity federation provides a response to all of these challenges while maintaining the convenience of SSO.
Preliminary definitions
An Identity Provider (IdP) is an entity which creates, maintains and manages the user’s digital identities and authentication factors. The IdP usually uses an authentication server for the latter. Google, Facebook and Amazon Web Services (AWS) are some of the most popular IdPs while Microsoft Active Directory and OpenLDAP are targeted at companies.
A Service Provider (SP) provides software or IT services to its customers via a network, usually the Internet. This is the case for government, healthcare, banking and insurance services but also non-trusted applications such as TikTok and other social media and e-commerce applications.
What is identity federation?
It is an association between service providers (SP) and identity providers (IdP) across different security domains. Some IdPs are also SPs, such as the French tax, post office and health insurance websites. The word federation conveys the idea of grouping together. Governance rules specify how the IdPs can exchange identity information, creating a trust relationship among the different parties: the user, the SP and the IdP. Different protocols ensure this relationship:
- SAML2
- WS-Federation
- OpenID Connect
When an individual wants to log in to a protected application, they are redirected to the IdP. If authentication is successful, the IdP delivers an access token to the user. This token is a secure digital identity for a single login session which the service provider validates before providing access to the service.
Identity federation can be set up by a multinational company, a consortium of companies or associations. The identity attributes exchanged by the IdPs are often unverified and purely virtual, such as a screen name or e-mail address. If the digital identity is based on a person’s real identity (vital records), the attributes shared between the IdPs and SPs are real. This is referred to as federating self-sovereign identities, which is what FranceConnect does.
Difference between identification and authentication with and without identity federation or SSO
Without identity federation or SSO, the user needs to sign in with a user ID and an authentication factor (such as a password) specific to each service provider.
With identity federation, the user only needs to sign in with the IdP’s identifier and authentication factor.
Example of identity federation and SSO using FranceConnect
Authentication by trusted IdP
Users have two options for logging in to the French tax website (impots.gouv.fr). They can either create a personal account or log in via the FranceConnect system, which checks the user’s identity with another trusted IdP chosen by the user, such as ameli. The user enters their social security number and access code on the ameli.fr website and, once they are authenticated, ameli sends the necessary identity information to FranceConnect, which validates it with INSEE (the National Institute of Statistics and Economic Studies, which holds the vital records). The ameli SP plays the role of IdP here. FranceConnect then provides the information to the impots.gouv.fr SP so the user can access the website.
This model also shows how identity federation makes single sign-on (SSO) possible. The user only signs in once to access a range of services including impots.gouv.fr and permisdeconduire.ants.gouv.fr (tax and driver’s license services). It should be noted, however, that an account sometimes needs to be created after logging in via FranceConnect. This is the case for the French pensions website (info-retraite.fr), for example. By logging in via FranceConnect and choosing to sign in on ameli, some identity attributes are shared, such as surname, first name, date of birth and marital status; the user is shown the full list. They then need to create an info-retraite account and provide their social security number themselves, because ameli does not pass it on: it is not part of the minimum set of shared data.
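The exchange described above (redirect to the IdP, a token issued for a single login session, validation by the SP before access is granted, and a minimum set of identity attributes passed on to the SP) as an added example in Python. This is not code from the article and not FranceConnect's, ameli's or any vendor's implementation: it uses a minimal HMAC-signed JSON token with a key shared between IdP and SP, an assumption that stands in for SAML2 or OpenID Connect signatures, together with a constructed user record, a made-up issuer URL and made-up SP identifiers. The point it shows is the SP side: a token is accepted only if its signature, issuer, audience, nonce and expiry all check out, so a token issued for the tax service cannot be presented to the pensions service, and an old token cannot be replayed.

```python
"""Simplified identity-federation exchange (added example, not FranceConnect's
or any vendor's code): the IdP checks the user's credential and issues a
signed, short-lived token bound to one SP; the SP validates that token before
granting access. The token format is a minimal HMAC-signed JSON document, an
assumption standing in for SAML2 / OpenID Connect."""
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_ISSUER = "https://idp.example"          # assumed IdP identifier
IDP_SIGNING_KEY = b"constructed-demo-key"   # assumption: key shared IdP <-> SP
TOKEN_LIFETIME = 300                        # seconds a token stays valid
_SALT = b"constructed-salt"                 # one salt for the toy user store


def _pbkdf2(password: str) -> bytes:
    """Salted PBKDF2 so the IdP never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed IdP user store with the minimum attribute set it agrees to share.
USERS = {
    "alice": {
        "pw_hash": _pbkdf2("correct horse battery staple"),
        "attributes": {"family_name": "Dupont", "given_name": "Alice",
                       "birthdate": "1990-01-01"},
    }
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def idp_authenticate_and_issue(user_id, password, audience, nonce, now=None):
    """IdP side: verify the credential, then issue a token for exactly one SP."""
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(user["pw_hash"], _pbkdf2(password)):
        return None                       # authentication failed: no token
    now = int(time.time() if now is None else now)
    payload = {"iss": IDP_ISSUER, "sub": user_id, "aud": audience, "nonce": nonce,
               "iat": now, "exp": now + TOKEN_LIFETIME, "attributes": user["attributes"]}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def sp_validate(token, expected_audience, expected_nonce, now=None):
    """SP side: return the attributes only if every check passes, else None."""
    if not isinstance(token, str) or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(body)):
        return None                       # forged or tampered token
    payload = json.loads(_unb64(body))    # only parsed once the signature is good
    now = time.time() if now is None else now
    if payload.get("iss") != IDP_ISSUER:
        return None                       # not from the IdP we trust
    if payload.get("aud") != expected_audience:
        return None                       # issued for another SP
    if payload.get("nonce") != expected_nonce:
        return None                       # replay of a token from an older login
    if now >= payload.get("exp", 0):
        return None                       # expired session token
    return payload["attributes"]


def federated_login(user_id, password, sp_id, now=None):
    """Whole exchange: SP creates a nonce, IdP authenticates and signs, SP validates."""
    nonce = secrets.token_hex(8)
    token = idp_authenticate_and_issue(user_id, password, sp_id, nonce, now)
    return None if token is None else sp_validate(token, sp_id, nonce, now)


if __name__ == "__main__":
    print(federated_login("alice", "correct horse battery staple", "https://tax.example"))
```

In a real federation the IdP signs with a private key and each SP verifies with the IdP's published public key, so no SP ever holds a secret that would let it mint tokens; the nonce plays the role of the state or nonce parameter the SP generates when it redirects the browser to the IdP.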
However, the system is not without its risks
If a malicious individual finds out a user’s ameli user ID and access code, they can log in to all the other services via FranceConnect. Users should therefore:
- Choose a strong password which is more able to withstand attacks, particularly brute force ones.
- Not reuse the same password everywhere. If one SP is breached and a person’s digital identity is exposed together with its authentication method (a username/password pair, for example), only that SP is compromised; the attacker would still have to obtain the other passwords to reach the other service providers.
- Set up strong authentication.
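Strong authentication, as recommended above, means combining more than one of the factors listed earlier in the article (what the person knows, who they are, what they have). The following is an added Python example, not code from the article or from any vendor, of a login that requires both a password and a time-based one-time code (TOTP, RFC 6238) generated by an app on the user's phone. The user record and the TOTP secret are constructed; the secret is the RFC 6238 test-vector key, so the codes it produces can be checked against the published vectors. It also handles two points a practitioner cares about: a small window for clock drift between phone and server, and refusing a code that has already been used once.

```python
"""Two-factor login combining what the person knows (a password) with what the
person has (a phone generating TOTP codes, RFC 6238). Added example, not the
article's or any vendor's code; user records and the shared TOTP secret are
constructed (the secret is the RFC 6238 test-vector key)."""
import hashlib
import hmac
import struct
import time

_SALT = b"constructed-salt"
STEP = 30        # TOTP time step in seconds
DIGITS = 6       # code length shown by the authenticator app


def _pbkdf2(password: str) -> bytes:
    """Salted PBKDF2 so the server stores a hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


def totp(secret: bytes, timestamp: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the current 30 s counter."""
    counter = int(timestamp) // STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def match_totp(secret: bytes, code: str, timestamp: float, window: int = 1):
    """Return the time-step counter the code matches, allowing +/- `window`
    steps of clock drift, or None if it matches none of them."""
    base = int(timestamp) // STEP
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(totp(secret, counter * STEP), code):
            return counter
    return None


# Constructed user store: password hash, TOTP secret, last counter accepted.
USERS = {
    "alice": {
        "pw_hash": _pbkdf2("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,
    }
}


def login(user_id: str, password: str, code: str, now=None) -> bool:
    """Both factors must pass, and a given TOTP code is accepted only once."""
    user = USERS.get(user_id)
    if user is None:
        return False
    now = time.time() if now is None else now
    password_ok = hmac.compare_digest(user["pw_hash"], _pbkdf2(password))
    counter = match_totp(user["totp_secret"], code, now)
    # Evaluate both factors before deciding, so the response does not reveal
    # which factor was wrong; never advance the counter on a failed login.
    if not password_ok or counter is None or counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter          # blocks replay of this code
    return True


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    print(login("alice", "correct horse battery staple", totp(secret, time.time())))
```

Recording the last accepted counter is what turns a code that is merely short-lived into one that is single-use: a code captured from a sticky note or over the user's shoulder is worthless once the legitimate login has consumed it.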
We can help you implement that process, from choosing the solution that best meets your business needs to training the solution administrators and users.