Single Sign-On
Users authenticate once with Blitz Identity Provider rather than separately in each application. This removes password chaos: users no longer face a different login form in every application, do not have to re-enter a login and password when switching between applications, and do not need to remember many passwords.
With Blitz Identity Provider you can also log users in to applications automatically after domain authentication. It is enough to sign in to the domain; when opening your web applications, users will not need to enter a login and password again.
Single Sign-On does not require installing special software on users' devices. It works with all popular operating systems and device types (PCs, tablets, smartphones).
Multi-purpose Single Sign-On
It matters who enters your applications – company employees, customers or subscribers. Each category of users has its own characteristics.
If your applications are for company employees, security is the key task. When accessing internal (Intranet) resources, employees use the company's mandated authentication methods, even at some cost to convenience.
For customers and clients, on the contrary, ease of use is crucial. Authentication and access technologies in your Internet-facing resources should not irritate users, and the login process should be as convenient and simple as possible.
The Blitz Identity Provider authentication server suits both Intranet and Internet resources. For each application you can configure its own access rules and use the most appropriate login methods. For example:
- For the corporate environment you can require strong authentication using smart cards / USB tokens or HOTP / TOTP hardware tokens, and allow login to web applications after authentication in the corporate domain;
- For Internet users you can allow login through social networks (Facebook, Google). Users who want to can additionally protect their accounts with SMS codes or authenticator mobile applications (Google Authenticator, Duo Mobile).
Supported SSO technologies
SAML 1.0, SAML 1.1, SAML 2.0
The Blitz Identity Provider authentication server supports SAML, a widely used protocol that lets you connect almost any popular corporate or cloud application to the identity provider. If the application you need does not support SAML out of the box, SAML may be available as an add-on option, or an integration connector / plug-in may have to be installed.
Blitz Identity Provider allows you to use both Single Sign-On (SSO) modes provided by SAML:
- Service-provider-initiated SSO. The application sends the Blitz Identity Provider authentication server a request for user authentication (a SAML AuthnRequest). After successful authentication the application receives from Blitz Identity Provider a special XML document containing the user data (a SAML assertion).
- Identity-provider-initiated SSO. Here the user first signs in to their Blitz Identity Provider profile and then picks the application they need. Blitz Identity Provider authenticates the user to the application by sending it the required authentication data; because the application never sent a request, this is an unsolicited SAML response.
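The service-provider-initiated mode above, worked through as an added example that is not part of the original page and not Blitz Identity Provider's own code. It builds the AuthnRequest for the HTTP-Redirect binding on the application (SP) side, constructs a sample of the response the identity provider would post back, and runs the checks an SP must make before trusting the assertion: status, InResponseTo and Destination, issuer, bearer SubjectConfirmation, validity window and audience. All URLs, entity IDs, the request ID format and the sample response are assumptions made for the example. XML signature verification is deliberately left out (it needs an XML-DSig library such as xmlsec) and must run before these checks in a real SP. In identity-provider-initiated SSO there is no outstanding request to bind to, so the InResponseTo checks do not apply; that is one reason the SP-initiated mode is the easier one to secure.

```python
import base64
import datetime as dt
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Constructed identifiers for this example; not real Blitz Identity Provider or application URLs.
IDP_SSO_URL = "https://idp.example.com/blitz/saml/sso"
IDP_ENTITY_ID = "https://idp.example.com/blitz"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime in UTC, as used in SAML timestamps


def build_redirect_url(request_id: str, issue_instant: dt.datetime) -> str:
    """Step 1: the SP's AuthnRequest, encoded for the HTTP-Redirect binding
    (raw DEFLATE, then base64, then URL-encoded as the SAMLRequest parameter)."""
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" Version="2.0" '
        f'IssueInstant="{issue_instant.strftime(TS)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE without zlib header
    deflated = deflater.compress(authn_request.encode()) + deflater.flush()
    return IDP_SSO_URL + "?" + urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def sample_response(request_id: str, issued: dt.datetime) -> str:
    """Constructed sample of the Response the IdP posts to the SP's ACS (unsigned; illustration only)."""
    not_before = (issued - dt.timedelta(minutes=1)).strftime(TS)
    not_after = (issued + dt.timedelta(minutes=5)).strftime(TS)
    return f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0"
    IssueInstant="{issued.strftime(TS)}" InResponseTo="{request_id}" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="{issued.strftime(TS)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{SP_ACS_URL}" NotOnOrAfter="{not_after}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="department">
      <saml:AttributeValue>security</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>'''


def parse_ts(value) -> dt.datetime:
    return dt.datetime.strptime(value or "", TS)  # a missing attribute fails as ValueError too


def check_response(response_xml: str, expected_request_id: str, now: dt.datetime) -> dict:
    """Step 2: checks the SP makes on the posted Response before trusting it. Signature verification
    is deliberately omitted: do it first with an XML-DSig library (e.g. xmlsec) and only then run these."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    if root.get("InResponseTo") != expected_request_id or root.get("Destination") != SP_ACS_URL:
        raise ValueError("response does not match an outstanding AuthnRequest for this ACS")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", None, NS) != IDP_ENTITY_ID:
        raise ValueError("missing assertion or unexpected issuer")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id
            or now >= parse_ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer confirmation does not match this request")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion addressed to another service provider")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", None, NS), "attributes": attrs}


def run_flow(now_offset_seconds: int = 0, expected_request_id=None) -> dict:
    # Whole exchange with the IdP simulated in-process, on a fixed constructed clock.
    issued = dt.datetime(2024, 1, 1, 12, 0, 0)
    request_id = "_" + secrets.token_hex(16)  # an XML ID may not start with a digit
    redirect_to = build_redirect_url(request_id, issued)  # browser is sent here; the IdP authenticates the user
    now = issued + dt.timedelta(seconds=now_offset_seconds)
    return check_response(sample_response(request_id, issued), expected_request_id or request_id, now)


def flow_ok(**kwargs) -> bool:
    try:
        return bool(run_flow(**kwargs))
    except ValueError:
        return False
```

The SP has to remember the request ID it issued (for example in the session) and compare it against InResponseTo; without that, any assertion the identity provider ever signed for this SP could be replayed into a new session for as long as its validity window lasts.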
OpenID Connect 1.0 and OAuth 2.0
Compared to SAML, OpenID Connect (OIDC) is a newer authentication protocol: an identity layer built on top of the OAuth 2.0 authorization framework and designed from the start for web applications across the Internet. If you are creating a new application it is much easier to connect it to an OIDC / OAuth 2.0 authorization service. For developers of HTML5 / JavaScript applications and iOS / Android mobile applications OIDC also has a number of additional advantages.
The Blitz Identity Provider authentication server allows using OIDC / OAuth 2.0 in the following scenarios:
- The application wants to identify the user. It redirects the user to Blitz Identity Provider, where authentication takes place. Blitz Identity Provider then returns the user to the application and passes it a special token (the ID token, a signed JWT). After validating this token the application knows who the user is.
- The application wants to call another application's API. Here the application receives from Blitz Identity Provider an access token that permits calling the other application's API on behalf of a specific user. Blitz Identity Provider issues this token only after the user has explicitly allowed the application to receive data about them. The access token is a kind of ticket that the application presents when accessing the resource that provides the data. The user can revoke this permission at any time.
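The first scenario above (the application identifies the user), worked through as an added example that is not part of the original page and not Blitz Identity Provider's own code. It builds the authorization request with a state and a nonce, simulates the identity provider issuing an ID token, and then validates that token the way the application must before trusting the user identity in it: pinned algorithm, signature, issuer, audience, expiry and nonce. The issuer URL, client id, client secret and redirect URI are assumptions made for the example. The token is signed with HS256 using the client secret so the example runs on the standard library alone; an identity provider normally signs ID tokens with an asymmetric key (RS256) whose public part the application fetches from the provider's JWKS endpoint, and the checks shown are the same in that case.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

# Constructed values for this example (hypothetical issuer, client id, client secret and
# redirect URI); they are not real Blitz Identity Provider endpoints.
ISSUER = "https://idp.example.com/blitz/oauth"
CLIENT_ID = "demo-web-app"
CLIENT_SECRET = b"constructed-shared-secret-for-the-example-only"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(state: str, nonce: str) -> str:
    """Step 1: the application sends the browser to the IdP's authorization endpoint."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,  # ties the callback to this browser session (CSRF protection)
        "nonce": nonce,  # echoed inside the ID token, ties the token to this login attempt
    }
    return ISSUER + "/authorize?" + urllib.parse.urlencode(params)


def issue_id_token(subject: str, nonce: str, now: int, audience: str = CLIENT_ID) -> str:
    """Step 2, IdP side (simulated): the token endpoint returns an ID token, a signed JWT.
    HS256 with the client secret is used so the example runs on the standard library alone;
    an IdP normally signs with an asymmetric key (RS256) published on its JWKS endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    signature = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Step 3: the application validates the ID token before trusting its 'sub'. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # Pin the algorithm on the client side; never let the token's own header choose it
    # (that is what defeats alg=none and key-confusion attacks).
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was issued for a different client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    return claims


def is_valid(token: str, expected_nonce: str, now: int) -> bool:
    try:
        return bool(validate_id_token(token, expected_nonce, now))
    except ValueError:
        return False


def demo() -> dict:
    """Whole flow with the IdP simulated in-process."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect_to = build_authorization_request(state, nonce)  # browser goes here and the user logs in
    # The browser returns to REDIRECT_URI?code=...&state=...; the app checks `state`, exchanges the
    # code at the token endpoint using its client secret, and receives the ID token:
    now = int(time.time())
    return validate_id_token(issue_id_token("user-42", nonce, now), nonce, now)
```

The nonce and state are generated per login and kept in the application's session; the nonce check is what prevents an ID token captured from one session from being presented in another, and the audience check is what stops a token issued to a different client of the same identity provider from being accepted here.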
Web proxy for securing SSO in legacy web applications
SAML and OIDC let you connect most applications. But what if an organization's web application supports neither protocol and cannot be updated?
For this case Blitz Identity Provider provides the following integration scenario:
- Access to the legacy web application is routed through a web proxy.
- The web proxy is integrated with Blitz Identity Provider using the special Simple protocol.
- The web proxy intercepts the web application's authentication request and makes a request to Blitz Identity Provider.
- Blitz Identity Provider identifies and authenticates the user. On success, Blitz Identity Provider passes the user's login and password for the web application to the application through the web proxy. The first time, when Blitz Identity Provider does not yet know the user's login / password for that web application, it asks the user for them. Note that in this mode the identity provider holds the user's application password on their behalf, so the stored credentials and the proxy-to-application link need the same protection as the authentication server itself.
Automatic login to applications after successful domain authentication
“Why should I enter the password once again when accessing the application if I just successfully passed the authentication when entering the operating system?”
This is a good question that many employees ask. To avoid a repeated password prompt, Blitz Identity Provider provides an automatic login feature. If the user has already authenticated when signing in to the operating system (domain authentication) against a Kerberos KDC (for example, an Active Directory domain controller), access to the web application through Blitz Identity Provider is granted automatically.
In this case the SSO mechanism in Blitz Identity Provider is based on SPNEGO (the browser presents a Kerberos service ticket for the identity provider in the HTTP Negotiate header) and the GSSAPI standard. Browsers only send a Negotiate token to hosts they are configured to trust, so the identity provider's hostname has to be on the browser's list of trusted (Intranet) sites. Automatic login works on PCs running Windows as well as on macOS and Linux workstations.
A single account for all application types
Blitz Identity Provider can connect not only web applications. It is already compatible with many enterprise desktop applications and native mobile applications; for example, it works with MS Office 365 and G Suite.
Blitz Identity Provider can act as an OAuth 2.0 server. If you are developing a native mobile application, Blitz Identity Provider helps you quickly implement binding of applications and devices to user accounts and control access to server APIs.