How to Integrate SSO Into Your Application

Single Sign-On (SSO) has become a very popular method of authentication. Read on to learn about the two different methods available for implementing SSO.

By 
Izzy Azeri user avatar
Izzy Azeri
·
Nov. 21, 17 · Opinion

If you're living in the 21st century, you've likely used a mobile app or cloud app that requires some form of authentication. Oftentimes you'll get two choices: a Single Sign-On (SSO) option using a login you already use frequently, say Google or GitHub, or creating a separate account and password for that specific application. The latter is more cumbersome, but many apps may not offer the former.

If you're a modern developer and you don't already have SSO implemented for your application, you really should. If you're using it for an app you're distributing, you know that end users are fickle, and if the path they need to take to do something isn't also the path of least resistance, there's a chance they might just give up and move on. With SSO, you can kill two birds with one stone: you can require authorization (which helps you gather user-specific data), and you can do so without negatively impacting your app's user experience. If you're working on something for internal use, SSO allows your users to easily manage their many credentials and reduce the amount of time your help desk spends on assisting with lost passwords.

So, how do you implement SSO? You could roll your own SSO solution, but given that SSO probably isn't your core focus, and given the complexity involved, chances are you should just pay a third party and find something you can easily integrate with your app. In this article, we'll cover the things you need to consider when selecting an SSO provider for your app.

Depending on your use case, you might need to implement more than one SSO strategy. Two of the most common are SAML and OAuth (either version 1.0 or 2.0), though you might end up needing to implement other types of authorization flows as well. In general, cloud-based tools rely on SAML, while many social providers use OAuth 1.0/2.0. For example, you might need to integrate with Heroku, which uses the SAML 2.0 protocol, but the Google APIs support OAuth 2.0.

Many providers will support commonly-used protocols and allow you to implement custom flows, but be sure that this is the case so that you don't discover later on that you can't use a key cloud app with your SSO solution.

Application support is an easy one: does the provider you're considering support the apps you want it to integrate with? For example, if you want SSO to Digital Ocean, Mini Orange offers out-of-the-box support, whereas Okta and PingFederate require custom integration.

So if a provider doesn't support the apps you need out of the box, and you're looking for easy integration without setting up custom authorization flows, move on (preferably before you sign on any dotted lines).

Some vendors will customize integrations for you. If this is an option, ask upfront how long this process takes (and how much it costs) given the number of products you want integrated.

SSO means that there's one point of entry to multiple places. With one set of credentials, unauthorized users could potentially access many different apps. As such, it's important that your SSO provider comes with robust security for the SSO endpoint. At a minimum, your provider should offer multi-factor authentication in conjunction with SSO (or, at the very least, some type of second-factor authentication).

Better yet, look for a tool that offers step-up authentication. What this means is that you have the flexibility to add a second factor to the apps that need extra protection for whatever reason. This means that your users have to provide additional credentials where required, yet they don't have to jump through additional hoops when it's not strictly necessary.

If there's a tool that meets all of your other needs, but it doesn't include second-factor/multi-factor/step-up authentication, that doesn't mean that you should move on and look at other products. You can check to see if it's compatible with other security solutions, and, if so, what the cost of doing so would be. This adds a layer of complexity to your implementation, but, depending on your organization's needs, this might be worth it.
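To make the step-up idea concrete, here is an added example (not code from the original article or from any SSO vendor) of the decision an SSO endpoint makes per request: the session records the strongest factor the user actually completed, each protected app declares the level it requires, and the endpoint either lets the user through, asks for a second factor, or refuses. The level names, the app registry and the freshness window for the most sensitive app are constructed assumptions for illustration; requiring a *recent* second factor for high-value apps is a common extension of step-up that the article does not spell out.

```python
"""Step-up authentication policy check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assurance levels, ordered from weakest to strongest (constructed names).
LEVELS = {"password": 1, "mfa": 2}


@dataclass(frozen=True)
class Session:
    user: str
    level: str                  # strongest factor completed in this session
    authenticated_at: datetime  # when that factor was completed (UTC)


@dataclass(frozen=True)
class AppPolicy:
    required_level: str
    max_age: Optional[timedelta] = None  # None: any age of the factor is fine


# Constructed registry: only apps handling sensitive data demand MFA, and the
# most sensitive one additionally demands that the second factor be recent.
APPS = {
    "wiki": AppPolicy("password"),
    "crm": AppPolicy("mfa"),
    "payroll": AppPolicy("mfa", max_age=timedelta(minutes=15)),
}


def decide(session: Session, app_name: str, now: datetime) -> str:
    """Return 'allow', 'step_up' or 'deny' for one access request."""
    policy = APPS.get(app_name)
    if policy is None:
        return "deny"  # unknown app: fail closed rather than guess a level
    have = LEVELS.get(session.level, 0)   # unrecognised level counts as nothing
    need = LEVELS[policy.required_level]
    if have < need:
        return "step_up"  # user must complete a stronger factor first
    if policy.max_age is not None and now - session.authenticated_at > policy.max_age:
        return "step_up"  # strong enough, but too stale for this app
    return "allow"


def run_scenarios() -> dict:
    """Evaluate a few constructed sessions against the registry."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    password_only = Session("alice", "password", now - timedelta(minutes=5))
    mfa_fresh = Session("alice", "mfa", now - timedelta(minutes=5))
    mfa_stale = Session("alice", "mfa", now - timedelta(hours=2))
    return {
        "password_wiki": decide(password_only, "wiki", now),
        "password_crm": decide(password_only, "crm", now),
        "mfa_fresh_crm": decide(mfa_fresh, "crm", now),
        "mfa_fresh_payroll": decide(mfa_fresh, "payroll", now),
        "mfa_stale_crm": decide(mfa_stale, "crm", now),
        "mfa_stale_payroll": decide(mfa_stale, "payroll", now),
        "unknown_app": decide(mfa_fresh, "unknown", now),
    }


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:20s} -> {outcome}")
```

The point of the structure is that the extra hoop appears only where the policy demands it: the same password-only session reaches the wiki untouched, is asked for a second factor at the CRM, and an MFA session that has gone stale is re-challenged only by the app whose policy sets a freshness window.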

There's a lot to cover in this category, but, basically, what this comes down to is, "How easy is it to manage your users and what they access?" The ability to provision and de-provision users is a given, but how granular is your control? Does the provider offer role-based access management? Can you group users, assign them roles, and set permissions on the fly? If the provider offers automation for such processes, that's even better. This is especially important if you are integrating SSO into your internal apps.

Furthermore, check for support based on your existing usage. Today, company infrastructure isn't limited to just a set of computers and servers in a single physical location. You'll probably have things like cloud apps and VPNs, but you should also consider your employees' devices. Bring Your Own Device (BYOD) is increasingly common, and this is another entry point that you'll need to consider.

Your provider is only as good as its uptime. The usual advice is to look for a provider that guarantees an uptime approaching 100%, but depending on your use case, this generalization might not be enough.

You've probably seen a chart of availability percentages and what they mean regarding downtime, but let's pull out several rows to use as examples:

Availability Percentage    Downtime per Year
99%                        3.65 days
99.9%                      8.76 hours
99.99%                     52.56 minutes

Obviously, the higher the availability percentage, the more you're likely to pay for the service. If you don't have a mission-critical service, then you might be just fine with an SLA offering 99% uptime. However, if you have a shopping app, you might spring for higher uptime guarantees (because, let's face it, while the probability that something goes down isn't uniform, you don't want to deal with technical issues on Black Friday/Cyber Monday).

Though this item seems superficial compared to the others on this list, user experience matters. Some tools force you into a pre-existing design. If that design is good and it works for your use case, that's great. However, if it's not, then you have no way to change it.

A good SSO tool should, at the very least, allow admins to customize the user experience, including branding and feel. Ideally, you should also be able to implement custom conditional factors based on things like location, IP address, and so on.

Finally, with many users logging in to their accounts from a wide variety of device types, your provider should be able to provide a good experience for your users regardless of whether they're on desktops, laptops, or smartphones.

If you're looking for an SSO provider, there are plenty of third-party alternatives that you can use. However, by carefully considering the needs of your team and your app, you can narrow down the field to find the option that's best for you.


Published at DZone with permission of Izzy Azeri, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
