
Back-Channel Authentication as an improvement to Single Sign On


In this post, we’ll be discussing how the back-channel single sign-on (SSO) flow can help to improve user experience and reduce latency.


Single Sign-On (SSO) is a widely used solution in many enterprise systems. SSO lets users provide their credentials once and obtain access to multiple applications without being prompted for credentials every time. In this post, I’ll be discussing an improvement that can be made to the front-channel (browser-facing) SSO flow in order to improve user experience and reduce latency. After an SSO login to a service provider (a web application), the browser redirection to the identity provider can be avoided during subsequent logins by using back-channel authentication.

Why Should You Consider Using Back-Channel Authentication?

The main motivation behind replacing front-channel authentication with back-channel authentication is to improve the user experience. When front-channel authentication is used, the browser is redirected to the identity provider (IdP) to complete the authentication flow. These browser redirections are meaningless to end users and add noticeable latency as well.

Back-channel authentication allows for server-to-server communication and thus removes the need for browser redirections. Many popular and widely used service providers use back-channel authentication when accessing their services.

A well-known example is Google. Try logging into Gmail and then accessing YouTube: you will notice that the authentication to YouTube happens via a back-channel, that is, you can access your YouTube account without any further redirections. Back-channel authentication is therefore a widely used improvement for providing a seamless user experience when accessing multiple services.

When there are browser redirects among your applications, you need a security model that ensures the redirections are safe. Moreover, redirects affect mobile users more significantly because they are on less reliable mobile networks. Enabling back-channel authentication also gives you the flexibility to relax the restrictions that the redirect-based security model imposes.

Messages that are transmitted via a front-channel are usually signed and often encrypted. These precautions are needed because the messages transit in a potentially hostile browser environment. So, when you move to a back-channel protocol, you can rely on mutually authenticated TLS (Transport Layer Security) for end-to-end security as the communication is point-to-point.

So, if you have a set of SSO-enabled services, you should consider back-channel authentication as an option to improve performance and user experience.

When Can You Use Back-Channel Authentication?

In order to enable back-channel authentication, your service provider applications and the identity provider need to fulfill the following conditions.

  • SSO is enabled among the service provider applications.
  • All service provider applications use federated login with the identity provider.
  • Redirection to the identity provider from any of the web applications is only needed when the user is not authenticated.
  • Each web application performs back-channel authentication to check whether the user has a valid session before redirecting the user to the identity provider.
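The decision each service provider makes under the last two conditions, as an added example that is not from the original post: a valid local session needs no IdP contact, an opaque IdP session reference carried by the browser is checked server-to-server, and only when that check fails (or the IdP is unreachable) does the user get a front-channel redirect. The cookie names, the in-memory IdP stub and the IdP URL are assumptions for illustration; in a real deployment the session check would travel over mutually authenticated TLS.

```python
from dataclasses import dataclass, field

@dataclass
class FakeIdp:
    # Constructed stand-in for the IdP's back-channel session-check endpoint.
    # A real SP would call it over mutually authenticated TLS instead.
    sessions: dict = field(default_factory=dict)  # session_ref -> (subject, expires_at)
    reachable: bool = True

    def front_channel_login(self, subject, now, ttl=3600):
        # First login: browser redirect to the IdP, which creates a session and hands
        # back an opaque reference the browser will present to sibling SPs (assumption).
        ref = f"sref-{len(self.sessions) + 1}"
        self.sessions[ref] = (subject, now + ttl)
        return ref

    def check_session(self, session_ref, now):
        if not self.reachable:
            raise ConnectionError("IdP back-channel unavailable")
        entry = self.sessions.get(session_ref)
        if entry is None or entry[1] <= now:
            return None  # unknown or expired: caller must fall back to a redirect
        return entry[0]


IDP_LOGIN_URL = "https://idp.example.test/login"  # placeholder, not a real endpoint

@dataclass
class ServiceProvider:
    idp: FakeIdp
    local_sessions: dict = field(default_factory=dict)  # sp_session id -> subject

    def handle_request(self, cookies, now):
        # Returns (outcome, subject, cookies_to_set) for an incoming browser request.
        # 1. A valid local session needs no IdP contact at all.
        subject = self.local_sessions.get(cookies.get("sp_session"))
        if subject:
            return ("local", subject, {})
        # 2. No local session: ask the IdP server-to-server before redirecting.
        ref = cookies.get("idp_session_ref")
        if ref:
            try:
                subject = self.idp.check_session(ref, now)
            except ConnectionError:
                subject = None  # fail closed: a redirect is always a safe fallback
            if subject:
                sid = f"sp-{len(self.local_sessions) + 1}"
                self.local_sessions[sid] = subject
                return ("backchannel", subject, {"sp_session": sid})
        # 3. Only now does the user see a browser redirect to the IdP.
        return ("redirect", None, {})
```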


Topics:
security ,web application security ,single sign on ,sso ,back-channel authentication

Published at DZone with permission of
