Improve Single Sign-On With Back-Channel Authentication

In this post, we’ll be discussing how the back-channel single sign-on (SSO) flow can help to improve user experience and reduce latency.

Single Sign-On (SSO) is widely used in enterprise systems. It lets users present their credentials once and then access multiple applications without being prompted again at each one. This post discusses an improvement to the front-channel (browser-facing) SSO flow that improves the user experience and reduces latency: once a user has completed an SSO login to one service provider (a web application), the browser redirection to the identity provider can be avoided at subsequent logins to other service providers by authenticating over a back channel instead.

Why Should You Consider Using Back-Channel Authentication?

The main motivation for replacing front-channel authentication with back-channel authentication is user experience. With front-channel authentication, the browser is redirected to the identity provider (IdP) and back again to complete the authentication flow. These redirections carry no meaning for the end user and add noticeable latency to every login.

Back-channel authentication allows for server-to-server communication and thus removes the need for browser redirections. Many popular and widely used service providers use back-channel authentication when accessing their services.

A well-known example is Google. Log in to Gmail and then open YouTube: you reach your YouTube account without any further visible redirection, because the authentication for YouTube is completed via a back channel rather than through browser round trips. Back-channel authentication is thus a widely used technique for a seamless experience across multiple services.

When your applications rely on browser redirects, you need a security model that keeps those redirects safe (for example, strict validation of the URLs the user is sent back to). Redirects also hurt mobile users disproportionately, since they ride on slower and less reliable mobile networks. Moving authentication to the back channel removes that class of browser-facing concern, although the server-to-server call then has to be protected in its own right: the identity provider must authenticate the calling service provider, and the service provider must trust only what it receives over that authenticated connection.

Messages sent over the front channel are usually signed and often encrypted, because they transit a potentially hostile browser environment. When you move to a back-channel protocol the communication is point-to-point, so you can rely on mutually authenticated TLS (Transport Layer Security) between the service provider and the identity provider for transport security instead.

So, if you have a set of SSO enabled services, you should consider back-channel authentication as an option to improve performance and user experience.

When Can You Use Back-Channel Authentication?

To enable back-channel authentication, your service provider applications and the identity provider need to meet the following conditions:

  • SSO is enabled among the service provider applications.
  • All service provider applications use federated login with the identity provider.
  • Redirection to the identity provider from any of the web applications is only needed when the user is not authenticated.
  • Each web application performs back-channel authentication to check whether the user has a valid session before redirecting the user to the identity provider.
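As an added example, not code from the original article or from any particular SSO product, the Python below simulates the procedure these four conditions describe with both sides present: an identity provider that hands out opaque session handles and answers back-channel validation requests, and service providers that check their own session first, then ask the identity provider server-to-server, and redirect the browser only when neither yields a valid session. The shared-parent-domain SSO cookie, the names (`sso_handle`, `validate`, `handle_request`) and the certificate file paths passed to `backchannel_tls_context` are assumptions; the server-to-server call is a direct method call standing in for the mutually authenticated TLS request discussed above.

```python
"""Added example (not from the original article): a minimal simulation of the
back-channel session check, with both the IdP and the SP side present.
Names, the cookie layout and the wire format are assumptions."""
import secrets
import ssl
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: the SPs and the IdP share a parent domain, so the browser sends
# the same opaque SSO handle cookie to every one of them.
SSO_HANDLE_COOKIE = "sso_handle"


class IdentityProvider:
    """Keeps SSO sessions keyed by a random, opaque handle."""

    def __init__(self, session_ttl: int = 3600, now=time.time):
        self._sessions = {}          # handle -> (username, expiry timestamp)
        self._ttl = session_ttl
        self._now = now              # injectable clock, for tests

    def login(self, username: str) -> str:
        """Called once the front-channel login has succeeded; the returned
        handle is what the IdP sets as the SSO cookie."""
        handle = secrets.token_urlsafe(32)
        self._sessions[handle] = (username, self._now() + self._ttl)
        return handle

    def logout(self, handle: str) -> None:
        self._sessions.pop(handle, None)

    def validate(self, sp_id: str, handle: str) -> Optional[dict]:
        """Back-channel endpoint. In production `sp_id` comes from the client
        certificate on the mutually authenticated TLS connection, not from the
        request body, so one SP cannot impersonate another."""
        entry = self._sessions.get(handle)
        if entry is None:
            return None
        username, expires = entry
        if self._now() >= expires:
            del self._sessions[handle]       # expired: treat as no session
            return None
        return {"sub": username, "aud": sp_id}


@dataclass
class Decision:
    action: str                 # "serve" or "redirect"
    user: Optional[str] = None
    via: Optional[str] = None   # "local", "back-channel" or None


class ServiceProvider:
    def __init__(self, sp_id: str, idp: IdentityProvider):
        self.sp_id = sp_id
        self._idp = idp
        self._local = {}             # SP session id -> username

    def handle_request(self, cookies: dict) -> Decision:
        # 1. The browser already has a session at this SP: serve directly.
        sid = cookies.get(f"{self.sp_id}_session")
        if sid in self._local:
            return Decision("serve", self._local[sid], "local")
        # 2. No SP session, but an SSO handle: ask the IdP server-to-server.
        handle = cookies.get(SSO_HANDLE_COOKIE)
        if handle:
            info = self._idp.validate(self.sp_id, handle)
            if info is not None:
                new_sid = secrets.token_urlsafe(32)
                self._local[new_sid] = info["sub"]
                cookies[f"{self.sp_id}_session"] = new_sid   # Set-Cookie in HTTP
                return Decision("serve", info["sub"], "back-channel")
        # 3. Nothing usable anywhere: only now redirect the browser to the IdP.
        return Decision("redirect")


def backchannel_tls_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Client-side TLS context for the SP -> IdP call (assumed file paths):
    verifies the IdP against the CA and presents the SP's own certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def demo():
    """Walk one browser through three SPs; returns (sp, action, via) per request."""
    idp = IdentityProvider(session_ttl=600)
    sps = {n: ServiceProvider(n, idp) for n in ("mail", "video", "docs")}
    cookies, log = {}, []

    def visit(name):
        d = sps[name].handle_request(cookies)
        log.append((name, d.action, d.via))

    visit("mail")                                    # no session anywhere: redirect
    cookies[SSO_HANDLE_COOKIE] = idp.login("alice")  # front-channel login completes
    visit("mail")                                    # back-channel check, no redirect
    visit("video")                                   # second SP, still no redirect
    visit("video")                                   # now served from the local session
    idp.logout(cookies[SSO_HANDLE_COOKIE])
    visit("docs")                                    # IdP session gone: redirect
    visit("video")                                   # local SP session still served
    return log
```

Running `demo()` walks one browser through three service providers: the first visit redirects, the next visits to other providers are served after a back-channel check with no redirect, and a repeat visit is served from the local session. The last two steps show a caveat the check alone does not cover: after the IdP session is ended, a new service provider correctly redirects, but a service provider that already minted its own session keeps serving it, so ending sessions everywhere needs a separate mechanism from the login-time check.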


Published at DZone with permission of
