Enterprising SSO
Enterprise Federation – also referred to as SSO – allows you to leverage the Identity Provider (IdP) already employed by an Enterprise. Valuable in some B2C application scenarios, this facility paves the way for making B2B and B2B2C opportunities a reality, opening the door to additional lines of revenue!
Hi, I’m Peter Fernandez, an Innovator, Architect, Consultant, Engineer, and Principal Developer Advocate at Auth0 by Okta. I’d like to share with you some of my experience building user authentication, using Enterprise Federation, into modern applications and how easy it is to do that using the Auth0 platform.
User Authentication using SAML…
User authentication in a federated context typically utilizes the SAML protocol. SAML is an industry standard designed to facilitate an enterprise-trusted relationship where a 3rd party can authenticate against the IdP used by an organization. When it comes to integrating the protocol there is a lot to understand. Both ends of a login conversation speak SAML, and when they do, a valid user-authenticated context is determined by the use of a SAML Assertion rather than a UserID and a Password. SAML essentially pioneered SSO, and can leverage the likes of MFA and Passwordless too.
…or OpenID Connect
Federated user authentication can also support the use of OpenID Connect. OpenID Connect – a.k.a. OIDC – is an industry standard alternative to SAML that requires far less configuration from a trust perspective, yet still provides sufficient security for many enterprise use cases. OIDC is typically a lot easier to manage than SAML. However, there is still just as much to understand when it comes to integrating the protocol. When both ends of a login conversation speak OIDC, a valid user-authenticated context is determined by the use of a JWT format ID Token rather than a UserID and a Password. OIDC also enables the likes of Social authentication. Like SAML, OIDC supports SSO, and can leverage the likes of MFA and Passwordless too.
Authentication via the Browser
Enterprise authentication typically requires the use of browser-based workflows – where an application navigates to the federated IdP in order to obtain either an Assertion or a JWT format ID Token, following successful user authentication. Not only does this require the potential re-architecting of existing application logic, it also requires that developers understand the subtle nuances and vagaries of each federated provider’s implementation.
SP Initiated…
In SAML, the Service Provider – a.k.a. the SP – is the entity that receives and accepts the (SAML) assertion generated by the IdP. One can typically think of the SP as a Web Service – i.e. a Web Application – that speaks the SAML protocol. With SP-initiated workflow, it’s the Service Provider – the Web Service/Application – that initiates the authentication request to the IdP.
…vs IdP Initiated
In a SAML IdP-initiated workflow, the converse is true: the IdP is the entity that initiates the authentication request, delivering a (SAML) assertion to the SP in an unsolicited fashion. IdP-initiated flows are valuable in providing support for externalized SSO scenarios, where a user may come to an application via the likes of an external web portal or dashboard interface.
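The difference between the two flows is visible in the SAML Response the SP receives: a solicited response carries an InResponseTo that must match an AuthnRequest the SP actually issued, whereas an unsolicited (IdP-initiated) response has none and is accepted only if SP policy allows it. The following is an added example, not Auth0's code or code from the original page: it checks Destination, Issuer, the validity window and Audience on a constructed response, classifies the flow, and consumes the request id so a solicited response is accepted once. The SP URLs, entity IDs and sample response are all made up, and the XML signature is assumed to have been verified beforehand by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed SP configuration (not from any real deployment).
SP_ACS_URL = "https://sp.example.com/saml/acs"
SP_ENTITY_ID = "https://sp.example.com/metadata"
TRUSTED_IDP = "https://idp.example.com/metadata"
ALLOW_IDP_INITIATED = True   # policy switch: accept unsolicited responses or not

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text: str, outstanding_request_ids: set, now_iso: str) -> dict:
    """Validate addressing and time fields and report the flow; the signature is assumed verified already."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)   # use defusedxml in production to harden XML parsing
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("missing assertion or untrusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    irt = root.get("InResponseTo")
    if irt is None:                  # unsolicited: the IdP-initiated case
        if not ALLOW_IDP_INITIATED:
            raise ValueError("unsolicited response rejected by policy")
        flow = "idp-initiated"
    else:                            # solicited: must answer an AuthnRequest this SP actually sent
        if irt not in outstanding_request_ids:
            raise ValueError("InResponseTo matches no outstanding AuthnRequest")
        outstanding_request_ids.discard(irt)   # one-time use, so the same response cannot be replayed
        flow = "sp-initiated"
    return {"flow": flow, "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}

def sample_response(in_response_to=None) -> str:
    """Constructed, unsigned demo response standing in for what the IdP posts to the ACS URL."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_ACS_URL}"{irt}>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{TRUSTED_IDP}</saml:Issuer><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>'''
```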
Build it yourself?
You could build support in-house, yourself. That’s true, and I’ve covered how to do just that in a related webinar. If your team has the resources, time, capacity, knowledge, and expertise in developing SSO; deploying Attack Protection; leveraging OIDC and/or SAML for Authentication, Social and/or Enterprise Federation; implementing Passwordless and/or MFA; and (optionally) OAuth 2.0 for API Authorization – then it’s definitely an option. But what if there was a better way?
Federate using Universal Login
Auth0 Universal Login allows you to create a fully customized user authentication experience that includes Enterprise Federation at the push of a button! And one that supports features like SSO and MFA, right out-of-the-box too! Integrate Universal Login as part of your login workflow, and let us focus on providing seamless access to all of the capabilities supported by the Auth0 platform – whilst you focus on building the core experience of your application.
Connectivity out-of-the-box
Leverage the IdP already used by an organisation with ease via a wide range of readily available Enterprise Connections. All at the flip of a switch! You can even set up Auth0 as a SAML Service Provider, a SAML Identity Provider, or some combination of both.
Out-of-the-box Organization too
Employ Organizations to provide ready-made B2B support, where user isolation and application branding can be configured on a per organisation basis.
MFA
Add MFA for enhanced security – even if it’s not provided by the federated IdP! With Auth0 Adaptive MFA, you can fine-tune the user authentication process using intelligent multi-factor access management that dynamically fits customer login behaviours. All whilst satisfying your business needs.
Extensibility
Customize identity flows with visual drag-and-drop Actions to build functionality that will address your unique requirements.
Integrate with ease
With a variety of out-of-the-box options provided by a wide range of SDKs, you can build an initial integration with Auth0, written in any programming language and supporting any technology stack, in a matter of hours. Visit the Auth0 SDK website to discover how to integrate with ease.
Read more on the Auth0 Blog
Read more about Federation and why it can be your secret weapon for B2B, on the Auth0 Blog. We even provide guidance on setting up Auth0 as the SAML Service Provider and/or the SAML Identity Provider for SAML IdP-initiated workflows and the like. The Auth0 Blog also provides numerous other articles on how Auth0 makes life easier when it comes to building Customer Identity & Access Management.
Architected Scenario Guidance
Whatever scenario you’re building for, Auth0 has comprehensive guidance to help you navigate through the design decisions often faced when building a Customer Identity & Access Management solution. Let our architecture scenario guidance for both B2C and B2B help you prepare for any eventuality.
Stay informed
Find helpful Identity & Access Management articles that are timely and relevant, whatever your level of experience. Whether you prefer to learn by reading, listening, watching videos, cloning repos, copying code, or attending a workshop or conference: content is everywhere and made for developers like you. Subscribe to the newsletter today!
Begin the journey…
Sign up here, and create a free Auth0 Tenant to begin your journey. Play with prototyping an integration of your existing code – or develop something new; experience the Okta Customer Identity Cloud, powered by Auth0, in a way that best suits you.
…or try a Demo.
If you’re looking for some inspiration, why not take a look at some of the pre-built demos at demo.okta.com – where you can test-drive sample integrations for both the Okta Customer Identity Cloud and the Okta Workforce Identity Cloud too!