Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
How single sign-on works with a directory | Ping Identity
Identity Fundamentals
Expand All | Collapse All
Identity and Access Management
Identity Providers and Service Providers
Centralized vs Decentralized Identity Management
Zero Trust Security
Authentication
Single-factor, Two-factor, and Multi-factor Authentication
Passwordless Authentication
FIDO (Fast Identity Online)
Risk-based Authentication
Certificate-based Authentication
Token-based Authentication
Single Sign-On (SSO)
Federated Identity Management
Continuous Authentication
CHAP Authentication
Authorization
Authentication and Authorization Standards
SAML
OAuth
OpenID Connect (OIDC)
Identity Orchestration
Authentication and Authorization Protocols
LDAP
SCIM
WebAuthn
Kerberos
WS-Trust

What is Single Sign-On?


SSO is used by organizations to make it easy for their users to gain access to their own hosted applications, services hosted by partners, or vendors. It eases the burden on users to manage a separate password for each one of the applications or services they need access to. It also eases the burden on IT teams for password reset across the vast array of applications and services that their users need access to. For more information on SSO, see single sign-on.

 

 

What is a directory?

Directories are used by organizations to store information about their users. Because this is central to how most organizations function, directories are also used as the main source for authentication, authorization, and other policy decisions, and for storage of additional information about their users that is relevant to the business.

 

Authentication

Because the directory stores data about the user, it is also used to store information used to authenticate the user. This could be with a secure password that is captured for that user at the time of registration, or it could be with a certificate or other credential that can be used to verify that the user is who they claim to be.

 

In this case, the SSO service is linked to the directory to:

 

  • Look up the user to see if the user account exists.

  • Validate the user's credentials (passwords, certificates depending on the policy) that are stored in the directory.

     

Authorization

In a number of cases, the SSO service might be asked to determine if the user is authorized to make the request. In this event, the SSO service looks up one or more attributes relevant to the user through the directory to compare it against its authorization policy that defines what attributes the user must have in order to be able to access the service. This could be as simple as belonging to a specific group or being assigned a role that is specified as being allowed access to the requested resource.

 

Attribute storage and retrieval

In many cases, the target application (that is, the application for which the SSO service is providing tokens to enable SSO) requires additional attributes to be passed about the user to:

 

  • Identify the user to the service.

  • Limit access to certain aspects of the application.

  • Customize the user experience for the user within that application.

     

In those cases, where portions of this type of information are stored within the directory service, the SSO service can retrieve those additional attributes from the directory service during SSO to be appended as claims within the token that is passed to the target service or application.

Related Resources

Capability

Single Sign-on Solution

   

Capability

Directory

   

Blog

Top Benefits of SSO and Why It’s Important for Your Business

   

Start Today

Contact Sales

sales@pingidentity.com

+1 877-898-2905

See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.