SSO is used by organizations to make it easy for their users to gain access to their own hosted applications, services hosted by partners, or vendors. It eases the burden on users to manage a separate password for each one of the applications or services they need access to. It also eases the burden on IT teams for password reset across the vast array of applications and services that their users need access to. For more information on SSO, see single sign-on.
What is a directory?
Directories are used by organizations to store information about their users. Because this is central to how most organizations function, directories are also used as the main source for authentication, authorization, and other policy decisions, and for storage of additional information about their users that is relevant to the business.
Because the directory stores data about the user, it is also used to store information used to authenticate the user. This could be with a secure password that is captured for that user at the time of registration, or it could be with a certificate or other credential that can be used to verify that the user is who they claim to be.
In this case, the SSO service is linked to the directory to:
Look up the user to see if the user account exists.
Validate the user's credentials (passwords or certificates, depending on the policy) against what is stored in the directory.
In a number of cases, the SSO service might also be asked to determine whether the user is authorized to make the request. In this event, the SSO service looks up one or more attributes of the user in the directory and compares them against its authorization policy, which defines the attributes a user must have in order to access the service. This could be as simple as belonging to a specific group or holding a role that is allowed access to the requested resource.
Attribute storage and retrieval
In many cases, the target application (that is, the application for which the SSO service is providing tokens to enable SSO) requires additional attributes to be passed about the user to:
Identify the user to the service.
Limit access to certain aspects of the application.
Customize the user experience for the user within that application.
In those cases, where this type of information is stored in the directory service, the SSO service can retrieve the additional attributes from the directory during SSO and append them as claims in the token that is passed to the target service or application.
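The lookup, credential validation, authorization check and claim assembly described above, as an added Python example that is not part of the original article. The directory contents, application policies, user names and the fixed salt are all constructed for illustration.

```python
"""Toy SSO-to-directory flow (constructed in-memory directory, no real product).
Steps mirror the article: look up the user, validate the stored credential,
evaluate an attribute-based authorization policy, then build token claims."""
import hashlib
import hmac

def _hash_pw(password: str, salt: bytes) -> bytes:
    # Directory stores a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-fixed-salt"  # one salt for brevity; real stores use per-user salts
DIRECTORY = {  # constructed directory entries
    "alice": {"pw": _hash_pw("correct horse", _SALT), "groups": ["finance", "staff"],
              "displayName": "Alice Example", "mail": "alice@example.test"},
    "bob":   {"pw": _hash_pw("hunter2", _SALT), "groups": ["staff"],
              "displayName": "Bob Example", "mail": "bob@example.test"},
}

# Authorization policy per target application: the group it requires and the
# directory attributes it wants appended to the token as claims.
APPS = {
    "payroll":  {"required_group": "finance", "claims": ["displayName", "mail"]},
    "intranet": {"required_group": "staff",   "claims": ["displayName"]},
}

def sso_login(username: str, password: str, app: str):
    """Return (ok, reason, claims). Unknown user and wrong password give the
    same reason, so the response does not reveal which accounts exist."""
    entry = DIRECTORY.get(username)                      # 1. look up the user
    candidate = _hash_pw(password, _SALT)                # hash even if unknown
    if entry is None or not hmac.compare_digest(candidate, entry["pw"]):
        return False, "invalid credentials", {}          # 2. validate credential
    policy = APPS.get(app)
    if policy is None or policy["required_group"] not in entry["groups"]:
        return False, "not authorized", {}               # 3. authorization policy
    claims = {"sub": username, "aud": app}               # 4. attributes as claims
    claims.update({k: entry[k] for k in policy["claims"] if k in entry})
    return True, "ok", claims
```

Only the attributes the application's policy names are copied into the token, so an app that needs just a display name never receives the user's mail address.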