External Authentication - Single Sign-On(SSO)
- Panagiotis Papanastasiou
- Oleg Melnykov
- Konstantinos Parisopoulos
The interworks.cloud platform can be integrated with external authentication services, providing registration/login capabilities for Storefront users who are authenticated through such a service or through external Identity Providers (IdPs). These services identify users maintained in external user stores and map them to BSS/Storefront users, granting access to the interworks.cloud platform when the user logs in (is authenticated) from one of these external sources.
Understanding the External Authentication
To have a better understanding of the external authentication process please check the three following definitions, as well as the "External Authentication Example" that follows.
- External authentication is the use of third-party authentication sources, such as identity providers, to decide whether a user should be allowed access to a system, as well as what level of access an authenticated user enjoys on a system.
- Identity provider (IdP or IDP) is a system entity that creates, maintains, and manages identity information while providing authentication services to relying applications within distributed networks. Identity providers offer user authentication as a service and the relying party applications, such as web applications, outsource the user authentication step to them. An identity provider is also considered a trusted provider that lets you use single sign-on (SSO) to access other websites and in general, it can facilitate connections between cloud computing resources and users, thus decreasing the need for users to re-authenticate.
- Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. SSO enhances usability by reducing password fatigue. It also provides better security by decreasing the potential "attack surface". SSO can be used by enterprises, smaller organizations, and individuals to ease the management of various usernames and passwords.
External Authentication Example
When a user requests to log in to a web application (Storefront), he has the choice of logging in to our Storefront with an external authentication service. When the preferred external authentication service is chosen, the user is redirected to the login page of that service in order to enter his corresponding credentials. Upon successful authentication, the external service redirects the user back to the original web application along with some necessary information about the user. The web application uses that information to verify that the user was successfully authenticated by the external service and, at the same time, gathers further details so as to associate him with a BSS/Storefront user, if he is already registered on BSS/Storefront, or to prompt him to register an account pre-filled with the information acquired from the external authentication service.
Categories of Identity Providers
Identity providers are split into two main categories: Social IdPs (1) and Enterprise IdPs (2).
- You have most probably used Social IdPs in your personal life, for example when you log in to a web application with your Google or Facebook credentials instead of registering a new account on that platform. These providers are also known as global or common providers, since their reach is widespread on the Internet.
- By contrast, Enterprise IdPs have been adopted in recent years by (B2B) organizations and offer the best security possible. Since they are oriented towards providing authentication services to organizations, they have become the preferred choice of many enterprises when it comes to managing and securing corporate usernames and passwords.
External Authentication Administration
The process of external authentication requires that both involved systems (the external IdP and our BSS) are manually configured to communicate with each other over a "trust-link", since this "trust-link" relation is not created automatically. You can begin configuring and enabling the external authentication features for Storefront by following the guide below:
Go to: BSS Setup > Administration > System Options
Click on the "Storefront Login Settings" link, located under the Authentication section of the page.
You can choose which Identity Provider you wish to set up and enable from the list of Enterprise IdPs that appears (Social IdPs will follow during the upcoming months).
For configuring and enabling any of the following Enterprise Identity Providers please continue to the corresponding guide from the bullet list that follows:
- auth0 guide → auth0 (OIDC)
- Azure AD guide → Azure AD (OIDC)
- Azure AD B2C guide → Azure AD B2C (OIDC)
- Token-Based SSO guide → Token-Based SSO
- Okta guide → Okta (OIDC)
For configuring and enabling any of the following Enterprise Identity Providers please continue to the corresponding guide from the bullet list that follows:
- Google guide → Google (OIDC)
External Authentication on Storefront (V4)
After enabling your preferred identity provider, you will be able to use it as an alternative means to log in to Storefront.
You can choose your identity provider from the list named "External Authentication"; by doing so, you are redirected to the login page of the external authentication service, where you enter the personal credentials that belong to the chosen IdP instead of your local Storefront credentials.
The two following images are examples of how the External Authentication list looks on the Storefront's login/sign-in page.
Basic Template View
Nebula Template View
Managing Local & External Login Accounts via Storefront
You can manage your active External Authentication Provider accounts as well as your active Local Login account by following the guidelines of the Managing External & Internal Login Accounts in Storefront page.