iam:auth:sso

About

Single Sign-On (SSO, trusted sign-on) is the ability:

SSO is also known as:

Single sign-on (sso) is conceptually pretty simple ¹⁾.

If you know the oauth flows, it's basically a indirect oauth flow, where the authorization point sets its own session cookie.

In this flow, there are:

The user visits domain1.com.
domain1.com sees that it has no session cookie scoped to the domain domain1.com
domain1.com redirects to sso.com
sso.com presents the login page
Upon successful identification, sso.com redirects back to domain1.com via:
- a callback Url (like domain1.com/ssologin)
- with a session cookie scoped to the domain sso.com
- with a query parameter where the value is:
  - the access token encrypted with a shared secret key between domain1.com and sso.com
  - or an authorization code that permits to retrieve the access token later
domain1.com takes:
- the encrypted access token, decrypts it with the shared key.
- or the code, asks the access token to the token endpoint
domain1 sets its own session cookie for the user with the time out dictated by sso.com.

¹⁾