
Federation and Single Sign-On (SSO)



This article describes the basic concepts of Single Sign-On and Federation, common use cases and implementations, and how SAP Customer Data Cloud can help with an SSO and Federation implementation.


Benefits of Federation and Single Sign-On (SSO)

The concepts of SSO and federation are widely used to define how users are authenticated and how they access resources on public and private networks, as well as on devices. SSO is a general concept which can be defined as follows:


SINGLE SIGN-ON (SSO) - the ability to authenticate (prove identity) once and then access different authorized resources without needing to authenticate again

The main benefit of SSO is convenience for the user. As different protected resources might belong to different entities, each entity might require its own way of authenticating and authorizing access to its resources. In the course of daily work-related or personal activities a user needs to access many different resources and would have to remember how to authenticate to each of them. The ability to authenticate once and not have to authenticate again for a period of time creates a better user experience.


SSO can be implemented in different ways; the most widely adopted one is identity federation. It is defined as follows:


FEDERATION - a trusted mechanism for verifying and transferring identity between a service provider (which serves the resource you are trying to access) and an identity provider (which verified and asserted your identity)

The main benefits of federation are convenience for the user and improved security. The more resources a user needs to access, the more complicated it becomes to manage the user's identity in all the different entities owning those resources. Many users resort to reusing credentials or writing them down to keep this manageable, which creates a security problem. Tools like password managers are intended to simplify the process, but are limited in what they can achieve in cross-device and cross-platform environments. Federation solves this by having a single place manage user identities and allowing other entities to rely on it to authenticate a user. A user now only needs one set of credentials, which is much easier to manage and does not need to be reused or written down.


The SAP CDC Developers guide offers more information about how SAP Customer Data Cloud can help with the implementation of Single Sign-On.



Common use cases

Social Login

This is a widely adopted method of SSO on the internet, which allows the use of popular social networks to authenticate, instead of creating a separate account and credentials on a web site or mobile app. As the majority of mobile and web users have an account on one or more social networks, social login allows users to authenticate to a web or mobile app using their social network credentials. This eliminates the need to create a separate set of credentials for a specific web or mobile app, which makes for a better user experience. The pioneer of social login was Microsoft with its Passport, but it failed to achieve wide adoption and is at this time limited to Microsoft sites only. Today the adoption of social login varies by region (Facebook, Google and Twitter in the USA, WeChat in China, Odnoklassniki and VKontakte in Russia) and by audience (LinkedIn for sites with a professional audience). Businesses implementing social login benefit by obtaining additional personal and behavioral information about their customers from the social networks. Several recent publications about user information collected by social networks being used in controversial ways have made many businesses rethink their social login strategy, but it is still a very commonly adopted method of SSO on the internet.

The SAP CDC Developers guide offers more information about how SAP Customer Data Cloud can help with the implementation of Social Login.

Enterprise Login

This use case is the standard for corporate networks. The user authenticates once to the corporate network and can then access all authorized resources across the whole enterprise landscape. Identities are stored and managed in a centralized IAM (Identity and Access Management) repository, and IAM governs authentication and authorization for the whole enterprise.

Global Access

This use case is related to the personal data privacy legislation that has already been implemented, and is still being added, by many countries and regions in the world. Some of this legislation dictates how and where user information can be stored depending on the user's residency. As the world is tightly connected now and people travel, it becomes challenging to provide single sign-on to resources hosted in South America, for example, for a user whose identity has to be stored in China. Global access is the scenario where a user needs to be able to access resources across the globe regardless of where the user's identity is maintained.


The SAP CDC Developers guide offers more information about how SAP Customer Data Cloud can help with the implementation of Global Access.


Mainstream Implementations

SAP Customer Data Cloud Single Sign-On

This implementation of SSO provides the best user experience. The user can roam from one web site to another and be seamlessly logged in once authenticated on one of the sites. This SSO implementation is used by many clients across the globe to provide a seamless user experience, and it relies on 3rd party browser cookies. Unfortunately, browsers have recently started to impose restrictions on 3rd party cookies, as they are used by ads and tracking software as well, which has made it harder to provide this best type of SSO implementation. Some browsers have started to block 3rd party cookies completely. There is an ongoing effort by SAP Customer Data Cloud R&D to keep providing this functionality in this changing browser landscape.

The SAP CDC Developers guide offers more information about how SAP Customer Data Cloud can help with the implementation of Single Sign-On.

WS-Federation/Security Assertion Markup Language (SAML)

These two federation protocols were created in the early 2000s and are based on the exchange of signed XML messages between the service provider and the identity provider to establish proof of identity at the service provider. WS-Fed is mostly used in the Microsoft world, while SAML is widely supported by many vendors and has become the de-facto standard for federation.

The SAP CDC Developers guide offers more information about how SAP Customer Data Cloud can help with the implementation of SAML Federation.

OpenID Connect (OIDC)

This protocol is newer and is quickly gaining vendor support. It is built on top of the OAuth 2.0 authorization framework and is based on token exchange, using tokens to verify identity. Most newer federated implementations use OIDC as it better supports a variety of devices, as well as server-to-server integrations.

The SAP CDC Developers guide offers more information about how SAP Customer Data Cloud can help with the implementation of OIDC Federation.

Proprietary Social Login

Major social networks have developed their own proprietary versions of federation protocols, mostly based on the OAuth standard described above. This was done to expand the networks' adoption and to promote social login implementations by businesses across the world. These implementations are based on social-network-specific APIs and SDKs; they are not standardized, and each needs to be implemented separately by the web or mobile app. SAP Customer Data Cloud provides a simple and unified way to implement social login with the majority of social networks through a single API and SDK, via screen-sets or with very little development.

The SAP CDC Developers guide offers more information about how SAP Customer Data Cloud can help with the implementation of Social Login.



Conclusion

This article introduced you to the basic concepts of Single Sign-On and Federation, their common use cases and implementations. You now know what to consider if you want to include SSO functionality in your implementation.

If you're interested in learning more about how SAP Customer Data Cloud can help with an SSO and Federation implementation, we offer Implementation Services for SAP Customer Data Cloud.

