Web Single Sign-On and Its Different Protocols

The escalation of web resources and applications on the internet has led to an increase in numbers of accounts (including usernames and passwords) that users have to create and remember. Inconvenience emanate from having multiple accounts and proclivity of websites to suffer from cyber attacks, in which users credentials are exposed, resulted in organizations to adopt web single sign-on solution(WSSO).

Today, many organizations force users to remember multiple authentication credentials for each website. To save themselves from creating new credentials usually they use the same passwords for most of the accounts they have or choose easy to remember passwords or keep a list of all usernames and passwords with them. Here, web SSO protocols allow a single set of credentials for different websites and applications. SSO protocols make it easy for users to authenticate to different websites of the same organization using one password. There are mainly three protocols: SAML Web Browser SSO Protocol, openID, and WS-Federation Passive requestor Profile. The article will explain each of the protocols in detail.

Let’s start with SAML  protocol.

SAML web browser SSO protocol:

SAML stands for security assertion markup language. It was developed by the organization for advancement of structural information standards(OASIS) which is responsible for developing more web standards than any other organization. SAML is based on extensible markup language(XML). It is responsible for authorization and authentication data between two different domains. Many identity and access management products support SAML protocol.

The core of this protocol consists of security assertion. It defines the general request, messages, and syntax for transferring assertions. Assertions are simply an XML packages that carry SAML requests about the user. The covering of assertions and protocols are lying under an another protocol called binding.

A binding specifies how SAML protocol map with other common protocols such as HTTP or SOAP(simple object access protocol). Bindings use standard protocols and allow SAML deployed systems to transfer messages.

WS-federation passive requestor profile:

It is almost similar to SAML protocol. In this, the WS specification is an architecture that aims to provide an extendable and flexible framework, solving general security issues. The standard is developed by Microsoft, IBM, and other companies. The WS-federation language is a part of WS specifications that addresses the SSO problems for both web services and browser-based applications. Like SAML protocol, the system is based on different components( WS-security policies, WS-trust,  WS- security frameworks, etc.) Unlike WS federation and SAML protocol, openID is an open source protocol with a community-based standardization.


Unlike WS federation and SAML protocol, openID is an open source protocol with a community  based standardization. The protocol was invented by Brad Fitzpatrick. Many big organizations support openID- Microsoft’s identity management tool, AOL etc. are some software that supports openID protocol.

WS federation and SAML protocols are flexible, the solutions provide lots of customization options to the organization while deploying. On the other hand, openID is lightweight and user-centric web protocol. The solution has a decentralized architecture that advantages the existing DNS( Domain name server) services. Users with their own domain name can deploy openID IP, or users without domain can register themselves with companies they trust. openID piggybacks on DNS in solving IP discovery issues together with web single sign-on.

So, these are the three protocols on which web SSO works. The benefits of Web SSO are abundant. Users can easily, yet securely authenticate themselves to multiple resources that belongs to the same domain. User experience is enhanced by eliminating the need of creating usernames and passwords for each related websites. The concept also lowers support call and thus saves administrative costs.