SSO & Federation
SAML, OIDC federation, identity providers (Okta, Entra ID)
Single Sign-On (SSO) allows users to authenticate once and access multiple applications without re-entering credentials. SAML 2.0 is the dominant enterprise SSO standard, using XML assertions passed via browser redirects between the Service Provider (SP) and Identity Provider (IdP). OIDC federation uses JWT-based ID tokens and is preferred for modern, API-first applications. Enterprise IdPs — Okta, Microsoft Entra ID (Azure AD), Ping Identity, Auth0 — act as the central authentication authority for thousands of connected applications.
Key Points
- SAML SP-initiated flow: user accesses SP → SP redirects to IdP with AuthnRequest (deflated, base64-encoded XML) → IdP authenticates → IdP POSTs SAMLResponse to SP ACS URL — all via browser redirects, no direct SP-IdP connection needed.
- SAML IdP-initiated flow: user starts at IdP portal, selects app → IdP sends unsolicited SAMLResponse to SP — simpler but vulnerable to CSRF if SP does not validate the InResponseTo field.
- OIDC federation: an IdP acts as OIDC provider; the federated app (SP) registers as a Relying Party (RP) with client_id/client_secret; users authenticate at the IdP and receive an ID Token (JWT) at the RP.
- Entra ID (Azure AD) App Registrations support both SAML (enterprise apps) and OIDC (modern apps) — a single Entra ID tenant can federate with thousands of SaaS applications and on-premises ADFS.
- Just-In-Time (JIT) provisioning: when a user first SSOs into an SP, the SAML assertion attributes (email, role, department) automatically create the user account in the SP — eliminating pre-provisioning steps.
- SCIM (System for Cross-domain Identity Management, RFC 7644) automates user provisioning and deprovisioning — when HR offboards an employee in Workday, SCIM propagates the deactivation to all connected SaaS apps within minutes.
- Group claims in SAML/OIDC assertions map IdP groups to SP roles — e.g., Entra ID group `Engineering` → Jira project role `Developer`; configure claim mappings in the IdP app registration.
- Identity federation across organisations (B2B): Entra ID B2B allows guest users from partner tenants to access your applications using their home organisation credentials — no separate user account creation needed.
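As an added illustration of the SP-side checks behind the SP-initiated flow, the IdP-initiated CSRF caveat and JIT provisioning above (example code written for this note, not from any IdP vendor or SAML library): the SP records each AuthnRequest ID it issues, then accepts a SAMLResponse only if its InResponseTo matches a pending ID (or IdP-initiated login is explicitly allowed), the Destination is its own ACS URL, the status is Success, the audience is its own entity ID and the assertion is unexpired, and only then hands the attributes to JIT provisioning. Entity ID, ACS URL, attribute names and the assertion are constructed sample values; XML signature verification is assumed to happen before this function and is not shown.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SP_ENTITY_ID = "https://sp.example.com/metadata"  # constructed SP values, not a real deployment
ACS_URL = "https://sp.example.com/saml/acs"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def make_response(in_response_to, audience=SP_ENTITY_ID, destination=ACS_URL, expiry="2099-01-01T00:00:00Z"):
    """Constructed, unsigned SAMLResponse, base64-encoded as the HTTP-POST binding carries it."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" Destination="{destination}"{irt}>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions NotOnOrAfter="{expiry}"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>Engineering</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

def validate_response(b64, outstanding_ids, allow_idp_initiated=False):
    """Return the assertion attributes (JIT provisioning input) or raise; assumes the XML-DSig check already passed."""
    root = ET.fromstring(base64.b64decode(b64))  # use defusedxml's fromstring in production
    irt = root.get("InResponseTo")
    if irt is None and not allow_idp_initiated:
        raise ValueError("unsolicited (IdP-initiated) response rejected")
    if irt is not None and irt not in outstanding_ids:
        raise ValueError("InResponseTo does not match a pending AuthnRequest")
    outstanding_ids.discard(irt)  # a request ID is accepted once, so a replayed response fails
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    if datetime.now(timezone.utc) >= datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion has expired")
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}

def rejects(b64, outstanding_ids, **kwargs):  # True when validate_response refuses the response
    try:
        validate_response(b64, outstanding_ids, **kwargs)
        return False
    except ValueError:
        return True
```

The returned attribute dictionary is what a JIT provisioner would consume, and the `groups` value is the raw material for the IdP-group-to-SP-role mapping described above.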
Real-World Example
Slack supports SAML SSO for enterprise customers (via Okta, Entra ID, Ping) and OIDC for workspace app integrations — when a Fortune 500 company offboards an employee in Entra ID, SCIM deprovisions the Slack account within 2 minutes.