1

Topic: SSO - some questions.

If  "technology" on full, with application of the selected server, then how should it look in a typical organization?
The authentication form, as I understood it, is a mechanism of the server,  (regarding styles).
Generally, the authentication server aspires to give maximum functionality for control of a user profile, as I understood it. A private office and other hogwash.
By the way, it is not clear how it should be combined with the remaining functionality of such components as a private office.
Main point: where is it necessary to store the information on the roles/permissions of the user?
On the same SSO server?
*, line not clearly.

2

Re: SSO - some questions.

behind a board wrote:

The authentication form, as I understood it, is a mechanism of the server,  (regarding styles).

Yes. Moreover, the form can be different depending on which application it came from, and in  to system also from what .

behind a board wrote:

Generally, the authentication server aspires to give maximum functionality for control of a user profile, as I understood it. A private office and other hogwash.

No. No. And once again, no. The SSO server solves only the authorization and authentication task (if the possibility of external authentication is not given).
No control of a user profile.
No private office.
No other hogwash.

behind a board wrote:

By the way, it is not clear how it should be combined with the remaining functionality of such components as a private office.

The private office is in the same place where it should be. Either in the application, or a separate application, or a microservice allocated in the application's platform.

behind a board wrote:

The main point: where is it necessary to store the information on the roles/permissions of the user?
On the same SSO server?

No. SSO is the mechanism. It can work with the same database as the software that performs authentication. Since SSO issues a token, authorization happens in the application, which looks in the token, checks roles,  etc. SSO only issues them.

3

Re: SSO - some questions.

hVostt wrote:

The SSO server solves only the authorization and authentication task (if the possibility of external authentication is not given)

I will clarify about authorization. It is a question of access to the requested application in general, not to the functions of the application. That is already decided on the application side.

4

Re: SSO - some questions.

The innocent person behind a board;
why does a private office excite you so?
It may exist and it may not.
State services are an office, but at a minimum api you simply receive  type , , the address...

5

Re: SSO - some questions.

behind a board wrote:

the Main point - where it is necessary to store the information on roles/permissions of the user?
On the same server SSO?

An identity provider, for example of the Shibboleth type, as in state services.

6

Re: SSO - some questions.

behind a board wrote:

The authentication form, as I understood it, is a mechanism most

any. The main thing to put  the pipeline of handling of request and to ask idp  who it and that it.
But it is better  instead of hands.

7

Re: SSO - some questions.

Petro123 wrote:

Why does a private office excite you so?

I am trying to understand how to do it correctly.
The photo is changed here, and the email there; that is strange.

8

Re: SSO - some questions.

behind a board wrote:

it is passed...
I am trying to understand how to do it correctly.
The photo is changed here, and the email there; that is strange.

Is there an office in Google?
My data there is fake.
Here I will also be authorized through that fake data))).
And in general, the IdP provider is responsible for the correctness of the data.
I.e. you can have an office, and there the.

9

Re: SSO - some questions.

behind a board wrote:

it is passed...
I am trying to understand how to do it correctly.
The photo is changed here, and the email there; that is strange.

Everything is here. Nothing needs to be done "there". SSO implements uniform centralized authentication and authorization for a set of applications and devices.

10

Re: SSO - some questions.

Petro123 wrote:

Is there an office in Google?
My data there is fake.

...
If I offer the user  on the SSO server, and they enter their phones/emails there, it is somehow strange to suggest doing it once again, but this time "on my own side".

11

Re: SSO - some questions.

hVostt wrote:

Everything is here. Nothing needs to be done "there".

I do not understand. The SSO server does not offer to upload a profile photo.
But it does offer to enter an email.

12

Re: SSO - some questions.

wrote:

But the information on the user, necessary for authorization (e.g. its membership in roles),

Do I understand correctly that the roles, "comma-separated", should be entered on the SSO server, which then puts them in a token?

13

Re: SSO - some questions.

hVostt wrote:

I will clarify about authorization. It is a question of access to the requested application in general, not to the functions of the application. That is already decided on the application side.

I am ashamed, but I did not understand this phrase at all.

14

Re: SSO - some questions.

Do I understand the general scheme correctly?
The user requests a protected resource.
1. The application "looks": is the user authenticated?
2. If not, it asks the SSO who this is.
3. The SSO performs authentication through the form and, in case of success...
4. Issues a token with roles and other .
5. The user  again in the application, already with a token.
6. The application looks in the token (checking  in the token with a key)...
7. And if it finds the role (if it is needed), then everything is OK.
If that is correct, then where are the roles registered?

15

Re: SSO - some questions.

behind a board wrote:

it is passed...
I do not understand. The SSO server does not offer to upload a profile photo.
But it does offer to enter an email.

The SSO server offers methods for passing authentication.
After authentication is passed, SSO checks whether the given user is allowed to use the specified application. If yes, it suggests selecting a set of security attributes (powers) with which the user is going to enter the application.
Nothing is uploaded anywhere there.

16

Re: SSO - some questions.

behind a board wrote:

Do I understand the general scheme correctly?
The user requests a protected resource.
1. The application "looks": is the user authenticated?
2. If not, it asks the SSO who this is.
3. The SSO performs authentication through the form and, in case of success...
4. Issues a token with roles and other .
5. The user  again in the application, already with a token.
6. The application looks in the token (checking  in the token with a key)...
7. And if it finds the role (if it is needed), then everything is OK.
If that is correct, then where are the roles registered?

Correct. Anywhere; it depends on the selected architecture.
With us, for example, all users are managed in a separate IDM application; from there the SSO application takes the information through an API, and also looks up the user by login/password.
Login to the IDM application is also through SSO. :)
Nobody prevents you from having the SSO application query the application's single DB for the user information. In general, here everything is by design.
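
The scheme confirmed above (steps 4, 6 and 7: the SSO issues a signed token carrying roles, the application verifies it with a key and then checks the role), as an added example that is not part of the thread and not code from any product named in it. It assumes an HS256 JWT with a shared key and the claim names `sub`, `aud`, `roles` and `exp`; the function names and sample values are hypothetical.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sso_issue_token(key, user, audience, roles, ttl=300, now=None) -> str:
    """SSO side (step 4): sign the claims, roles included, after a successful login."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "aud": audience, "roles": list(roles), "exp": now + ttl}
    body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)

def app_authorize(key, token, audience, required_role, now=None) -> str:
    """Application side (steps 6-7): signature first, then claims, then the role."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(head_b64))
        sig = unb64url(sig_b64)
    except ValueError:
        raise PermissionError("malformed token") from None
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(unb64url(claims_b64))  # parsed only after the signature checks out
    if claims.get("aud") != audience:
        raise PermissionError("token issued for another application")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if required_role not in claims.get("roles", []):
        raise PermissionError("role missing")
    return claims["sub"]

# Constructed sample values (not from the thread).
DEMO_KEY = b"constructed-demo-key"
DEMO_TOKEN = sso_issue_token(DEMO_KEY, "ivanov", "billing-app", ["viewer"], now=1000)
```

Wherever the roles are stored, the application trusts them only because the signature covers them; with an asymmetric algorithm the application would hold just the SSO's public key.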

17

Re: SSO - some questions.

behind a board wrote:

If I offer the user  on the SSO server, and they enter their phones/emails there, it is somehow strange to suggest doing it once again, but this time "on my own side".

Well, with us it is specific: in the firm there were business phones and mail.
In state services, personal phones and mail.
Do as you want. Such a possibility exists, since a private office idp  NOT YOURS.

18

Re: SSO - some questions.

behind a board wrote:

If that is correct, then where are the roles registered?

Wherever you want.
You were told that this is Ivanov Peter Ivanovich.
That is the main thing.
You can add roles there. But that is optional.

19

Re: SSO - some questions.

behind a board wrote:

server SSO?

And which specific implementation do you plan to use? IdentityServer4?

20

Re: SSO - some questions.

Arpanx wrote:

it is passed...
And which specific implementation do you plan to use? IdentityServer4?

https://identityblitz.ru

21

Re: SSO - some questions.

The innocent person behind a board;
https://docs.identityblitz.ru/blitz-idp/storage/
Well, here it is about storages of the registration data.
A quite good decision, by the way, to take a ready-made server if it suits you on all parameters.
On IdentityServer4 it is possible  the, but in essence it will be the same)

22

Re: SSO - some questions.

hVostt;
The protocol still has to be selected.
The encoding there is not simple, therefore by hand it is difficult.

23

Re: SSO - some questions.

Petro123;
Nothing difficult)

24

Re: SSO - some questions.

hVostt wrote:

Petro123;
Nothing difficult)

SAML?   )

25

Re: SSO - some questions.

Do I understand correctly that it is normal  any client () on the service provider's side?
You feed it endpoints and the client already  all tokens, checks membership in roles, etc.