Single Sign On

wjehring edited this page Dec 19, 2022 · 11 revisions

Maturity

Standard

Motivation

Users do not wish to manage and use multiple credentials when navigating data held in disparate systems. At the same time, these systems must only provide access to authenticated and authorised users.

Questions

Inline

Implementation

SSO Service

SIDeR organisations implement an SSO server using Keycloak, which abstracts over multiple local identity solutions (e.g. Active Directory).

Token

The token is a JWT.

Use Cases:

1) Client (e.g. Web App outside of contextual launch)

A client can retrieve a token via a URL redirect following the implicit grant pattern.

Client authentication process:

  1. The client checks for an existing SSO session in the browser. If a session is found, the client uses the corresponding token to authenticate against external web services (e.g. Warden).
  2. If no session is found, one of two things happens:
     a) The client presents the user with identity provider options (e.g. login using Black Pear Auth, login using SIDeR). When the user selects an identity provider, the client redirects the browser to that identity provider's login page.
     b) If the URL carries an issuer hint via the auth-redirect page and the iss parameter, e.g. https://pyrusapps.blackpear.com/esp/#!/auth-redirect?iss=https://sso.tst.nhs.uk/auth/realms/SIDER, and the issuer is recognised by the application, the application automatically redirects the browser to that identity provider's login page.
  3. On successful login, the identity provider redirects the browser back to the client's URL with an access token in the URL. This token is then used to authenticate against external web services.

2) URL (e.g. Contextual Launch)

The requestor may provide an authentication token within a URL:

https://pyrusapps.blackpear.com/esp/#!/launch?access_token=<jwt_token>


3) Service Endpoint

The requestor must provide an authentication token in an HTTP header.

  • The endpoint must reject any requests without an authentication token (401).
  • The endpoint must reject any requests with an invalid authentication token (401).
  • The endpoint must reject any requests where the authentication token does not authorise the requested operation (403).
  • The token should be provided on the Authorization request header i.e. Authorization: Bearer <jwt_token>.
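A minimal check that applies the four endpoint rules above, added here as an example and not the SIDeR project's own code. For self-containment it assumes an HS256 shared secret, a constructed mint_token helper standing in for the Keycloak issuer, and a roles claim; a real Keycloak token would be verified against the realm's RS256 public key.

```python
import base64, hashlib, hmac, json, time  # standard library only, runs offline

# Constructed demo secret: real SIDeR tokens are signed by the Keycloak realm and
# would be verified with its RS256 public key rather than a shared HMAC key.
SECRET = b"constructed-demo-secret-not-for-production"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, key=SECRET):
    """Build an HS256 JWT; a stand-in for the Keycloak issuer so the check runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, key=SECRET, now=None):
    """Return the claims if alg, signature and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token claiming alg "none" or any other alg is invalid.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
    except (ValueError, TypeError):
        return None
    return claims

def authorize_request(headers, required_role, key=SECRET, now=None):
    """Map a request's Authorization header to the status the endpoint rules demand."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401                       # no bearer token supplied
    claims = verify_token(auth[len("Bearer "):], key, now)
    if claims is None:
        return 401                       # token malformed, tampered or expired
    if required_role not in claims.get("roles", []):
        return 403                       # authenticated, but not authorised for this request
    return 200
```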