Category Archives: SSO

Decoding the SSO

I found this a year ago but i am sharing it now!
When i was developing multiple RoR apps about a year ago, there was one basic requirement, that of a SSO solution.

Err…. i hope you guys know what SSO is?
Well for those of you who are clueless, SSO stands for Single Sign-On.

Yes, SSO is one of the most important requirements of modern web apps. SSO enables a user to use multiple apps with a single username/password and the user needs to authenticate only once to use all the connected apps.

Take the example of Google! Have you ever wondered how you can directly access (without requiring to re-enter your credentials) your orkut/picassa account, when a moment back you were using gmail. Yes Google uses SSO!

Now for the decoding part, this is how Google does it:

Have you ever observed closely, what happens whenever you try to access any of the Google services for the first time?
The first request is always redirect to google’s main domain (i.e google.com) along with a set of parameters:
1. service -> which tells the service being requested
2. continue -> which tells the web location where the request should be forwarded after it is authenticated on the main domain

There are a few more parameters, but the above two are the most important.

Once you authenticate yourself on any google service, a cookie is created on the main domain. This cookie is checked whenever you try to access some other google service for the first time.
Once your identification is established on the main domain, another cookie with similar info is set on the service/webapp you are accessing (e.g. mail.google.com / orkut.com / blogger.com)
So, the subsequent requests to the same webapp, need not be redirected to the main domain for authentication!

The reverse happens, when you logout of a google service. The cookie on the current app is removed and then the request is forwarded to main domain to remove the cookie over there as well.
This makes sure that you logout of all the google services at one go!

For more info, on how you can implement SSO in your webapps, refer to these links:

http://www.jasig.org/cas
http://code.google.com/p/rubycas-server/
http://code.google.com/p/rubycas-client/