Connections Cloud supports two approaches for SSO: a Security Assertion Markup Language (SAML) approach and an Open Authorization (OAuth) approach. Regardless of the specific approach, it is the responsibility of the partner application to provide single sign-on capabilities.
Note: Connections Cloud currently supports both OAuth 1.0a and 2.0 (OAuth 1.0a is the default version). OAuth 2.0 is not backwards compatible with previous versions of OAuth. For more information about OAuth, see the Open Authorization topic in this wiki.
The Connections Cloud team can work with partners to set up a SAML partnership.
Login using Connections Cloud (LuLL) is a delegated authentication mechanism: the partner application delegates user authentication to Connections Cloud. After the user is authenticated, it is up to the partner site to manage the user's session. The LuLL approach involves two steps.
Step 1: Perform the OAuth dance
Perform the OAuth dance every time a user visits the partner site. The OAuth dance forces the user to log in to Connections Cloud if the user does not already have a Connections Cloud session.
The OAuth dance is the sequence of redirects and token exchanges between the client (the partner application) and the server (Connections Cloud) that authenticates the user and leaves the partner application holding an access token.
Step 2: Call identity API
Make an API call to get the user's identity information.
This call returns the information below, which is the same information that the SAML assertion provides.
- subscriberid is the immutable identifier that uniquely identifies the user.
- The rest of the fields (name, email and similar profile data) are mutable, so partner applications should key user records and authorization decisions on the subscriberid field only.
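The two steps above, written as a partner-side sketch. This is an added example, not IBM's code: the endpoint URLs, the OAuth 2.0 parameter names and the field names in the identity payload other than subscriberid are assumptions for illustration, and the token-exchange and identity HTTP calls are left as comments because they need the live service. What the example adds to the text is the two checks a practitioner wants in this flow: the callback is tied to the session with a random state value so a stray or attacker-supplied callback is rejected, and local user records are reconciled on subscriberid alone, so a changed email or display name updates the profile rather than creating a second user.

```python
"""Partner-side sketch of the LuLL flow (added example, not IBM code).

Step 1: start the OAuth 2.0 authorization-code dance with a CSRF `state`
        nonce bound to the browser session, then validate the callback.
Step 2: map the identity API payload onto a local user store keyed on
        subscriberid only; every other field is treated as mutable.
Endpoint URLs and the profile field names are hypothetical placeholders.
"""
import secrets
import urllib.parse

# Assumed endpoints; take the real values from the Connections Cloud docs.
AUTHORIZE_URL = "https://connections.example.com/oauth2/authorize"
IDENTITY_URL = "https://connections.example.com/identity/me"


def begin_dance(session, client_id, redirect_uri):
    """Build the redirect to Connections Cloud. A fresh `state` nonce is
    stored in the server-side session so the callback can be tied to it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def finish_dance(session, callback_query):
    """Validate the callback: reject a missing or mismatched state (login
    CSRF / code injection) and return the authorization code. The caller
    then exchanges the code for an access token (network call, omitted)."""
    expected = session.pop("oauth_state", None)  # one-time use
    returned = callback_query.get("state")
    if not expected or not returned or not secrets.compare_digest(expected, returned):
        raise ValueError("OAuth state mismatch; discarding callback")
    code = callback_query.get("code")
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


class UserStore:
    """Local user records keyed by subscriberid. Profile data is refreshed
    on every login; the identity key never changes."""

    def __init__(self):
        self._by_subscriber = {}

    def reconcile(self, identity):
        """`identity` is the parsed JSON from the identity API (GET on
        IDENTITY_URL with the access token, omitted here). Returns the
        local record for this subscriberid, creating it on first login."""
        sid = identity.get("subscriberid")
        if not sid:
            raise ValueError("identity payload has no subscriberid")
        profile = {k: v for k, v in identity.items() if k != "subscriberid"}
        record = self._by_subscriber.get(sid)
        if record is None:
            record = {"subscriberid": sid, "profile": profile}
            self._by_subscriber[sid] = record
        else:
            record["profile"] = profile  # mutable fields updated in place
        return record

    def count(self):
        return len(self._by_subscriber)


if __name__ == "__main__":
    # Constructed walk-through: one browser session, two logins, email change.
    session = {}
    print(begin_dance(session, "partner-client-id", "https://partner.example/cb"))
    code = finish_dance(session, {"state": session["oauth_state"], "code": "demo"})
    store = UserStore()
    store.reconcile({"subscriberid": "S-1", "email": "old@example.com"})
    rec = store.reconcile({"subscriberid": "S-1", "email": "new@example.com"})
    print(code, rec, store.count())
```

Note that `finish_dance` pops the state so a replayed callback fails, and that `reconcile` deliberately has no lookup by email or name: those fields are the ones the text says may change.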
Comparison of the two approaches
The OAuth/LuLL approach provides a way to perform SSO without managing two separate secrets (one for the SAML partnership and another for OAuth), and it carries less operational overhead.
The advantage of the SAML-based approach is that it does not force the partner application to perform the OAuth dance on every visit to the partner website; with LuLL that dance is repeated even when the user's OAuth access token is still valid.
Parent topic: Application integration for IBM Connections Cloud