Federated SSO overview

Federated single sign-on (SSO) enables users who have a Cloud Identity Service account to access services that are provided by one or more partner organizations without a separate login at the partner site.

When a user clicks a federated sign-on URL, Cloud Identity Service constructs a token that it digitally signs with its private key. The partner organization verifies the signature with the corresponding certificate, and therefore can trust the token. The user's browser submits this token to the partner's single sign-on URL, where the partner validates it and, only if validation succeeds, creates a session.

A federated partner relationship has two distinct roles: the identity provider (IdP) and the service provider (SP). The identity provider asserts a trustworthy identity in the form of a digitally signed token. The service provider validates the token, creates a session for the user, and allows the user into its application environment. In this relationship, Cloud Identity Service is the identity provider and the partner is the service provider.

A single Cloud Identity Service environment can support multiple federation partners. For each federated sign-on URL, you must define connection details that describe the partner federation properties. Each connection requires a public and private key pair: the private key comes from a personal certificate, and the public key that the other party uses for verification is carried by a signer certificate.

Cloud Identity Portal provides pre-configured templates for a number of the most popular partner application services that support federated single sign-on with SAML 2.0. If no template exists for the partner you want to connect to, you can use a customized configuration instead.

Key management

Each connection must have a public and private key pair. The private key is provided by a personal certificate; the public key that verifies signatures made with it is provided by a signer certificate.

A signer certificate is the certificate, and therefore the public key, that corresponds to a personal certificate held by another party. Its purpose is to verify what that party signs with the personal certificate's private key. The owner of the private key can establish connections with partner application services, and the party that imports the signer certificate explicitly trusts connections that are made to or by the owner of the associated personal certificate.

Only one personal certificate is enabled in Cloud Identity Portal, so you do not select a personal certificate when you define a connection; the enabled personal certificate is used for every connection you create. For every connection you create, however, you must select the appropriate signer certificate. Signer certificates are normally provided by the service provider; obtain the certificate from the partner and import it. You can also create self-signed certificates and keys for low-sensitivity, non-production, or other rapid-use requirements. Because a self-signed certificate is not issued by a certificate authority, the other party trusts it only because it was explicitly exchanged and imported for that connection, which is why its use is limited to those cases.
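The following Go program shows the token flow from the overview and the personal certificate / signer certificate pairing end to end. It is an added example, not Cloud Identity Service or Cloud Identity Portal code, and it simplifies deliberately: the token is a signed JSON value rather than a SAML 2.0 XML assertion, the identity provider signs with the private key of a self-signed personal certificate (the non-production option described above), and the service provider verifies with nothing but the certificate, which is what a partner imports as a signer certificate. Every name in it (NewSelfSignedPersonalCert, Sign, Verify, cloud-identity-idp.example, https://partner.example/sso, the user alice) is an assumption made for the example. In Cloud Identity Portal the signer certificates you import come from the service provider, the opposite direction of the same relationship; the verification steps are the same either way.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Token stands in for the signed assertion: intended partner, asserted user, expiry (Unix seconds).
type Token struct {
	Audience string `json:"aud"`
	Subject  string `json:"sub"`
	Expires  int64  `json:"exp"`
}

// PersonalCert: a private key plus the certificate carrying its public key.
type PersonalCert struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewSelfSignedPersonalCert generates a key pair and a self-signed certificate for it (hypothetical helper).
func NewSelfSignedPersonalCert(commonName string, validFor time.Duration) (*PersonalCert, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &PersonalCert{Key: key, Cert: cert}, nil
}

// SignerCert is what the other party imports: the DER certificate only, never the private key.
func (p *PersonalCert) SignerCert() []byte { return p.Cert.Raw }

// Sign produces base64url(json) "." base64url(RSA PKCS#1 v1.5 signature over SHA-256 of the JSON).
func (p *PersonalCert) Sign(t Token) (string, error) {
	payload, err := json.Marshal(t)
	if err != nil { return "", err }
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.Key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify is the service provider side: the imported signer certificate must be inside its validity
// window and the signature must check against its public key before any claim is read.
func Verify(signerDER []byte, signed, expectedAudience string, now time.Time) (*Token, error) {
	cert, err := x509.ParseCertificate(signerDER)
	if err != nil { return nil, errors.New("bad signer certificate: " + err.Error()) }
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, errors.New("signer certificate is outside its validity period")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, errors.New("signer certificate does not carry an RSA key") }
	payloadB64, sigB64, found := strings.Cut(signed, ".")
	if !found { return nil, errors.New("malformed token") }
	enc := base64.RawURLEncoding
	payload, err1 := enc.DecodeString(payloadB64)
	sig, err2 := enc.DecodeString(sigB64)
	if err1 != nil || err2 != nil { return nil, errors.New("malformed token encoding") }
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify against the signer certificate")
	}
	var t Token
	if err := json.Unmarshal(payload, &t); err != nil { return nil, err }
	if t.Audience != expectedAudience {
		return nil, errors.New("token audience " + t.Audience + " is not this service provider")
	}
	if !now.Before(time.Unix(t.Expires, 0)) { return nil, errors.New("token has expired") }
	return &t, nil
}

func main() {
	idp, err := NewSelfSignedPersonalCert("cloud-identity-idp.example", 24*time.Hour)
	if err != nil { panic(err) }
	signed, err := idp.Sign(Token{Audience: "https://partner.example/sso", Subject: "alice", Expires: time.Now().Add(5 * time.Minute).Unix()})
	if err != nil { panic(err) }
	t, err := Verify(idp.SignerCert(), signed, "https://partner.example/sso", time.Now())
	fmt.Println(t, err) // err is nil for the valid token
}
```

The order inside Verify is the point: nothing in the token is read until the signature has been checked against the imported signer certificate, and a token signed by any other key, a token whose bytes were altered in transit, a token issued for a different partner, or a token past its expiry is rejected. Since the certificate here is self-signed, there is no chain to a certificate authority; the partner trusts it solely because it was imported for this connection.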

Connection management

You can create any number of connections to support any number of federated partners. Pre-configured templates are provided for some of the most popular partner application services; use them to create connections to those partners. A template pre-configures as many of the partner connection details as possible. If no template exists for a partner, or you want to create a connection to an internal application or service, create the connection with the generic template. Each connection that is successfully created generates a sign-on URL, which initiates a single sign-on to that partner.

Some service providers create a user record on their side at a user's first successful federated login. Creating user records in this way is called autoprovisioning. With autoprovisioning, the partner account is created from the identity asserted in the token, so the service provider relies entirely on its validation of the signed token to decide who obtains an account.