Giving away passwords!!! We usually don’t do that, and it is rule no: 1 in your security practices. What if a website needs to make use of other services? Here, they must use SSO technology instead of asking for passwords.
Being a user, it is essential to understand how a website/application authenticates you is very crucial. You must evaluate on terms like – do they have the right permissions? Have you provided them with permission to access it on your behalf? This is where the importance of SSO comes into the picture. They help streamline this process and always be aware of how a company or user uses or maintains your data.
In this article, we have covered details on SSO and how it works with WordPress and WP Engine.
What is Single Sign-On (SSO)
Single Sign-On is an authentication method that allows users to authenticate multiple websites and applications using one set of credentials. In more simple terms, we will tell you some familiar phrases here like: “Login with your Google Account”, “Login with your LinkedIn Account”, and “Login with your Facebook Account” – we are using the SSO functionalities offered by Google, LinkedIn, and Facebook.
How Does SSO Work?
SSO works based on the relationship set up between an application (service provider) and an identity provider. The concept is completely based on a certificate that is exchanged between the service provider and the identity provider. The certificate is used to sign the identity information which is being sent by the identity provider to the service provider so that the service provider can trust that the information is from an authenticated resource. In SSO, the identity information is considered as tokens that contain identity information of the user, such as username or email address.
The flow of the login process,
- The user browsers to the application they need access (service provider)
- The service provider will send a token to the identity provider that would contain identity information to the SSO system to authenticate the user
- The identity provider checks whether the user has been authenticated already, in that case, the user will be granted access to the application/website (service provider)
- If the user hasn’t logged in, they will be requested to do so by providing the identity information. This might also include an extra layer of security like any form of authentication (OTP)
- After validating the information, a token is sent back to the service provider to confirm the authentication
- The token is passed through the user’s browser and is granted access to the service provider
WordPress with SSO
WordPress does not have the ability for Single Sign-On (SSO) and can be implemented using SSO technology. Today, developing a modern WordPress website does not stop with just producing the content. It is something more than that where the website needs to get integrated into different digital channels for various purposes which works under an API ecosystem.
For example: If you are building a WordPress based dashboard, we must get the website integrated into any data insight platform like Tableau. To access the data from Tableau, the usual method is, the user needs to log in to their Tableau account to access the dashboard. Here comes the SSO technology where it can play its role effectively. With this technology, the user can access Tableau online from the WordPress website. In this scenario, the SSO concept works between Tableau as the service provider and WordPress as the identity provider.
One of the common methods to pass authentication is OAthu. OAthu is all about authorization and not about authentication. It acts as an authorization token between the user and the service provider. It is an authentication framework that allows you to approve one application that is interacting with the other one on your behalf without entering the login credentials.
OAuth 2.0 is one of the versions of OAuth and is a protocol that offers a set of guidelines while transferring sensitive information without exposing the credentials. It is designed for granting access to a set of resources like remote APIs or user data. OAuth2.0 uses “Access Tokens” which represent the authorization for accessing the resources on behalf of the end-user.
WordPress does not have the functionalities of OAuth 2.0 but can be achieved in the form of a plugin.
Click here to view this video and get an overview of OAuth 2.0. This may help you to understand its workflow in a better way.
Adding SSO to WordPress allows users to log in to multiple websites using the same credentials. This would help in improving user experience as they need not have to keep resetting their passwords instead, they can use the existing credentials. If you are a website owner, this would help you verify your user’s identities at the time of login through a trusted provider, which eventually helps improve your WordPress security.
SSO + WP Engine
The SSO feature allows users to use their own identity providers like Active Directory, Okta, and more to authenticate and log in to the WP Engine’s User portal. Here, you can set up the security rules as per your process and security practices. WP Engine uses SAML 2.0 to offer SSO abilities. WP Engine uses email to route authentication to the identity system.
After integrating the SSO ability, you can use the SAML application to push notifications to WP Engine and you will be automatically logged in to the WP Engine’s User Portal. Here, users will also have the ability to access the WordPress admin dashboard, to which the users have access.
The email address on the WP Engine should match the one provided in the identity system and should also use the domain for which the SSO has been enabled. On meeting these two requirements, the user will be automatically requested to log in with SSO and can also log in from the identity app. This actually simplifies the process to grant and revoke access to mission critical websites and sets up security practices based on the process.
SSO is considered to be one of the most overlooked aspects. We expect websites should seamlessly integrate our credentials across sites and pages, and we take this ability for granted. In simple terms, SSO is a nutshell and is a key for opening multiple vaults. The market has various service and identity providers to create an efficient SSO process for your website users. But, implementing SSO capabilities on WordPress would be the best as it would produce an uninterrupted user experience.
Are you looking for guidance on implementing SSO on your website? A professional digital agency can help you with better clarity. This would help to choose the right strategy as well as implement reasonable security practices based on your internal process.
If you are looking for professional assistance, you can contact ColorWhistle by sending us a message or call us at +1 (919) 234-5140, we’ll get back to you at the earliest. We provide services tailored to your requirements that suit your business.