User Authentication in Directories
Caspio Directories is a method of user authentication in which you verify user identities using a directory. Directories serve as key components for authentication, acting as central repositories for user information. Users authenticate themselves by validating their credentials against the information stored in a given directory. This crucial mechanism ensures secure and controlled access to digital resources, making directory authentication a cornerstone of effective identity management.
Important definitions
Single Sign-On (SSO) is an authentication process that allows users to access multiple applications with just one set of sign-in credentials. With SSO, once a user signs in to one application, they are granted automatic access to other connected systems without having to re-enter their username and password for each individual system. It simplifies and streamlines the user’s access to diverse services, enhancing convenience and security.
Single Logout (SLO) is a mechanism within authentication systems, such as Single Sign-On (SSO), that enables a user to sign out from multiple connected applications or systems simultaneously with just one action. When a user initiates a sign-out process in one application, Single Logout ensures that the user’s session is terminated across all the other connected applications or services, enhancing security and convenience by ensuring a synchronized and comprehensive sign-out experience.
SAML (Security Assertion Markup Language) is an open security standard used for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It enables secure single sign-on (SSO) and allows users to access multiple applications using a single set of credentials.
Identity Provider (IdP) is responsible for authenticating users and providing identity information to service providers. In the context of SAML, the IdP confirms the user’s identity and generates security tokens (SAML assertions) containing user information. These assertions are then sent to the service provider, allowing users to access their services.
Service Provider (SP) is a system or application that provides services to users. In SAML, it relies on the Identity Provider for authentication and authorization. The SP consumes the SAML assertions provided by the IdP to grant access to its resources or services based on the user’s identity and the permissions associated with that identity.
Session refers to the duration in which a user interacts with a specific application or software. It begins when a user accesses the application and ends when the user signs out, the application is closed, or after a certain period of inactivity.
External Identity Provider is a service that the Directory relies on to authenticate users. Examples of such external IdPs for the Directory include Microsoft Entra ID, Okta, and OneLogin.
Directory Session is created by the directory after successful authentication.
Application Session is created by a connected application after successful authentication.
External Identity Provider Session is created by an external IdP after successful authentication.
Directory as an identity provider
Supported standard
The directory serves as the identity provider following the SAML 2.0 standard for both Caspio applications and third-party applications. Meanwhile, Caspio applications and third-party apps function as service providers following SAML 2.0.
Authentication flow
The authentication flow with the directory works as follows:
- When users try to access an application, they are directed to the directory’s sign-in page.
- After successfully signing in, a session is created within the directory, and the application is notified of the user’s sign-in.
- The application then generates its own session to manage user access.
- The user is directed to the requested application page.
Both Caspio applications and third-party apps create separate sessions to regulate how users interact with them. Caspio Directories confirm user identities but do not control how the application manages each user’s session.
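In SAML 2.0 terms, the step where "the application is notified of the user's sign-in" is the directory (as IdP) posting a response to the application's assertion consumer service (ACS) URL. The following is an added example, not Caspio's code, showing the checks a service provider makes on that response before it creates its own application session: Destination, InResponseTo, Status, Issuer, expiry, Audience and the bearer SubjectConfirmation. The response, entity IDs, URLs, user name and fixed clock are constructed placeholders, and verification of the IdP's XML signature is deliberately left to a SAML library rather than shown here.

```python
"""Added example, not Caspio's code: the checks a service provider (SP) should make
on the SAML 2.0 response the directory (as IdP) posts to it, before the SP creates
its own application session. Response, entity IDs, URLs and user are constructed."""
import secrets
import xml.etree.ElementTree as ET   # production code should parse with defusedxml to stop XXE/entity expansion
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What this SP expects, as it would be taken from its SAML configuration (placeholder values).
SP_CONFIG = {
    "idp_entity_id": "https://directory.example.test/saml/metadata",
    "sp_entity_id": "https://app.example.test/saml/metadata",
    "acs_url": "https://app.example.test/saml/acs",
}
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the constructed samples


def sample_response(not_on_or_after, audience=SP_CONFIG["sp_entity_id"], in_response_to="_req1"):
    """Constructed response as the directory would post it to the ACS URL. The XML signature
    is omitted: a real SP verifies the IdP signature with a SAML library before these checks."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp1"
    Version="2.0" Destination="{SP_CONFIG['acs_url']}" InResponseTo="{in_response_to}">
  <saml:Issuer>{SP_CONFIG['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{SP_CONFIG['idp_entity_id']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}"
            Recipient="{SP_CONFIG['acs_url']}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, pending_request_ids, now=None, config=SP_CONFIG):
    """Return the asserted NameID, or raise ValueError naming the first failed check.
    pending_request_ids: IDs of AuthnRequests this SP sent and has not yet seen answered."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != config["acs_url"]:
        raise ValueError("Destination is not this SP's ACS URL")
    request_id = root.get("InResponseTo")
    if request_id not in pending_request_ids:
        raise ValueError("InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        raise ValueError("Issuer is not the configured directory")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        raise ValueError("Conditions/NotOnOrAfter missing")
    if now >= datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired (NotOnOrAfter)")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        raise ValueError("assertion audience is another service provider")
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = None if confirmation is None else confirmation.find("saml:SubjectConfirmationData", NS)
    if (confirmation is None or data is None or confirmation.get("Method") != BEARER
            or data.get("Recipient") != config["acs_url"] or data.get("InResponseTo") != request_id):
        raise ValueError("bearer SubjectConfirmationData does not match this SP and request")
    pending_request_ids.discard(request_id)   # each AuthnRequest may be answered exactly once
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def rejection_reason(xml_text, pending_request_ids, now=None):
    """Convenience wrapper: the failed check's message, or None when the response is accepted."""
    try:
        validate_response(xml_text, pending_request_ids, now)
    except ValueError as err:
        return str(err)
    return None


def create_app_session(xml_text, pending_request_ids, app_sessions, now=None):
    """The page's third step: only after validation does the app mint its own session."""
    user = validate_response(xml_text, pending_request_ids, now)
    session_id = secrets.token_urlsafe(32)
    app_sessions[session_id] = user
    return session_id


if __name__ == "__main__":
    pending, sessions = {"_req1"}, {}
    sid = create_app_session(sample_response("2024-01-01T12:05:00Z"), pending, sessions, now=DEMO_NOW)
    print("application session created for", sessions[sid])
    print("same response delivered again:", rejection_reason(sample_response("2024-01-01T12:05:00Z"), pending, DEMO_NOW))
```

The audience check is what keeps an assertion issued for one connected application from being accepted by another, and consuming the request ID on first use is what turns a second delivery of the same response into a rejection. Both are independent of the directory session: as the text above says, the directory confirms identity, but the application's own session is created and governed by the application.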
Single logout for connected apps
The directory supports single logout (SLO) for both Caspio applications and third-party applications. SLO allows users to end all their sessions with just one sign-out action. It works in these ways:
- If a user signs out from an application:
  - The application redirects the user to the directory sign-out destination to end the directory session.
  - The directory then checks whether any other connected apps have SLO configured and redirects the user to the sign-out destination of each of those applications.
  - When the chain of sign-out redirections for connected applications is finished, the directory ends its session and redirects back to the application that requested the sign-out, so that the application session is ended.
- If a user signs out from the directory:
  - The directory checks whether any other connected apps have SLO configured and redirects the user to the sign-out destination of each of those applications.
  - When the chain of sign-out redirections for connected applications is finished, the directory ends its session.
To make SLO work, specific sign-out URLs must be provided in both the directory and the connected apps. If these URLs are not provided, signing out from the application or directory will not end other sessions.
For Caspio applications, SLO is set up by default and does not require any additional configuration.
Directory with external identity providers
Supported standard
An external identity provider is a SAML 2.0 identity provider that authenticates users to the directory. When an external IdP is used as a sign-in method, the directory acts as a service provider towards the external IdP and as the identity provider for directory-protected applications.
Authentication flow
The authentication flow with an external IdP works as follows:
- When users try to access an application, they are directed to the directory’s sign-in page.
- If they choose the external IdP as their sign-in method, they are directed to the external IdP’s sign-in page.
- After a successful sign-in via the external IdP, an external IdP session is created, and the directory is informed of the authentication.
- The directory then starts its own session and informs the application about the user’s authentication status.
- Subsequently, the application creates its own session to control user access.
- The user is directed to the requested application page.
Both Caspio applications and third-party apps create separate sessions to regulate how users interact with them. External IdPs and Directories verify users but do not directly manage the application’s sessions.
Single logout for external IdPs
The directory supports single logout (SLO) for external identity providers (IdPs). It works in the following ways:
- If a user signs out from the IdP:
  - The IdP redirects the user to the directory sign-out destination to end the directory session.
  - The directory then checks whether any other connected apps have SLO configured and redirects the user to the sign-out destination of each of those applications.
  - When the chain of sign-out redirections for connected applications is finished, the directory ends its session and redirects back to the IdP that requested the sign-out, so that the IdP session is ended.
- If a user signs out from the directory:
  - The directory checks whether any other connected apps have SLO configured and redirects the user to the sign-out destination of each of those applications.
  - When the chain of sign-out redirections for connected applications is finished, the directory ends its session and redirects to the IdP sign-out destination to end the IdP session.
To make single logout work, specific sign-out URLs must be provided in both the directory and the external IdP. These URLs must also be given in the connected applications to ensure that sign-out happens in sequence: from the external IdP to the directory and then to the applications. If these URLs are not provided, signing out from the external IdP, the directory, or an application will not affect the other sessions.
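To make the two sign-out chains described above (for connected applications and for an external IdP) concrete, here is an added example that is not Caspio's code: a small model of the redirect chain with constructed party names, sign-out URLs and a redirect log. The one rule it encodes is the page's own: a party takes part in SLO only when its sign-out URL is configured; otherwise its session survives the chain, which is the gap a defender wants to spot. Whether an app-initiated sign-out also reaches the external IdP is not described on the page, so the model leaves that session untouched in that case (an assumption, marked in the code).

```python
"""Added example, not Caspio's code: a model of the single logout (SLO) chains the page
describes for connected applications and for an external IdP. Party names, URLs and the
redirect log are constructed; the only rule modelled is the page's: a party takes part in
SLO only when its sign-out URL is configured, otherwise its session is left alive."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Party:
    """A connected application or an external IdP, holding its own session for the user."""
    name: str
    signout_url: str | None = None   # sign-out destination configured for SLO; None = not configured
    active: bool = True              # True while this party's session for the user is alive


@dataclass
class Directory:
    apps: list[Party]
    external_idp: Party | None = None
    active: bool = True
    trail: list[str] = field(default_factory=list)   # human-readable log of the redirect chain

    def _redirect_to(self, party: Party) -> None:
        """Send the user to a party's sign-out destination so that party ends its session."""
        if party.signout_url is None:
            self.trail.append(f"{party.name}: no sign-out URL configured, session stays alive")
            return
        party.active = False
        self.trail.append(f"redirect -> {party.signout_url} ({party.name} session ended)")

    def _end_own_session(self) -> None:
        self.active = False
        self.trail.append("directory session ended")

    def sign_out_from(self, initiator: Party) -> None:
        """Sign-out started at a connected app or at the external IdP."""
        if initiator.signout_url is None:
            # No URLs configured: only the initiator's own session ends; other sessions are unaffected.
            initiator.active = False
            self.trail.append(f"{initiator.name} signed out locally; SLO chain not started")
            return
        self.trail.append(f"{initiator.name} redirects -> directory sign-out destination")
        for app in self.apps:                 # chain through the other connected apps
            if app is not initiator:
                self._redirect_to(app)
        self._end_own_session()
        self._redirect_to(initiator)          # back to the requester, which ends its own session
        # Assumption: the page does not say whether an app-initiated sign-out also reaches the
        # external IdP, so this model leaves the IdP session untouched in that case.

    def sign_out_here(self) -> None:
        """Sign-out started at the directory's own sign-out page."""
        for app in self.apps:
            self._redirect_to(app)
        self._end_own_session()
        if self.external_idp is not None:     # finish at the IdP sign-out destination
            self._redirect_to(self.external_idp)


def active_sessions(directory: Directory) -> set[str]:
    """Names of every party whose session is still alive: the sessions SLO did not reach."""
    parties = directory.apps + ([directory.external_idp] if directory.external_idp else [])
    alive = {p.name for p in parties if p.active}
    if directory.active:
        alive.add("directory")
    return alive


def build_demo() -> Directory:
    """Constructed scenario: two apps with SLO configured, one without, plus an external IdP."""
    return Directory(
        apps=[
            Party("crm", "https://crm.example.test/saml/slo"),
            Party("helpdesk", "https://helpdesk.example.test/saml/slo"),
            Party("legacy-report", None),     # sign-out URL never provided
        ],
        external_idp=Party("entra-id", "https://login.example.test/saml2/logout"),
    )


if __name__ == "__main__":
    d = build_demo()
    d.sign_out_from(d.apps[0])               # user clicks sign out in the CRM app
    print("\n".join(d.trail))
    print("still signed in:", sorted(active_sessions(d)))
```

Running the model with a sign-out from the directory or from the IdP ends every session except the one app that never supplied a sign-out URL; a sign-out started in that app ends nothing but its own session. Checking `active_sessions` after each path is the same audit you would do against a real deployment's SLO configuration.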