How Single Sign-On
Helps Boost Privacy

Older applications do not support modern identity protocols such as SAML and OpenID Connect.

How can single sign-on support be guaranteed for these applications?

One solution could be to route all incoming data traffic to these applications through an access gateway first (e.g. our nevisProxy). This first requests the user to identify themself and only then allows them to access the secured application. A good access gateway will be compatible with many back-end applications, meaning that they can be connected behind the access gateway without any modifications and new programming. The access gateway ‘translates’ the authentication language, so to speak, into that of the back-end application:

• The user tries to access an older local application.
• The Nevis access gateway (on-premise) intercepts the request and forwards the user for authentication by Nevis in the cloud (using Nevis/Azure as an example here).
• The authenticated user can now access the legacy application on site.

Nevis can also secure web applications that do not provide native support for SAML or OpenID Connect. This is often necessary since companies that are migrating to the cloud must support local applications and legacy applications that require alternative authentication mechanisms. These include:

• HTTP header-based authentication
• Form-based authentication
• URL-based authentication
• SAP-SSO logon tickets
• Dynamic X.509 certificates

Federated SSO describes the setup of a trustworthy connection between different companies and third-party providers – in this way exchanging identities and authenticating users across all domains. If two domains are connected, users can authenticate themselves on one domain and then access resources in the other domain without having to log in separately.

We talk about federated SSO if one of the three most important federation protocols is used to implement Single Sign-On functionality:

• SAML
• OpenID Connect
• WS-Federation (no longer in widespread use)

We describe social logins as Single Sign-On mechanisms that are provided by companies such as Google or Facebook. From a technical perspective, these are «federated login mechanisms».

Social login is a special form of SSO in which social network identities are used as authentication. The best-known social logins are:

• Facebook
• Google
• Apple login
• WeChat in China

This function allows the end user to link their basic account with multiple additional identity providers. In this case, two existing user profiles are combined into a single profile. When the accounts are linked, a primary and a secondary account must be specified. As a result, a user can authenticate themself from each of their accounts and will still be recognised by all the linked apps.

This makes it possible to log into every identity provider with creating a separate profile for each one. Users can also use their existing profile to set up a passwordless login.