Single Sign-On Overview
Single Sign-On (SSO) is an authentication scheme that allows users to log in with a single credential (usually username and password) to multiple software systems. You can learn more about SSO here.
SAML stands for Security Assertion Markup Language. It is an XML-based standard for exchanging authentication information between security domains. The most important application of SAML is Single Sign-On. Sabre SSO uses SAML 2.0 as its data format. More information can be found in the following sources:
Important SAML definitions:
Identity Provider - provides the identities (authenticates a user). Sabre Red 360 is the identity provider for Red Apps.
Service Provider - provides the service. This is the Red App server-side service, which consumes the assertion.
Service Provider ID - a unique identifier for the Service Provider.
SSO in the context of Red Apps
Red Apps can use Sabre SSO for user authentication and authorization instead of requesting credentials from the user again after they have already logged in to Sabre Red 360. Sabre SSO provides a vendor-agnostic means for Red Apps to validate access to their server-side services. In this case, Sabre (with its user authentication and authorization mechanism) acts as the Identity Provider and the Red App acts as the Service Provider.
There are currently two SSO types supported by Sabre Red 360:
SSO Service - Allows you to retrieve a SAML assertion using a service. In this case, the Red App is responsible for passing the assertion to the service it is trying to establish a connection with. The SSO Service is currently only available in the Sabre Red 360 desktop client.
Web SSO - Once SSO is configured, the Red App can use the configured link to initiate the SSO flow. In this case, Sabre is responsible for both generating the SAML assertion and posting it to the specified address for validation. This works in both the Sabre Red 360 desktop and web clients.
The most important difference between SSO Service and Web SSO is how the SSO flow is initiated. With Web SSO, the Red App initiates the SSO flow by opening a link, which leads to user authentication and to an assertion being posted to the Red App server-side service. With the SSO Service, the Red App itself has to send the assertion it received from the SSO Service to the Red App server-side service (the service is responsible for user authentication).
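In both flows the Red App server-side service is the party that consumes the assertion, so it has to confirm that the assertion was issued for its own Service Provider ID and is still inside its validity window. The following sketch of those two checks is an added example, not Sabre code; the Service Provider ID, issuer, NameID and timestamps are constructed, and it assumes the assertion's XML signature has already been verified with a maintained SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

def _utc(value):
    # SAML instants are UTC xs:dateTime values such as 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_conditions(assertion_xml, sp_id, now, skew=timedelta(seconds=60)):
    """Return the subject NameID if the assertion is meant for sp_id and is
    inside its validity window; raise ValueError otherwise.
    Precondition: the XML signature on this exact element is already verified."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML 2.0 assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("no validity window")
    if now >= _utc(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion expired")
    if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")) - skew:
        raise ValueError("assertion not yet valid")
    # Every AudienceRestriction must name this Service Provider ID.
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        raise ValueError("no audience restriction")
    for r in restrictions:
        audiences = {(a.text or "").strip() for a in r.findall("saml:Audience", NS)}
        if sp_id not in audiences:
            raise ValueError("assertion issued for a different service provider")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("no subject")
    return name_id.text.strip()

# Constructed sample assertion (not a real Sabre assertion; all values invented).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>agent42</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:redapp-backend</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    t = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE, "urn:example:redapp-backend", t))
```

An assertion that fails either check is rejected before any session is created for the user.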