Auth

SSO introduction

SSO (Single Sign-On) lets users log into multiple applications with one login. It strengthens security by reducing password fatigue, streamlines access so users are more productive, and gives IT central control over access for easier management and compliance. It matters because it improves the user experience (no more forgotten passwords), reduces the risk that comes from weak or reused passwords, and lets IT manage access from one place.

Why is SSO Important

Enhanced Security

  • Fewer Passwords: Reduces password fatigue, meaning users are less likely to create weak or reused passwords.
  • Centralized Control: IT can manage access, enforce strong policies (like Multi-Factor Authentication), and quickly disable access for departing employees from one place.
  • Reduces Shadow IT: Helps IT monitor and control which apps employees are using, minimizing risks from unauthorized apps.

Improved Productivity & Experience

  • Frictionless Access: Users save time logging in repeatedly, allowing them to focus on their work.
  • Better Adoption: A seamless login experience encourages users to adopt and use more applications.

Simplified IT Management

  • Reduced Support Costs: Fewer forgotten passwords mean fewer help desk tickets.
  • Streamlined Onboarding/Offboarding: Quick provisioning and de-provisioning of access for new and departing staff.
  • Better Compliance & Auditing: Centralized logging of access attempts simplifies audits for regulations like GDPR or HIPAA.

How we do SSO at 21RISK

At 21RISK we use the OAuth 2.0 Authorization Code Flow with Proof Key for Code Exchange (PKCE). You can read more about the standard here.

  1. Initiation: When a user clicks "Login", 21RISK generates a cryptographically random secret called a code_verifier and hashes it to create a code_challenge.
  2. Redirect: The user is redirected to the Identity Provider (e.g., Azure AD) along with the code_challenge. We request the following scopes: openid, email and profile.
  3. Authentication: The user enters their credentials at the Identity Provider's secure login page.
  4. Callback: Upon success, the Identity Provider redirects the user back to 21RISK with a temporary authorization_code.
  5. Exchange: The 21RISK server sends this authorization_code plus the original code_verifier directly to the Identity Provider's token endpoint.
  6. Verification: The Identity Provider verifies that the code_verifier matches the initial code_challenge. This ensures the authorization code wasn't intercepted.
  7. Session: If valid, the Identity Provider returns an ID Token. 21RISK validates this token and establishes a secure session for the user.
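The seven steps above, carried through as an added example (not 21RISK's own code): the client-side generation of the code_verifier and its S256 code_challenge (step 1), the redirect URL carrying the challenge and the openid email profile scopes (step 2), and the check the Identity Provider performs in step 6. The endpoint, client id and redirect URI are placeholders, not real configuration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values (assumptions for this example, not 21RISK's real configuration).
AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/v2.0/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/auth/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Step 1: a high-entropy random secret; 32 random bytes give 43 characters,
    inside the 43..128 range RFC 7636 allows."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """Step 1: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(code_challenge: str, state: str, nonce: str) -> str:
    """Step 2: redirect to the Identity Provider with the challenge (never the
    verifier itself), the scopes the text names, and the state/nonce values
    that the server keeps in its HTTP-only cookies for later comparison."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def verifier_matches_challenge(code_verifier: str, code_challenge: str) -> bool:
    """Step 6, as the Identity Provider sees it: recompute the challenge from the
    verifier received in step 5 and compare it in constant time to the one
    received in step 2. A stolen authorization_code without the verifier fails here."""
    return secrets.compare_digest(code_challenge_s256(code_verifier), code_challenge)
```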

Multi-Page Application

21RISK is a Multi-Page Application, not a Single Page Application (SPA). We use secure HTTP-only cookies to store the state, the nonce, and the PKCE code_verifier. This protects the implementation against:

  • CSRF
  • Login mixup attacks
  • Wrong authorization server returning to your callback
  • Attacker forcing a victim user to log in as someone else
  • Replays of the ID token
  • Token substitution (attacker injects their own ID token)
  • Stolen ID token injection

To read more about our SOC2 Type 2 certification and IT security in general at 21RISK, please consult our compliance docs here.