Ncloud Single Sign-On concept

    Available in Classic and VPC

    Before learning how to integrate Ncloud Single Sign-On, this section describes the concepts you need for the integration. The main concepts are explained below.

    OAuth 2.0 definition

    OAuth 2.0 is an open standard authorization protocol for granting permissions. OAuth 2.0 delegates permission for an application to access a resource server on behalf of a user who owns the resource.

    OAuth 2.0 roles

    The roles defined in OAuth 2.0 are as follows:

    | Role | Definition |
    | --- | --- |
    | Resource Owner | User who can approve access to protected resources. The resource owner owns the protected resource, and a client that has been granted access accesses the resource on behalf of the resource owner. |
    | Client | An application that receives an access token as a credential and uses it, on behalf of the resource owner, to access protected resources |
    | Identity Provider | A server that authenticates the resource owner and issues an access token to the client based on the resource owner's authorization approval |
    | Resource Server | A server that holds the protected resources; when a client accesses a resource using an access token, it verifies the token and responds to the request |

    OpenID Connect

    OpenID Connect is a protocol built on top of OAuth 2.0. When a token is issued, the IdP additionally issues an ID token that contains user information.

    Access Token

    Access token refers to a string issued by the IdP that serves as a credential indicating the client's authorization to access protected resources. Clients can access the resource server using an access token.

    Refresh Token

    A refresh token is a token issued by the IdP that is used to obtain a new access token when the current one expires, or to issue additional access tokens with the same or a narrower scope. When the client calls the access token issuance API with the refresh token, the IdP verifies that the refresh token has not been forged or tampered with and issues a new access token.

    ID Token

    An ID token is a token in JWT format that contains user information. The IdP issues it together with the access token if you include id_token in the scope when requesting token issuance.
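Because an ID token is a JWT, the client has to do more than decode it: it must check the signature, issuer, audience and expiry before trusting the user information inside. The following added example (not code from the Ncloud documentation) mints a constructed sample ID token and then runs those checks. It assumes an HS256 shared secret so that it runs offline; a real IdP would normally sign with an asymmetric key and publish the public key, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class InvalidIdToken(Exception):
    """Raised when any mandatory ID token check fails."""


def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed issuer: HS256-signs the claims (illustration only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, claims)]
    signature = hmac.new(key, ".".join(segments).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[int] = None) -> dict:
    """Return the claims only if signature, iss, aud and exp all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("a JWT has exactly three base64url segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect instead of trusting the header's 'alg'.
    if header.get("alg") != "HS256":
        raise InvalidIdToken("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidIdToken("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise InvalidIdToken("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidIdToken("token was not issued for this client")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidIdToken("token expired or has no exp")
    return claims


def is_rejected(token: str, key: bytes, issuer: str, audience: str, now: int) -> bool:
    """True when verification raises, i.e. the token must not be trusted."""
    try:
        verify_id_token(token, key, issuer, audience, now)
    except InvalidIdToken:
        return True
    return False


def tampered_copy(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the old signature,
    to show that the signature check catches modified user information."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return ".".join([header_b64,
                     b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
                     sig_b64])


# Constructed sample values; none of these are real Ncloud identifiers or keys.
SAMPLE_KEY = b"constructed-shared-secret-for-the-example"
SAMPLE_ISSUER = "https://idp.example.com"
SAMPLE_CLIENT_ID = "example-client-id"
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "sub": "user-1234", "aud": SAMPLE_CLIENT_ID,
                 "iat": 1700000000, "exp": 1700003600, "email": "user@example.com"}


def sample_token() -> str:
    return mint_id_token(SAMPLE_CLAIMS, SAMPLE_KEY)


if __name__ == "__main__":
    tok = sample_token()
    print(verify_id_token(tok, SAMPLE_KEY, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, now=1700000100))
```

The `now` parameter is injectable so the expiry check can be exercised deterministically; in production, leave it at the default and allow only a small clock skew.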

    OAuth 2.0 authentication flow

    The flow of the OAuth 2.0 authentication protocol is as follows:

    Note

    This section describes the OAuth 2.0 flow, from the resource owner initiating the flow to the client accessing the protected resources. For more information on the API used in the flow, see Ncloud Single Sign-On integration API.

    Authorization code flow

    The authorization code flow is the most common authentication flow. The flow proceeds as follows:
    [Figure: authorization code flow]

    1. The resource owner clicks the login button to initiate the flow.
    2. The client sets the response type to code to access the protected resource and requests permission.
    3. The IdP sends the resource owner the consent page and login page for providing privacy information.
    4. The resource owner approves the granting of permission by agreeing and logging in.
    5. The IdP sends the authorization code to the client.
    6. The client requests the issuance of an access token from the IdP using the authorization code.
    7. The IdP verifies the authorization code and issues a token.
    8. The client with the access token accesses the resource server and requests the protected resource.
    9. The resource server delivers the requested resource to the client.

    PKCE flow

    The PKCE flow is the authorization code flow extended with a code verifier and code challenge, which protects the authorization code while the flow is in progress. The flow including PKCE proceeds as follows:
    [Figure: PKCE flow]

    1. The resource owner clicks the login button to initiate the flow.
    2. The client generates a code verifier and code challenge.
    3. The client includes the code challenge and the code challenge method in the authorization request, and the IdP stores these values.
    4. The IdP sends the resource owner the consent page and login page for providing privacy information.
    5. The resource owner approves the granting of permission by agreeing and logging in.
    6. The IdP sends the authorization code to the client.
    7. The client requests the issuance of an access token from the IdP by including the code verifier and authorization code.
    8. The IdP checks the received code verifier against the saved code challenge (using the saved code challenge method) to verify that they match.
    9. If the two values match, the IdP issues an access token.
    10. The client with the access token accesses the resource server and requests the protected resource.
    11. The resource server delivers the requested resource to the client.
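The two numbered procedures above (the authorization code flow and its PKCE variant) are easiest to see side by side in code. The following added example is not code from the Ncloud documentation; it simulates the client and IdP halves of steps 2 through 9 in memory, with a constructed client ID and without any network calls. `IdentityProvider` stores the code challenge at authorization time (step 3) and re-derives it from the verifier at token time (step 8), which is why a code presented without the matching verifier is refused.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed identifier for the walk-through; not a real Ncloud value.
CLIENT_ID = "example-client-id"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 uses for PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """PKCE step 2: a random verifier (32 bytes -> 43 unreserved characters)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """PKCE step 2/3: derive the challenge sent in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)


@dataclass
class IdentityProvider:
    """Minimal in-memory stand-in for the IdP; the real IdP is a remote service."""
    # authorization code -> (client_id, code_challenge, code_challenge_method)
    pending: dict = field(default_factory=dict)

    def authorize(self, client_id: str, response_type: str,
                  code_challenge: Optional[str] = None,
                  code_challenge_method: Optional[str] = None) -> str:
        """Steps 2-6: after consent and login, issue a single-use authorization code.
        With PKCE (step 3) the challenge and method are stored next to the code."""
        if response_type != "code":
            raise ValueError("authorization code flow requires response_type=code")
        code = b64url(secrets.token_bytes(24))
        self.pending[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str] = None) -> dict:
        """Steps 7-9: verify the code, then (PKCE) the verifier, then issue a token."""
        entry = self.pending.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant: unknown, reused or mismatched code")
        _, challenge, method = entry
        if challenge is not None:
            # Step 8: re-derive the challenge from the verifier and compare it in
            # constant time with the value stored at authorization time.
            if code_verifier is None or not secrets.compare_digest(
                    make_code_challenge(code_verifier, method), challenge):
                raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "expires_in": 3600}


def run_authorization_code_flow(idp: IdentityProvider) -> dict:
    """Plain authorization code flow (no PKCE)."""
    code = idp.authorize(CLIENT_ID, "code")
    return idp.token(CLIENT_ID, code)


def run_pkce_flow(idp: IdentityProvider) -> dict:
    """Authorization code flow with PKCE: the verifier stays on the client until
    the token request, so the code on its own is not enough to obtain a token."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, "S256")
    code = idp.authorize(CLIENT_ID, "code", challenge, "S256")
    return idp.token(CLIENT_ID, code, verifier)


def token_request_without_verifier_is_rejected(idp: IdentityProvider) -> bool:
    """Failure mode: redeeming a PKCE-bound code with a non-matching verifier."""
    challenge = make_code_challenge(make_code_verifier(), "S256")
    code = idp.authorize(CLIENT_ID, "code", challenge, "S256")
    try:
        idp.token(CLIENT_ID, code, code_verifier=make_code_verifier())
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_pkce_flow(IdentityProvider()))
```

The S256 derivation is the one from RFC 7636; its Appendix B test vector is a convenient check that your client-side implementation matches what the IdP will compute.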

    Implicit flow

    The implicit flow is suitable for client environments where it is difficult to securely store and manage credentials. The flow proceeds as follows:
    [Figure: implicit flow]

    1. The resource owner clicks the login button to initiate the flow.
    2. The client sets the response type to token and requests authorization.
    3. The IdP sends the resource owner the consent page and login page for providing privacy information.
    4. The resource owner approves the granting of permission by agreeing and logging in.
    5. The IdP issues an access token.
    6. The client with the access token accesses the resource server and requests the protected resource.
    7. The resource server delivers the requested resource to the client.

    SAML 2.0 definition

    SAML 2.0 is a web-based, open standard authentication protocol. It defines a standard format for exchanging user authentication and authorization information between applications, allowing IdPs and SPs to exchange user information securely and authenticate users.

    SAML 2.0 roles

    The roles defined in SAML 2.0 are as follows:

    | Role | Definition |
    | --- | --- |
    | Service Provider (SP) | The entity that provides the service. It mainly refers to the application or service that the SSO user wants to use; it requests the user's authentication information from the Identity Provider (IdP). |
    | Identity Provider (IdP) | A system that verifies the user's authentication information requested by the Service Provider (SP) and provides the user's authentication information to the SP |
    | SAML Request | A request message used to exchange authentication information between the IdP and the SP. It includes the information needed to create a SAML Assertion (authentication information). |
    | SAML Response | A response message used to exchange authentication information between the IdP and the SP. It includes the SAML Assertion (authentication information) and other necessary metadata. Through it, the IdP verifies the user's authentication information and delivers the authentication result to the SP. |
    | SAML Assertion | An XML document containing the user's authentication information, such as the ID, authentication time, and authentication method. It is transferred from the IdP to the SP, and the SP uses it to verify the user's authentication. |
    | ACS URL | The URL at which the Service Provider (SP) provides its Assertion Consumer Service (ACS), i.e. where the IdP delivers the SAML Response |
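To make the roles in the table concrete, the following added example (not code from the Ncloud documentation) parses a constructed, unsigned SAML Response, pulls out the fields the table names (issuer, user ID, authentication time and method, audience, validity window, destination) and applies the checks an SP performs before accepting the assertion. The SP entity ID, ACS URL and IdP issuer are assumed values. XML signature verification is mandatory in a real SP and is deliberately not implemented here; it needs an XML-DSig library, and this example only covers the claim checks that come after it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import List

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed SP-side configuration (assumed values, not real Ncloud settings).
SP_ENTITY_ID = "https://sp.example.com"
ACS_URL = "https://sp.example.com/saml/acs"
EXPECTED_IDP = "https://idp.example.com"

# Constructed, unsigned sample SAML Response used for the walk-through.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T09:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T09:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T08:59:00Z" NotOnOrAfter="2024-01-01T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_saml_response(xml_text: str) -> dict:
    """Extract the fields the SP needs from the Response and its Assertion.
    (In production parse untrusted XML with defusedxml and verify the XML
    signature before trusting any of these values.)"""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    conditions = assertion.find("saml:Conditions", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "destination": root.get("Destination"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": _ts(conditions.get("NotBefore")),
        "not_on_or_after": _ts(conditions.get("NotOnOrAfter")),
        "audiences": [a.text for a in
                      conditions.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "authn_instant": _ts(authn.get("AuthnInstant")),
        "authn_method": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                                       namespaces=NS),
    }


def validate(info: dict, now: datetime) -> List[str]:
    """Return the list of failed checks; an empty list means the SP may accept it."""
    errors = []
    if info["status"] != STATUS_SUCCESS:
        errors.append("status is not Success")
    if info["destination"] != ACS_URL:
        errors.append("Destination does not match our ACS URL")
    if info["issuer"] != EXPECTED_IDP:
        errors.append("unexpected Issuer")
    if SP_ENTITY_ID not in info["audiences"]:
        errors.append("assertion is not addressed to this SP (Audience)")
    if now < info["not_before"]:
        errors.append("assertion not yet valid (NotBefore)")
    if now >= info["not_on_or_after"]:
        errors.append("assertion expired (NotOnOrAfter)")
    return errors


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_RESPONSE)
    print(parsed["name_id"], parsed["authn_method"])
    print(validate(parsed, _ts("2024-01-01T09:01:00Z")) or "accepted")
```

The Audience and Destination checks are what tie an assertion to this particular SP and ACS URL; without them a valid assertion issued for a different service would still be accepted.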
