Design SSO for a B2B product where each customer brings their own identity provider.
Key Talking Points
- ✓ Support SAML 2.0 and OIDC; store per-tenant IdP metadata, certificates, and entity/client IDs.
- ✓ Validate every assertion: signature, issuer, audience, NotBefore/NotOnOrAfter, and InResponseTo — reject unsigned assertions (guard against SAML signature-wrapping).
- ✓ Home-realm discovery: map an email domain → the right tenant/IdP.
- ✓ JIT user provisioning from IdP claims; map IdP groups → app roles; SCIM for deprovisioning.
- ✓ Session + Single Logout (SLO); short-lived sessions with refresh.
- ✓ Secure default for tenants without an IdP: password + MFA.
- ✓ Don't trust IdP-initiated flows blindly; prefer SP-initiated where possible.
Enterprise SSO (Single Sign-On) lets customers log in via their own corporate Identity Provider (IdP — e.g. Okta, Microsoft Entra ID, Google Workspace) instead of managing passwords in your app. The two dominant protocols are SAML 2.0 (XML-based, common in legacy enterprise) and OIDC (OpenID Connect — JSON/JWT-based, modern and easier to implement). Your system must support both.
The critical security requirement: rigorously validate every assertion. Most enterprise-SSO breaches stem from skipped validation. For SAML, this means verifying the XML signature, the Issuer, the Audience (must be your SP entity ID), the NotBefore/NotOnOrAfter time window, and the InResponseTo field (to prevent replay). Be especially vigilant about SAML signature wrapping — an attack where a validly signed element is reused in a different context so that a forged assertion still passes a naive signature check. For OIDC, validate the JWT signature and the iss, aud, and exp claims, and check the nonce you sent with the authentication request.
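As an added example (not code from the original page), the OIDC half of that validation in Python, tied to the per-tenant IdP registry and home-realm discovery from the talking points. Assumptions: a stdlib-only HS256 verifier stands in for the RS256/JWKS keys a real IdP publishes, the tenant registry and tokens are constructed, and the final email-domain check is an extra cross-tenant guard beyond what the page lists.

```python
import base64, hashlib, hmac, json, time
# Constructed per-tenant IdP registry. Assumption: HS256 shared secrets stand in for the
# RS256/JWKS keys a real OIDC IdP publishes; the claim checks that follow are the same.
TENANTS = {
    "acme.example":   {"issuer": "https://idp.acme.example",   "audience": "sp-acme",   "key": b"acme-secret"},
    "globex.example": {"issuer": "https://idp.globex.example", "audience": "sp-globex", "key": b"globex-secret"},
}
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _domain(email): return email.rsplit("@", 1)[-1].lower()

def home_realm(email):
    """Home-realm discovery: the login email's domain selects the tenant's IdP config."""
    return TENANTS.get(_domain(email))

def mint_id_token(tenant, claims):  # stand-in for the IdP, only used to build sample tokens
    h, p = _b64e(json.dumps({"alg": "HS256"}).encode()), _b64e(json.dumps(claims).encode())
    sig = hmac.new(tenant["key"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64e(sig)}"

def validate_id_token(token, email, expected_nonce, now=None):
    """SP-side check of an ID token, pinned to the tenant chosen by home-realm discovery.
    Returns the claims or raises ValueError; none of these checks is optional."""
    now = int(time.time()) if now is None else now
    tenant = home_realm(email)
    if tenant is None: raise ValueError("no IdP configured for this email domain")
    h64, p64, s64 = token.split(".")  # raises ValueError on a malformed token
    # Pin the algorithm (never honor alg=none) and verify the signature before reading any claim.
    if json.loads(_b64d(h64)).get("alg") != "HS256": raise ValueError("unexpected alg")
    expected = hmac.new(tenant["key"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(s64)): raise ValueError("bad signature")
    c = json.loads(_b64d(p64))
    # Issuer and audience pin the token to THIS tenant's IdP and to our SP, not another client.
    if c.get("iss") != tenant["issuer"]: raise ValueError("wrong issuer")
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if tenant["audience"] not in aud: raise ValueError("wrong audience")
    # Validity window (60 s clock skew) and nonce (bound to our own auth request, anti-replay).
    if not (c.get("nbf", 0) - 60 <= now < c.get("exp", 0)): raise ValueError("outside validity window")
    if c.get("nonce") != expected_nonce: raise ValueError("nonce mismatch")
    # Assumed extra guard: a tenant's IdP may only assert users of its own domain (cross-tenant check).
    if _domain(c.get("email", "")) != _domain(email): raise ValueError("asserted email outside tenant domain")
    return c

def rejection_reason(token, email, expected_nonce, now=None):
    """The validation error text, or None when the token is accepted."""
    try:
        validate_id_token(token, email, expected_nonce, now)
        return None
    except ValueError as e:
        return str(e)
```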