The php[architect] site has a new post today sharing an article from their August 2017 issue by author (and member of thePHP.cc) Arne Blankerts: "Single Sign On - You’re Probably Doing It Wrong".
Requiring users to log in individually to all the websites they need for their work is more than merely annoying: It wastes a lot of time and turns maintaining log-in credentials and permissions into a nightmare for the administrative staff. Let’s see if we can fix that with a single sign-on service.
The article covers the basics of single sign-on and the benefits it brings to the table. It also discusses the single point of failure it introduces and some of the problems that can cause. The article then walks through the choices involved in implementing it: Should it handle authentication, authorization or both? Should OAuth be involved? What about SAML? Other alternatives are also covered, including JWTs, tokens with callbacks, and client-side certificates. The article ends with the suggestion that a proxied approach, where the user is authenticated on the first request and the resulting session is then trusted by the other services behind the proxy, is one of the better ways to go (though it isn't without issues of its own either).