However, OIDC is the more modern protocol and better suited for mobile applications, and is therefore the one we recommend.
= Use Cases =
== Login ==
One use-case is logging in to {{UBIK}} via SSO. Here, we can distinguish between authentication and authorization.

=== Authentication ===
Authentication is the process of verifying the user's identity, in the case of SSO using a central authority called the "Identity Provider" (IdP) or simply "Authority".
In {{UBIK}}, this is implemented by opening a browser so the user can negotiate their login with the IdP, instead of using input fields for the credentials. The {{UBIK}} authentication web service never gets to see the user's credentials - instead, it just verifies the SSO token provided by the IdP and establishes an internal {{UBIK}} session based on this.
=== Authorization ===
Authorization is the process of allowing an action to be performed. In the case of SSO, an action is authorized based on the user's identity and the rights attested by the Identity Provider. This means {{UBIK}} can be customized to assign groups and/or rights to a user based on the information received from the IdP, or even to grant or deny access completely.

== Interfacing ==
Another use-case is interfacing, where {{UBIK}} interacts with another system, which we can call the "Service Provider" (SP), on the user's behalf. For authentication (and authorization), the user's SSO token is provided to the Service Provider as credentials. Since a {{UBIK}} app synchronizes all content with the {{UBIK}} content web service, the latter takes care of the interaction with any Service Provider. Thus, the app relays the user's SSO token via the content web service to perform an action at the Service Provider on the user's behalf. But we can also use the claims stated in the SSO token to evaluate the user's rights within {{UBIK}} itself, without any Service Provider involved, if required.

[[Category:Single Sign-On]]
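As an added example (not {{UBIK}}'s own code), the two steps described above fit together like this: the authentication web service validates the IdP's token (signature, expected algorithm, issuer, audience, validity window) and only then maps the attested groups to internal rights. HS256 with a constructed shared secret stands in for the IdP's asymmetric signature, and the issuer, client id and group names are assumed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real IdP signs with RS256/ES256 keys published via JWKS.
DEMO_KEY = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://idp.example.test"   # placeholder IdP authority
EXPECTED_AUDIENCE = "ubik-app"                  # placeholder client id of the UBIK app

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Builds an HS256-signed JWT for the example (stands in for the IdP)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_sso_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Validates signature and standard claims; raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never accept 'none' or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token not valid at this time")
    return claims

def rights_from_claims(claims: dict, group_rights: dict) -> set:
    # Maps IdP-attested groups to internal rights; unknown groups grant nothing.
    return {r for g in claims.get("groups", []) for r in group_rights.get(g, [])}
```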
= Architecture and flow (OIDC) =
[[Image:UBIK SSO Architecture.png|thumb]]