Overview of the EmpowerID SSO Client

If your organization uses Web applications that require authentication but do not support federated Single Sign-On (SSO), EmpowerID can still provide SSO to those applications through its browser extension, the EmpowerID SSO Client. Users simply install the client in their preferred browser and browse to their applications. If those applications have been mapped in EmpowerID, and if the users have claimed accounts in them, the client logs them in seamlessly. The end result is that users who authenticate in your environment experience SSO regardless of the type of Web application they navigate to, whether SAML applications, WS-Fed applications, or forms authentication applications (known in EmpowerID as "Forms SSO apps" or "Browser Extension apps"). With EmpowerID, the user experience remains the same.

How does the SSO Client work?

When a user logs in to EmpowerID, the EmpowerID Web application calls the EmpowerID RESTful API, passing it an OAuth token, and the API returns data about the user. That data includes the definitions of every Web application that exists in EmpowerID and whether the user has accounts in those applications that EmpowerID knows about. These application definitions can include SAML applications like Salesforce.com, WS-Fed applications like Office 365, applications that are URL subcomponents of parent applications, and Browser Extension SSO apps, like Amazon.com. EmpowerID differentiates Browser Extension SSO applications from other types of applications in the following ways:

  • Browser Extension SSO apps have an SSO Domain. This is the root domain of the application, such as http://www.myappdomain.com.
  • Browser Extension SSO apps have one or more SSO Application Pages. These are the login pages for the application, such as http://www.myappdomain.com/login. The URLs associated with these pages trigger the SSO Client.
  • Browser Extension SSO apps have SSO Application Credentials. SSO Application credentials are the user names and passwords of each person who has claimed an account in a given Browser Extension SSO app.

If the user has claimed an account in a Browser Extension SSO application, EmpowerID places an icon for that application on the user's Personal Applications page. The icon is linked to the application's login page. Clicking it opens a new browser tab addressed to the application's login page (the SSO application page), which triggers the SSO Client. The SSO Client, in turn, retrieves the user's credentials, inserts them into the page, and submits them to the application. If the credentials are current, the user is granted access.

In addition to clicking an application icon from within EmpowerID, users can browse directly to the application. If they are in a current authenticated session with EmpowerID, their experience is the same: The login page triggers the SSO Client and the user's credentials are submitted to the application.
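As an added illustration, not EmpowerID's own code, the following Python sketch shows the decision the SSO Client has to make from the definitions above: a URL triggers credential injection only when the user has claimed an account in the app and the page's origin and path match a configured SSO Application Page exactly, so lookalike hosts and unlisted pages never receive credentials. The app definition shape and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class BrowserExtensionApp:
    """Constructed stand-in for a Browser Extension SSO app definition."""
    name: str
    sso_domain: str      # root domain, e.g. http://www.myappdomain.com
    sso_pages: list      # login page URLs that trigger the SSO Client
    claimed: bool        # whether the user has claimed an account here


def _origin(url):
    """(scheme, host, port) of a URL; host lowercased, port None if default."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.port


def _path(url):
    """Path with the query string dropped and the trailing slash normalised."""
    return urlsplit(url).path.rstrip("/") or "/"


def find_triggering_app(url, apps):
    """Return the claimed app whose SSO Application Page the browser is on.

    The page's scheme, host and port must equal those of the app's SSO Domain
    exactly, so a lookalike host such as www.myappdomain.com.evil.example, or
    the same path served over a different scheme, never receives credentials.
    """
    origin, path = _origin(url), _path(url)
    for app in apps:
        if not app.claimed or _origin(app.sso_domain) != origin:
            continue
        for page in app.sso_pages:
            if _origin(page) == origin and _path(page) == path:
                return app
    return None


# Constructed sample of what the API might return for one user.
SAMPLE_APPS = [
    BrowserExtensionApp("MyApp", "http://www.myappdomain.com",
                        ["http://www.myappdomain.com/login"], claimed=True),
    BrowserExtensionApp("CRM", "https://crm.example.test",
                        ["https://crm.example.test/signin"], claimed=False),
]

if __name__ == "__main__":
    for url in ("http://www.myappdomain.com/login?next=/home",
                "http://www.myappdomain.com.evil.example/login",
                "https://crm.example.test/signin"):
        hit = find_triggering_app(url, SAMPLE_APPS)
        print(url, "->", hit.name if hit else "no SSO")
```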


How do users claim accounts for Browser Extension SSO applications?

With the appropriate access assignments, users can claim accounts for any application that is mapped in EmpowerID. They simply need to browse to those applications in the IT Shop and request access. When they do so, they enter their personal credentials for the application and submit their request. These access requests are "self-service" requests, meaning administrators and managers do not need to approve them. Once users have submitted credentials, an icon for each application appears on their Personal Applications page.

To facilitate access to Browser Extension SSO applications, EmpowerID provides a number of Management Roles that you can assign to your users. At a minimum, users need the IT Shop Limited Access and SSO Apps Limited Access roles. These roles give users the ability to shop for and claim Browser Extension SSO apps. Beyond these two Management Roles, EmpowerID provides the IT Shop Full Access and SSO Apps Full Access roles for greater capabilities. The roles you assign your users depend on their access needs. To view the access granted by a particular role, expand the relevant drop-down.

  • IT Shop Limited Access

    Users with this Management Role have limited access to the IT Shop workflows and user interfaces to allow access requests and resource management.

    Assignment Type | Resource Type | Resource | Access Level | Assignment Description
    Direct | Control (User Interface) | IT Shop Workflows | Viewer | Direct Assignment to IT Shop Workflows as Viewer.
    Direct | Control (User Interface) | Shopping Cart | Viewer | Direct Assignment to Shopping Cart as Viewer.
    Direct | Pages and Reports | IT Shop Request Access | Viewer | Direct Assignment to IT Shop Request Access as Viewer.
    Direct | Workflow | ClaimSSOAccount | Initiator | Direct Assignment to ClaimSSOAccount as Initiator.
    Direct | Workflow | CreateApplicationUser | Initiator | Direct Assignment to CreateApplicationUser as Initiator.
    Direct | Workflow | CreateAsset | Initiator | Direct Assignment to CreateAsset as Initiator.
    Direct | Workflow | CreateAssetMailbox | Initiator | Direct Assignment to CreateAssetMailbox as Initiator.
    Direct | Workflow | CreateGenericAsset | Initiator | Direct Assignment to CreateGenericAsset as Initiator.
    Direct | Workflow | ProvisionAssetForPerson | Initiator | Direct Assignment to ProvisionAssetForPerson as Initiator.
    Direct | Workflow | UpdateAccountGroupMembership | Initiator | Direct Assignment to UpdateAccountGroupMembership as Initiator.
    Direct | Workflow | UpdateDirectAssignmentTimeConstraint | Initiator | Direct Assignment to UpdateDirectAssignmentTimeConstraint as Initiator.
    Direct | Workflow | UpdatePersonApplicationGroupMembership | Initiator | Direct Assignment to UpdatePersonApplicationGroupMembership as Initiator.
    Direct | Workflow | UpdatePersonDirectAssignment | Initiator | Direct Assignment to UpdatePersonDirectAssignment as Initiator.
    Direct | Workflow | UpdatePersonGroupMembership | Initiator | Direct Assignment to UpdatePersonGroupMembership as Initiator.
    Direct | Workflow | UpdatePersonManagementRoleAssignments | Initiator | Direct Assignment to UpdatePersonManagementRoleAssignments as Initiator.
    Direct | Workflow | UpdatePersonManagementRoles | Initiator | Direct Assignment to UpdatePersonManagementRoles as Initiator.
  • IT Shop Full Access

    Users with this Management Role have full access to the IT Shop workflows and user interfaces to allow access requests and resource management.

    Assignment Type | Resource Type | Resource | Access Level | Assignment Description
    Direct | Control (User Interface) | IT Shop Workflows | Viewer | Direct Assignment to IT Shop Workflows as Viewer.
    Direct | Control (User Interface) | Shopping Cart | Viewer | Direct Assignment to Shopping Cart as Viewer.
    Direct | Pages and Reports | IT Shop I Manage | Viewer | Direct Assignment to IT Shop I Manage as Viewer.
    Direct | Pages and Reports | IT Shop My Access | Viewer | Direct Assignment to IT Shop My Access as Viewer.
    Direct | Pages and Reports | IT Shop Request Access | Viewer | Direct Assignment to IT Shop Request Access as Viewer.
    Direct | Workflow | AddBusinessProcessTaskComment | Initiator | Direct Assignment to AddBusinessProcessTaskComment as Initiator.
    Direct | Workflow | AddCommentToTask | Initiator | Direct Assignment to AddCommentToTask as Initiator.
    Direct | Workflow | ClaimBusinessProcessTask | Initiator | Direct Assignment to ClaimBusinessProcessTask as Initiator.
    Direct | Workflow | ClaimSSOAccount | Initiator | Direct Assignment to ClaimSSOAccount as Initiator.
    Direct | Workflow | CreateApplicationUser | Initiator | Direct Assignment to CreateApplicationUser as Initiator.
    Direct | Workflow | CreateAsset | Initiator | Direct Assignment to CreateAsset as Initiator.
    Direct | Workflow | CreateAssetMailbox | Initiator | Direct Assignment to CreateAssetMailbox as Initiator.
    Direct | Workflow | CreateGenericAsset | Initiator | Direct Assignment to CreateGenericAsset as Initiator.
    Direct | Workflow | ProvisionAssetForPerson | Initiator | Direct Assignment to ProvisionAssetForPerson as Initiator.
    Direct | Workflow | RemoveBusinessProcessTaskDelegate | Initiator | Direct Assignment to RemoveBusinessProcessTaskDelegate as Initiator.
    Direct | Workflow | SetBusinessProcessTaskDelegate | Initiator | Direct Assignment to SetBusinessProcessTaskDelegate as Initiator.
    Direct | Workflow | TerminateWorkflow | Initiator | Direct Assignment to TerminateWorkflow as Initiator.
    Direct | Workflow | UnclaimBusinessProcessTask | Initiator | Direct Assignment to UnclaimBusinessProcessTask as Initiator.
    Direct | Workflow | UpdateAccountGroupMembership | Initiator | Direct Assignment to UpdateAccountGroupMembership as Initiator.
    Direct | Workflow | UpdateDirectAssignmentTimeConstraint | Initiator | Direct Assignment to UpdateDirectAssignmentTimeConstraint as Initiator.
    Direct | Workflow | UpdateManagementRoleAssignments | Initiator | Direct Assignment to UpdateManagementRoleAssignments as Initiator.
    Direct | Workflow | UpdatePersonApplicationGroupMembership | Initiator | Direct Assignment to UpdatePersonApplicationGroupMembership as Initiator.
    Direct | Workflow | UpdatePersonDirectAssignment | Initiator | Direct Assignment to UpdatePersonDirectAssignment as Initiator.
    Direct | Workflow | UpdatePersonGroupMembership | Initiator | Direct Assignment to UpdatePersonGroupMembership as Initiator.
    Direct | Workflow | UpdatePersonManagementRoleAssignments | Initiator | Direct Assignment to UpdatePersonManagementRoleAssignments as Initiator.
    Direct | Workflow | UpdatePersonManagementRoles | Initiator | Direct Assignment to UpdatePersonManagementRoles as Initiator.
  • SSO Apps Limited Access

    Grants limited access to the SSO and vaulted credential workflows and user interfaces to allow a user to sign in to SSO applications.

    Assignment Type | Resource Type | Resource | Access Level | Assignment Description
    Direct | Pages and Reports | SSO Applications Page | Viewer | Direct Assignment to SSO Applications Page as Viewer.
    Direct | Workflow | ClaimSSOAccount | Initiator | Direct Assignment to ClaimSSOAccount as Initiator.
    Direct | Workflow | DeleteOwnSSOAccount | Initiator | Direct Assignment to DeleteOwnSSOAccount as Initiator.
    Direct | Workflow | UpdatePersonSecrets | Initiator | Direct Assignment to UpdatePersonSecrets as Initiator.
    Direct | Workflow | EditFormsSSOCredentials | Initiator | Direct Assignment to EditFormsSSOCredentials as Initiator.
    Direct | Workflow | UpdateFormsSSOCredentialSharedPeople | Initiator | Direct Assignment to UpdateFormsSSOCredentialSharedPeople as Initiator.
    Direct | Workflow | ResetMasterPassword | Initiator | Direct Assignment to ResetMasterPassword as Initiator.
  • SSO Apps Full Access

    Grants full access to the SSO and vaulted credential workflows and user interfaces to allow a user to sign in to SSO applications.

    Assignment Type | Resource Type | Resource | Access Level | Assignment Description
    Direct | Control (User Interface) | Shared Credentials Tab | Viewer | Direct Assignment to Shared Credentials Tab as Viewer.
    Direct | Pages and Reports | SSO Applications Page | Viewer | Direct Assignment to SSO Applications Page as Viewer.
    Direct | Pages and Reports | Saved Credentials Page | Viewer | Direct Assignment to Saved Credentials Page as Viewer.
    Direct | Workflow | ClaimSSOAccount | Initiator | Direct Assignment to ClaimSSOAccount as Initiator.
    Direct | Workflow | DeleteOwnSSOAccount | Initiator | Direct Assignment to DeleteOwnSSOAccount as Initiator.
    Direct | Workflow | UpdatePersonSecrets | Initiator | Direct Assignment to UpdatePersonSecrets as Initiator.
    Direct | Workflow | EditFormsSSOCredentials | Initiator | Direct Assignment to EditFormsSSOCredentials as Initiator.
    Direct | Workflow | UpdateFormsSSOCredentialSharedPeople | Initiator | Direct Assignment to UpdateFormsSSOCredentialSharedPeople as Initiator.
    Direct | Workflow | UpdateExternalCredentials | Initiator | Direct Assignment to UpdateExternalCredentials as Initiator.
    Direct | Workflow | UpdateExternalCredentialSharedPeople | Initiator | Direct Assignment to UpdateExternalCredentialSharedPeople as Initiator.
    Direct | Workflow | ResetMasterPassword | Initiator | Direct Assignment to ResetMasterPassword as Initiator.
  • SSO Application Developer

    Users with this Management Role can create and manage apps and SSO connections.

    Assignment Type | Resource Type | Resource | Access Level | Assignment Description
    Direct | Control (User Interface) | Shopping Cart | Viewer | Direct Assignment to Shopping Cart as Viewer.
    Direct | Pages and Reports | FindProtectedApplicationResourceApplication Page | Viewer | Direct Assignment to FindProtectedApplicationResourceApplication Page as Viewer.
    Direct | Pages and Reports | Create Application Page | Viewer | Direct Assignment to Create Application Page as Viewer.
    Direct | Pages and Reports | View Group Page | Viewer | Direct Assignment to View Group Page as Viewer.
    Direct | Pages and Reports | Create SAML AuthN Request | Viewer | Direct Assignment to Create SAML AuthN Request as Viewer.
    Direct | Workflow | CreateApplication | Initiator | Direct Assignment to CreateApplication as Initiator.
    Direct | Workflow | EditSAMLSingleSignOn | Initiator | Direct Assignment to EditSAMLSingleSignOn as Initiator.
    Direct | Workflow | UpdateApplication | Initiator | Direct Assignment to UpdateApplication as Initiator.
    Direct | Workflow | UpdateAssignments | Initiator | Direct Assignment to UpdateAssignments as Initiator.

To see the steps involved with claiming a Forms SSO application, see Claiming Accounts in Browser Extension Applications.


How does EmpowerID protect Forms SSO credentials?

When EmpowerID is installed in an environment, it generates a root certificate authority (CA) that is unique for the environment. This CA is used to issue personal certificates for encrypting and decrypting a person's "secrets." Users can have different types of secrets in EmpowerID; however, in this context, the secret is their credentials for the Forms SSO application. The very first time a user claims a Forms SSO account, EmpowerID prompts that user to create a new password for encrypting and decrypting their secrets.

Once the user enters a password, it becomes their master password. EmpowerID uses the master password to generate a public/private key pair certificate for that person, linking the public key to the user and encrypting the private key with the master password using AES-256 encryption with PBKDF2 SHA-256 and salted hashes. The master password is then discarded; EmpowerID keeps no record of it, ensuring that only the user can retrieve their credentials. Neither administrators nor the EmpowerID system itself can do so. Users must therefore remember their master password, as it is needed to unlock their secrets. If they lose it, they can create a new one; however, they will need to re-enter all their credentials and other secrets under the new password.

Because a user's private key is encrypted with their master password, the master password must be presented to EmpowerID before EmpowerID can unlock their Forms SSO credentials. EmpowerID requires this the first time a user attempts to access a Forms SSO application within a given EmpowerID session. If the private key matches the user's public key, EmpowerID unlocks the credentials.

By default, the master password prompt occurs only once in a session for each application. Users can, however, change this behavior to be prompted each time they browse the application.