What Is Single Sign-On?
A lot of confusion arises with the phrase 'sign-on' and what it means, particularly since it is often used interchangeably with 'login'. Hopefully this page will help clarify the distinction and make it clear what the 'Single sign-on' system provided by Earthdata Login actually does.
When you 'log in' to a web application, you are establishing a 'session' with the application - a temporary state or environment that the application will use to track what you are doing and various options you have set. For example, on-line shopping sites may store any items you have added to your shopping cart in your session. This session typically lasts until you explicitly 'logout', or you are idle for log enough that the application decides to log you out (which can be anywhere from minutes to hours).
Some applications want to be able to identify their users - whether it is to determine if they are repeat customers (shopping history, billing details, etc), or in the case of many Earthdata applications, just to know where the data is going. This is the 'sign in' part - the user must provide some credentials to prove who they are (and this is where Earthdata Login helps out).
Putting it Together - without Single sign-on
If a user wants to access an application, but is not logged in to that application (i.e. has not yet established a session), the user will generally go to the application and click a 'login' button to do so. At this point, the application now needs to identify the user. In a typical scenario, the application will ask the user to sign-on - to enter their credentials. If the credentials are valid, the application will go ahead and set up a session, and the user is now logged in. If that user subsequently goes to another application, the same steps will have to be followed, with the user entering their (possibly different) credentials for every application.
Adding in Single Sign-On
When a single sign-on system such as Earthdata Login is used, this changes. As before, if a user wants to access an application, but is not currently logged in to that application, the user will go to the application and click a 'login' button to do so. The application now needs to identify the user, but instead of asking the user for credentials, it asks Earthdata Login to identify the user. There are two different scenarios for what happens next:
- If the user has not recently signed in using Earthdata Login, then Earthdata Login will ask the user for his/her credentials. If the credentials are valid, Earthdata Login will tell the application who the user is, and the application can now set up the session - the user is logged in. This scenario is similar to the one without single sign-on, with the exception that the user provides the credentials to Earthdata Login, and not the application.
- The other scenario occurs when the user has recently signed in using Earthdata Login - for example, they have used the Earthdata Login GUI, or have already logged in to an application that uses Earthdata Login single sign-on as described in the above scenario. In this case, Earthdata Login already knows who the user is, so when the application asks Earthdata Login to identify the user, it can simply tell the application who the user is without the need to request the user credentials again. Thus the user effectively logs in to the application without needing to provide any username or password.
The 'sign-on' in 'single sign-on' is referring to the act of providing credentials, not the process of logging in.