Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!
sso — lovingly known as the S.S. Octopus or octoboi — is the
authentication and authorization system BuzzFeed developed to provide a secure,
single sign-on experience for access to the many internal web apps used by our
employees.
It depends on Google as its authoritative OAuth2 provider, and authenticates
users against a specific email domain. Further authorization based on Google
Group membership can be required on a per-upstream basis.
The main idea behind sso is a "double OAuth2" flow, where sso-auth is the
OAuth2 provider for sso-proxy and Google is the OAuth2 provider for sso-auth.
If a user visits an sso-proxy-protected service (foo.sso.example.com) and does not have a session cookie for it, they are redirected to sso-auth (sso-auth.example.com).
If the user does not have a session cookie for sso-auth either, they are prompted to log in via the usual Google OAuth2 flow, and are then redirected back to sso-proxy, where they will now be logged in to foo.sso.example.com.
If the user does have a session cookie for sso-auth (e.g. they have already logged into bar.sso.example.com), they are transparently redirected back to sso-proxy, where they will be logged in without needing to go through the Google OAuth2 flow again.
sso-proxy transparently re-validates and refreshes the user's session with sso-auth.
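The redirect chain described above, as an added example that is not sso's own code: sso-auth and one sso-proxy per protected host are modelled as in-process Python objects, and each browser hop is a method call returning the status, Location and Set-Cookie a real response would carry. The host names, the /authorize and /oauth2/callback paths, the _sso_auth and _sso_proxy cookie names, and the Google parameters are assumptions. It goes slightly beyond the text by including the checks a practitioner would expect at each hop: sso-auth only sends codes to an allow-listed host and path, and the proxy consumes state and code once, so a replayed or forged callback URL fails.

```python
"""Added example, not sso's own code: an in-process model of the "double OAuth2"
redirect chain described above. Hosts, paths, cookie names and Google parameters
are assumptions; sessions are plain dicts keyed by unsigned random cookie values,
so this shows the control flow and its checks, not a deployable server."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

AUTH_HOST = "sso-auth.example.com"  # assumed sso-auth host
CALLBACK_PATH = "/oauth2/callback"  # assumed callback path on every proxied host
GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/v2/auth"  # assumed Google endpoint


@dataclass
class Response:  # only the parts of an HTTP response the flow depends on
    status: int
    location: str = ""                              # Location header for 302s
    set_cookie: dict = field(default_factory=dict)  # cookie name -> value
    body: str = ""


def query_params(url: str) -> dict:  # first value of each query parameter
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthServer:
    """Stands in for sso-auth: Google is its provider, it is every proxy's provider."""
    def __init__(self, allowed_hosts: set[str]):
        self.allowed_hosts = allowed_hosts  # hosts sso-proxy fronts (assumed config)
        self.sessions = {}  # _sso_auth cookie value -> email
        self.codes = {}     # one-time code issued to a proxy -> email

    def login(self, email: str) -> str:  # models a completed Google OAuth2 flow
        tok = secrets.token_hex(16)
        self.sessions[tok] = email
        return tok

    def authorize(self, url: str, cookies: dict) -> Response:
        """The endpoint sso-proxy redirects the browser to."""
        q = query_params(url)
        cb = urlsplit(q.get("redirect_uri", ""))
        # Codes go only to a host/path we protect; anything else is an open redirect.
        if cb.scheme != "https" or cb.netloc not in self.allowed_hosts or cb.path != CALLBACK_PATH or not q.get("state"):
            return Response(400, body="invalid redirect_uri or state")
        email = self.sessions.get(cookies.get("_sso_auth", ""))
        if email is None:  # no sso-auth session yet: start the Google flow
            params = {"response_type": "code", "client_id": "example", "state": secrets.token_hex(16)}
            return Response(302, location=f"{GOOGLE_AUTH}?{urlencode(params)}")
        code = secrets.token_hex(16)  # session present: issue a code, no Google round trip
        self.codes[code] = email
        back = cb._replace(query=urlencode({"code": code, "state": q["state"]}))
        return Response(302, location=urlunsplit(back))


class ProxyServer:
    """Stands in for one sso-proxy instance in front of `host`."""
    def __init__(self, auth: AuthServer, host: str):
        self.auth, self.host = auth, host
        self.pending = {}   # state -> URL the user originally requested
        self.sessions = {}  # _sso_proxy cookie value -> email

    def request(self, url: str, cookies: dict) -> Response:
        """Valid proxy session: serve the upstream. Otherwise send to sso-auth."""
        email = self.sessions.get(cookies.get("_sso_proxy", ""))
        if email is not None:
            return Response(200, body=f"hello {email}, upstream content here")
        state = secrets.token_hex(16)  # fresh per attempt, bound to this browser
        self.pending[state] = url
        params = {"redirect_uri": f"https://{self.host}{CALLBACK_PATH}", "state": state}
        return Response(302, location=f"https://{AUTH_HOST}/authorize?{urlencode(params)}")

    def callback(self, url: str) -> Response:
        """State and code are both consumed here, so a replayed or forged callback fails."""
        q = query_params(url)
        orig = self.pending.pop(q.get("state", ""), None)
        email = self.auth.codes.pop(q.get("code", ""), None)  # really a back-channel redemption
        if orig is None or email is None:
            return Response(403, body="unknown state or code")
        tok = secrets.token_hex(16)
        self.sessions[tok] = email
        return Response(302, location=orig, set_cookie={"_sso_proxy": tok})


def walk_flow(email: str = "alice@example.com") -> list[str]:
    """Drive one browser through foo, then bar; return each hop's Location or body."""
    auth = AuthServer({"foo.sso.example.com", "bar.sso.example.com"})
    foo, bar = ProxyServer(auth, "foo.sso.example.com"), ProxyServer(auth, "bar.sso.example.com")
    r1 = foo.request("https://foo.sso.example.com/dashboard", {})  # no proxy session
    r2 = auth.authorize(r1.location, {})                           # no sso-auth session: Google
    auth_cookie = auth.login(email)                                # Google flow completes
    r3 = auth.authorize(r1.location, {"_sso_auth": auth_cookie})   # code issued to foo
    r4 = foo.callback(r3.location)                                 # foo session set
    r5 = foo.request(r4.location, r4.set_cookie)                   # upstream served
    r6 = bar.request("https://bar.sso.example.com/", {})           # second app, no bar session
    r7 = auth.authorize(r6.location, {"_sso_auth": auth_cookie})   # straight back, no Google
    return [r1.location, r2.location, r3.location, r4.location, r5.body, r6.location, r7.location]


if __name__ == "__main__":
    for hop in walk_flow():
        print(hop)
```

walk_flow() returns the seven hops for one user: the first redirect to sso-auth, the bounce to Google, the code back to foo, foo's callback setting its own cookie, the upstream page, then bar's redirect to sso-auth and the immediate code back to bar with no Google round trip. A real deployment would sign and expire its cookies and redeem the code over a back channel; the plain dict lookups here stand in for both.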
Please file any issues you find in our issue tracker.
Security Vulns
If you come across any security vulnerabilities with the sso repo or software, please email security@buzzfeed.com. In your email, please request access to our bug bounty program so we can compensate you for any valid issues reported.
Maintainers
sso is actively maintained by the BuzzFeed Infrastructure teams.
Notable forks
pomerium, an identity-access proxy inspired by BeyondCorp.