📝 Problem Description
Design a Single Sign-On (SSO) system that allows users to authenticate once and access multiple applications. Support SAML, OAuth 2.0/OIDC, session management, and enterprise identity providers.
👤 Use Cases
1. A user logs into SSO so that they are authenticated across all apps.
2. A user accesses a new app so that they are auto-authenticated via SSO.
3. An admin revokes a user's access so that the user is logged out everywhere.
4. An app validates a token so that the user's identity is confirmed.
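The token-validation step of use case 4, as an added example that is not code from the original page: an app checks an SSO-issued HS256 JWT using only the standard library, pinning the algorithm, verifying the signature, and then checking issuer, audience and expiry before trusting any claim. The shared secret, the issuer URL, the audience names and the `issue_access_token` helper are assumptions for the demo; the one-hour access-token lifetime is the page's own JWT TTL assumption.

```python
"""Stateless validation of an SSO-issued JWT (HS256) using only the standard library.

Added example, not code from the original page: the shared secret, issuer URL,
audience names and the issue_access_token helper are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed shared secret between the SSO issuer and this app. A production SSO
# server would sign with an asymmetric key (RS256/ES256) so that apps hold only
# the public key and cannot mint tokens themselves.
SSO_SECRET = b"constructed-demo-secret-do-not-reuse"
SSO_ISSUER = "https://sso.example.internal"   # assumed issuer identifier
ACCESS_TOKEN_TTL = 3600                       # 1 hour, the page's JWT TTL assumption


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject: str, audience: str, now: Optional[int] = None) -> str:
    """What the SSO server does after login: sign the user's identity claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": SSO_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    signature = hmac.new(SSO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def validate_access_token(token: str, expected_audience: str,
                          now: Optional[int] = None) -> dict:
    """What each app does on every request (use case 4): confirm the user's
    identity locally, with no round trip to the SSO server. Returns the claims
    or raises ValueError; nothing from the token is used before step 2 passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts

    # 1. Pin the algorithm: reject "none" and anything this app was not
    #    configured for, so the token header cannot choose how it is verified.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # 2. Verify the signature over the exact bytes received, in constant time.
    expected = hmac.new(SSO_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 3. Only now read the claims, and check every one the app relies on.
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != SSO_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token not issued for this app")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_access_token("alice", "crm-app", now=t0)
    print(validate_access_token(token, "crm-app", now=t0 + 60)["sub"])
```

Because nothing here touches a database, this check comfortably meets the "token validation < 10ms" requirement, but the same property is the catch for use case 3: a signed token stays valid until `exp` no matter what the admin does, so global revocation has to come from a short TTL combined with a server-side session or revocation check rather than from the token alone.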
✅ Functional Requirements
- Single authentication for multiple apps
- Support SAML 2.0 and OIDC protocols
- Integrate with external IdPs (Google, Azure AD)
- Session management (SSO session, app sessions)
- Multi-factor authentication
- User provisioning (SCIM)
- Audit logging
⚡ Non-Functional Requirements
- Login latency < 500ms
- Support 1M concurrent sessions
- 99.99% availability (auth is critical)
- Token validation < 10ms
⚠️ Constraints & Assumptions
- Security is paramount
- Must support legacy SAML apps
- Session sync across services
📊 Capacity Estimation
👥 Users
10M users, 1M concurrent sessions
💾 Storage
1TB (sessions, audit logs)
⚡ QPS
Token validation: 100K/sec, Logins: 1K/sec
📐 Assumptions
- 10M total users
- 1M concurrent sessions
- 100 integrated applications
- Average SSO session: 8 hours
- JWT access token TTL: 1 hour
- Refresh token TTL: 7 days
💡 Key Concepts
- OIDC (OpenID Connect) [CRITICAL]: authentication layer on top of OAuth 2.0 that provides ID tokens.
- SAML 2.0 [HIGH]: XML-based SSO protocol for the enterprise.
- JWT Tokens [CRITICAL]: signed tokens for stateless authentication.
- Session Federation [HIGH]: link the SSO session to each individual app session.
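Session federation with global revocation, covering use cases 1 to 3 and the Session Federation concept, as an added in-memory model that is not code from the original page. The `SessionFederation` class, its method names and the `logout_queue` that stands in for back-channel logout are assumptions; the eight-hour SSO session length is the page's own assumption.

```python
"""SSO session federation with global revocation, as an in-memory model.

Added example, not code from the original page: the SessionFederation class,
its method names and the logout_queue used for back-channel logout are
assumptions; the 8-hour SSO session length is the page's own assumption.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

SSO_SESSION_TTL = 8 * 3600   # average SSO session of 8 hours


@dataclass
class SsoSession:
    user_id: str
    expires_at: int
    # app name -> that app's session id. Keeping this link is what turns
    # "revoke the user" into "log the user out of every app".
    app_sessions: Dict[str, str] = field(default_factory=dict)


class SessionFederation:
    """Store owned by the SSO server. Each app still sets its own session
    cookie, but registers that session here under the SSO session that
    created it, so the IdP can reach every app session from the user."""

    def __init__(self) -> None:
        self._sso: Dict[str, SsoSession] = {}
        self._by_user: Dict[str, Set[str]] = {}
        # Back-channel logout: app name -> app session ids the app must drop.
        self.logout_queue: Dict[str, Set[str]] = {}

    def login(self, user_id: str, now: Optional[int] = None) -> str:
        """Use case 1: the user authenticates once and gets an SSO session."""
        now = int(time.time()) if now is None else now
        sso_sid = secrets.token_urlsafe(32)
        self._sso[sso_sid] = SsoSession(user_id, now + SSO_SESSION_TTL)
        self._by_user.setdefault(user_id, set()).add(sso_sid)
        return sso_sid

    def access_app(self, sso_sid: str, app: str,
                   now: Optional[int] = None) -> Optional[str]:
        """Use case 2: an app is reached with a live SSO session, so an app
        session is issued without re-prompting. Returns None when the SSO
        session is unknown, revoked or expired (the app must send the user
        back to the login page)."""
        now = int(time.time()) if now is None else now
        sess = self._sso.get(sso_sid)
        if sess is None or now >= sess.expires_at:
            return None
        if app not in sess.app_sessions:
            sess.app_sessions[app] = secrets.token_urlsafe(32)
        return sess.app_sessions[app]

    def is_app_session_valid(self, app: str, app_sid: str,
                             now: Optional[int] = None) -> bool:
        """An app's check of one of its session ids against the federation
        (linear scan here; a real store would index by app session id)."""
        now = int(time.time()) if now is None else now
        return any(s.app_sessions.get(app) == app_sid and now < s.expires_at
                   for s in self._sso.values())

    def revoke_user(self, user_id: str) -> Dict[str, Set[str]]:
        """Use case 3: an admin revokes the user. Every SSO session and every
        app session linked to it is removed, and each app is queued a logout
        for the sessions it owned. Returns what was revoked, per app."""
        revoked: Dict[str, Set[str]] = {}
        for sso_sid in self._by_user.pop(user_id, set()):
            sess = self._sso.pop(sso_sid)
            for app, app_sid in sess.app_sessions.items():
                revoked.setdefault(app, set()).add(app_sid)
                self.logout_queue.setdefault(app, set()).add(app_sid)
        return revoked
```

The point of the `app_sessions` link is the failure mode it prevents: without it an admin can only delete the SSO session, and each app's own cookie keeps working until that app session expires, which is the usual reason "logged out everywhere" does not hold in practice. The `logout_queue` is the place where a real design would hook OIDC back-channel logout or SAML single logout so that the apps learn of the revocation promptly.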
💡 Interview Tips
- Start with the SSO flow: IdP, SP, tokens
- Discuss the difference between authentication and authorization
- Emphasize security considerations
- Be prepared to explain OAuth2 flows
- Know the difference between access tokens and refresh tokens
- Understand session management challenges