Explanation
This section provides background information, context, and clarification about SSO concepts, design decisions, and the underlying architecture. These explanations help you understand why things work the way they do.
Core Concepts
Why We Need SSO
Understand the rationale behind implementing Single Sign-On across Statista's 3.5 and 4.0 stack, including the benefits of unified authentication, scalability, and the role of Auth0.
SSO Cookies
Learn about the cookies used in our SSO implementation, what information they contain, and how they maintain user authentication state.
Fernando Solution
A mechanism for detecting cookie support that prevents bot traffic from causing redirect loops and noisy errors.
Statista 4.0 User Rights
Explore how Role-Based Access Control (RBAC) is implemented in Statista 4.0, including the structure of user rights and permissions.
OpenAthens Keystone Architecture
Understand how OpenAthens Keystone integrates with Auth0 to provide multi-federation access, including the domain-based user identification mechanism.
Understanding EZProxy
Learn how EZProxy works as a middleware solution for managing access to electronic resources, including its IP proxy functionality, URL rewriting, and integration with Statista.
SAML Auth0 Self-Service Overview
Understand the Auth0 self-service SAML integration, including the rationale behind the approach and how Single Logout (SLO) works to ensure complete sign-out across systems.
Shibboleth Overview
Learn about Shibboleth, an open-source federated identity solution used in academic and research communities, how it compares to OpenAthens, and how it operates using SAML.
EZProxy/OverDrive Overview
Understand how we reuse the OverDrive EZProxy integration with Auth0 to provide secure, IP-free Statista access for selected customers.
Deep Linking — Getting Users Where They Actually Want to Go
Understand what deep linking is, why it matters, and which authentication methods support it. A jargon-free introduction suitable for anyone on the team. Start here before reading any of the method-specific pages below.
Deep Linking with OpenAthens Keystone
How our oa-deeplink.ts route stores the target URL in a cookie, survives the Keystone SAML/OIDC round-trip, and lands users on the specific resource page they clicked.
Deep Linking with EZproxy (OverDrive Mode)
How the URL parameter from EZproxy carries the destination through the OverDrive authentication flow — and the current gap in BANGAuthenticate.dll that needs closing.
Deep Linking with Shibboleth
How SAML RelayState and WAYFless login URLs work together in our Shibboleth setup to deliver users to their intended resource.
Deep Linking with Enterprise Connections (SAML / OIDC)
How deep linking works through Auth0 self-service enterprise connections, and what customers need to include in their links.
Architecture Decisions
Important decisions that have shaped our SSO implementation:
Restructure IP Login Implementation
Status: Rejected - A proposed restructuring of the IP login mechanism to unify the logic shared by the monolith and the Statista 4.0 apps. Rejected because IP login will be discontinued.
Lambda to Fargate Migration
Status: Accepted - The decision to migrate the remix-sso application from AWS Lambda to AWS Fargate, motivated by rate-limiting issues during traffic spikes.