Single Sign-On (SSO)
Summary Definition: An identity authentication protocol allowing users to seamlessly access multiple sites, applications, or systems after a single successful login with an Identity Provider (IdP).
What is SSO?
Single sign-on (SSO) is an authentication program that allows users to access multiple independent applications, services, and websites based on a successful login attempt with a trusted identity provider (IdP).
The user’s verified identity is then confirmed by a generated identity token granting secure access across all participating systems, sites, and apps without requiring individual login attempts.
Single sign-on authentication streamlines user access and simplifies identity and access management (IAM) efforts by reducing the need to manage several sets of credentials.
Key Takeaways
- Single sign-on (SSO) allows users to securely access multiple applications and systems after a single login through a trusted third-party IdP.
- Standard single sign-on protocols like SAML, OIDC, and Kerberos support different environments and use cases, from cloud apps to internal enterprise networks.
- SSO enhances user experience and centralizes access management but also introduces potential security and compatibility challenges.
Single Sign-On vs. Same Sign-On
Despite sharing the acronym “SSO,” single sign-on and same sign-on function differently. Both authentication methods store and synchronize a single set of login credentials for each user, but only single sign-on allows users to bypass subsequent login prompts.
Similar to Active Directory and Lightweight Directory Access Protocol (LDAP), same sign-on merely remembers and populates credentials for each login request.
In other words, single sign-on is like a fast-pass or pre-check status that expedites access across various systems after a single successful login. Same sign-on, conversely, is more like security checkpoints at different buildings on a corporate campus, each accepting the same verified information but still requiring individuals to provide it repeatedly.
How Does SSO Work?
Single sign-on procedures require precise, secure interactions between trusted third-party IdPs and websites or applications (i.e., “relying parties” or “service providers”) requiring user authentication.
The process begins with a user either logging into an IdP’s SSO application or trying to access a separate site that redirects the user to the IdP’s single sign-on portal, usually with a prompt like “Login with SSO.”
After the user enters their corresponding login credentials, the IdP confirms their identity and generates an identity token containing verified identity information about the user, such as their name or email address.
The token then acts like an SSO ID badge or pass that each site automatically accepts based on its trusted relationship with the IdP. In some cases, the IdP can also generate an access token defining what the user’s device is authorized to do (i.e., log into the app) or replace tokens altogether with secured SSO codes.
Types of Single Sign-On Solutions
Most SSO authentication processes are social or enterprise-based, meaning they rely on the authority of a popular social media site or service provider (e.g., Apple or Google), or businesses purchase them as software from SSO providers for their employees and clients to use.
Regardless, both types are considered a form of federated identity management (FIM), which is a framework for allowing two or more domains, systems, or networks to trust and communicate with each other.
Open Authorization 2.0 (OAuth 2.0), for example, is another type of FIM that focuses on granting third-party apps or services limited access to resources or networks without the need for passwords. Instead of asking, “Is this User A trying to access these websites?” as single sign-on does, OAuth 2.0 asks, “What can Application A do with User B’s data on Website C?”
SSO Data Configurations
Each SSO service or platform uses a specific setup for exchanging and validating information:
- Security Assertion Markup Language (SAML) – SAML SSO uses Extensible Markup Language (XML) to connect and verify a user’s identity. While it’s older and less flexible than OIDC, SAML’s enhanced support for additional security measures, such as multi-factor authentication (MFA), typically makes it the preferred SSO integration for large businesses and organizations
- OpenID Connect (OIDC) – OIDC authentication is a newer, more agile type of SSO based on more modern technologies, like JavaScript Object Notation (JSON) and Representational State Transfer (REST). Its increased adaptability makes OIDC easier to implement across web, mobile, and cloud-based applications.
- Kerberos – Kerberos authentication is a ticket-based system using encrypted credentials to verify identity across multiple systems within a single network. Like SAML, Kerberos is primarily used by larger organizations, but typically ones using Windows-based software and only internal networks.
SSO Pros and Cons
While SSO software offers a streamlined and secure approach to user authentication, organizations must weigh the benefits and challenges of implementing single sign-on providers.
| Benefits of Single Sign-On | Single Sign-On Challenges |
| Improved User Experience: SSO solutions streamline user access by reducing login frequency and simplifying the authentication experience. | SSO Security: Allowing one set of credentials so much access risks greater damage if said credentials are ever compromised or stolen. |
| Password Manager: SSO reduces password exposure and vulnerability by minimizing the number of passwords a user must remember. | Access Dependency: Linking widespread access to SSO can create greater disruptions from an SSO database outage. |
| Centralized Control: Due to the centralized system feeding its network, SSO makes it easier to grant, change, or revoke user access across multiple systems. | Compatibility Issues: Not all applications may be compatible with a company’s chosen SSO platform or provider. |
| Increased IT Bandwidth: Employees who only need to remember one set of credentials are less likely to submit IT requests asking to retrieve or reset forgotten passwords. | Setup Challenges: Initial SSO implementation can be costly and complicated regardless of an organization’s size or industry. |
| SSO Basic Understanding: From an end user’s perspective, the simplicity of the SSO process makes it easy to comprehend and adopt. | Compliance: Older SSO setups may not comply with recent legislation regarding sharing user information or data privacy. |
Unify HR and IT
Managing employee accounts can feel cumbersome and manual, but it's essential to ensure your team has the right access to the software they need to be productive. Without a unified process in place, this accountability is fragmented between HR data and IT systems, leading to inefficiencies and heightened security risks.