{
    "@context": "https://schema.org",
    "@type": "DefinedTerm",
    "@id": "https://hostdir.net/glossary/sso",
    "name": "SSO",
    "alternateName": [
        "Single Sign-On"
    ],
    "description": "SSO (Single Sign-On) is a user authentication process that enables access to multiple independent applications after a single login, using a central identity provider to issue and validate credentials.",
    "url": "https://hostdir.net/glossary/sso",
    "inDefinedTermSet": "https://hostdir.net/glossary",
    "termCode": "sso",
    "mainEntityOfPage": "https://hostdir.net/glossary/sso",
    "license": "https://creativecommons.org/licenses/by/4.0/",
    "_hostdir": {
        "kind": "glossary-term",
        "slug": "sso",
        "canonical": "https://hostdir.net/glossary/sso",
        "term": "SSO",
        "category": "Security",
        "category_slug": "security",
        "summary": "SSO (Single Sign-On) is a user authentication process that enables access to multiple independent applications after a single login, using a central identity provider to issue and validate credentials.",
        "definition": "SSO (Single Sign-On) is an authentication scheme that lets a user log in once and gain access to multiple independent software systems without re-entering credentials. The core idea is that one authentication event, often backed by a session token or ticket, is accepted by all participating applications as proof of identity. This reduces password fatigue, decreases time spent re-authenticating, and lowers support costs associated with password resets.\n\nIn a typical SSO flow, the user requests access to a service provider (SP) application. The SP redirects the user to a central identity provider (IdP). The user authenticates to the IdP (for example, by entering a password and a second factor). The IdP generates a signed assertion or token, often in SAML 2.0 or OpenID Connect 1.0 formats. The user’s browser carries this token back to the SP, which validates the signature and establishes a local session. Subsequent requests to other SPs follow the same pattern, but the IdP already recognizes the user’s session and issues new tokens without asking for credentials again.\n\nSSO sits in the security layer above individual applications, typically as part of an identity and access management (IAM) stack. Protocols such as SAML 2.0, OAuth 2.0, and OpenID Connect 1.0 define the message formats and flows. Kerberos, common in enterprise Windows environments, uses ticket-granting tickets for SSO. While SSO improves user convenience, it introduces a single point of failure: if the IdP is compromised, every relying application is exposed. Organizations often combine SSO with multi-factor authentication and session monitoring to mitigate this risk.",
        "examples": "A Google Workspace user logs into their Gmail account. The session is recorded by Google's IdP. When the user then navigates to Google Drive or Google Calendar, those services detect the existing Google session and grant access without prompting for credentials again. Behind the scenes, the IdP issues a signed token (OpenID Connect ID token or OAuth access token) that each service validates independently.",
        "key_facts": [
            "Reduces password fatigue and support workload by eliminating multiple logins.",
            "Relies on a central identity provider (IdP) to authenticate the user and issue tokens.",
            "Common protocols include SAML 2.0, OAuth 2.0, and OpenID Connect 1.0.",
            "Presents a single point of security failure if the IdP is breached.",
            "Frequently implemented via browser redirects, HTTP cookies, or Kerberos ticket-granting tickets."
        ],
        "related_terms": [
            "Identity Provider (IdP)",
            "Service Provider (SP)",
            "SAML 2.0",
            "OAuth 2.0",
            "OpenID Connect (OIDC)",
            "Kerberos",
            "Multi-Factor Authentication (MFA)"
        ],
        "references": [
            {
                "title": "SAML V2.0 Technical Overview (OASIS)",
                "url": "https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html"
            },
            {
                "title": "The OAuth 2.0 Authorization Framework (RFC 6749)",
                "url": "https://datatracker.ietf.org/doc/html/rfc6749"
            },
            {
                "title": "OpenID Connect Core 1.0 Specification",
                "url": "https://openid.net/specs/openid-connect-core-1_0.html"
            },
            {
                "title": "Kerberos Network Authentication Service (RFC 4120)",
                "url": "https://datatracker.ietf.org/doc/html/rfc4120"
            }
        ],
        "word_count": 267,
        "license": "CC BY 4.0",
        "license_url": "https://creativecommons.org/licenses/by/4.0/",
        "attribution": "HostDir Glossary — https://hostdir.net/glossary/sso"
    }
}