
What is SSO?

Also known as: Single Sign-On

Definition

SSO (Single Sign-On) is a user authentication process in which a user logs in once to a central identity provider (IdP), which then issues signed assertions or tokens that multiple independent applications validate and accept as proof of identity.

SSO (Single Sign-On) is an authentication scheme that lets a user log in once and gain access to multiple independent software systems without re-entering credentials. The core idea is that one authentication event, often backed by a session token or ticket, is accepted by all participating applications as proof of identity. This reduces password fatigue, decreases time spent re-authenticating, and lowers support costs associated with password resets.

In a typical browser-based SSO flow, the user requests access to a service provider (SP) application. The SP redirects the browser to a central identity provider (IdP). The user authenticates to the IdP (for example, with a password and a second factor), and the IdP sets its own session cookie in the browser. The IdP then generates a signed assertion or token, typically a SAML 2.0 assertion or an OpenID Connect 1.0 ID token, and the browser carries it back to the SP. The SP verifies the signature against the IdP's published key and checks that the issuer, audience, and validity period match before establishing its own local session. When the user later visits another SP, the same redirect happens, but the IdP recognizes its session cookie and issues a fresh token for that SP without asking for credentials again.

SSO sits in the security layer above individual applications, typically as part of an identity and access management (IAM) stack. SAML 2.0 and OpenID Connect 1.0 define the message formats and flows; OAuth 2.0 underlies OIDC but is an authorization framework, and an access token alone does not prove who the user is. Kerberos, common in enterprise Windows environments, achieves SSO with ticket-granting tickets instead of browser redirects. The convenience comes at the price of concentration: the IdP becomes a single point of compromise and of availability. An attacker who controls the IdP, or its signing key, can mint valid assertions for every relying application without knowing a single password, and an IdP outage locks users out of all of them. Organizations therefore pair SSO with multi-factor authentication at the IdP, short token lifetimes, strict audience and replay checks at each SP, and monitoring of IdP sessions.
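The flow and the validation checks described above, as an added example that is not part of the original page and does not reproduce any real IdP's or SP's code. It models one IdP and two SPs in plain Python: a single credential prompt, a second SP served from the existing IdP session, and the rejections an SP must produce for a token aimed at a different SP, a replayed token, an expired token, and a tampered payload. HMAC-SHA256 stands in for the RSA/ECDSA signatures that SAML and OIDC use, so both sides share one key here; in a real deployment the SP holds only the IdP's public key. The hostnames, the user alice and her password are constructed for the example. The last step illustrates the single-point-of-compromise caveat: whoever holds the IdP signing key can mint a token that every SP accepts.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(key, claims):
    """Serialize claims and append an HMAC-SHA256 tag (assumed stand-in for
    the RSA/ECDSA signature on a SAML assertion or OIDC ID token)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

class IdentityProvider:
    """Holds the passwords and the signing key; prompts for credentials once."""
    def __init__(self, issuer, key, users):
        self.issuer, self._key, self._users = issuer, key, users
        self._sessions = {}   # IdP session cookie -> username
        self.prompts = 0      # how often credentials were requested

    def login(self, username, password):
        self.prompts += 1     # the only step that ever sees the password
        if self._users.get(username) != password:
            return None
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = username
        return cookie

    def authorize(self, cookie, audience, ttl=300):
        """Mint a token for one SP from an existing IdP session; no re-prompt."""
        username = self._sessions.get(cookie)
        if username is None:
            return None
        now = int(time.time())
        return sign_token(self._key, {
            "iss": self.issuer, "sub": username, "aud": audience,
            "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)})

class ServiceProvider:
    """Trusts one issuer; checks signature, issuer, audience, lifetime, replay."""
    def __init__(self, audience, issuer, key):
        self.audience, self.issuer, self._key = audience, issuer, key
        self._seen_jti = set()

    def accept(self, token, now=None):
        """Return the authenticated username, or raise ValueError."""
        now = int(time.time()) if now is None else now
        body, _, tag = token.partition(".")
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad signature")      # verified before the payload is parsed
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self.issuer:
            raise ValueError("untrusted issuer")
        if claims.get("aud") != self.audience:
            raise ValueError("token issued for a different SP")
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("expired or not yet valid")
        if claims["jti"] in self._seen_jti:
            raise ValueError("replayed token")
        self._seen_jti.add(claims["jti"])
        return claims["sub"]

def demo():
    """One login, two SPs, then the failure modes an SP must catch."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example", key, {"alice": "correct horse"})
    app_a = ServiceProvider("https://app-a.example", idp.issuer, key)
    app_b = ServiceProvider("https://app-b.example", idp.issuer, key)

    def rejected(sp, token, **kw):
        try:
            sp.accept(token, **kw)
        except ValueError as err:
            return str(err)
        return "ACCEPTED"

    out = {}
    cookie = idp.login("alice", "correct horse")      # the single credential prompt
    tok_a = idp.authorize(cookie, app_a.audience)
    tok_b = idp.authorize(cookie, app_b.audience)     # IdP session reused, no prompt
    out["user_a"], out["user_b"] = app_a.accept(tok_a), app_b.accept(tok_b)
    out["prompts"] = idp.prompts
    out["cross_sp"] = rejected(app_b, tok_a)          # aud names app_a, not app_b
    out["replay"] = rejected(app_a, tok_a)            # jti already consumed
    out["expired"] = rejected(app_b, idp.authorize(cookie, app_b.audience),
                              now=int(time.time()) + 600)
    body, _, tag = tok_a.partition(".")
    forged = _b64(_unb64(body).replace(b'"alice"', b'"admin"')) + "." + tag
    out["tamper"] = rejected(app_a, forged)           # body changed, tag did not
    # Single point of compromise: the IdP signing key alone mints a token
    # that every SP accepts, with no password involved at all.
    now = int(time.time())
    out["key_holder"] = app_a.accept(sign_token(key, {
        "iss": idp.issuer, "sub": "mallory", "aud": app_a.audience,
        "iat": now, "exp": now + 300, "jti": "stolen-key-token"}))
    return out

if __name__ == "__main__":
    print(demo())
```

The order of checks in accept matters: the signature is verified before the payload is parsed, so a forged body never reaches the claim logic, and the audience check runs before the replay check, so a token aimed at another SP is refused for the right reason rather than being recorded as consumed.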

Key facts

  • Reduces password fatigue and support workload by eliminating multiple logins.
  • Relies on a central identity provider (IdP) to authenticate the user and issue tokens.
  • Common protocols are SAML 2.0 and OpenID Connect 1.0; OIDC is built on OAuth 2.0, which by itself is an authorization framework rather than an authentication protocol.
  • Concentrates risk in the IdP: a compromised IdP or leaked signing key exposes every relying application.
  • Frequently implemented via browser redirects, HTTP cookies, or Kerberos ticket-granting tickets.

How it works in practice

A Google Workspace user signs in to Gmail. Google's IdP records the authenticated session in the browser. When the user then opens Google Drive or Google Calendar, those services hand the browser to the IdP, which recognizes the existing session and returns the user without prompting for credentials again. The exact internal mechanics are Google's own, but conceptually this is the SP/IdP pattern described above: the IdP issues each service a signed token (in the public-facing protocols, an OpenID Connect ID token or OAuth access token) that the service validates independently.

Related terms

  • Identity Provider (IdP)
  • Service Provider (SP)
  • SAML 2.0
  • OAuth 2.0
  • OpenID Connect (OIDC)
  • Kerberos
  • Multi-Factor Authentication (MFA)

More in Security

2FA

Two-factor authentication (2FA) is a security method that requires a user to present two distinct types of evidence to verify their identity, typically a password plus a one-time code from an authenticator app or an assertion from a hardware security key.

Bot Management

Bot management detects automated web traffic and distinguishes it from human users, using behavioral fingerprinting and other signals to block malicious bots while allowing benign ones.

Credential Stuffing

Credential stuffing is a cyberattack in which automated tools use username-password pairs leaked from one site to try logging into other sites, exploiting password reuse.

DDoS

A DDoS (Distributed Denial of Service) attack overwhelms a target server, service, or network with massive traffic from many compromised computers, making it unavailable to legitimate users.

DDoS Scrubbing

DDoS scrubbing diverts attack traffic to a specialized filtering facility that removes malicious packets and forwards only legitimate traffic to the target network.

Firewall

A firewall is a network security device or software that monitors and controls incoming and outgoing traffic based on predetermined security rules, acting as a barrier between trusted and untrusted networks.

IDS

An Intrusion Detection System (IDS) monitors network traffic or host activity for signs of malicious behavior or policy violations and generates alerts for security personnel.

IPS

An Intrusion Prevention System (IPS) is a network security device that monitors traffic inline and actively blocks malicious packets before they reach their target.

OAuth 2.0

OAuth 2.0 is an authorization framework that allows a user to grant a third-party application limited access to their resources on another service without revealing their password.

OpenID Connect

OpenID Connect (OIDC) is an identity authentication layer built on OAuth 2.0 that provides a signed ID token containing verified user identity claims.
