single sign-on (SSO)

Contributor(s): Taina Teravainen

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.

In a basic web SSO service, an agent module on the application server retrieves the specific authentication credentials for an individual user from a dedicated SSO policy server, while authenticating the user against a user repository such as a Lightweight Directory Access Protocol (LDAP) directory.

Some SSO services use protocols such as Kerberos and the Security Assertion Markup Language (SAML). SAML is an XML standard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications between the user, an identity provider that maintains a user directory, and a service provider. When a user attempts to access an application from the service provider, the service provider will send a request to the identity provider for authentication. The service provider will then verify the authentication and log the user in. The user will not have to log in again for the rest of the session. In a Kerberos-based setup, once the user credentials are provided, a ticket-granting ticket (TGT) is issued. The TGT fetches service tickets for other applications the user wishes to access, without asking the user to re-enter credentials.

Although single sign-on is a convenience to users, it presents risks to enterprise security. An attacker who gains control over a user's SSO credentials will be granted access to every application the user has rights to, increasing the amount of potential damage. In order to avoid malicious access, it's essential that every aspect of SSO implementation be coupled with identity governance. Organizations can also use two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security.

This was last updated in June 2016


Join the conversation



How do you name systems which are not SSO? Do they have a special name or they're called just "not single-sign on"?
I need help getting updates about new technologies and resolving issues relating to system administrator
@Pelagia: Good question! SSO provides a way to do user authentication once, for multiple systems. So, to refer to a system that uses "non-SSO" authentication, you'd just say it uses an ordinary authentication process.
What has your experience been with integrating single sign-on into existing applications?
How does a new applicant go to create his/her SSOID?
Please guide
Dr Prakash Mishra
SSO is usually administered through the enterprise, so one would work with the IT department on that.

If *you* are the IT person charged with setting this up, it is probably a good idea to check in with your vendors before trying to set up SSO.
I was assigned an SSO by a paid website I subscribe to without asking for it or signing up for it in any way. It states an SSO # associated with my account for the website. Why is this and what does it mean?
That's a good question -- for the paid website you subscribe to.

They should be able to explain anything related to your account and their own website.

