single sign-on (SSO)

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials -- for example, a name and password -- to access multiple applications. SSO can be used by enterprises, smaller organizations and individuals to ease the management of various usernames and passwords.

In a basic web SSO service, an agent module on the application server retrieves the specific authentication credentials for an individual user from a dedicated SSO policy server, while authenticating the user against a user repository, such as a Lightweight Directory Access Protocol (LDAP) directory. The service authenticates the end user for all the applications the user has been given rights to and eliminates future password prompts for individual applications during the same session.

How single sign-on works

Single sign-on is a federated identity management (FIM) arrangement, and the use of such a system is sometimes called identity federation. OAuth, which stands for Open Authorization and is pronounced "oh-auth," is the framework that enables an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.

Figure: A visualization of how single sign-on works

OAuth acts as an intermediary on behalf of the end user by providing the service with an access token that authorizes specific account information to be shared. When a user attempts to access an application from the service provider, the service provider will send a request to the identity provider for authentication. The service provider will then verify the authentication and log the user in.

Types of SSO configurations

Some SSO services use protocols such as Kerberos and Security Assertion Markup Language (SAML).

  • SAML is an Extensible Markup Language (XML) standard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications among the user, an identity provider that maintains a user directory and a service provider.
  • In a Kerberos-based setup, once the user credentials are provided, a ticket-granting ticket (TGT) is issued. The TGT fetches service tickets for other applications the user wishes to access, without asking the user to reenter credentials.
  • Smart card-based SSO will ask an end user to use a card holding the sign-in credentials for the first login. Once the card is used, the user will not have to reenter usernames or passwords. SSO smart cards will store either certificates or passwords.

Security risks and SSO

Although single sign-on is a convenience to users, it presents risks to enterprise security. An attacker who gains control over a user's SSO credentials will be granted access to every application the user has rights to, increasing the amount of potential damage. In order to avoid malicious access, it's essential that every aspect of SSO implementation be coupled with identity governance. Organizations can also use two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security.
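The following is an added example, not code from the original article or from any vendor: it sketches the step where the service provider verifies what the identity provider asserted, and lets a sensitive application refuse a login that was not backed by MFA. The HMAC key, claim names and the REQUIRE_MFA policy table are assumptions made for illustration; real SAML or OAuth deployments verify an asymmetric signature instead of a shared key.

```python
import base64, hashlib, hmac, json

# Constructed demo values: a shared HMAC key stands in for the identity
# provider's signing key (an assumption; real IdPs sign asymmetrically).
IDP_KEY = b"demo-key-not-for-production"
# Hypothetical per-application policy: which apps demand an MFA-backed login.
REQUIRE_MFA = {"payroll": True, "wiki": False}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())

def issue_assertion(user, audience, mfa, now, ttl=300):
    """Identity provider side: sign claims about a completed authentication."""
    claims = {"sub": user, "aud": audience, "mfa": mfa, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def verify_assertion(token, app, now):
    """Service provider side: return the user name or raise ValueError."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed assertion") from None
    # Constant-time comparison; claims are parsed only after this passes.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != app:  # assertion minted for a different application
        raise ValueError("assertion issued for another application")
    if now >= claims["exp"]:  # short lifetime limits reuse of a stolen token
        raise ValueError("assertion expired")
    # Unknown applications default to requiring MFA.
    if REQUIRE_MFA.get(app, True) and not claims["mfa"]:
        raise ValueError("application requires MFA")
    return claims["sub"]

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    token = issue_assertion("alice", "wiki", mfa=False, now=now)
    print(verify_assertion(token, "wiki", now + 10))  # accepted for the wiki
    try:
        verify_assertion(token, "payroll", now + 10)
    except ValueError as err:
        print("rejected:", err)
```
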

Social SSO

Google, LinkedIn, Twitter and Facebook offer popular SSO services that enable an end user to log in to a third-party application with their social media authentication credentials. Although social single sign-on is a convenience to users, it can present security risks because it creates a single point of failure that can be exploited by attackers.

Many security professionals recommend that end users refrain from using social SSO services altogether because, once an attacker gains control over a user's SSO credentials, they will be able to access all other applications that use the same credentials.

Apple recently unveiled its own single sign-on service and is positioning it as a more private alternative to the SSO options provided by Google, Facebook, LinkedIn and Twitter. The new offering, which will be called Sign in with Apple, is expected to limit what data third-party services can access. Apple's SSO will also enhance security by requiring users to use 2FA on all Apple ID accounts to support integration with Face ID and Touch ID on iOS devices.

Enterprise SSO

Enterprise single sign-on (eSSO) software products and services are password managers with client and server components that log the user on to target applications by replaying user credentials. These credentials are almost always a username and password; target applications do not need to be modified to work with the eSSO system.

Advantages and disadvantages of SSO

Advantages of SSO include the following:

  • It enables users to remember and manage fewer passwords and usernames across applications.
  • It streamlines the process of signing on and using applications -- no need to reenter passwords.
  • It lessens the chance of phishing.
  • It leads to fewer complaints or trouble about passwords for IT help desks.

Disadvantages of SSO include the following:

  • It does not address certain levels of security each application sign-on may need.
  • If availability is lost, then users are locked out of the multiple systems connected to the SSO.
  • If unauthorized users gain access, then they could gain access to more than one application.

SSO vendors

There are multiple well-known SSO vendors. Some provide other services, with SSO as an additional feature. SSO vendors include the following:

  • Rippling enables users to sign in to cloud applications from multiple devices.
  • Avatier Identity Anywhere is an SSO for Docker container-based platforms.
  • OneLogin is a cloud-based identity and access management (IAM) platform that supports SSO.
  • Okta is a tool with SSO functionality. Okta also supports 2FA and is primarily utilized by enterprise users.
This was last updated in April 2020

Join the conversation


How do you name systems which are not SSO? Do they have a special name or they're called just "not single-sign on"?
I need help getting updates about new technologies and resolving issues relating to system administrator
Adding up to what Peter said, any business that has more than one website or application and allows customers to log in to their networks through the websites or applications should deploy single sign-on. It improved user experience, centralized user profiles and centralized reporting and analysis. You can learn a few things about web and mobile SSO over here
@Pelagia: Good question! SSO provides a way to do user authentication once, for multiple systems. So, to refer to a system that uses "non-SSO" authentication, you'd just say it uses an ordinary authentication process.
What has your experience been with integrating single sign-on into existing applications?
How does a new applicant go to create his/her SSOID?
Please guide
Dr Prakash Mishra
SSO is usually administered through the enterprise, so one would work with the IT department on that.

If *you* are the IT person charged with setting this up, it is probably a good idea to check in with your vendors before trying to set up SSO.
I was assigned an SSO by a paid website I subscribe to without asking for it or signing up for it in any way. It states an SSO # associated with my account for the website. Why is this and what does it mean?
That's a good question -- for the paid website you subscribe to.

They should be able to explain anything related to your account and their own website.
Hey Margaret, thanks for sharing this article. In simple terms, "SSO assists customers to sign in to connected domains or applications with one username and password."

There are 3 types of single sign-on solutions: web, mobile, and federated single sign-on.

The concept of seamless access is common to each type, but they differ in their architecture and methods:

Web SSO: Web single sign-on enables your customers to access any of your connected web properties with a single identity. 

Mobile SSO: Mobile single sign-on is like web SSO, except that customers can use a single identity to access connected mobile apps.

Federated SSO: Federated single sign-on works a little differently than web and mobile SSO. Rather than connecting websites or mobile apps, you use the login credentials held by partners. 

We are looking for a single sign-on app/gateway to control user access to our webcam, which is done on a subscription basis. If anyone knows of any software or app that does that, please let me know, thanks. My email: [email protected]
Assigned to implement SSO to our team task but don't know how to go about it yet

nice post by