What Is Single Sign-On Authentication (SSO) And How Does It Work? (2024)

Single Sign-On (SSO) authentication is now required more than ever. Nowadays, almost every website requires some form of authentication to access its features and content. With the number of websites and services rising, a centralized login system has become a necessity. In this post, we will study how SSO authentication is implemented for the web. Read on!

Federated Identity Glossary

The concept of a centralized or linked electronic identity is known as federated identity. Federated identity systems handle several concerns:

  • Authentication
  • Authorization
  • User attributes exchange
  • User management

The authentication aspect deals with validating user credentials and establishing the identity of the user.

Authorization is related to access restrictions (e.g., is the user allowed to access X resource?).

The attributes exchange aspect deals with data sharing across different user management systems. For instance, fields such as "real name" may be present in multiple systems. A federated identity system prevents data duplication by linking the related attributes.

Lastly, user management is related to the administration (creation, deletion, update) of user accounts. A federated identity system usually provides the means for administrators (or users) to handle accounts across domains or subsystems.

SSO is strictly related to the authentication part of a federated identity system. Its only concern is establishing the identity of the user and then sharing that information with each subsystem that requires the data. Below, we focus on this crucial aspect of a federated identity system.

What Is Single Sign-On Authentication (SSO) And How Does It Work? (1)

Single Sign-On (SSO) Authentication

Sooner or later web development teams face one problem: you have developed an application at domain X and now you want your new deployment at domain Y to use the same login information as the other domain. In fact, you want more: you want users who are already logged-in at domain X to be already logged-in at domain Y. This is what SSO is all about.

What Is Single Sign-On Authentication (SSO) And How Does It Work? (2)

The obvious solution to this problem is to share session information across different domains. However, for security reasons, browsers enforce a policy known as the same origin policy. This policy dictates that cookies (and other locally stored data) can only be accessed by its creator (i.e. the domain that originally requested the data to be stored). In other words, domain X cannot access cookies from domain Y or vice versa. This is what SSO solutions solve in one way or the other: sharing session information across different domains.

What Is Single Sign-On Authentication (SSO) And How Does It Work? (3)

Different SSO protocols share session information in different ways, but the essential concept is the same: there is a central domain, through which authentication is performed, and then the session is shared with other domains in some way.

For instance, the central domain may generate a signed JSON Web Token (JWT), which may be encrypted using JSON Web Encryption (JWE). This token may then be passed to the client and used by the authentication domain as well as any other domains. The token can be passed to the original domain by a redirect and it contains all the information needed to identify the user for the domain requiring authentication. As the token is signed, it cannot be modified in any way by the client.

What Is Single Sign-On Authentication (SSO) And How Does It Work? (4)

Whenever users go to a domain that requires authentication, they are redirected to the authentication domain. As users are already logged-in at that domain, they can be immediately redirected to the original domain with the necessary authentication token.

What Is Single Sign-On Authentication (SSO) And How Does It Work? (5)

SSO Authentication with Auth0

If you have been reading about SSO online, you have probably found that there are many different implementations: OpenID Connect, Facebook Connect, SAML, Microsoft Account (formerly known as Passport), etc. Our advice is to choose whatever is simplest for your development efforts. For instance, SAML is deeply entrenched in enterprise developments, so in some cases, it will make sense to pick that. If you think you will need to integrate your development with more than one alternative, don't despair: there are frameworks that allow interoperability between different SSO solutions. In fact, that's one of the things we do at Auth0.

Try out Auth0 authentication for free.Get started →

You can go and check our docs on Single Sign-On and the Auth0 SSO samples.

If you remember the Typical SSO Scenario diagram we saw earlier, you can see how Auth0 comes to play in the next diagram:

What Is Single Sign-On Authentication (SSO) And How Does It Work? (6)

In this case, Auth0 is the Authentication Server and it works as a bridge between different SSO frameworks.

For further information, we invite you to learn more about SSO with our free whitepaper.

Download the Whitepaper

What Is Single Sign-On Authentication (SSO) And How Does It Work? (7)

Conclusion

Single Sign-On authentication is here to stay. Decentralized systems are becoming more and more common and authentication is an essential aspect of all of them. SSO solves a big problem: how to manage the increasing number of users across a whole ecosystem of applications and services. Frameworks such as OpenID Connect and services such as the one we provide at Auth0 make integrating Single Sign-On into your new or existing applications much easier. If you are implementing authentication for a new application or service, consider integrating SSO from the get-go.

What Is Single Sign-On Authentication (SSO) And How Does It Work? (8)

What Is Single Sign-On Authentication (SSO) And How Does It Work? (2024)

FAQs

What Is Single Sign-On Authentication (SSO) And How Does It Work? ›

Single sign-on (SSO) is an authentication methodology that allows users to access multiple resources with a single entry of their login credentials (claim and secret). SSO delivers this user experience across various systems and domains.

What is single sign-on SSO and how does IT work? ›

Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials. SSO streamlines the authentication process for users.

What is single sign-on SSO simplified understanding how SSO works in plain English? ›

A single sign-on solution can simplify username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can simply remember a single more complex password. SSO often enables users to just get access to their applications much faster.

What's the difference between single sign-on SSO and social sign-on answer? ›

SSO offers seamless authentication with one credential across multiple connected platforms or systems. On the other hand, social login allows users to access services by authenticating themselves using their social account credentials.

What is a major risk of using single sign-on SSO? ›

Disadvantages of SSO include the following: It does not address certain levels of security each application sign-on might need. If availability is lost to apps that only allow SSO, users become locked out. If unauthorized users gain access, they could access more than one application.

What are three benefits of single sign-on? ›

By adopting SSO, organizations can streamline access management, enhance security, and improve user experience, ultimately driving operational efficiency and productivity across the enterprise.

How does login authentication work? ›

A client requests access to a protected resource. The Web server returns a dialog box that requests the user name and password. The client submits the user name and password to the server. The server validates the credentials and, if successful, returns the requested resource.

How does SSO work with Google? ›

You can configure your Cloud Identity or Google Workspace account to use single sign-on (SSO). When you enable SSO, users aren't prompted to enter a password when they try to access Google services. Instead, they are redirected to an external identity provider (IdP) to authenticate.

What is the difference between single sign-on and single identity? ›

The main difference between Identity Federation and SSO or federated login vs SSO lies in the range of access. SSO allows users to use a single set of credentials to access multiple systems within a single organization (a single domain). On the other hand, FIM lets users access systems across federated organizations.

How is SSO implemented? ›

Most SaaS applications have their own user directories. For SSO implementation to happen, you will need to get these different user directories on the same page. This can be done through various third-party vendors that have developed a single point of integration to use across all of your different platforms.

What are SSO roles? ›

SSO simply authenticates the users and places them in whichever Role has 'default type' set to Member. Role management should be done exclusively in the Vanilla Dashboard; never in the IDP. Any users who are not basic members are identified and set in Vanilla (not in the IdP).

How does ad SSO work? ›

Single sign-on works by using a central server that all of the different applications will trust. Once you have logged in through this central server, each application gets redirected to the same server. This will access your login credentials, allowing you to only enter your details once.

What is the difference between authentication and single sign on? ›

Authentication: process of an entity (the Principal) proving its identity to another entity (the System). Single Sign On (SSO): characteristic of an authentication mechanism that relates to the user's identity being used to provide access across multiple Service Providers.

What is single sign on SSO options? ›

Single sign-on options. Choosing an SSO method depends on how the application is configured for authentication. Cloud applications can use federation-based options, such as OpenID Connect, OAuth, and SAML. The application can also use password-based SSO, linked-based SSO, or SSO can be disabled.

What is the difference between single sign on and true single sign on? ›

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.

What happens if single sign-on is enabled? ›

When single sign-on is enabled, IBM SPSS Collaboration and Deployment Services applications log into a Kerberos domain and use Kerberos tokens for web services authentication. If single sign-on is enabled, it is strongly recommended that SSL communication be configured for the repository.

What is the benefit of using single sign-on SSO printing is? ›

HP PrinterOn Enterprise - What is SSO (Single Sign On)?

SSO advantages include: Eliminates credential re-authentication and help desk requests; thus, improving productivity. Streamlines local and remote application and desktop workflow. Minimizes phishing.

What is the difference between same sign-on and single sign-on? ›

Single sign-on systems require a one-time authentication from the user. Once logged in, the user can access other web applications and services without re-authenticating themselves. Meanwhile, same sign-on requires the user to repeat the login process each time with the same authentication credentials.

What is the difference between single sign-on and true single sign-on? ›

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Melvina Ondricka

Last Updated:

Views: 6398

Rating: 4.8 / 5 (48 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Melvina Ondricka

Birthday: 2000-12-23

Address: Suite 382 139 Shaniqua Locks, Paulaborough, UT 90498

Phone: +636383657021

Job: Dynamic Government Specialist

Hobby: Kite flying, Watching movies, Knitting, Model building, Reading, Wood carving, Paintball

Introduction: My name is Melvina Ondricka, I am a helpful, fancy, friendly, innocent, outstanding, courageous, thoughtful person who loves writing and wants to share my knowledge and understanding with you.