
What is SSO (Single Sign-On)?

Published on October 15, 2024

Single Sign-On, or SSO, is one of the most convenient features you may never have heard of by name. SSO allows users to log in to multiple applications or systems with a single set of credentials. If you have ever logged in to a corporate portal or a university system, you have almost certainly used it.

Without SSO, a user would have to enter credentials separately for every related system.

That leads to password fatigue (and, in practice, to reused and weakened passwords), which is far from ideal.

SSO has become an irreplaceable technology. It enhances both the security and the usability of systems and services. This article will focus on how SSO works, give a more granular definition, and explain how it's implemented. Let's start with SSO's basic principles.

What is Single Sign-On (SSO)?

Single Sign-On (SSO) is an authentication method that allows users to access multiple applications or systems with one set of login credentials. Google's account sign-in is one of the most widely used SSO systems to date. Google offers many services, like YouTube, Gmail, and Google Drive. It would be a pain to enter credentials for each service, every time, when they all accept the same account. That would get very annoying, very fast.

Instead, Google uses SSO. A user logs in to one of these services and has access to all of them. Let's walk through the process, step by step.

Authentication

You authenticate once by entering your email and password into Google's login system. Google (and most other IdPs) also offers MFA (multi-factor authentication). Because an SSO login unlocks every connected service, that single login is what attackers target with phishing and password guessing, so enabling MFA on it is crucial.

Universal Service Access

Once authenticated, you can access all related services. These include Google Drive, YouTube, and Google Calendar. You won't need to re-enter your credentials.

Token Passing

Google's Identity Provider (IdP) generates authentication tokens and passes them to its services behind the scenes. Each service checks the token (its signature, issuer, intended audience, and expiry) to establish who you are, so you never have to log in to that service separately.

Session Management

If you sign out of your Google account, you are signed out of all connected Google services. Session management is centralized at the IdP, and the browser is the glue: it holds session cookies and carries authentication tokens, such as JWTs (JSON Web Tokens), to each service. A JWT contains claims about your identity, which services use to authorize access. One caveat for practitioners: a JWT stays valid until its expiry time, so signing out at the IdP does not by itself revoke tokens a service has already accepted. Single logout therefore depends on short token lifetimes or on the IdP notifying each service.

Granted, this describes Google's SSO. However, virtually all SSO systems work the same way. Here are some other SSO providers you may encounter:

  • Okta

  • Microsoft SSO

  • Auth0

SSO is incredibly convenient, but there is a notable drawback. SSO relies on a central IdP (Identity Provider). If the IdP goes down, users lose access to every service behind it, so IdP planning and deployment must prioritize high availability and fallback. Centralization also concentrates risk: whoever controls the IdP, or a user's IdP credentials, controls access to every connected service. That is why MFA, hardening, and login monitoring belong at the IdP first.




What are the Types of Single Sign-On (SSO)?

There are myriad SSO products available, and we have briefly mentioned a couple. However, it's important to talk about the different types of SSO you may encounter. Let's start with one of the most common: web-based SSO.

Web-Based SSO

Web-based SSO is the mechanism most people have encountered. It refers to using one set of credentials to log in to multiple web applications; the Google example above is one instance. Let's describe a couple of common protocols used to implement it.

SAML (Security Assertion Markup Language)

SAML is an XML-based standard for exchanging authentication assertions between an identity provider and a service provider (SP), the application the user wants to reach. The user's browser carries a signed assertion from the IdP to the SP, and the SP must verify that signature and the assertion's conditions (validity window, intended audience) before trusting it. SAML is the dominant choice in enterprise settings, where most SaaS applications offer a SAML integration, and it is itself a web-based SSO protocol.

OAuth 2.0

OAuth 2.0 is a widely used framework for delegating access to resources: a user lets an application act on their behalf at another service, limited to what the issued token permits. OAuth 2.0 is about authorization rather than authentication, so an access token on its own does not prove who the user is. For web-based SSO it is paired with OpenID Connect, which adds that identity layer.

OpenID Connect (OIDC)

OpenID Connect adds an authentication layer on top of OAuth 2.0. It provides a straightforward way to implement web-based SSO, especially for consumer apps. OIDC implements federated identity and uses JWTs to pass the user's identity to clients. JWT is a generic format; OIDC specifically defines an ID Token, a JWT with standardized claims (iss, sub, aud, exp, iat, and a nonce) that the client must validate: check the signature, the issuer, that the client is the intended audience, that the token has not expired, and that the nonce matches the one it sent.
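How an ID Token is built by the IdP and validated by the client, as an added example that is neither the article's code nor any IdP's. It uses HS256 with a shared demo secret so it runs offline with the Python standard library; real IdPs sign with RS256 or ES256 and publish their verification keys at a JWKS endpoint. The issuer URL, client_id, secret and user are assumptions. The same validation applies to the JWTs mentioned in the session-management section above.

```python
"""Mint and validate an OpenID Connect ID Token (a JWT) with the standard library only.

Added example, not code from the original article or from any IdP. HS256 with
a shared secret keeps it runnable offline; production IdPs sign with RS256 or
ES256 and publish verification keys at their JWKS endpoint. ISSUER, CLIENT_ID,
SECRET and the user are made-up values.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com"        # assumed IdP issuer identifier
CLIENT_ID = "my-web-app"                  # assumed relying party's client_id
SECRET = b"demo-only-shared-hs256-secret"  # assumed shared key; never hard-code a real one


def b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hmac_sign(signing_input, key):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def mint_id_token(subject, nonce, key=SECRET, now=None, lifetime=300):
    """IdP side: header.payload.signature for a user who just authenticated."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
        "iat": now, "exp": now + lifetime,
        "nonce": nonce,  # echoes the value the client put in its authorization request
        "email": subject + "@example.com",
    }

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(hmac_sign(signing_input.encode("ascii"), key))


def verify_id_token(token, expected_nonce, key=SECRET, now=None, leeway=60):
    """Client side: return the claims only if every check passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect. Trusting the token's own "alg" is how
    # "alg": "none" bypasses and HMAC/RSA key-confusion attacks work.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac_sign((header_b64 + "." + payload_b64).encode("ascii"), key)
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy enough to parse and inspect.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token was issued for a different client")
    if now >= claims.get("exp", 0) + leeway:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replayed token")
    return claims


def is_valid(token, expected_nonce, now, key=SECRET):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_id_token(token, expected_nonce, key=key, now=now)
        return True
    except ValueError:
        return False
```

The nonce is the client-generated value from the authorization request, bound into the token so a captured ID Token cannot be replayed into a different login; the `state` parameter and PKCE protect the authorization-code exchange itself and are outside this block.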

Enterprise SSO

Enterprise SSO is similar to web-based SSO but uses some different technologies to accomplish the task. It is what you'll encounter while employed at a corporation. It typically pairs SSO with RBAC (Role-Based Access Control): once a user is authenticated, their directory groups determine which applications they see and what they can do in them.

Like web-based SSO, enterprise SSO uses federated identity. Here the parties are typically a corporate IdP such as Microsoft Entra ID (formerly Azure AD) and SaaS applications such as Salesforce or Microsoft 365 acting as service providers. Enterprise SSO deployments also need centralized audit logging of sign-ins to satisfy regulations such as HIPAA. Let's look at a technology that plays a critical role in enterprise SSO.

LDAP (Lightweight Directory Access Protocol)

LDAP is key to centralizing user identities for authentication and authorization. It is the protocol for querying a hierarchical directory (such as Active Directory or OpenLDAP) that stores each user's ID, group memberships, and other attributes. When a user attempts to log in, the IdP looks the user up in the directory and, via an LDAP bind, verifies the password; the user's groups are then mapped to RBAC roles that govern access to different services. Two practitioner notes: directory traffic must be protected with LDAPS or StartTLS, since a simple bind otherwise sends the password in cleartext, and any user-supplied text placed into a search filter must be escaped to prevent LDAP injection. The combination of RBAC and centrally verified credentials makes a robust security solution, and the IdP brings much-needed convenience to the end-user.
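Two pieces an IdP or application built on LDAP needs, as an added example rather than code from the article: escaping user input before it goes into a search filter (the LDAP-injection point), and mapping the `memberOf` group DNs that come back into application roles for RBAC. The `uid` attribute, the group names and DN layout, and the role mapping are assumptions; no directory connection is made, the code only builds the filter string a server would receive and interprets the attribute values it would return.

```python
"""Build LDAP search filters safely and map directory groups to application roles.

Added example, not code from the original article. The schema (a `uid`
attribute, `memberOf` group DNs, the group names) and the role mapping are
assumed. No live LDAP server is needed: the functions produce the filter an
IdP would send and interpret the memberOf values it would get back.
"""

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise user input can close the current clause and open new ones.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape user-supplied text so it cannot change the structure of a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(login_name):
    """Filter the IdP sends to find exactly one account for a login attempt."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(login_name)


def unsafe_user_lookup_filter(login_name):
    """The vulnerable version: raw concatenation lets the input rewrite the filter."""
    return "(&(objectClass=person)(uid=%s))" % login_name


# Assumed mapping from directory group CN to the role the application understands.
ROLE_BY_GROUP = {
    "Finance-Admins": "finance:admin",
    "Finance-Users": "finance:read",
    "VPN-Users": "vpn",
}


def group_cn(dn):
    """Extract the CN from a group DN such as 'CN=Finance-Users,OU=Groups,DC=example,DC=com'.

    Assumes the CN itself contains no escaped commas; a full RFC 4514 DN
    parser is needed if your directory allows them.
    """
    first = dn.split(",", 1)[0]
    attr, _, value = first.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError("DN does not start with CN: %r" % dn)
    return value.strip()


def roles_for(member_of):
    """RBAC step: turn the memberOf attribute values into application roles.

    Groups with no mapping grant nothing, so a user gains access only through
    groups the application explicitly knows about.
    """
    roles = set()
    for dn in member_of:
        role = ROLE_BY_GROUP.get(group_cn(dn))
        if role:
            roles.add(role)
    return roles
```

With the login name `*)(uid=*`, the unsafe filter becomes `(&(objectClass=person)(uid=*)(uid=*))`, which matches every person in the directory instead of one account; the escaped version searches for a user literally named `*)(uid=*` and matches nobody.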

How to Implement Single Sign-On (SSO)

Implementing SSO can be a time-consuming process. Once it's done, though, it will save the end-user loads of time and enhance the system's security. Let's provide a step-by-step process on how to implement SSO. This will be light on the technical details, but will provide a broad overview of how it's done. 

Familiarize Yourself with the Protocols

SSO has a fair number of protocols associated with it. As previously mentioned, SAML, OAuth 2.0, and LDAP are common ones. You may also encounter Kerberos, a ticket-based authentication protocol used inside corporate networks (it is how Windows domain logons work). After the user authenticates once, the Key Distribution Center (KDC) issues an encrypted ticket-granting ticket; the client then uses it to obtain a service ticket for each application in the realm, so the user's password is never sent to the applications themselves.

You don't have to be an expert on SSO protocols at first, but having a lay of the land will help with implementation and troubleshooting.

Identify Compatible Applications and Systems

Ideally, all integrated systems will authenticate against the same directory. If a system is not yet connected to it, integrate it with the directory before adding SSO. A common directory gives the IdP a single place to query. Then verify that the SSO service you have chosen supports the apps you want it to cover, typically through SAML or OIDC.

For example, if your applications are Microsoft-based, Microsoft's own IdP is the natural fit. That is a simple case; in general, verify that the IdP supports each of your apps. Remember there are plenty of other IdP solutions, such as Okta and Auth0.

Configuration and Deployment

Setting up your IdP server is one of the most important aspects of SSO. Let's walk through that process at a high-level.

  1. Set Up the IdP Server: Plenty of cloud-based IdPs exist. Once you choose one, follow the vendor's setup instructions. Every vendor provides detailed guidelines to ensure a robust IdP deployment.

  2. Connect the IdP to a Directory Service (LDAP or Active Directory): The IdP must query the directory to authenticate users. Verify the connectivity to ensure all of your employees have access to your SSO solution. For cloud-based IdPs, you may need to sync your on-premises directory. For example, Azure AD Connect (now Microsoft Entra Connect) syncs on-prem AD to Entra ID (formerly Azure AD).

  3. Configure Identity Federation: For cross-domain authentication, configure federated identity. It lets your IdP trust and authenticate users from partner domains, if needed.

  4. Configure User Authentication Policies: Enable multi-factor authentication (MFA) for extra security, then set password policies, token expiration times, and account lockout settings based on your organization's security needs. Keep token lifetimes short, since a stolen token remains usable until it expires.

Final Thoughts

SSO is a crucial tool in IT environments, offering both enhanced security and convenience. It lets users access multiple systems with one set of credentials, which matters in today's environment, where security is paramount and user experience is key.

SSO reduces password-related breaches (fewer passwords means fewer to reuse or phish, and MFA can be enforced in one place) and boosts productivity. It also streamlines authentication across multiple services. Challenges exist, like the reliance on a central Identity Provider (IdP). But with proper planning and high-availability setups, any organization can have a reliable and secure solution.


© 2025 CBT Nuggets. All rights reserved.