Single-Sign On (SSO) describes an identity solution that allows multiple applications to use the same authentication session, so avoiding repetitive credential entry. SSO implementations are often adopted by companies in the enterprise world as part of their strategy to secure access to important resources. With the advent of cloud computing and the boom of Software as a Service (SaaS), companies all around the world are increasing their focus on access management strategies that can enhance both security and the user experience; implementing SSO can deliver on both aspects.
From the security perspective, one benefit introduced by Single-Sign On is that, because it reduces the number of credentials required to sign into multiple services to a single credential, there are fewer credentials to be lost or stolen. In addition, multi-factor authentication (MFA), or two-factor authentication (2fA) is more likely to be enforced to protect that single, powerful, credential.
From the end-user perspective, leveraging an Identity Provider (IdP) system capable of supporting SSO enhances the user experience because it drastically lowers credential entry fatigue. Additionally, using SSO means that the burden of remembering credentials for, potentially, dozens of accounts is removed.
A beneficial side-effect of adopting SSO solutions is that the number of help desk calls related to password reset activities also decreases.
How does Single-Sign On Work?
Implementing Single-Sign On usually consists of defining a central service that applications rely on when a user logs in. In this approach, if an unauthenticated user requests an application that requires identity information, the app in question redirects the user to the central service. On this server, the user then authenticates and gets redirected back to the original application with identity information. There, they can move on and achieve the initial goals they had when the authentication request was triggered.
After a while, if that same user moves onto another application that also requires identity information and that relies on the same central service to perform user authentication, the second application can leverage the session that the user initiated while signing in to the first application.
A good example that can help illustrate how SSO works is Google and its different services. For example, when you try to access Gmail without being authenticated, Google redirects you to a central service that is hosted at accounts.google.com. There, you will see a sign-in form where you will have to input your user credentials. If the authentication process is successful, then Google redirects you to Gmail, where you gain access to your email account. Then, after authenticating through this central service, if you head to another service (like Youtube, for example), you will see that you are automatically signed in.
The following diagram gives more details on how a SSO authentication process works.
Assuming the user wants to access domain1.com, upon browsing to this domain they are redirected to the authentication server, domain3.com, where they authenticate. Upon successful authentication, domain3 stores a session cookie which is used for the SSO record. It then redirects the browser back to domain1 with an artifact that domain1.com can exchange for a token that may be used to prove the user’s identity for subsequent access to domain1’s services.
When the user (in the same session) accesses domain2.com, domain2 redirects to domain3 for authentication. However, because domain3 has a record that the user has a login session (via the cookie) it doesn’t require the user to login interactively, and instead redirects the browser back to domain2.com with an appropriate authentication artifact, as before.
Note that the SSO session valid period is determined by the authentication server (domain3) and may exist simply as long as the browser session, or for a specific period, from hours to weeks, depending on the security policy and user experience requirements.
This is the essence of SSO, as with Google and others. The protocol between the authentication server and the client applications will, typically, be SAML 2.0, OpenID Connect, Kerberos or other authentication protocol that supports SSO.
How to Implement Single-Sign On with Auth0
Just like with many other authentication and authorization features, using Auth0 to implement Single-Sign On is extremely easy. If you are already using Auth0 to secure your applications, SSO is already available for you automatically. For instance, if you have two or more applications using the same Auth0 account, you will notice that users that sign in to one, they will be transparently signed into the other. You don't have to do anything special on these applications to take advantage of the SSO session.
Another useful aspect of using Auth0 to enable Single-Sign On in your applications is in having a single point of control over access to resources, reducing IT resource demands.
If you want to learn more about Auth0, how it helps you implement Single-Sign On, and how to secure your apps with it, you can refer to the docs.
Want to learn more?
Keep reading at our Intro to IAM page to explore more topics around Identity and Access Management.
FAQs
Single Sign-on (SSO) occurs when a user logs in to one application and is then signed in to other applications automatically, regardless of the platform, technology, or domain the user is using. The user signs in only one time, hence the name of the feature (Single Sign-on).
What is single sign-on SSO and how does it work? ›
Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials. SSO streamlines the authentication process for users.
How does SSO work in Auth0? ›
How Does AuthO SSO Work: The Flow. Auth0 uses Universal Login to define the login flow, a key feature of the authorization server. Every time a user attempts to prove their identity, the application redirects to Universal Login and Auth0 works to guarantee the user's identity.
What is single sign-on SSO simplified understanding how SSO works in plain English? ›
A single sign-on solution can simplify username and password management for both users and administrators. Users no longer have to keep track of different sets of credentials and can simply remember a single more complex password. SSO often enables users to just get access to their applications much faster.
How does OAuth SSO work? ›
With OAuth SSO, users can log in to various platforms with a single set of credentials, promoting a seamless and secure user experience. It employs an efficient OAuth 2.0 flow, where users receive an OAuth token after successful authentication.
How does Auth0 work? ›
Users provide pre-determined credentials, such as username or password, in the login form to verify their digital identities. Auth0's Universal Login is a login form you can customize to accommodate your brand and configure to provide secure access.
What are the benefits of using a single sign-on SSO authentication service? ›
Implementing Single Sign-On (SSO) can yield significant returns on investment (ROI) for businesses:
- Cost Savings. SSO reduces IT support costs by minimizing password-related support calls and helpdesk inquiries. ...
- Productivity Gains. ...
- Security Enhancements. ...
- Improved User Experience. ...
- Compliance Benefits.
How to check if SSO is working or not? ›
To confirm if SSO is disabled, you can review the integration in the TVE Dashboard. Following attributes are set to YES, if SSO has been disabled for a Channel - Multichannel Video Programming Distributor (MVPD) integration: Auth / Aggregator – > YES. Enable Passive AuthN – > YES.
Is SSO passwordless authentication? ›
Single Sign-On (SSO)
SSO can provide a semi-passwordless experience by enabling users to log into their SSO accounts—either using their credentials, a biometric scan, or something else—to automatically and seamlessly gain access to all associated accounts and applications.
Is SSO a single factor authentication? ›
Also note that SFA and single sign-on (SSO) are not the same thing. SFA refers to the number of pieces of verifiable information required to authenticate, while SSO is an authentication process that allows users to sign on to their applications and services with one set of credentials.
SSO is an authentication process in which a user can access more than one system or application by entering a single user ID and password. If you are an administrator, you need to specify the company that you want to access during login. Any other user is taken to their specific company.
What's the difference between single sign-on SSO and social sign-on answer? ›
The main difference between SSO (Single Sign-On) and social login is that SSO allows users to log in to multiple applications with a single set of credentials. In contrast, social login allows users to log in to one application using their social media account credentials.
What is the key benefit of single sign-on? ›
SSO reduces the number of attack surfaces because users only log in once each day and only use one set of credentials. Reducing login to one set of credentials improves enterprise security. When employees have to use separate passwords for each app, they usually don't.
How does Auth0 SSO work? ›
Auth0 checks to see whether there is an existing SSO cookie. Auth0 finds the SSO cookie, and if necessary, updates it. No login screen is shown. Auth0 redirects the user to your application, returning an ID Token that contains identity information for the user.
What is SSO and how does it work? ›
What is single sign-on (SSO)? Single sign-on (SSO) is a technology which combines several different application login screens into one. With SSO, a user only has to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications.
What is Auth0 vs OAuth? ›
OAuth is primarily focused on enabling authorization for APIs. Auth0 and OAuth can be used together to build secure and scalable authentication and authorization solutions. OAuth can be used to grant access to APIs, while Auth0 can be used to manage the authentication and authorization process for your applications.
What is a major risk of using single sign-on SSO? ›
Little Control once Access is Granted
The attacker gets access to all the endpoints of the external applications within the cloud that the user is provisioned for. If the attack is detected, the user account can be disabled. However, the user may still remain logged in.
What happens if single sign-on is enabled? ›
When single sign-on is enabled, IBM SPSS Collaboration and Deployment Services applications log into a Kerberos domain and use Kerberos tokens for web services authentication. If single sign-on is enabled, it is strongly recommended that SSL communication be configured for the repository.
What's the difference between single sign-on SSO and social sign-on? ›
SSO offers seamless authentication with one credential across multiple connected platforms or systems. On the other hand, social login allows users to access services by authenticating themselves using their social account credentials.