SSO (Single Sign-On)
An authentication scheme that allows users to authenticate once and gain access to multiple independent applications without re-entering credentials.
Description
Single Sign-On (SSO) enables users to authenticate once with an identity provider (IdP) and then access multiple service providers (SPs, the applications) without being prompted to log in again. The IdP maintains the user's authentication state and issues signed tokens or assertions to SPs that trust it. This improves user experience by eliminating password fatigue, shrinks the attack surface by centralizing credential management (one place to enforce MFA, password policy and anomaly detection, and no per-application password databases), and simplifies user lifecycle management (onboarding/offboarding) for organizations. The flip side is concentration of risk: the IdP account and the IdP session cookie become the most valuable targets in the environment, since compromising either grants access to every connected application, so the IdP itself needs the strongest protection (phishing-resistant MFA, bounded session lifetimes, monitored administrative access).
SSO is implemented using protocols like SAML 2.0 (common in enterprise environments), OpenID Connect (OIDC, the norm for modern web and mobile applications), and proprietary protocols. In a typical SP-initiated SAML flow, the user attempts to access a service provider, is redirected to the identity provider with an AuthnRequest, authenticates there (if not already), and is sent back through the browser (usually the HTTP-POST binding) to the SP's Assertion Consumer Service with a SAML Response carrying a signed assertion. Because the assertion passes through the user's browser, the SP's signature and condition checks are all that separate a legitimate login from a forged one. In OIDC-based SSO, the SP (the relying party) sends the browser to the IdP's authorization endpoint, receives an authorization code on its registered redirect URI, exchanges the code at the token endpoint, and validates the returned ID token, a signed JWT, instead of a SAML assertion. Both protocols rely on pre-established trust between IdP and SP: the SP holds the IdP's signing certificate or JWKS endpoint, and the IdP holds the SP's entity ID or client ID together with its registered endpoints.
Enterprise SSO implementations often involve identity providers like Okta, Azure AD (Entra ID), OneLogin, or Ping Identity. Key considerations include supporting both SP-initiated (user starts at the app) and IdP-initiated (user starts at the identity provider's portal) flows, implementing Single Logout (SLO) to terminate sessions across all applications, handling just-in-time (JIT) user provisioning from identity provider attributes, and exchanging SAML metadata (entity IDs, endpoints, signing certificates) to establish trust. IdP-initiated SSO deserves care: the SP receives an unsolicited response with no InResponseTo, so it cannot tie the assertion to a request it made, which removes the SP's best defence against replayed or attacker-injected assertions (login CSRF); many SPs disable it, or accept it only with strict time-window and replay checks. SLO is best-effort in practice, since any SP that fails to process the logout request leaves its own session alive. SCIM (System for Cross-domain Identity Management) is often paired with SSO for automated user provisioning and deprovisioning; this matters because JIT provisioning creates accounts at first login but never removes them, and disabling a user at the IdP does not end sessions the SP has already issued.
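The SP-side acceptance checks for a SAML assertion, covering both the flow described above and the SP-initiated versus IdP-initiated distinction, as an added example that is not code from the page or from any SAML library. It assumes the library has already verified the XML signature and parsed the assertion into the plain object shape used below; the entity IDs, ACS URL, request and assertion IDs and timestamps are constructed for the example. Beyond the Audience, Recipient and time-window checks it shows how the two flows differ: an SP-initiated response must carry an InResponseTo matching an AuthnRequest this SP issued, an IdP-initiated one has none and is only accepted when explicitly allowed, and any assertion ID is accepted once.

```javascript
// Added example (not from the page or any library): SP-side checks on a SAML
// assertion that has ALREADY been signature-verified and parsed by the SAML
// library into the plain object shape used below. Entity IDs, URLs, IDs and
// timestamps are constructed for the example.
const SP_ENTITY_ID = 'https://sp.example.com/saml/metadata'; // assumed SP entityID
const ACS_URL = 'https://sp.example.com/saml/acs';            // assumed AssertionConsumerService URL
const IDP_ENTITY_ID = 'https://idp.example.com/saml';          // assumed IdP entityID

class SamlAssertionValidator {
  constructor({ spEntityId, acsUrl, idpEntityId, allowIdpInitiated = false,
                clockSkewMs = 120000, requestTtlMs = 600000 }) {
    Object.assign(this, { spEntityId, acsUrl, idpEntityId, allowIdpInitiated, clockSkewMs, requestTtlMs });
    this.pendingRequests = new Map();   // AuthnRequest ID -> issue time (SP-initiated flow)
    this.seenAssertionIds = new Map();  // assertion ID -> expiry, for replay detection
  }

  // Record the AuthnRequest ID when the SP redirects the browser to the IdP.
  issueRequest(requestId, now) { this.pendingRequests.set(requestId, now.getTime()); }

  // Drop stale pending requests and replay-cache entries that could no longer be replayed.
  purge(now) {
    const t = now.getTime();
    for (const [id, issued] of this.pendingRequests) if (t - issued > this.requestTtlMs) this.pendingRequests.delete(id);
    for (const [id, exp] of this.seenAssertionIds) if (t > exp) this.seenAssertionIds.delete(id);
  }

  // Returns { ok: true, nameId, attributes } or { ok: false, errors: [...] }.
  validate(a, now) {
    this.purge(now);
    const t = now.getTime(), skew = this.clockSkewMs, errors = [];
    const sc = a.subjectConfirmation || {};

    if (a.issuer !== this.idpEntityId) errors.push('issuer mismatch');
    // AudienceRestriction: an assertion minted for another SP must not log anyone in here.
    if (!(a.audiences || []).includes(this.spEntityId)) errors.push('audience mismatch');
    // SubjectConfirmationData/@Recipient binds the assertion to our ACS endpoint.
    if (sc.recipient !== this.acsUrl) errors.push('recipient mismatch');
    // Conditions window (NotBefore inclusive, NotOnOrAfter exclusive) with bounded clock skew.
    if (t + skew < Date.parse(a.notBefore)) errors.push('assertion not yet valid');
    if (t - skew >= Date.parse(a.notOnOrAfter)) errors.push('assertion expired');
    if (sc.notOnOrAfter && t - skew >= Date.parse(sc.notOnOrAfter)) errors.push('subject confirmation expired');
    // Request binding: an SP-initiated response must answer an AuthnRequest this SP issued.
    // IdP-initiated responses carry no InResponseTo, so they are unsolicited by design.
    if (sc.inResponseTo) {
      if (!this.pendingRequests.delete(sc.inResponseTo)) errors.push('InResponseTo does not match a pending request');
    } else if (!this.allowIdpInitiated) {
      errors.push('unsolicited (IdP-initiated) assertion not accepted');
    }
    // Replay: each assertion ID is accepted once, remembered until it would have expired anyway.
    if (this.seenAssertionIds.has(a.id)) errors.push('assertion replayed');

    if (errors.length) return { ok: false, errors };
    this.seenAssertionIds.set(a.id, Date.parse(a.notOnOrAfter) + skew);
    return { ok: true, nameId: a.nameId, attributes: a.attributes };
  }
}

// Constructed walk-through: one SP-initiated login, then the failure modes an SP must catch.
function demoSamlChecks() {
  const now = new Date('2024-05-01T12:00:00Z');
  const iso = (sec) => new Date(now.getTime() + sec * 1000).toISOString();
  const assertion = (over = {}, sc = {}) => ({
    id: '_a1', issuer: IDP_ENTITY_ID, nameId: 'alice@example.com',
    audiences: [SP_ENTITY_ID], notBefore: iso(-30), notOnOrAfter: iso(300),
    subjectConfirmation: { recipient: ACS_URL, notOnOrAfter: iso(300), ...sc },
    attributes: { groups: ['engineering'] }, ...over,
  });
  const cfg = { spEntityId: SP_ENTITY_ID, acsUrl: ACS_URL, idpEntityId: IDP_ENTITY_ID };
  const strict = new SamlAssertionValidator(cfg);                                // SP-initiated only
  const lenient = new SamlAssertionValidator({ ...cfg, allowIdpInitiated: true }); // portal logins allowed

  strict.issueRequest('_req1', now);
  const solicited = assertion({}, { inResponseTo: '_req1' });
  return {
    spInitiated: strict.validate(solicited, now),
    replayed: strict.validate(solicited, now),                        // same assertion posted again
    unsolicitedStrict: strict.validate(assertion({ id: '_a2' }), now),
    unsolicitedLenient: lenient.validate(assertion({ id: '_a3' }), now),
    wrongAudience: lenient.validate(assertion({ id: '_a4', audiences: ['https://other-sp.example.org'] }), now),
    expired: lenient.validate(assertion({ id: '_a5' }), new Date(now.getTime() + 3600000)),
    forgedRequestId: strict.validate(assertion({ id: '_a6' }, { inResponseTo: '_never-issued' }), now),
  };
}
```

The validator collects every failure rather than stopping at the first, which is what you want in logs when an integration partner's IdP misbehaves; the decision to log the user in is still all-or-nothing. Note that a replayed SP-initiated assertion fails twice over: its InResponseTo has already been consumed and its ID is in the replay cache.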
Prompt Snippet
Implement SSO as a service provider supporting both SAML 2.0 and OIDC protocols. For SAML, use a library like saml2-js or passport-saml (now published as @node-saml/passport-saml) to parse assertions, validate XML signatures against the IdP's X.509 certificate (reject unsigned assertions, accept only the configured signature algorithm, and make sure the signed element is the assertion actually consumed rather than a sibling of it), check the Issuer, Audience and Recipient conditions, enforce NotBefore/NotOnOrAfter time constraints with bounded clock skew, require InResponseTo to match an outstanding AuthnRequest for SP-initiated logins, and cache assertion IDs until expiry to reject replays. For OIDC, implement the authorization code flow with PKCE and a per-request state parameter, exchange the code at the token endpoint, and validate ID tokens per the OIDC spec: verify the signature with the key from the IdP's JWKS selected by kid, accept only the registered alg, and check iss, aud, exp, iat and the nonce stored in the session. Implement JIT user provisioning that creates/updates local user accounts from IdP attributes on each login, keyed on a stable identifier (SAML NameID or OIDC iss plus sub), never on a mutable e-mail address. Support SP-initiated and IdP-initiated flows, with IdP-initiated disabled by default. Expose SP metadata at /saml/metadata for enterprise onboarding.
Related Terms
SAML
An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, widely used in enterprise SSO.
OpenID Connect (OIDC)
An identity layer built on top of OAuth 2.0 that enables clients to verify the identity of the end-user and obtain basic profile information.
Identity Provider (IdP)
A trusted service that authenticates users, manages their identities, and issues security tokens or assertions to relying applications.
LDAP Integration
Integration with LDAP directory services to authenticate users and retrieve organizational attributes like groups, departments, and roles from a centralized directory.
Social Login (OAuth Providers)
Authentication via third-party identity providers like Google, GitHub, or Apple using OAuth 2.0/OIDC, allowing users to sign in with existing accounts.