eastbaycyber

Single Sign-On (SSO): Definition, How It Works, and Where You’ll See It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Single Sign-On (SSO) is an authentication approach where a user logs in once and then can access multiple applications or services without authenticating again for each one. In practice, SSO centralizes authentication at an Identity Provider (IdP) and “federates” access to Service Providers (SPs) such as SaaS apps.

Single sign-on (SSO) is an authentication pattern that lets you sign in once (usually via an Identity Provider) and then access multiple apps without re-entering your password each time. It reduces password sprawl, but it also increases the impact of an account takeover—so pairing SSO with strong multi-factor authentication (MFA) and sensible session controls matters.

How SSO works

SSO is easiest to understand as a trust relationship between three parties:

  • User (and their device/browser)
  • Identity Provider (IdP): the system that authenticates the user (e.g., a corporate identity platform)
  • Service Provider (SP): the app the user wants to use (e.g., email, CRM, ticketing)

There are two common web SSO protocol families:

  • SAML 2.0 (common in enterprise SaaS and older integrations)
  • OpenID Connect (OIDC) on top of OAuth 2.0 (common for modern web apps and APIs)

The typical flow (high-level)

  1. User tries to access an app (SP).
    Example: https://app.example.com requires corporate login.

  2. App redirects the user to the IdP.
    The app says, effectively: “I don’t handle passwords—go prove who you are to this IdP.”

  3. IdP authenticates the user.
    The IdP prompts for credentials and may enforce MFA, device posture checks, geolocation rules, or other conditional access policies. (If you need a refresher on what MFA is and why it matters, see: what is multi factor authentication.)

  4. IdP sends proof back to the app.
    - In SAML, this proof is a signed SAML assertion containing the user identity and attributes/claims. - In OIDC, the IdP (authorization server) issues an ID token (typically a signed JWT) and possibly an access token.

  5. App establishes its own session.
    After validating the assertion/token (signature, issuer, audience, timestamps), the app creates a session (often a secure cookie) and authorizes access based on the claims/roles it received.

  6. User accesses other apps without reauth (until the session expires).
    If the user is already authenticated to the IdP, subsequent apps can complete the flow silently or with minimal prompts.

What makes SSO valuable (and risky)

Benefits - Fewer passwords to manage (less reuse, fewer resets) - Centralized security controls (MFA, conditional access, lockouts) - Faster onboarding/offboarding (especially when paired with automated provisioning)

Risks / failure modes - IdP compromise is a blast-radius multiplier. If an attacker gains control of the IdP account or admin plane, many apps can be accessed. - Misconfigurations can bypass controls. Examples: weak MFA policies, overly broad app assignments, incorrect token validation, long session lifetimes. - Logout isn’t always global. Ending a session at the IdP may not immediately terminate sessions in every SP (depends on protocol/app support).

SAML vs OIDC (in one minute)

  • SAML: XML-based, typically browser-posted assertions. Strong enterprise footprint. Can be more complex to troubleshoot due to XML signatures and clock skew.
  • OIDC: JSON/JWT-based, web-native. Common for modern applications and API ecosystems. Usually easier to integrate and inspect with standard tooling.

What service providers should validate (SP-side checks)

For SSO to be secure, the SP must validate key properties of the assertion/token:

  • Signature validity (trusted signing key/cert) — effectively, “is this proof authentic?”
    (Related concept: how signatures work. See: what is a digital signature.)
  • Issuer (expected IdP)
  • Audience / client_id (token is meant for this SP)
  • Expiration / NotBefore (short-lived, time checks)
  • Nonce / state (OIDC) to prevent replay/CSRF
  • Auth context (optional) to ensure MFA occurred when required
  • Group/role claims mapping (avoid overly permissive defaults)

Example OIDC discovery endpoint (common for troubleshooting):

curl -s https://idp.example.com/.well-known/openid-configuration | jq

Example: Inspect a JWT header/payload (do not paste real tokens into third-party sites):

python3 - <<'PY'
import base64, json, sys
token = sys.stdin.read().strip()
h,p,_ = token.split('.')
def dec(x):
    x += '=' * (-len(x) % 4)
    return json.loads(base64.urlsafe_b64decode(x).decode())
print("header:", json.dumps(dec(h), indent=2))
print("payload:", json.dumps(dec(p), indent=2))
PY

Where you’ll encounter SSO

You’ll see SSO anywhere organizations want centralized identity and consistent access control—especially as companies adopt SaaS and hybrid work.

Common real-world scenarios

  • SaaS applications: email, collaboration, HR, CRM, ticketing, accounting.
    Users click an app tile in a portal and are logged in automatically.

  • Cloud platforms: access to cloud consoles and management planes.
    Admins often use SSO to reduce local accounts and enforce MFA and conditional access.

  • Remote access / VPN / ZTNA: SSO-backed authentication for remote workforce access.
    The IdP becomes the policy engine for who can connect, from where, and under what conditions.

  • Internal enterprise apps: legacy and modern apps integrated behind an identity-aware proxy or SSO gateway.

  • Mergers, partners, B2B access (federation): one organization’s IdP is trusted by another organization’s apps, enabling partner access without creating separate passwords.

Signs you’re using SSO (even if you didn’t know it)

  • You’re redirected to a corporate login page when accessing an app.
  • You log in once, then can open multiple apps without re-entering credentials.
  • URLs include /saml, /oauth, /authorize, or you see references to “Identity Provider,” “SAML,” “OIDC,” or “Sign in with company account.”

Operational and security “gotchas” teams hit

  • Session lifetime mismatch: IdP session may be short, but SP session cookie lasts much longer (or vice versa). Align for your risk profile.
  • Break-glass access: If the IdP is down, can admins still access critical systems? Plan a controlled break-glass process.
  • Overbroad group-to-role mapping: A single mis-mapped group claim can grant admin rights widely.
  • Shadow integrations: Teams may configure SSO for apps without security review, leaving unused but active trust relationships.
  • Incomplete offboarding: SSO stops new logins, but existing SP sessions/tokens might remain valid; pair SSO with session revocation controls where possible.

Logs and patterns to watch

While log formats vary by vendor, effective SSO monitoring typically looks for:

  • Unusual IdP sign-ins (new country, unfamiliar device, impossible travel)
  • MFA fatigue / push bombing patterns
  • Consent grants / OAuth app authorizations you didn’t expect
  • Repeated SAML/OIDC failures indicating misconfig or probing

Common indicators in web/app logs: - Requests to /sso/saml, /saml/acs, /oauth2/authorize, /oauth2/callback - “Invalid audience,” “signature validation failed,” “clock skew,” “nonce mismatch” - Spikes in 401/403 around auth endpoints after a certificate/key rotation

Example (generic) search ideas:

("saml" AND ("assertion" OR "acs" OR "audience"))
("oidc" OR "oauth") AND ("callback" OR "authorize" OR "token")
("signature" AND "invalid") OR ("clock skew") OR ("nonce")

Practical hardening checklist for SSO

  • Enforce phishing-resistant MFA for privileged users (and ideally for all users where feasible).
  • Require device compliance / conditional access for high-risk apps.
  • Minimize app assignments (least privilege) and review group/role claim mappings.
  • Set reasonable IdP and SP session lifetimes; prefer short lifetimes for admin consoles.
  • Monitor IdP sign-ins and OAuth consent activity as tier-0 telemetry.
  • Maintain a documented break-glass process with audited use.

If you want a straightforward way to reduce password reuse and improve account security alongside SSO, consider a password manager that supports strong unique passwords and MFA storage for non-SSO accounts. 1Password is a common option in teams: Try 1Password →.

Related terms

Authentication vs Authorization

Authentication proves who you are; authorization determines what you can do. SSO centralizes authentication but authorization still must be correctly enforced in each app.

Identity Provider (IdP)

The system that performs authentication and issues assertions/tokens.

Service Provider (SP) / Relying Party (RP)

The application relying on the IdP’s authentication result.

Federation

Trust between organizations or systems so identities can be used across boundaries (e.g., partner access).

SAML 2.0

XML-based SSO standard commonly used in enterprise SaaS.

OAuth 2.0

Authorization framework; often paired with OIDC for authentication in modern apps.

JWT (JSON Web Token)

Compact signed token format commonly used in OIDC.

MFA (Multi-Factor Authentication)

Additional verification (push, TOTP, FIDO2) layered into IdP authentication.

Conditional Access / Adaptive Access

Policy controls based on risk signals (device compliance, location, user risk).

SCIM (System for Cross-domain Identity Management)

Standard for automated user provisioning/deprovisioning to apps (often used alongside SSO).

Just-In-Time (JIT) provisioning

Creating accounts in the SP at first SSO login based on claims.

Single Logout (SLO)

Mechanism to propagate logout across IdP and SPs; not universally supported and often imperfect in practice.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.