Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1167

Single Sign-On (SSO)

Reviewed by Cybersecurity entrepreneur & security researcher

What is Single Sign-On (SSO)?

Single Sign-On (SSO): An authentication scheme that lets a user sign in once at a trusted identity provider and then access many applications without re-entering credentials.


Single Sign-On (SSO) centralizes authentication at an identity provider (IdP); applications, called relying parties, accept signed assertions or tokens from that IdP instead of asking for credentials directly. Common SSO protocols are SAML 2.0, OpenID Connect (on top of OAuth 2.0) and Kerberos for Windows environments. SSO improves user experience, reduces password reuse, enables central enforcement of MFA and conditional access, and simplifies offboarding. The downside is concentration of risk: a compromised SSO account or IdP can expose every connected application, so phishing-resistant MFA, anomaly detection and session monitoring are essential.
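As an added illustration (not part of the original entry), the sketch below shows the checks a relying party makes before accepting a token from the IdP: pinned algorithm, signature, issuer, audience and expiry. It assumes an HS256-signed JWT with a shared secret so that it runs on the standard library alone; the key, issuer URL, client names and function names are constructed for the example.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """IdP side (sample-data helper): serialize and sign a compact JWS."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Relying-party side: return the claims or raise ValueError."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64url_decode(head)).get("alg")
        signature = b64url_decode(sig)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # parsed only after the MAC checks out
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # token was minted for another app
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

# Constructed sample values (hypothetical IdP and relying party)
KEY = b"constructed-shared-secret-for-demo"
ISSUER = "https://idp.example"
NOW = 1_700_000_000
GOOD = sign_token({"iss": ISSUER, "aud": "jira-client", "sub": "alice", "exp": NOW + 300}, KEY)

def outcome(token, audience="jira-client", now=NOW):
    try:
        return verify_id_token(token, KEY, ISSUER, audience, now)["sub"]
    except ValueError as exc:
        return str(exc)
```

The audience check is what stops a token issued for one connected application from being accepted by another, which matters precisely because every application trusts the same IdP.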

Examples

  1. Signing in once to Google Workspace and then using Slack, Notion and Jira via OIDC/SAML.

  2. Active Directory domain accounts using Kerberos to access internal web apps without re-prompting.

Frequently asked questions

What is Single Sign-On (SSO)?

An authentication scheme that lets a user sign in once at a trusted identity provider and then access many applications without re-entering credentials. It belongs to the Identity & Access category of cybersecurity.

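How do you defend Single Sign-On (SSO)?

Defences for Single Sign-On (SSO) combine technical controls and operational practices. As the full definition above notes, a compromised SSO account or IdP can expose every connected application, so phishing-resistant MFA, anomaly detection and session monitoring are essential.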

What are other names for Single Sign-On (SSO)?

Common alternative names include: SSO, Single sign-on.
