Single Sign-On (SSO)
About 4 min read
Last updated: 2026-03-05
What Is Single Sign-On (SSO)
Single Sign-On (SSO) is a mechanism that allows access to multiple related services and applications with a single authentication. For example, logging into your Google account gives you access to Gmail, Google Drive, YouTube, and all other Google services without re-authenticating. This is a typical example of SSO.
In enterprise environments, a single login to the company portal provides access to dozens of systems including email, chat, attendance management, and expense reporting. It dramatically reduces the number of passwords users need to manage and prevents password reuse that causes credential stuffing.
Major SSO Protocols
Several protocols are used as the technical mechanisms to implement SSO.
- SAML 2.0: The standard protocol for enterprise SSO. Exchanges XML-based assertions (authentication information) between the IdP (Identity Provider) and SP (Service Provider). Supported by IdPs like Okta, Azure AD, and OneLogin
- OpenID Connect (OIDC): A protocol that adds an authentication layer on top of OAuth 2.0. JSON-based and lightweight, making it highly compatible with web and mobile apps. "Sign in with Google" and "Sign in with GitHub" use this mechanism
- Kerberos: A ticket-based authentication protocol used in Active Directory environments. Specialized for SSO within corporate networks and is standard in Windows domain environments
OIDC is becoming mainstream for SSO between web services, while SAML 2.0 remains widely used for enterprise internal system integration.
Benefits and Risks of SSO
SSO offers benefits in both convenience and security, but also has inherent risks.
Benefits
- Eliminating Password Fatigue: With only one password to remember, users are more likely to set a strong one
- Centralized Security Management: By centralizing the authentication infrastructure, two-factor authentication and access policies can be uniformly applied across all services
- Reduced IT Management Costs: Password reset requests decrease, and disabling a departing employee's account is reflected across all services with a single action on the IdP
Risks
- Single Point of Failure: If the IdP goes down, users cannot log in to any connected service. The IdP's availability directly determines the availability of all systems
- Blast Radius of Compromise: If an SSO account is hijacked, all connected services are compromised at once. The impact of a single password leak becomes far more severe than before
- Vendor Lock-in: Dependency on a specific IdP increases migration costs
To mitigate risks, it's essential to set up strong authentication using passkeys or FIDO2 security keys on your SSO account.
Safe SSO Operations
Here are practical tips for operating SSO safely.
- Prioritize IdP Account Protection: Set up the strongest authentication method (hardware security key, passkeys) on the IdP account that serves as the SSO entry point. SMS authentication alone is insufficient
- Proper Session Management: Set session expiration as short as practical without disrupting work. Require re-authentication (step-up authentication) when accessing highly sensitive services
- Access Log Monitoring: Implement mechanisms to detect and alert on logins from unusual locations or devices
- Principle of Least Privilege: Integrate with IAM to grant users access only to the minimum services required for their role
- Emergency Access Procedures: Prepare emergency access methods (break-glass accounts) for critical systems in case of IdP outages
To learn more about this topic, see Two-Factor Authentication (2FA): The Best Defense for Your Accounts.
Common Misconceptions
- Implementing SSO solves all password management problems
- SSO reduces the number of passwords, but services that don't support SSO still require individual passwords. Also, if the SSO account password itself is weak, all services are at risk. A combination with a password manager is the practical solution.
- Using SSO automatically improves security
- SSO enables centralized authentication management, but doesn't inherently strengthen security. Without two-factor authentication, with overly long session timeouts, or without access log monitoring, risks can actually increase with poor operational practices.