nordpass logo

Single Sign-On: What it is and how it works

Nowadays, single sign-on (SSO) authentication is required more than ever. Many websites offer users the option to sign up with Google, Apple, or any other service. Chances are you have logged in to something via single sign-on today or at least this week. But do you know what it is, how it works, and why it's used? Take a deep dive into the world of single sign-on and all things related to it.

What is SSO?

Single sign-on is a session and user authentication service that allows the user to use a single set of login credentials – namely, a username and password – to access multiple websites or applications. Put plainly, SSO allows users to sign up and access a variety of online accounts with a single username and password, thus making things a lot easier for the everyday user. SSO's primary use is as an identification system that permits websites and apps to use the data of other trusted sites to verify a user upon login or sign-up.

Essentially, SSO puts an end to the days of remembering and entering multiple passwords. An added bonus is that SSO gets users out of the vicious password reset loops.

Additionally, SSO can be great for business, as it improves productivity, security control, and management. With a single security token (a username and password), IT professionals can enable or disable a user’s access to multiple systems, which in some cases mitigates cybersecurity risks.

So, how does the magical service work?

How does SSO work?

Single sign-on is a component of a centralized electronic identity known as federated identity management (FIM). FIM, or Identity Federation, is a system that enables users to use the same verification method to access multiple applications and other resources on the web. FIM is responsible for a few essential processes:

  • Authentication

  • Authorization

  • User attributes exchange

  • User management

When we talk about SSO, it is important to understand that it is primarily related to the authentication part of the FIM system. It's concerned with establishing the user's identity and then sharing that information with each platform that requires that data.

Fancy jargon aside, here are the basic operational processes of single sign-on:

  • You enter a website.

  • You click “Sign In with Apple” or any other service.

  • The site opens Apple's account login page.

  • If you're already logged in, then it gives the site your data.

  • You are logged in to your Apple account.

  • Apple's site verifies that you are authorized to access the site.

  • If you're authorized, the site creates a session for you and logs you in.

In technical terms, when the user first signs in via an SSO service, the service creates an authentication cookie that remembers that the user is verified. An authentication cookie is a piece of code stored in the user's browser or the SSO service's servers. Next time the user logs in to that same app or website using SSO, the service then transfers the user's authentication cookie to that platform, and the user is allowed to access it. It's important to highlight that an SSO service doesn't identify the exact user since it does not store user identities.

Is single sign-on secure?

Yes. An SSO protocol is secure when implemented and managed properly and used alongside other cybersecurity tools.

The main benefit introduced by single-sign on with regard to cybersecurity is that, because it allows using a single set of credentials for multiple services, there are fewer login details to be lost or stolen. As long as the server is secure and an organization's access control policies are established, a malicious user or an attacker will have little to no chance to do any damage.

However, this benefit could also pose a certain kind of risk. Since SSO provides instant access to multiple accounts via a single endpoint, if a hacker gains access to an authenticated SSO account, they will also gain access to all the linked applications, websites, platforms, and other online environments.

This issue can be easily mitigated by implementing an additional layer of security known as Multi-Factor Authentication. Combining SSO with MFA allows service providers to verify users' identity while giving them easy access to applications or online platforms.

The benefits of SSO

Reduced password fatigue

With SSO in place, users only have to remember one password, making life a lot easier. Password fatigue is real and dangerous. SSO encourages users to come up with a single strong password rather than using a simple one for each account separately. It also helps users escape the vicious cycle of password reset loops.

Increased employee and IT productivity

When deployed in a business setting, SSO can be a real time saver. According to a recent report, people waste 16.3 billion hours a year trying to remember, type, or reset passwords. In a business environment, every minute counts. Thanks to SSO, users don't need to hop between multiple login URLs or reset passwords and can focus on the tasks at hand.

Enhanced user experience

One of the most valuable benefits of SSO is an improved user experience. Because repeated logins are not required, users can enjoy a digital experience with less hassle. This means that users will be less hesitant to use the service. For any commercial web-based service, SSO is an essential part of their user experience.

Centralized control of user access

SSO offers organizations centralized control over who has access to their systems. In a business setting, you can use SSO to grant new employees specific levels of access to different systems. You can also provide employees with a single set of credentials (username and passwords) to access all company systems.

Top single sign-on solutions

Microsoft Azure AD

Microsoft Azure AD includes Active Directory Federation Services (AD FS) as an option to support SSO. Azure AD also offers reporting, security analytics, and multi-factor authentication services. It's perfectly suited for any company that uses the Microsoft Azure cloud platform, no matter its size.

Okta Identity Cloud

Okta is well-established in the world of SSO solutions. They are open-source SSO leaders because of their flexibility and ease of use. Okta offers customizable open identity management in real time according to business needs, as well as two-factor authentication and a password reset functionality. Okta can serve the needs of multiple industries, from education and nonprofits to financial services and the government.

OneLogin Unified Access Management Platform

OneLogin is an open-source SSO provider that is often used for employee access to the company's cloud-based applications. OneLogin is suited for a variety of IT administrator needs since it is designed to enforce IT policy in real time. It can also be updated according to specific needs if any changes occur, such as an employee leaving.

Idaptive Application Services

Idaptive is primarily suited for small to medium-sized businesses. Idaptive is capable of providing support to many users at once, thanks to their new cloud architecture. The company also offers adaptive MFA, enterprise mobility management (EMM), and user behavior analytics (UBA) all in a single solution.

Ping Intelligent Identity Platform

Ping offers services to large enterprises. The solution can serve anywhere between a few hundred to a few million users. Ping provides both on-premises and cloud options for deploying their solution. Additionally, the service comes with multi-factor authentication.

Benjamin Scott
Verified author
Ben is our tech geek. He analyses difficult topics and brings them to the reader in a nice and simple language. In his free time, he loves to compete, so he likes to participate in various marathons and triathlons.
Subscribe to NordPass news