Updated: 01 March 2024
Contributors: Mark Scapicchio, Amber Forrest
Single sign-on, or SSO, is an authentication scheme that lets users log in once using a single set of credentials, and access multiple applications during the same session.
Single sign-on simplifies user authentication, improves the user experience and, when properly implemented, improves security. It is often used to manage authentication and secure access to company intranets or extranets, student portals, public cloud services, and other environments where users need to move between different applications to get their work done. It is also used increasingly in customer-facing web sites and apps, such as banking and e-commerce sites, to combine applications from third-party providers into seamless, uninterrupted user experiences.
Single sign-on is based on a digital trust relationship between service providers (applications, web sites, services) and an identity provider (IdP), the SSO solution. That trust is established out of band, typically by exchanging metadata and the IdP's signing certificate before any user logs in. The SSO solution is often part of a larger identity and access management (IAM) solution.
In general, SSO authentication works as follows:
A user logs into one of the service providers, or into a central portal (such as a company intranet or college student portal), using SSO login credentials.
When the user is successfully authenticated, the SSO solution establishes a session for the user (usually a cookie in the user's web browser, backed by session state in the SSO system) and generates an authentication token, or assertion, containing specific information about the user's identity, such as a username and email address.
When the user attempts to access another trusted service provider, that application redirects the user to the SSO system, which checks whether the user already has an authenticated session. If so, the IdP issues a token for that application, signed with the IdP's private key; the application verifies the signature against the IdP's certificate, checks that the token was issued for it and has not expired, and grants access. If not, the user is prompted to re-enter login credentials.
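The exchange described above, as an added example that is not part of the original article: the identity provider mints a signed token carrying identity claims for one service provider, and the service provider checks the signature, issuer, audience and lifetime before trusting it. To keep the example self-contained with the standard library, the IdP and SP share one HMAC key (HS256); in a real federation the IdP signs with its private key and the SP verifies with the IdP's certificate. The key, user, and URLs are constructed for illustration.

```python
"""SSO token issue-and-verify round trip (added example, not from the page).

Assumption: IdP and SP share one HMAC key so this runs with the stdlib only;
real federations use the IdP's private key and certificate. All names, URLs
and the key below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

SSO_KEY = b"constructed-shared-key-do-not-reuse"   # constructed
IDP = "https://sso.example.test"                  # assumed issuer
PAYROLL = "https://payroll.example.test"          # assumed service provider
WIKI = "https://wiki.example.test"                # a second, unrelated SP


class TokenError(Exception):
    """Raised by the SP when a token must not be trusted."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, email: str, audience: str,
                now: int, ttl: int = 300) -> str:
    """IdP side: build a JWT (HS256) carrying the user's identity for ONE SP."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP, "sub": subject, "email": email, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(key: bytes, token: str, my_audience: str, now: int,
                 skew: int = 60) -> dict:
    """SP side: signature first, then issuer, audience and lifetime checks."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != IDP:
        raise TokenError("wrong issuer")
    if claims.get("aud") != my_audience:      # a token minted for another SP is not ours
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0) + skew:
        raise TokenError("expired")
    if claims.get("iat", now) > now + skew:
        raise TokenError("issued in the future")
    return claims


def _rejected(token: str, audience: str, now: int) -> str:
    try:
        verify_token(SSO_KEY, token, audience, now)
    except TokenError as e:
        return str(e)
    return "ACCEPTED"


def run_checks() -> dict:
    """Happy path plus the three rejections an SP must get right."""
    now = 1_709_280_000                        # fixed clock: deterministic run
    token = issue_token(SSO_KEY, "u123", "alice@example.test", PAYROLL, now)
    results = {"subject": verify_token(SSO_KEY, token, PAYROLL, now)["sub"]}

    head, claims, sig = token.split(".")       # attacker edits the claims, keeps the signature
    forged_claims = json.loads(b64url_decode(claims))
    forged_claims["sub"] = "admin"
    forged = head + "." + b64url(json.dumps(forged_claims).encode()) + "." + sig
    results["tampered"] = _rejected(forged, PAYROLL, now)
    results["wrong_audience"] = _rejected(token, WIKI, now)   # replayed at another SP
    results["expired"] = _rejected(token, PAYROLL, now + 600)
    return results


if __name__ == "__main__":
    print(run_checks())
```

The audience check is the one most often skipped in home-grown SSO: without it, a token the IdP issued for a low-value wiki is accepted by payroll.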
The SSO process described above (a single login and set of user credentials providing session access to multiple related applications) is sometimes called simple SSO or pure SSO. Other types of SSO include:
Adaptive SSO requires an initial set of login credentials but prompts for additional authentication factors, or a fresh login, when risk signals appear, such as a login from a new device or an attempt to access particularly sensitive data or functionality.
Federated identity management, or FIM, is a superset of SSO. While SSO is based on a digital trust relationship among applications within a single organization's domain, FIM extends that relationship to trusted third parties, vendors, and other service providers outside the organization. For example, FIM might enable a logged-in employee to access third-party web applications (e.g., Slack or WebEx) without an additional log-in, or with a simple username-only log-in.
Social login enables end users to authenticate with applications using the same credentials they use with popular social media sites. For third-party application providers, social login can reduce friction that leads to undesirable outcomes (e.g., failed logins, shopping cart abandonment) and can provide valuable information for improving their apps.
SSO may be implemented using any of several authentication protocols and services.
Security Assertion Markup Language (SAML) is one of the longest-standing open standards for exchanging authentication and authorization data between an identity provider and multiple service providers. The data travels as XML assertions that are digitally signed and may additionally be encrypted. Because it gives administrators fine-grained control over what is asserted and how it is protected, SAML is typically used to implement SSO within and between enterprise or government application domains.
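As an added example (not code from the article), the checks a service provider applies to a SAML 2.0 assertion after the XML signature has been verified: issuer, validity window with clock skew, audience restriction, and extraction of the subject and multi-valued attributes. The assertion below is constructed for illustration, with made-up entity IDs; the signature element is omitted because signature verification belongs to a SAML library, and untrusted XML should be parsed with defusedxml rather than the stdlib parser used here for portability.

```python
"""Service-provider checks on a SAML 2.0 assertion (added example, not from the page).

Signature verification and replay detection (caching the assertion ID for its
validity window) are out of scope here and must be done in production. The
assertion and all names are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_9f1c" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T10:00:00Z" NotOnOrAfter="2024-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://payroll.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>payroll-admins</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""   # constructed sample; real assertions carry a ds:Signature


class SamlError(Exception):
    """Raised when the assertion must not be accepted."""


def parse_saml_time(text: str) -> datetime:
    """SAML timestamps are UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise SamlError(f"bad timestamp {text!r}")


def check_assertion(xml_text: str, expected_issuer: str, my_entity_id: str,
                    now: datetime, skew: timedelta = timedelta(seconds=60)) -> dict:
    """Accept the assertion only if it is for us, from our IdP, and in its window."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion" or root.get("Version") != "2.0":
        raise SamlError("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("no Conditions element")
    if now + skew < parse_saml_time(cond.get("NotBefore")):
        raise SamlError("assertion not yet valid")
    if now - skew >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise SamlError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:                 # issued for some other SP
        raise SamlError("assertion not addressed to this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlError("no NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"id": root.get("ID"), "name_id": name_id, "attributes": attrs}


def run_checks() -> dict:
    idp, payroll = "https://idp.example.test", "https://payroll.example.test"
    t0 = datetime(2024, 3, 1, 10, 2, tzinfo=timezone.utc)   # inside the window
    ok = check_assertion(SAMPLE_ASSERTION, idp, payroll, t0)
    results = {"name_id": ok["name_id"], "groups": ok["attributes"]["groups"]}
    for label, sp, when in (("expired", payroll, t0 + timedelta(minutes=5)),
                            ("wrong_sp", "https://wiki.example.test", t0)):
        try:
            check_assertion(SAMPLE_ASSERTION, idp, sp, when)
            results[label] = "ACCEPTED"
        except SamlError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    print(run_checks())
```

The skew parameter matters in practice: IdP and SP clocks drift, and a five-minute assertion window with no tolerance produces intermittent login failures that teams are tempted to fix by dropping the time checks altogether.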
Open Authorization (OAuth 2.0) is an open standard protocol for delegated authorization: it lets one application obtain scoped access to a user's data in another application without the user handing over their password. OAuth on its own does not authenticate the user, but it removes the separate logins such integrations would otherwise require. For example, OAuth makes it possible for LinkedIn, with your consent, to search your email contacts for potential new network members.
Another open standard, OpenID Connect (OIDC), is an identity layer built on top of OAuth 2.0. It uses REST APIs and a signed JSON Web Token, the ID token, to let a web site or application grant users access by authenticating them through another provider.
OIDC is used primarily to implement social logins to third-party applications, shopping carts, and more. Because it is a lighter-weight implementation, OAuth/OIDC is often preferred to SAML for implementing SSO across software-as-a-service (SaaS) and cloud applications, mobile apps, and Internet of Things (IoT) devices.
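The relying-party side of the OIDC authorization code flow, as an added example that is not from the article: generating the PKCE verifier and challenge (RFC 7636), binding the callback to the browser session with state, and binding the ID token to the request with nonce. The endpoint, client_id and redirect URI are assumptions, the IdP's token endpoint is simulated by one function, and the ID token arrives as already signature-verified claims, since signature checking is a separate step.

```python
"""OIDC authorization-code flow, relying-party side (added example, not from the page).

Three bindings make the flow safe: PKCE ties the code to the client that
started the flow, `state` ties the callback to the browser session, and
`nonce` ties the ID token to that same request. Endpoints, client_id and the
simulated IdP are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://idp.example.test/authorize"   # assumed
CLIENT_ID = "payroll-web"                                # assumed
REDIRECT_URI = "https://payroll.example.test/callback"  # assumed


class OidcError(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """PKCE: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(session: dict) -> str:
    """Keep verifier, state and nonce server-side; only the challenge leaves."""
    session["code_verifier"] = b64url(secrets.token_bytes(32))   # 43 chars of entropy
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email", "state": session["state"], "nonce": session["nonce"],
        "code_challenge": code_challenge_s256(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Reject a callback not tied to this session (login CSRF), then return the code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session.get("state"):
        raise OidcError("state mismatch: callback not initiated by this session")
    if "error" in q:
        raise OidcError(f"authorization failed: {q['error'][0]}")
    if "code" not in q:
        raise OidcError("no code in callback")
    return q["code"][0]


def accept_id_token(session: dict, claims: dict) -> dict:
    """Bind the (already signature-verified) ID token to the request that asked for it."""
    if claims.get("nonce") != session.pop("nonce", None):   # nonce is single-use
        raise OidcError("nonce mismatch: ID token not issued for this login")
    if claims.get("aud") != CLIENT_ID:
        raise OidcError("ID token minted for another client")
    return claims


def idp_token_endpoint(stored_challenge: str, presented_verifier: str) -> bool:
    """Simulated IdP (assumption): redeem the code only if the verifier matches."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def run_checks() -> dict:
    rfc_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"   # RFC 7636 Appendix B
    results = {"rfc_challenge": code_challenge_s256(rfc_verifier)}

    session = {}
    sent = parse_qs(urlparse(start_login(session)).query)
    # The IdP stores the challenge with the code; only the real client holds the verifier.
    results["pkce_ok"] = idp_token_endpoint(sent["code_challenge"][0], session["code_verifier"])
    results["pkce_stolen_code"] = idp_token_endpoint(sent["code_challenge"][0],
                                                     b64url(secrets.token_bytes(32)))

    good_cb = REDIRECT_URI + "?" + urlencode({"code": "AUTHCODE1", "state": session["state"]})
    results["code"] = handle_callback(session, good_cb)
    bad_cb = REDIRECT_URI + "?" + urlencode({"code": "ATTACKERCODE", "state": "forged"})
    try:
        handle_callback(session, bad_cb)
        results["login_csrf"] = "ACCEPTED"
    except OidcError as e:
        results["login_csrf"] = str(e).split(":")[0]

    nonce = session["nonce"]
    token_claims = {"sub": "u123", "aud": CLIENT_ID, "nonce": nonce}   # constructed claims
    results["sub"] = accept_id_token(session, token_claims)["sub"]
    try:
        accept_id_token(session, token_claims)                          # second use = replay
        results["replay"] = "ACCEPTED"
    except OidcError as e:
        results["replay"] = str(e).split(":")[0]
    return results


if __name__ == "__main__":
    print(run_checks())
```

The constructed ID-token claims stand in for a verified JWT payload; a real relying party also checks the token's iss and exp, and never accepts a code from a callback whose state it did not issue.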
Lightweight Directory Access Protocol (LDAP) defines how clients query and update a directory of user accounts and credentials, and how a user is authenticated by binding to that directory. Introduced in 1993, LDAP is still the authentication directory of choice for many organizations implementing SSO, because it gives them granular control over access to the directory. In a typical deployment the SSO solution verifies the user's password against LDAP and then issues SAML or OIDC tokens to the applications.
Active Directory Federation Services (ADFS) runs on Microsoft Windows Server to provide federated identity management, including single sign-on, for on-premises and off-premises applications and services. ADFS uses Active Directory Domain Services (AD DS) as its identity store and issues SAML and OAuth/OIDC tokens to relying applications.
SSO saves users time and trouble. Instead of logging into multiple applications several times a day, corporate end users can log into the corporate intranet once and have all-day access to every application they need.
But by significantly reducing the number of passwords users need to remember, and the number of user accounts administrators need to manage, SSO provides a number of other benefits.
Users with lots of passwords to manage often lapse into the bad and risky habit of using the same short, weak passwords—or slight variations thereof—for every application. A hacker who cracks one of these passwords can easily gain access to multiple applications. SSO lets users consolidate multiple short weak passwords into one single, long, strong password that’s easier for users to remember and much more difficult for hackers to break.
According to the IBM X-Force Threat Intelligence Index 2024, 2023 saw a 71% year-over-year increase in cyberattacks that used stolen or compromised credentials. SSO can reduce or eliminate the need for password managers and for riskier memory aids such as passwords stored in spreadsheets or written on sticky notes, which are easy for the wrong people to steal or stumble upon.
According to industry analyst Gartner, 20 to 50 percent of IT help desk calls are related to forgotten passwords or password resets. Most SSO solutions make it easy for users to reset passwords themselves, without help desk assistance.
SSO gives administrators simpler, more centralized control over account provisioning and access permissions. When a user leaves the organization, administrators can remove permissions and decommission the user account in fewer steps.
SSO can make it easier to meet regulatory requirements around protection of personally identifiable information (PII) and data access control, as well as specific requirements in some regulations, such as HIPAA, around session time-outs.
The chief risk of SSO is that a compromised set of credentials, or a hijacked SSO session, can grant an attacker access to all or most of the applications and resources on the network. Requiring long and complex passwords, and storing them only as salted, slow password hashes rather than in any recoverable form, goes a long way toward preventing this worst-case scenario, as do short token lifetimes and the ability to revoke an SSO session centrally.
In addition, most security experts recommend two-factor authentication (2FA) or multi-factor authentication (MFA) as part of any SSO implementation. 2FA or MFA requires users to provide at least one authentication factor in addition to a password, such as a code generated on a mobile phone, a fingerprint, or a hardware security key. Because these factors are far harder to steal or spoof than a password, MFA can dramatically reduce risks related to compromised credentials in SSO. One caveat: one-time codes sent by SMS or typed from an authenticator app can still be phished in real time, so phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the authentication to the legitimate site, are the stronger choice for protecting an SSO login.