"use strict"; const {Fragment: _Fragment, jsx: _jsx, jsxs: _jsxs} = arguments[0]; const {useMDXComponents: _provideComponents} = arguments[0]; const headings = [{ "data": { "id": "what-is-enterprise-sso", "hProperties": { "id": "what-is-enterprise-sso" } }, "depth": 2, "value": "What is Enterprise SSO?" }, { "data": { "id": "how-does-enterprise-sso-work", "hProperties": { "id": "how-does-enterprise-sso-work" } }, "depth": 2, "value": "How does enterprise SSO work?" }, { "data": { "id": "why-does-enterprise-sso-matter", "hProperties": { "id": "why-does-enterprise-sso-matter" } }, "depth": 2, "value": "Why does enterprise SSO matter?" }, { "data": { "id": "enterprise-sso-in-workforce-iam", "hProperties": { "id": "enterprise-sso-in-workforce-iam" } }, "depth": 3, "value": "Enterprise SSO in Workforce IAM" }, { "data": { "id": "centralized-management", "hProperties": { "id": "centralized-management" } }, "depth": 4, "value": "Centralized management" }, { "data": { "id": "access-control", "hProperties": { "id": "access-control" } }, "depth": 4, "value": "Access control" }, { "data": { "id": "enhanced-security", "hProperties": { "id": "enhanced-security" } }, "depth": 4, "value": "Enhanced security" }, { "data": { "id": "enterprise-sso-in-customer-iam", "hProperties": { "id": "enterprise-sso-in-customer-iam" } }, "depth": 3, "value": "Enterprise SSO in Customer IAM" }, { "data": { "id": "be-enterprise-ready", "hProperties": { "id": "be-enterprise-ready" } }, "depth": 4, "value": "Be enterprise-ready" }, { "data": { "id": "closing-notes", "hProperties": { "id": "closing-notes" } }, "depth": 2, "value": "Closing notes" }]; const readingTime = { "minutes": 4, "words": 1246, "text": "4 min read" }; const frontmatter = undefined; function _createMdxContent(props) { const _components = { a: "a", code: "code", em: "em", h2: "h2", h3: "h3", h4: "h4", li: "li", ol: "ol", p: "p", pre: "pre", span: "span", ul: "ul", ..._provideComponents(), ...props.components }, {LogtoCloudButton} = _components; if (!LogtoCloudButton) _missingMdxReference("LogtoCloudButton", true); return _jsxs(_Fragment, { children: [_jsxs(_components.h2, { id: "what-is-enterprise-sso", children: ["What is Enterprise SSO?", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#what-is-enterprise-sso", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsx(_components.p, { children: "Before diving into the definition, it's important to clarify the difference between SSO and Enterprise SSO, as this can often cause confusion." }), "\n", _jsxs(_components.ul, { children: ["\n", _jsx(_components.li, { children: "SSO (Single Sign-On) is a general term that refers to a user's ability to log in once and access multiple applications or resources without needing to log in again." }), "\n", _jsx(_components.li, { children: "Enterprise SSO is a specific type of SSO designed for employees within an organization." }), "\n"] }), "\n", _jsx(_components.p, { children: "Still unsure? Let’s look at an example:" }), "\n", _jsxs(_components.p, { children: ["An online shopping website called ", _jsx(_components.em, { children: "Amazed" }), " has two web applications: one for customers and one for shop owners. Customers sign in to the shopping app to buy products, while shop owners sign in to the shop owner app to manage their stores. Both apps use the same identity provider for authentication. As a result, users only need to sign in once to access both apps, providing a Single Sign-On experience."] }), "\n", _jsx(_components.pre, { children: _jsx(_components.code, { className: "language-mermaid", children: "graph LR\n U[User] -->|Sign in| A1[Shopping app]\n U -->|Sign in| A2[Shop owner app]\n A1 <--> A3[Identity provider]\n A2 <--> A3\n" }) }), "\n", _jsxs(_components.p, { children: ["Internally, ", _jsx(_components.em, { children: "Amazed" }), " uses multiple applications for team communication, project management, and customer support. To streamline daily workflows, ", _jsx(_components.em, { children: "Amazed" }), " implements Enterprise SSO for its employees. With Enterprise SSO, employees can access all internal applications with a single login."] }), "\n", _jsx(_components.pre, { children: _jsx(_components.code, { className: "language-mermaid", children: "graph LR\n E[Employee] -->|Sign in| A4[Communication app]\n E -->|Sign in| A5[Project management app]\n E -->|Sign in| A6[Customer support app]\n A4 <--> A7[Identity provider]\n A5 <--> A7\n A6 <--> A7\n" }) }), "\n", _jsx(_components.p, { children: "Typically, Enterprise SSO solutions also provide a centralized dashboard for employees to access all applications with one click. This dashboard is often called the SSO dashboard." }), "\n", _jsx(_components.pre, { children: _jsx(_components.code, { className: "language-mermaid", children: "graph LR\n Employee -->|Sign in| A8[Identity provider]\n A8 <--> A4[Communication app]\n A8 <--> A5[Project management app]\n A8 <--> A6[Customer support app]\n" }) }), "\n", _jsx(_components.p, { children: "In short, both scenarios are examples of Single Sign-On. The difference is that the first example is a generic SSO, while the second is Enterprise SSO. These are typical use cases for Customer IAM (Identity and Access Management) and Workforce IAM, respectively." }), "\n", _jsxs(_components.h2, { id: "how-does-enterprise-sso-work", children: ["How does enterprise SSO work?", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#how-does-enterprise-sso-work", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsx(_components.p, { children: "Enterprise SSO works by connecting multiple applications to a centralized identity provider. The connection can be one-way (from the application to the identity provider) or two-way (between the application and the identity provider). Various standards and protocols, such as SAML, OpenID Connect, and OAuth 2.0, are used for these connections." }), "\n", _jsx(_components.p, { children: "Regardless of the protocol, the basic workflow is usually similar:" }), "\n", _jsxs(_components.ol, { children: ["\n", _jsx(_components.li, { children: "The user accesses an application (e.g., communication app) that requires authentication." }), "\n", _jsx(_components.li, { children: "The application redirects the user to the identity provider for authentication." }), "\n", _jsx(_components.li, { children: "The user logs in to the identity provider." }), "\n", _jsx(_components.li, { children: "The identity provider sends an authentication response back to the application." }), "\n", _jsx(_components.li, { children: "The application verifies the response and grants the user access." }), "\n"] }), "\n", _jsx(_components.pre, { children: _jsx(_components.code, { className: "language-mermaid", children: "sequenceDiagram\n participant User\n participant App\n participant IdP as Identity provider\n User->>App: Access app\n App->>IdP: Redirect to IdP\n IdP->>User: Show sign-in page\n User->>IdP: Enter credentials\n IdP->>App: Send response\n App->>App: Verify response\n App->>User: Grant access\n" }) }), "\n", _jsx(_components.p, { children: "When the user accesses another application (e.g., project management app) connected to the same identity provider, they are automatically logged in without needing to enter their credentials again. In this case, step 3 is skipped, and since steps 2, 4, and 5 occur in the background, the user may not even notice the authentication process." }), "\n", _jsx(_components.p, { children: "This process is called Service Provider (SP)-Initiated SSO, where the application (SP) initiates the authentication process." }), "\n", _jsx(_components.p, { children: "In another scenario, the identity provider provides a centralized dashboard for users to access all connected applications. A simplified workflow is:" }), "\n", _jsxs(_components.ol, { children: ["\n", _jsx(_components.li, { children: "The user logs in to the identity provider." }), "\n", _jsx(_components.li, { children: "The identity provider displays a list of applications that the user can access." }), "\n", _jsx(_components.li, { children: "The user clicks on an application (e.g., customer support app) to access it." }), "\n", _jsx(_components.li, { children: "The identity provider redirects the user to the application with authentication information." }), "\n", _jsx(_components.li, { children: "The application verifies the information and grants the user access." }), "\n"] }), "\n", _jsx(_components.pre, { children: _jsx(_components.code, { className: "language-mermaid", children: "sequenceDiagram\n participant User\n participant IdP as Identity provider\n participant App\n User->>IdP: Sign in\n IdP->>User: Show SSO dashboard\n User->>IdP: Click app\n IdP->>App: Redirect to app\n App->>App: Verify info\n App->>User: Grant access\n" }) }), "\n", _jsx(_components.p, { children: "This process is called Identity Provider (IdP)-Initiated SSO, where the identity provider (IdP) initiates the authentication process." }), "\n", _jsxs(_components.h2, { id: "why-does-enterprise-sso-matter", children: ["Why does enterprise SSO matter?", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#why-does-enterprise-sso-matter", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsxs(_components.h3, { id: "enterprise-sso-in-workforce-iam", children: ["Enterprise SSO in Workforce IAM", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#enterprise-sso-in-workforce-iam", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsxs(_components.h4, { id: "centralized-management", children: ["Centralized management", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#centralized-management", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsx(_components.p, { children: "The primary benefit of Enterprise SSO is not only convenience for employees but also enhanced security and compliance for organizations. Instead of managing multiple credentials for different applications and configuring authentication and authorization separately for each one, organizations can centralize the management of user identities, access control policies, and audit logs." }), "\n", _jsx(_components.p, { children: "For example, when an employee leaves the company, the IT department can disable the employee's account in the identity provider, immediately revoking access to all applications. This is crucial for preventing unauthorized access and data breaches, a process known as lifecycle management." }), "\n", _jsxs(_components.h4, { id: "access-control", children: ["Access control", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#access-control", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsx(_components.p, { children: "Enterprise SSO solutions often include access control features, such as role-based access control (RBAC) and attribute-based access control (ABAC). These features allow organizations to define detailed access policies based on user roles, attributes, and other contextual information, ensuring that employees have the right level of access to the right resources." }), "\n", _jsxs(_components.p, { children: ["For a detailed comparison between RBAC and ABAC, check out ", _jsx(_components.a, { href: "https://blog.logto.io/rbac-and-abac", children: "RBAC and ABAC: The access control models you should know" }), "."] }), "\n", _jsxs(_components.h4, { id: "enhanced-security", children: ["Enhanced security", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#enhanced-security", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsx(_components.p, { children: "Another benefit is the ability to enforce strong authentication methods, such as multi-factor authentication (MFA), passwordless authentication, and adaptive authentication, across all applications. These methods help protect sensitive data and comply with industry regulations." }), "\n", _jsxs(_components.p, { children: ["For more information on MFA, refer to ", _jsx(_components.a, { href: "https://blog.logto.io/elaborate-mfa", children: "Exploring MFA: Looking at authentication from a product perspective" }), "."] }), "\n", _jsxs(_components.h3, { id: "enterprise-sso-in-customer-iam", children: ["Enterprise SSO in Customer IAM", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#enterprise-sso-in-customer-iam", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsxs(_components.p, { children: ["The term \"Enterprise SSO\" also appears in Customer IAM solutions. What does it mean in this context? Let’s revisit the ", _jsx(_components.em, { children: "Amazed" }), " example: Some shop owners are incorporated as businesses. One shop owner, ", _jsx(_components.em, { children: "Banana Inc." }), ", implements Enterprise SSO for its employees. As part of the agreement, ", _jsx(_components.em, { children: "Banana Inc." }), " requires ", _jsx(_components.em, { children: "Amazed" }), " to enforce Enterprise SSO for all email addresses from ", _jsx(_components.em, { children: "Banana Inc." }), " (e.g., ", _jsx(_components.code, { children: "*@banana.com" }), ") when accessing the shop owner app."] }), "\n", _jsx(_components.pre, { children: _jsx(_components.code, { className: "language-mermaid", children: "graph TD\n subgraph Amazed\n A9 <--> A3[Identity provider]\n end\n subgraph Banana Inc.\n B[Employee] -->|Sign in| A9[Shop owner app]\n A3 <--> A11[Identity provider]\n end\n" }) }), "\n", _jsxs(_components.p, { children: ["In this case, ", _jsx(_components.em, { children: "Amazed" }), " needs to integrate its identity provider with ", _jsx(_components.em, { children: "Banana Inc." }), "'s identity provider to enable Enterprise SSO for ", _jsx(_components.em, { children: "Banana Inc." }), " employees. This integration, often done through standard protocols like SAML, OpenID Connect, or OAuth, is commonly referred to as Enterprise SSO connection, Enterprise SSO connector, or SSO federation."] }), "\n", _jsx(_components.p, { children: "For an in-depth explanation of Customer IAM, check out our CIAM series:" }), "\n", _jsxs(_components.ul, { children: ["\n", _jsx(_components.li, { children: _jsx(_components.a, { href: "https://blog.logto.io/ciam-101-intro-authn-sso", children: "CIAM 101: Authentication, Identity, SSO" }) }), "\n", _jsx(_components.li, { children: _jsx(_components.a, { href: "https://blog.logto.io/ciam-102-authz-and-rbac", children: "CIAM 102: Authorization & Role-Based Access Control" }) }), "\n"] }), "\n", _jsxs(_components.h4, { id: "be-enterprise-ready", children: ["Be enterprise-ready", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#be-enterprise-ready", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsxs(_components.p, { children: ["In B2B (business-to-business) scenarios, Enterprise SSO is a must-have feature for SaaS providers like ", _jsx(_components.em, { children: "Amazed" }), " to support their enterprise customers. It’s not just about convenience; it’s about security and compliance for both parties. Enterprise SSO can enforce all identities managed by the enterprise customer to authenticate through the enterprise identity provider, ensuring that the enterprise maintains control over its users, data, access and security policies."] }), "\n", _jsxs(_components.p, { children: ["Enterprise SSO is a key factor in achieving ", _jsx(_components.em, { children: "enterprise readiness" }), ", meaning the ability to meet the needs of enterprise customers. However, identity and access management, especially in the context of enterprise customers, is complex and requires significant investment in time, resources, and expertise. Modern SaaS providers often choose IAM platforms to handle these complexities."] }), "\n", _jsxs(_components.h2, { id: "closing-notes", children: ["Closing notes", _jsx(_components.a, { "aria-hidden": "true", tabIndex: "-1", href: "#closing-notes", children: _jsx(_components.span, { children: "#" }) })] }), "\n", _jsxs(_components.p, { children: ["Enterprise SSO is powerful. It benefits everyone involved: employees, organizations, and customers. The IT department enjoys reduced workloads, employees avoid password fatigue with passwordless authentication, and customers appreciate the enhanced user experience. If you are building or planning to support enterprise customers with a SaaS product, consider ", _jsx(_components.a, { href: "https://logto.io", children: "Logto" }), " for an out-of-the-box, developer-friendly solution."] }), "\n", _jsx(LogtoCloudButton, {})] }); } function MDXContent(props = {}) { const {wrapper: MDXLayout} = { ..._provideComponents(), ...props.components }; return MDXLayout ? _jsx(MDXLayout, { ...props, children: _jsx(_createMdxContent, { ...props }) }) : _createMdxContent(props); } return { headings, readingTime, frontmatter, default: MDXContent }; function _missingMdxReference(id, component) { throw new Error("Expected " + (component ? "component" : "object") + " `" + id + "` to be defined: you likely forgot to import, pass, or provide it."); }