The art of single sign-on

Single sign-on (SSO) is a method of authentication that allows a user to access multiple applications or services with a single set of login credentials. This article will explain what SSO is, how it works, and why it's important for businesses.
Simeng, Developer
November 30, 2023 · 8 min read

In our fast-paced tech era, we're surrounded by countless daily applications. Managing various identities across platforms is a common struggle. Whether at work or in personal accounts, the burden of countless usernames and passwords can be overwhelming. That brings us to single sign-on (SSO), the solution that simplifies our digital experience.

What is single sign-on?

At its core, SSO is a method of authentication that allows a user to access multiple applications or services with a single set of login credentials. Instead of remembering and entering different usernames and passwords for each application, SSO enables users to log in once and gain access to all connected systems seamlessly.

Imagine a world where you no longer need to juggle a myriad of login details for your email, project management tool, and collaboration platforms. That's the promise of SSO.

How does single sign-on work?

SSO works by establishing a trust relationship between a central identity provider (IdP) and various service providers (SPs). The IdP serves as the authoritative source for user authentication, verifying the user's identity through a single login process. Once authenticated, the IdP generates tokens or credentials that grant the user access to connected SPs without requiring additional logins.

Let's take a closer look at two different SSO models.

A centralized identity and access management (IAM) system

In this model, SSO operates like a master key within a centralized IAM system, a digital hub. The IdP is the master key that grants access to all connected products. The IdP is responsible for authenticating users and providing them with access to the appropriate resources. Users, upon authenticating once, gain universal access to every connected resource without the need for subsequent logins.

For example, suppose a SaaS company, Alpha, uses a centralized IAM system like Logto. The company has developed multiple products:

  • A: An internal management service
  • B: A client product service
  • C: A web application for admins
  • D: A native application for clients

[Diagram: the IAM system, holding the user identity and the auth service, with service A, service B, web application C and native application D connected to it and an actor accessing them.]

Each product acts as an SP and the centralized IAM system acts as the IdP. The user identity is stored in the IdP, and the user can access all the products with a single sign-on.

This is a typical working day for an employee using SSO at Alpha:

[Sequence diagram: participants User, web application C, service A, native application D, service B, auth service and user identity DB; two parallel flows, the admin management flow and the product flow, whose ten steps are listed below.]

  1. User initiates access to admin management functionalities in web application C.
  2. Web application C redirects the user to the authentication service for user authentication.
  3. The authentication service verifies user credentials by interfacing with the user identity database.
  4. User identity database returns user identity information to the authentication service.
  5. Authentication service completes the authentication process and returns the result back to web application C.
  6. Authenticated user context enables web application C to send an authorized request to service A on behalf of the user for administrative functionalities.
  7. User, after making changes, requests access to native application D to verify the modifications.
  8. Native application D seeks authentication from the authentication service.
  9. Authentication service auto-consents to the authentication request for native application D.
  10. Native application D, authenticated, sends an authorized request to service B on behalf of the user.

Bridging identities across different systems: SPs and IdPs

In a more intricate scenario, various services and applications maintain their own distinct identity systems. Here, SSO acts as the mediator between SP and IdP. Users, upon authenticating with the IdP, are granted access to the SP without the need for additional new identities.

Now, let's zoom out to a broader context. Imagine a global retail company, Bravo, with an extensive workforce. The company has recently entered into a partnership with your company, Alpha. For Bravo employees to access Alpha's products, a smooth authentication process is essential.

[Diagram: on the IdP side, the Bravo IAM system holding the Bravo user identity; on the SP side, the Alpha IAM system holding the Alpha user identity, with the Alpha product service and Alpha client application behind it; a Bravo employee accesses Alpha through both systems.]

Here's how it works: Bravo is equipped with its own IAM system (the IdP), and a Bravo employee seeks access to Alpha's products, which are managed by Alpha's IAM system (the SP).

[Sequence diagram: participants Bravo employee, Alpha client application, Alpha product service, Alpha IAM system, Alpha user identity, Bravo IAM system and Bravo user identity; the ten steps of the flow are listed below.]

  1. Bravo employee initiates access to Alpha's client application B.
  2. Alpha's client application B redirects the user to Alpha's IAM system for user authentication.
  3. The Bravo employee requests SSO authentication using their Bravo user identity. Alpha's IAM system redirects the user to Bravo's IAM system for user authentication.
  4. Bravo's IAM system verifies user credentials by interfacing with the user identity database.
  5. Bravo's user identity database returns user identity information to Bravo's IAM system.
  6. Bravo's IAM system redirects the user to Alpha's IAM system with authenticated Bravo user identity context.
  7. Alpha's IAM system creates or verifies the Bravo user's identity by interfacing with its own user identity database.
  8. Alpha's user identity database returns user identity information to Alpha's IAM system.
  9. Alpha's IAM system completes the authentication process and returns the result back to Alpha's client application B.
  10. Authenticated user context enables Alpha's client application B to send an authorized request to Alpha's product service A on behalf of the user.

Instead of creating an isolated new identity for each Bravo employee, Alpha's IAM system delegates the authentication process to Bravo's IAM system. Once Bravo's IAM system verifies the employee, Alpha's IAM system establishes trust, granting Bravo employees smooth access to Alpha's products.
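The two flows above share one mechanism: an IdP that authenticates the user once and signs an assertion, and SPs that accept the assertion only because they registered that IdP's key. The Go program below is an added example written for this article, not Logto's code or any real SSO library. It stands in for SAML or OIDC with a deliberately minimal model, all of which is assumed: Ed25519-signed JSON assertions with iss/sub/aud/exp fields, the names alpha-iam, bravo-iam, web-app-C, native-app-D and client-app-B, and constructed sample users. It covers the centralized flow (one login, then a fresh assertion per application without another password prompt) and the federated flow (Alpha verifying Bravo's assertion and creating or looking up a linked local identity before issuing its own). The checks in Verify are the ones a practitioner wants to see on the SP side: trusted issuer, valid signature, correct audience and expiry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is what an IdP hands to a service provider after one interactive
// login. Field names are this example's shorthand, not SAML or OIDC syntax.
type Assertion struct {
	Issuer   string `json:"iss"` // the IdP vouching for the user
	Subject  string `json:"sub"` // the user, as the issuer knows them
	Audience string `json:"aud"` // the single SP this assertion is meant for
	Expires  int64  `json:"exp"` // unix seconds
}

// Token is the JSON assertion plus the issuer's Ed25519 signature over it.
type Token struct{ Payload, Sig []byte }

type TrustStore map[string]ed25519.PublicKey // issuer name -> key the SP registered

// IdP checks credentials against its own identity store and signs assertions.
type IdP struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	users map[string]string // username -> password: constructed sample data only
}

func NewIdP(name string, users map[string]string) *IdP {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on a healthy OS
	return &IdP{Name: name, Pub: pub, priv: priv, users: users}
}

// Login is the single interactive authentication (steps 3 to 5 of the first flow).
func (idp *IdP) Login(user, password, audience string, now time.Time) (Token, error) {
	if pw, ok := idp.users[user]; !ok || pw != password {
		return Token{}, fmt.Errorf("invalid credentials")
	}
	return idp.Issue(user, audience, now), nil
}

// Issue signs an assertion for an already authenticated subject. A second SP
// gets its own assertion this way (step 9, "auto consent"): no password again.
func (idp *IdP) Issue(subject, audience string, now time.Time) Token {
	payload, _ := json.Marshal(Assertion{Issuer: idp.Name, Subject: subject,
		Audience: audience, Expires: now.Add(5 * time.Minute).Unix()})
	return Token{Payload: payload, Sig: ed25519.Sign(idp.priv, payload)}
}

// Verifier is the SP side of the trust relationship: trusted keys plus its own name.
type Verifier struct {
	Audience string
	Trusted  TrustStore
}

// Verify accepts a token only if every check passes; each one closes a distinct hole.
func (v Verifier) Verify(t Token, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(t.Payload, &a); err != nil {
		return a, err
	}
	pub, trusted := v.Trusted[a.Issuer]
	switch {
	case !trusted:
		return a, fmt.Errorf("untrusted issuer %q", a.Issuer)
	case !ed25519.Verify(pub, t.Payload, t.Sig):
		return a, fmt.Errorf("bad signature")
	case a.Audience != v.Audience:
		return a, fmt.Errorf("token for %q presented to %q", a.Audience, v.Audience)
	case now.Unix() >= a.Expires:
		return a, fmt.Errorf("assertion expired")
	}
	return a, nil
}

// FederatedLogin is steps 6 to 9 of the second flow, run by Alpha's IAM: verify Bravo's
// assertion, create or look up the linked Alpha identity, then issue Alpha's own assertion.
func FederatedLogin(alpha *IdP, upstream Verifier, provisioned map[string]string, up Token, audience string, now time.Time) (Token, string, error) {
	a, err := upstream.Verify(up, now)
	if err != nil {
		return Token{}, "", fmt.Errorf("upstream assertion rejected: %w", err)
	}
	key := a.Issuer + "|" + a.Subject // just-in-time provisioning is keyed by issuer and subject
	local, ok := provisioned[key]
	if !ok { // a linked identity is created; the user never gets an Alpha password
		local = "alpha-user-for-" + key
		provisioned[key] = local
	}
	return alpha.Issue(local, audience, now), local, nil
}

func main() {
	alpha := NewIdP("alpha-iam", map[string]string{"alice": "s3cret"}) // constructed sample user
	tok, err := alpha.Login("alice", "s3cret", "web-app-C", time.Now())
	fmt.Println(len(tok.Sig), err) // prints "64 <nil>"
}
```

Two design points carry over to real deployments. The audience check is what stops an assertion issued for web application C from being replayed against native application D; step 9's auto-consent means the IdP issues D its own assertion rather than D accepting C's. And in the federated case the upstream Verifier trusts only Bravo's key and expects the audience alpha-iam, so an assertion from any other issuer, including Alpha's own, is rejected before any local identity is created.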

Imagine the same flow for a Bravo employee happens many times a day. Apart from accessing Alpha's products, Bravo employees also need to access other third-party SaaS products, such as Slack, Zoom, and Notion, which you may have already used. With one single SSO authentication, Bravo employees can access all the products without the need for additional new authentication processes.

This is the true power of SSO in facilitating secure and efficient cross-system authentication, ensuring an effortless experience for users in complex business partnerships.

Benefits of single sign-on

Based on the above scenarios, we can see that SSO offers a wide range of benefits for both users and businesses.

  1. Saves time and boosts productivity

    With SSO, users can log in once and navigate between applications, eliminating the need for repetitive logins. This not only saves time but also enhances overall productivity by reducing authentication barriers.

  2. Enhances security

    By centralizing authentication through a robust identity provider, SSO can enhance security by adding extra layers of protection. Users can benefit from stronger authentication protocols, such as multi-factor authentication (MFA), provided by the IdP.

  3. Globalized user management

    For organizations, SSO simplifies user management by centralizing user access control. Administrators can efficiently add or revoke access across multiple platforms and third-party products through the central identity provider.

Conclusion

As the digital landscape continues to expand, SSO is becoming increasingly important for businesses to optimize user access and enhance security. With SSO, users can enjoy a seamless experience across multiple applications, while businesses can benefit from centralized user management and enhanced security. If you pay attention, you'll notice that SSO is everywhere. From social media platforms to enterprise applications, SSO is the key to a smooth and secure user experience. It links the digital world together.