Traditional Authentication, medium complexity

Single Sign-On (SSO)

An authentication pattern that lets users log in once and access multiple applications without re-authenticating, implemented via protocols like OIDC or SAML.

Single Sign-On is an authentication architecture where a centralized identity provider (IdP) manages user sessions across multiple service providers (SPs). When a user authenticates with the IdP, a session is established. When they navigate to another application, that application redirects to the IdP, discovers the existing session, and receives an authentication assertion without the user entering credentials again. SSO is not a protocol itself -- it's a pattern implemented using OIDC, SAML, or proprietary mechanisms. Key benefits include reduced credential fatigue, centralized access control, and simplified offboarding. Key risks include single point of failure and blast radius if the IdP is compromised.

Security Model

SSO centralizes the authentication trust anchor at the IdP, making the IdP a high-value target. Security depends on IdP hardening (MFA, anomaly detection, rate limiting), secure session management (HttpOnly/Secure cookies, session binding), proper assertion validation at each SP, and short session lifetimes. The blast radius of IdP compromise is all connected applications.
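The redirect flow described above and the per-SP assertion validation the security model calls for, as an added example (this is not code from the page or from any of the platforms named below): one IdP and two SPs in Python. Assumptions: assertions are HS256-signed JWTs with a per-SP shared key (a stand-in for the RS256/ES256 signatures a real OIDC IdP uses), the issuer https://idp.example, the SP ids "crm" and "wiki", the user alice and her password are all constructed, and the clock is passed in explicitly so that session lifetimes can be observed offline.

```python
import base64, hashlib, hmac, json, secrets

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    # Central trust anchor: one session per user, one signed assertion per SP visit.
    def __init__(self, issuer, session_ttl=8 * 3600):
        self.issuer, self.session_ttl = issuer, session_ttl
        self.users, self.sessions, self.sp_keys = {}, {}, {}
    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": _pw_hash(password, salt), "enabled": True}
    def register_sp(self, client_id):
        # Assumption: each SP shares an HS256 key with the IdP; real IdPs sign with RS256/ES256.
        self.sp_keys[client_id] = secrets.token_bytes(32)
        return self.sp_keys[client_id]
    def login(self, username, password, now):
        # The only interactive credential check in the whole flow.
        user = self.users.get(username)
        if not user or not user["enabled"] or not hmac.compare_digest(_pw_hash(password, user["salt"]), user["hash"]):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"sub": username, "expires": now + self.session_ttl}
        return cookie
    def authorize(self, idp_cookie, client_id, nonce, now):
        # The SP's redirect lands here: a live session on an enabled account yields a short-lived
        # assertion bound to that SP (aud) and that request (nonce), with no credential prompt.
        session = self.sessions.get(idp_cookie)
        if not session or session["expires"] <= now or not self.users[session["sub"]]["enabled"]:
            return None
        claims = {"iss": self.issuer, "sub": session["sub"], "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.sp_keys[client_id], f"{head}.{body}".encode(), hashlib.sha256).digest()
        return f"{head}.{body}.{_b64url(sig)}"
    def disable_user(self, username):
        # Offboarding: block new assertions and drop the user's IdP sessions.
        self.users[username]["enabled"] = False
        self.sessions = {c: s for c, s in self.sessions.items() if s["sub"] != username}

class ServiceProvider:
    # A connected application; after validating an assertion it keeps its own session.
    def __init__(self, client_id, issuer, key, session_ttl=900):
        self.client_id, self.issuer, self.key, self.session_ttl = client_id, issuer, key, session_ttl
        self.sessions, self.pending_nonces = {}, set()
    def start_login(self):
        nonce = secrets.token_urlsafe(16)  # ties the returned assertion to this redirect
        self.pending_nonces.add(nonce)
        return nonce
    def validate(self, assertion, now):
        # Every SP checks signature, alg, issuer, audience, expiry and nonce for itself.
        try:
            head, body, sig = assertion.split(".")
            expected = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_b64url_decode(sig), expected):
                return None
            if json.loads(_b64url_decode(head)).get("alg") != "HS256":
                return None
            claims = json.loads(_b64url_decode(body))
        except ValueError:  # wrong segment count, bad base64 or bad JSON
            return None
        if claims.get("iss") != self.issuer or claims.get("aud") != self.client_id:
            return None
        if claims.get("exp", 0) <= now or claims.get("nonce") not in self.pending_nonces:
            return None
        self.pending_nonces.discard(claims["nonce"])  # single use, so a replayed assertion fails here
        return claims
    def finish_login(self, assertion, now):
        if assertion is None or (claims := self.validate(assertion, now)) is None:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"sub": claims["sub"], "expires": now + self.session_ttl}
        return cookie
    def is_logged_in(self, cookie, now):
        return cookie in self.sessions and self.sessions[cookie]["expires"] > now

def run_demo(now=1_700_000_000):
    # Constructed walkthrough: one IdP, two SPs (a CRM and a wiki), one user.
    idp = IdentityProvider("https://idp.example")
    crm = ServiceProvider("crm", idp.issuer, idp.register_sp("crm"))
    wiki = ServiceProvider("wiki", idp.issuer, idp.register_sp("wiki"))
    idp.register_user("alice", "correct horse battery staple")
    idp_cookie = idp.login("alice", "correct horse battery staple", now)  # password typed once
    crm_cookie = crm.finish_login(idp.authorize(idp_cookie, "crm", crm.start_login(), now), now)
    wiki_cookie = wiki.finish_login(idp.authorize(idp_cookie, "wiki", wiki.start_login(), now + 60), now + 60)
    replay = crm.finish_login(idp.authorize(idp_cookie, "wiki", crm.start_login(), now + 120), now + 120)
    idp.disable_user("alice")  # offboarding: new SSO stops, but the wiki's own session outlives it
    return {"first_login": crm_cookie is not None,
            "second_app_without_prompt": wiki_cookie is not None,
            "wiki_assertion_rejected_by_crm": replay is None,
            "sso_after_disable": idp.authorize(idp_cookie, "wiki", wiki.start_login(), now + 180) is not None,
            "wiki_session_alive_after_disable": wiki.is_logged_in(wiki_cookie, now + 200),
            "wiki_session_after_ttl": wiki.is_logged_in(wiki_cookie, now + 960)}

if __name__ == "__main__":
    print(run_demo())
```

Running it shows the pattern from the text: the password is entered once, the second application gets an assertion from the existing IdP session without a prompt, and an assertion minted for the wiki is rejected by the CRM because the signature key and the aud claim do not match. The last two results are the caveat a defender cares about: disabling the account at the IdP blocks every new SSO login immediately, yet the wiki's already-issued session stays valid until its own TTL runs out, which is why SP session lifetimes are kept short and why Single Logout matters even though it is unreliable in practice.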

Implementation

medium complexity

User Experience

SSO provides an excellent user experience after initial setup. Users authenticate once (with their strongest credentials + MFA) and seamlessly access all applications without repeated logins. The initial redirect-based authentication takes 2-5 seconds. Subsequent application access is near-instant if the IdP session is valid. The main friction point is session expiration, which can feel abrupt if not handled with graceful re-authentication.

Platform Examples

Okta

Cloud-based SSO hub supporting OIDC and SAML. Provides an application portal, universal directory, adaptive MFA, and lifecycle management via SCIM.

Google Workspace

Acts as both IdP (for third-party apps) and SP (for Google services). Supports SAML and OIDC. Provides context-aware access policies based on device and network.

Azure Active Directory

Microsoft's cloud IdP supporting SSO for Azure, Microsoft 365, and thousands of third-party apps. Supports conditional access policies and seamless SSO for domain-joined devices.

OneLogin

Enterprise SSO with smart hooks for custom authentication logic, desktop SSO integration, and real-time event streaming for security analytics.

Tradeoffs

Strengths

  • Users authenticate once for all applications -- reduced credential fatigue
  • Centralized access control and policy enforcement
  • Simplified user offboarding -- disable IdP account to revoke all access
  • Reduced password reuse and associated credential stuffing risk
  • Enables consistent MFA enforcement across all applications

Weaknesses

  • Single point of failure -- IdP outage blocks access to all applications
  • Increased blast radius if IdP credentials are compromised
  • Complex session management across IdP and multiple SPs
  • Single Logout is unreliable in practice
  • Integration overhead for each new application
  • The 'SSO tax' is a real cost for SaaS vendors implementing enterprise SSO

Likely Follow-Up Questions

  • How would you design SSO for a multi-tenant SaaS platform supporting 500 enterprise customers?
  • What happens when the IdP goes down? How do you design for IdP failure?
  • How do you handle user deprovisioning across 20 applications connected via SSO?
  • What are the security implications of SSO and how do you mitigate the increased blast radius?
  • How would you implement tenant discovery (routing users to the correct IdP)?
  • Compare SSO session management trade-offs: long IdP sessions vs short IdP sessions.

Source: editorial — SSO architecture deep dive covering session management, multi-tenant enterprise integration, security trade-offs, and zero trust evolution.
