Logo / Articles

Authentication

How Does SSO Work? | Single Sign-On Explained | FusionAuth

By Dan Moore

How Does SSO Work? | Single Sign-On Explained | FusionAuth

Single sign-on (SSO) allows users to log in once and access multiple applications using a single set of credentials, such as a username and password, magic link, or WebAuthn passkey.

SSO reduces the number of logins, enhances security, and provides centralized control over access, making it a key part of any customer identity and access management (CIAM) strategy.

How Does SSO Work?

Your user authenticates through an identity provider (IdP), which generates and securely stores a token containing user information. This token is shared with other authorized applications, allowing seamless access without requiring additional logins.

The token enables communication between applications by verifying the user’s identity.

Typically, tokens are digitally signed to prevent tampering and ensure they originate from a trusted source.

Understanding how SSO works is easier with a real-world example. Let’s see how this might look with two connected applications.

Scenario Example: Seamless Application Access

Let’s say you want to enable single sign-on for two applications:

  • Pied Piper Video Chat (PPVC)
  • Hooli Jobs (they’re always hiring)

When a user signs in to the PPVC application, the IdP validates user credentials and establishes a session. Later, when the same user visits Hooli Jobs, the application checks for a valid session by verifying the token via communication with  the IdP. This could happen in a number of ways such as a browser redirect or backchannel communication between the application and the IdP. Since the user is already authenticated, they are automatically signed in to Hooli Jobs without needing to enter their credentials again. This pattern can scale to any number of applications, including commercial off-the-shelf (COTS) apps that support protocols like OIDC (OpenID Connect) or SAML (Security Assertion Markup Language).

A common suite of applications with similar functionality is Google’s suite, where users can switch between Gmail, Google Calendar, and Google Drive without re-authenticating.

This scenario highlights one aspect of SSO, but managing user sessions across multiple applications requires a more detailed look.

SSO Session Management

Sessions help HTTP-based servers track client activity and authenticate access. In SSO scenarios, multiple sessions are typically created:

  • The PPVC application’s session
  • The Hooli Jobs application’s session
  • The IdP’s session

Each application relies on the IdP’s session to verify whether the user remains authenticated. If a session is missing or invalid for an application, it must be created or updated after the user provides valid credentials. These credentials may be the token mentioned above or user-provided credentials. This process ensures each application recognizes the token issued by the IdP.

With session management in place, SSO provides several advantages for both users and organizations.

What Are The Benefits of SSO?

Your organization probably has multiple customer-facing applications, such as forums, ticketing systems, and chat platforms, to say nothing of your core application. Without SSO, users need to log in separately for each of these applications, leading to a fragmented and frustrating experience.

By integrating single sign-on, you streamline this process, providing a smoother, more efficient experience for users. By minimizing the time your customers spend getting into your application, you can maximize the time they spend enjoying it.

Aside from the benefits to users, SSO allows your organization to capture each user in a single view, supporting security and data consistency.

Let’s explore some specific benefits in more detail.

Enhanced Security

SSO reduces the risk of password-related security breaches by eliminating the need for users to remember and manage multiple credentials across different applications. It centralizes authentication, minimizing the overall attack surface for cybercriminals. You can also take steps to avoid phishing and credential stuffing attacks at one place: the IdP.

Streamlined User Experience

Beyond improving security, SSO also significantly enhances the experience for end users by reducing login friction. With SSO, users only need to authenticate once to access multiple applications. This eliminates the need for repeated logins, reducing the time it takes for users to get to what they actually want: the features of your applications. This streamlined experience can not only improve user satisfaction, your users might find greater productivity too.

Simplified Access Management

SSO solutions provide your team with better visibility and control over user access. Admins can manage user accounts, permissions, and access controls, from a single source, the IdP, making it easier to provision and remove users across multiple systems.

Regulatory Compliance

Centralized authentication and access controls in SSO help organizations meet regulatory requirements. It simplifies data access, user authentication, and audit trails, which are essential for meeting standards such as HIPAA and SOC 2. This reduces the complexity of maintaining compliance, streamlines audit preparation, and helps protect sensitive data.

Improved Productivity

SSO reduces the time users spend managing credentials, allowing them to focus on more important tasks. With fewer login interruptions, employees can access the resources they need without delays, improving efficiency. For users of customer-facing platforms, smoother access leads to fewer login-related support tickets and increased app usage.

Now that we’ve covered the benefits, let’s explore the different types of SSO solutions and how they work.

What Are The Different Types of SSO?

Each type of SSO is designed to meet different needs and use cases. Here are some of the most common protocols, including those used in many Software as a Service (SaaS) applications:

SAML (Security Assertion Markup Language)

SAML is an XML-based protocol for exchanging auth data between an identity provider (IDP) and a service provider. You’ll commonly see SAML used in enterprise environments for web-based applications.

OAuth 2.0

OAuth is an open standard for access delegation. It’s commonly used for token-based auth. It allows users to grant third-party applications access to their resources, without sharing credentials. While not strictly SSO functionality, OAuth 2.0 often is included with CIAM systems that offer SSO.

OpenID Connect (OIDC)

OIDC is an authentication layer baked on top of OAuth 2.0. It uses JSON web tokens (JWTs) and it’s designed for consumer-facing apps. It’s a simpler and more modern approach to SSO compared to SAML.

Kerberos

Kerberos is a network auth protocol that uses secret-key cryptography to provide strong authentication for client-server applications. It’s most often used in on-premises environments, particularly within Windows domains.

LDAP (Lightweight Directory Access Protocol)

LDAP is often used with other SSO protocols to provide a centralized authentication mechanism. It’s used for accessing and maintaining directory services over an IP network.

Browser Vs Non-Browser Based SSO Protocols

Both SAML and OIDC are browser-based. They require functionality such as HTTP redirects, cookies, and the ability to interact using URLs.

There are other single sign-on protocols useful for other kinds of applications, such as desktop applications. Kerberos is a common one for client-server applications.

Since organizations may choose between different SSO protocols, understanding their differences is key to making an informed decision.

OIDC Vs SAML

When implementing Single Sign-On (SSO), organizations often face a decision between two widely-used protocols: OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). Both protocols enable secure authentication and provide seamless access across applications, but they are designed for different use cases and environments.

Here’s a breakdown of each protocol’s characteristics, common use cases, and how they handle authentication flows.

OIDC: How Single Sign-on Request Flow Works

Here’s an OIDC single sign-on flow. The home page of each application is unavailable to anonymous users. When a browser requests it, the user is directed to the identity provider to log in. However, the authentication at the identity provider happens only once.

BrowserPied Piper VideoChatIdentity Provider(IdP)Hooli JobsView Home PageCheck SessionExistenceRedirect to IdP Because There isNo Valid SessionRequest Login PageCheck IdP SessionExistenceSend Login PageSend CredentialsRedirects to Pied PiperRequests Home PageSends Home PageRequests Home PageCheck SessionExistenceRedirect to IdP Because There is No Valid SessionRequest Login PageCheck IdP SessionExistenceRedirects to Home PageRequests Application PageSends Application PageBrowserPied Piper VideoChatIdentity Provider(IdP)Hooli Jobs

Single sign-on request flow during login.

(If you are a stickler, you’ll notice there is no request for a token from the apps to the identity provider after the user authenticates. That is implied and required.)

With SSO, different sessions manage different applications, which can have varying lifetimes and storage mechanisms.

The PPVC and Hooli Jobs applications delegate authentication to the single sign-on provider, and build their sessions on the foundation of the identity provider’s session. That session is, in turn, tied to a user authentication event.

That’s it. All that is required for single sign-on to work is:

  • a browser that respects redirects
  • a single source of truth for user authentication data (the IdP)
  • a defined protocol for an application to bounce an unauthenticated user to the identity provider
  • a defined protocol for the identity provider to bounce requests back to the application
  • sessions for each application (typically managed with cookies)

However, there are many use cases to consider, including:

  • Account takeover
  • Logout
  • Account locking and revocation
  • Loss of network access

Luckily, other folks have thought about these too, including standards bodies. Let’s look at another implementation, using a standard.

How SAML SSO Works

SAML is an alternative to OIDC which also allows single sign-on. It is older, and more complex, but well-supported across many applications, especially B2B applications.

(Again, if you’re a stickler, this is talking about SAMLv2, the latest version of SAML, codified in 2005.)

SAML, in contrast to the JWT-based flow of OIDC, uses signed and/or encrypted XML documents to convey information about users.

Let’s look at a different scenario. Say you have two different applications: Zendesk and Gusto. You want to use SAML to integrate these applications with your identity provider.

Here’s a diagram for a SAML flow. This is a service provider (SP) initiated flow, where the user is trying to access an application, such as Zendesk (the SP), when they are not logged in.

BrowserZendeskIdentity Provider(IdP)GustoRequests appCheck sessionexistence, sessionmissingRedirect to IdP with a signedAuthNRequest (XML)Request login pageValidate AuthNRequest(XML)Check IdP sessionexistence (doesn'texist)Send login pageSend credentials of userRedirects to Zendesk with a response (XML)Requests App and providesresponse (XML)Processes response(XML)Sends appRequests appCheck sessionexistence, sessionmissingRedirect to IdP with a signed AuthNRequest (XML)Request login pageValidate AuthNRequest(XML)Check IdP sessionexistence (exists)Redirects to Gusto with a response (XML)Requests app and provides response (XML)Processes response(XML)Sends appBrowserZendeskIdentity Provider(IdP)Gusto

SAML single sign-on request flow during login.

SAML is more complicated because of the breadth of the specification and because of the flexibility of XML. If you want to implement it, using a battle-tested library is a good idea.

FusionAuth provides an open source library for Java that is regularly tested and updated.

While OIDC and SAML both enable SSO, certain scenarios may favor one protocol over the other. Let’s compare their use cases.

Why Use SAML Instead of OIDC?

Why would you pick SAML over the OIDC flow mentioned above? Widespread support. SAML has been around since 2005 and many commercial off-the-shelf (COTS) and open source applications support it.

When evaluating your identity provider solution, think about what kinds of applications you need to support.

Any business-focused applications will typically support SAML, whereas support for OIDC is far easier to implement in your custom applications. Newer COTS applications may support OIDC.

For maximum flexibility, pick an identity provider that supports both standards.

Use Cases for SSO Implementation

SSO is a versatile solution that benefits organizations across various industries by enhancing security, improving user experience, and streamlining access management. Here are examples from several industries that demonstrate how SSO can be adapted to meet specific business needs.

Healthcare

In healthcare, secure and compliant access to sensitive patient data is critical for both patients and medical professionals. SSO makes this process easier by allowing users to log in once and access multiple systems, like electronic health records (EHR), diagnostic tools, and scheduling applications. This saves time, reduces frustration, and improves provider efficiency.

For example, when a patient logs into their healthcare portal to view lab results, SSO may also grant them access to related services such as appointment scheduling without the need for additional logins. And doctors and nurses can seamlessly switch between systems during a shift, spending less time managing access and more time focusing on patient care.

Additionally, SSO helps maintain compliance with regulations like HIPAA by centralizing authentication and providing audit trails for user activity.

Gaming

In the gaming industry, delivering a seamless and secure user experience across multiple platforms is essential. SSO enables players to use a single set of credentials to access various gaming services, such as game consoles, mobile apps, and online communities. This unified authentication enhances user engagement and retention by simplifying the login process.

For instance, a game developer might implement SSO to allow players to log in with their preferred gaming network accounts, such as Steam, Xbox Live, or PlayStation Network.

Retail

In retail and e-commerce, providing a seamless and secure shopping experience is essential for customer satisfaction and loyalty. SSO enables customers to access various services, including online stores, loyalty programs, and mobile apps, with a single set of credentials. This reduces login friction and enhances the overall user experience.

For example, an online retailer might implement SSO to allow customers to log in once and access personalized product recommendations, purchase history, and reward points across multiple platforms.

By offering multiple login options, including magic links, social logins (e.g., Facebook, Google), passkeys, and one-time passcodes, retailers can further minimize login friction and cater to user preferences.

Additionally, integrating existing marketing tools on login pages and utilizing webhooks to sync user profile data with other systems can enhance marketing efforts and provide a more personalized shopping experience.

Entertainment

In the entertainment industry, delivering seamless and secure user access across various platforms is essential. SSO enables users to access multiple services, such as streaming content, ticket purchases, and social features, with one set of credentials, enhancing the overall user experience.

For example, an entertainment company might implement SSO to allow users to log in once and enjoy movies, music, and live events across smart TVs, smartphones, and gaming consoles without repeated authentication.

Additionally, by using features like the Families API, the company can model parent-child relationships and manage consents, providing a tailored and secure experience for all family members. Implementing security measures such as multi-factor authentication (MFA), breached password detection, and rate limiting further safeguard user data across all applications.

Fintech

In the fintech industry, SSO provides a secure and efficient way for users to access multiple services, such as banking portals, investment dashboards, and payment platforms, using one set of credentials. This approach not only enhances user convenience but also strengthens security by reducing the need for multiple passwords.

For example, a digital banking platform might implement SSO to allow customers to seamlessly access their accounts, loan applications, and payment services through a unified authentication process.

By integrating SSO with multi-factor authentication (MFA), fintech companies can further reduce the risk of unauthorized access while maintaining compliance with industry regulations like PCI-DSS.

Additionally, features such as breached password detection, configurable password policies, and rate limiting help safeguard against cyber threats.

Implementing SSO can also help organizations meet stringent regulatory standards by enhancing security and access control.

How Does SSO Help with Regulatory Compliance?

Many industries, particularly healthcare, finance, and retail, are governed by regulations designed to protect sensitive data. SSO can simplify compliance with these frameworks by centralizing authentication, improving access control, and generating audit logs. Let’s break down how SSO helps meet the requirements of HIPAA, SOC 2, and GDPR.

HIPAA (Health Insurance Portability and Accountability Act)

Healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA), which mandates the protection of Protected Health Information (PHI). SSO enhances compliance by securing access to applications that store and process patient data. It enforces consistent access controls, reducing the risk of unauthorized access or data breaches.

Imagine a hospital where medical staff need to access multiple systems, like electronic health records (EHR) and diagnostic tools, daily. Without SSO, constant logins could lead to password fatigue or risky behaviors like sharing credentials. SSO streamlines this by allowing staff to authenticate once while maintaining a secure, traceable login trail.

SOC 2 (Service Organization Control 2)

SOC 2 is a standard for organizations that store or process customer data, particularly SaaS providers. It emphasizes the principles of security, availability, and confidentiality. SSO helps organizations meet these requirements by centralizing access management and reducing security risks linked to password misuse.

Let’s say your organization offers a cloud-based ticketing system. With SSO, administrators can quickly manage user access to both internal and external tools, ensuring that only authorized personnel can view sensitive customer data. Access logs generated by SSO also provide the necessary evidence for SOC 2 audits.

GDPR (General Data Protection Regulation)

The General Data Protection Regulation (GDPR) governs how organizations collect, store, and use the personal data of EU citizens. SSO aids GDPR compliance by improving data access control and making it easier to manage user consent and data deletion requests.

Imagine a retail platform where users log in once to access their account settings, purchase history, and loyalty program. Through SSO, users can manage their data from a central dashboard, making it easier for the organization to honor GDPR requirements like the “right to be forgotten.”

Common Challenges and Best Practices for Implementing SSO

While SSO provides many benefits, organizations may encounter several challenges during implementation. Addressing these challenges with best practices can help ensure a successful, secure, and user-friendly SSO solution.

Integration Complexity

SSO relies on different applications communicating with an identity provider (IdP) using specific protocols like SAML, OIDC, or OAuth 2.0. Integrating these protocols can be difficult, especially when dealing with legacy systems or applications that do not fully support modern standards. Mismatched protocol support can require extensive customization, slowing down deployment.

For example, your organization may want to implement OIDC, but some of your existing enterprise tools might only support SAML. This often results in needing middleware solutions to bridge compatibility gaps.

To address this, select an IdP that supports multiple protocols, enabling better compatibility with both custom and commercial off-the-shelf (COTS) applications. This future-proofs your solution by reducing the need for complex integrations.

Session Synchronization Issues

In an SSO environment, applications rely on the IdP’s session for authentication. However, keeping sessions synchronized across multiple applications can be challenging. Differences in session timeouts or storage mechanisms may lead to situations where users are unexpectedly logged out of one application while remaining authenticated in others.

To mitigate this, configure consistent session policies across all applications and ensure session refresh mechanisms are functioning properly. Consistency in session management helps maintain a smooth user experience.

Security Risks

SSO reduces the number of attack surfaces because users only log in once, and with only a single set of credentials.

That said, if an IdP is compromised, attackers could gain access to multiple applications simultaneously. Additionally, improper token handling or configuration errors may expose security vulnerabilities, such as session hijacking or replay attacks.

To address these risks, organizations should:

  • Implement multi-factor authentication (MFA). Most SSO solutions offer MFA as an extra layer of security. So even if a password is compromised, the bad actor still needs a second form of verification to gain account access.
  • Use secure token storage practices. Use secure mechanisms to store authentication tokens and prevent unauthorized access.
  • Regularly audit SSO configurations for vulnerabilities. Periodically review SSO configurations to detect and resolve potential vulnerabilities.

In the rare case that a user account is compromised, that same centralized source allows you to remove the user once and mitigate the potential problems.

Using a reputable SSO provider is also crucial. They should have a strong security track record, comply with industry standards, and ensure your data is protected. Research and compare providers to make sure they’ll meet your organization’s security and compliance requirements.

Vendor Lock-In

Choosing an identity provider with limited protocol support may lock your organization into a specific vendor’s ecosystem. This can reduce flexibility if your business needs change or you decide to migrate to another provider.

To minimize lock-in, select an IdP that supports multiple protocols, such as SAML, OIDC, and OAuth. Open standards help future-proof your SSO implementation by enabling compatibility with a wider range of applications.

User Experience Challenges

While SSO simplifies user access, poor implementation can lead to a confusing or frustrating experience. For example, users may encounter frequent redirects or failed logins if session management or token validation is not properly configured.

User education and testing can help identify and resolve these issues early. Ensure your authentication flow is intuitive, with clear error messages and instructions for resolving login problems.

SSO also addresses password fatigue, a common issue for users who need to remember multiple credentials across different applications. Users only need to remember one complex password instead of multiple passwords. They’re then less likely to reuse passwords or write them down.

By consolidating authentication into a single login, SSO reduces the risk of users reusing weak passwords or sto

ring them insecurely. This not only improves security but also enhances overall satisfaction and productivity.

By addressing these challenges and following best practices, organizations can unlock the full potential of SSO.

Conclusion

SSO is a key part of your application’s authentication story. Your users care about it, even if they don’t know it by name.

Implementing SSO doesn’t have to be complicated. By adopting industry standards like OpenID Connect (OIDC) and Security Assertion Markup Language (SAML), organizations can integrate SSO across both custom-built and COTS applications. This flexibility helps businesses support a wide variety of use cases, from employee access to internal tools to customer-facing platforms in healthcare, gaming, and retail.

Ultimately, single sign-on is more than a convenience feature. It’s a strategic tool that enhances security, streamlines operations, and builds trust with users. Whether you’re managing customer identity for a global e-commerce platform or securing internal systems for your business, SSO helps create a safer, more efficient digital experience.

Ready to Simplify Authentication with SSO?

With FusionAuth’s robust SSO solution, you can simplify access management, enhance security, and boost user satisfaction across all your applications.

Explore FusionAuth’s SSO Features