Single sign-on, abbreviated as SSO, is an authentication service that allows a user to access multiple services or applications using one set of login details. It authenticates the user for all applications he/she has been given the right to access, eliminating the need to re-enter login credentials when switching between applications. With SSO, a user is signed on to different applications regardless of the domain, technology, and platform the user is using.
An example of single sign-on is Google’s implementation of login for its products including Google Analytics, YouTube, and Gmail among others. A user who signs in to one of Google’s products is automatically signed in to the company’s other products as well.
How Does SSO Work?
To enable SSO, an identity provider must implement a centralized server that all applications can use to confirm the identity of a user. The server validates a user’s identity and issues access tokens – encrypted data that confirm the identity and rights of a user.
When a user logs in to an application for the first time, the application redirects the login to the identity provider for verification. The centralized server checks the user ID and password against the directory where user data is stored and starts a single sign-on session in the user's browser.
Once the credentials match, the server creates a unique access token for the user. From then on the token stands in for the user's login credentials: when the user wants to access an application, the identity provider uses the token to grant the user access to their account. The token is stored on the authentication server and is reused to grant the user access to their other applications.
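To make the token step concrete, here is an added Python example (not code from the original article) of a minimal identity-provider token issuer and the check each application runs before accepting the token in place of credentials; the signing key, salt, user directory and app names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example: a key shared between the identity provider and the
# applications that trust it (assumption: symmetric HMAC; many deployments use asymmetric
# signatures instead), and a tiny user directory holding salted PBKDF2 password verifiers.
IDP_KEY = b"example-idp-signing-key-not-for-production"
SALT = b"example-salt"

def _verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USER_DIRECTORY = {
    "alice": {"verifier": _verifier("correct horse battery"), "apps": ["mail", "analytics"]},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username: str, password: str, now=None, ttl: int = 3600):
    """Identity provider side: check the credentials against the directory, then issue a
    signed token carrying the user's identity and app rights. Returns None on a failed login."""
    user = USER_DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["verifier"], _verifier(password)):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "apps": user["apps"], "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify_token(token: str, app: str, now=None):
    """Application side: accept the token instead of credentials only if the signature is
    valid, the token has not expired and the user was granted this app. Returns the
    username, or None when the token must be rejected."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None  # forged or tampered token
        claims = json.loads(_unb64(body))
        now = int(time.time()) if now is None else now
        if now >= claims["exp"] or app not in claims["apps"]:
            return None  # expired, or the user has no right to this application
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token
```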
Common SSO configurations
SSO services use different protocols including:
- Kerberos
With the Kerberos-based setup, a ticket-granting ticket (TGT) is issued when the user's credentials are provided. The TGT is then used to obtain service tickets for any apps the user wants to access without prompting them for their login credentials again.
- Security Assertion Markup Language
This XML-based standard facilitates the exchange of user data between a SAML service provider and a SAML identity provider.
With SAML-based single sign-on, the SAML service provider sends an authentication request to the SAML identity provider. The service provider then verifies the user information returned by the identity provider and logs the user into their account.
- Integrated Windows Authentication
This term refers to authenticated connections between Internet Explorer and Microsoft Internet Information Services. However, vendors of Active Directory integration products have extended this SSO mechanism to GNU/Linux and Unix systems.
- Smart Card
Smart card-based single sign-on uses passwords or certificates stored on the smart card to log a user into his/her account.