
What Is SSO? A Comprehensive Guide to Single Sign-On

March 24, 2026 | 12 min read

Cybersecurity

Single sign-on (SSO) is a way for a user to have a single set of login credentials for multiple applications. This is different from reusing the same username and password on multiple sites, which is dangerous because a breach of any one site exposes all of them.

When IT professionals discuss SSO, they are talking about a centralized authentication service. You log in once to a single identity system, which then vouches for you to the other applications you use. This centralization does concentrate risk: a compromise of that one account, or of the identity system itself, reaches everything behind it. But your password is sent only to the identity provider; the other applications never see it and instead receive a short-lived, digitally signed token proving that the identity provider authenticated you. You are trusting one purpose-built, monitored system with your password rather than a dozen different website databases.

The counterpart of SSO is SLO (single log-out, sometimes called single sign-off): one action terminates the user's active sessions across all the connected applications. SLO is useful, but it is not an offboarding mechanism on its own. An SLO request only ends sessions that happen to be open, and it depends on every application implementing the protocol correctly. When an employee leaves, the administrator disables the account at the identity provider (and, where supported, deprovisions it from each application, typically via SCIM), which blocks every new login; SLO and short session lifetimes then close out whatever sessions remain.

TeamPassword is a password manager built on modern, standard encryption. Whatever other security measures you have in place, make TeamPassword a part of your security protocols to facilitate secure and easy collaboration across your organization. Even if you use a major SSO provider, there will always be shared team accounts, social media profiles, and legacy applications that do not support SSO integration.

When you save new passwords, the vault data is encrypted locally on your computer (your master password is salted and hashed into the encryption key, so the key itself never leaves the machine) before being uploaded to TeamPassword over an encrypted connection. Someone who intercepts the connection or breaches the server therefore sees only ciphertext, never your passwords.

Sign up today for a free 14-day TeamPassword trial and protect your company's digital assets from cybercriminals.


    How single sign-on works

    To fully grasp what an SSO system means, you have to look at the underlying architecture. SSO is a form of federated identity management (FIM): an organization establishes trust relationships with third parties, e.g., application vendors or partners, so that identities can be shared and users authenticated across domains. OAuth 2.0 (Open Authorization) is the underlying authorization framework that lets a third-party service act on a user's account, for example to read a calendar, without ever seeing the user's password; OpenID Connect (OIDC) adds an identity layer on top of it so that the same flow can be used to sign the user in.

    The basic web SSO flow works as follows:

    1. The user opens an application (the service provider, or SP). The SP has no session for this user, so it redirects the browser to the identity provider (IdP) with a request that names the SP and where to return afterwards.
    2. The IdP authenticates the user against its user repository, e.g., a Lightweight Directory Access Protocol (LDAP) directory or a cloud directory, applying multi-factor authentication and access policy as configured. If the user already has an IdP session, this step is silent.
    3. The IdP issues a digitally signed SSO token (a SAML assertion or an OIDC ID token) naming the user and the intended SP, and sends the browser back to the SP. The SP verifies the signature with the IdP's public key, checks that the token is for it and has not expired, and creates its own session. The next application the user opens repeats the same redirect, but because the IdP session already exists, no password prompt appears.

    Types of SSO configurations

    Many terms are used when discussing SSO, including Federated Identity Management (FIM), OAuth 2.0 (with OAuth 2.1 consolidating its current best practices), OpenID Connect (OIDC), Security Assertion Markup Language (SAML), and the confusingly similar Same Sign-On (also abbreviated SSO). Understanding these terms is the key to following what computer experts mean when they say SSO.

    SSO systems can be built on different protocols. Two common ones are SAML and Kerberos. They work as follows:

    • SAML: Security Assertion Markup Language is an XML-based standard for exchanging user authentication and authorization data across security domains. SAML-based SSO involves three parties: the user's browser, the identity provider that maintains the user directory, and the service provider (the application). The IdP hands the browser an XML assertion signed with the IdP's key, which the service provider validates before granting access. It remains the dominant standard for enterprise web applications, alongside the newer OpenID Connect.
    • Kerberos: In a Kerberos-based setup, the user's initial authentication yields a ticket-granting ticket (TGT). The client then presents the TGT to the ticket-granting service to obtain a service ticket for each application the user accesses, so the user is not asked for credentials again during the session. This is the mechanism behind domain logins in Active Directory environments and is very common on internal corporate networks.

    A smartcard-based SSO instead requires the user to present a physical card for the first login. The card holds a certificate and its matching private key (or, on older systems, stored passwords), typically unlocked with a PIN. After that initial authentication, the user is not asked for further usernames or passwords.

    What are the most popular SSO solutions?

    The enterprise identity market has evolved rapidly, with several platforms rebranding to reflect modern cloud architectures. The following are some of the most popular SSO solutions available today:

    • Duo Single Sign-On (SSO): Owned by Cisco, Duo is famous for its frictionless multi-factor authentication push notifications and has expanded into a highly respected, lightweight SSO provider.
    • Ping Identity: A powerhouse in the enterprise space, Ping excels at handling complex, large-scale deployments that require integration with both modern cloud apps and legacy on-premises software.
    • CyberArk Workforce Identity: Traditionally known for Privileged Access Management (PAM), CyberArk offers a robust SSO solution heavily focused on Zero Trust security frameworks.
    • LastPass Enterprise: While primarily known as a password manager, LastPass offers integrated SSO capabilities tailored for small to medium-sized businesses looking for an all-in-one solution.
    • Microsoft Entra ID (formerly Azure Active Directory): Microsoft rebranded Azure AD as Entra ID in 2023. Deeply integrated into the Microsoft 365 ecosystem, this is arguably the most widely used enterprise identity provider in the world.
    • Okta Single Sign-On: Okta is a vendor-neutral giant in the identity space, boasting thousands of pre-built integrations to get companies up and running quickly.
    • OneLogin Secure Single Sign-On: Part of One Identity (a Quest Software business) since 2021, OneLogin provides a unified access management platform that is highly customizable and developer-friendly.
    • RSA SecurID Access: A long-established name in security, RSA continues to provide identity and access management for organizations with the most stringent security requirements.
    • SecureAuth Identity Platform: SecureAuth specializes in passwordless authentication and adaptive risk-based access control.
    • Symantec VIP Access Manager SSO: Now part of Broadcom, Symantec VIP integrates advanced threat protection directly into the authentication process.

    What makes a true SSO system?

    A true SSO system means you do not need to reenter credentials moving from site to site. Once you have signed in to the identity provider, it vouches for you to each application behind the scenes with a signed SSO token; your password is never sent to those applications at all.

    This is the key point of SSO as in single sign-on: it only works when each application has been configured to trust the identity provider, and it is that trust relationship, not credential replay, that makes it a true SSO solution.

    So what is SSO (as in same sign-on), besides the frustrating reuse of the same abbreviation? Same sign-on is very similar to SSO, with the big difference being that you need to keep logging in as you move from site to site even though you use the same credentials. 

    If you use your browser to save your passwords (and you shouldn't if you currently are), then it fills in the username and password fields for you when you open a site, but you still have to click login. So you are still logging in to each website individually, even though the browser supplies the credentials.

    If you are using a dedicated password manager, the experience is similar: you unlock the manager once with its master credentials, and as you navigate from site to site it fills in the specific username and password for each one, which you then submit. This hybrid approach is excellent for the many websites that do not natively support SAML or OIDC enterprise connections.

    With SSO, meaning single sign-on as used throughout, you can log in to all applications for which you are approved once and with only one set of credentials, including cloud applications, on-premises applications, and web applications.

    What are some types of SSO?

    Social SSO

    Facebook, Google, LinkedIn, and Twitter all offer popular SSO services. While these services are convenient and simple to begin using, they can present security risks as they create a single point of failure that can be exploited by attackers. If an employee uses their personal Facebook account to log into a business application, a compromise of their personal social media immediately puts your corporate data at risk.

    More recently, Apple introduced Sign in with Apple as part of its positioning as a privacy-conscious company. It requires two-factor authentication (2FA) on the Apple ID used with it, so every sign-in is already backed by a second factor, and on iOS devices the confirmation is done with Face ID or Touch ID. It also lets users hide their real email address behind a per-app relay address, so the third party never learns it.

    Enterprise SSO

    Enterprise single sign-on (eSSO) products are the older, client-server style of SSO: an agent on the user's machine stores the credentials for each target application and replays them into its login form. One benefit is that target applications do not need to be modified to work with the eSSO system, which is why the approach persists for legacy software. The trade-off is that eSSO is centralized credential storage rather than federation, so the agent and its vault become the asset to protect. Modern eSSO and identity platforms pair this with directory integration, allowing IT teams to provision or revoke access based on a user's role in the company directory.

    Advantages of SSO

    The advantages of SSO include the following:

    • Fewer Passwords to Remember: It allows users to remember and manage fewer passwords and usernames. This drastically cuts down on password fatigue, meaning employees are more likely to create one strong, unique passphrase rather than a dozen weak ones.
    • Increased Productivity: The process of signing on and using applications is streamlined by no longer needing to reenter passwords. Employees can move fluidly between their email, CRM, and project management tools without breaking their workflow.
    • Better Security Posture: It reduces the number of places where a password is ever typed, so users are less likely to enter it into a spoofed website. The limit of this benefit is that the identity provider's own login page becomes the one phishing target that matters, which is why it should be protected with phishing-resistant MFA such as FIDO2 security keys or passkeys.
    • Mitigated Third-Party Risk: The risks from third-party sites are mitigated by the federated system. You are no longer trusting smaller SaaS vendors to properly salt and hash your employees' passwords in their own databases.
    • Cost Savings: IT costs are reduced due to the decrease in the number of IT help desk calls about passwords. Password resets frequently make up the majority of daily IT support tickets, draining valuable time and resources.

    Disadvantages of SSO

    Some disadvantages of SSO are the following:

    • Lack of Granularity: Different sites may require different levels of security, but SSO offers a uniform level of security. If a user is logged in, they are logged in. (Though modern adaptive access tools are beginning to solve this by requesting re-authentication for highly sensitive apps).
    • Downtime Vulnerability: If the SSO system becomes unavailable, then users are locked out of all their services. This heavy reliance on a single provider means uptime and redundancy are absolutely critical.
    • The Domino Effect: If unauthorized users gain access, then they could gain access to more than one application. A single compromised credential provides the keys to the entire corporate kingdom.
    • Strict Initial Requirements: Since a stolen or abused SSO credential reaches everything behind it, the initial login must be held to a much higher standard. In practice that means enforcing phishing-resistant multi-factor authentication such as hardware security keys or passkeys, and monitoring the identity provider closely.

    What is an SSO token?

    The SSO token is a small, signed data structure passed from the identity provider to an application during the SSO process. It carries identity claims (for example a user identifier and email address), which application it was issued for, and when it expires, together with a digital signature that proves its origin. A common modern format is the JSON Web Token (JWT), used for OpenID Connect ID tokens; SAML carries the same information as an XML assertion. Because the token is signed with the identity provider's private key, any application holding the corresponding public key can verify that it genuinely came from the trusted IdP and was not altered in transit. Signature checking alone is not enough, though: the application must also confirm that the token names it as the intended audience, that the issuer is the IdP it trusts, and that the token has not expired; otherwise a token issued for one application could be replayed against another.
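The exchange described above (the identity provider issuing a signed token in "How single sign-on works", and the service provider verifying it as described in this section), as an added example that is not part of the original article and is not any vendor's code. It assumes an IdP identified as https://idp.example, two applications named "crm" and "payroll", and an Ed25519 key pair standing in for the IdP's signing key; it uses only Go's standard library. It also goes one step beyond the text: the optional maxAuthAge check shows how an application with a stricter policy can demand a fresh login even while the IdP session is still valid, which is the "adaptive access" answer to the granularity problem discussed under disadvantages.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the SSO token payload: registered JWT claim names (RFC 7519) plus OIDC's auth_time. Values below are made up.
type Claims struct {
	Iss      string `json:"iss"`       // issuing IdP
	Sub      string `json:"sub"`       // stable user identifier
	Aud      string `json:"aud"`       // the one application allowed to accept the token
	Exp      int64  `json:"exp"`       // expiry (Unix seconds)
	AuthTime int64  `json:"auth_time"` // when the user last proved identity to the IdP
}

var (
	b64 = base64.RawURLEncoding
	idp = "https://idp.example" // issuer identifier, made up for this example
)

// Issue is the IdP side: build header.payload and sign it with the IdP's private key.
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the service-provider side. It holds only the IdP's public key, so it can
// check tokens but never mint them. maxAuthAge > 0 demands a recent interactive login.
func Verify(pub ed25519.PublicKey, token, wantIss, wantAud string, maxAuthAge time.Duration, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the algorithm; never let the token's own header choose it ("none", key confusion).
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("bad header or unexpected alg %q", hdr.Alg)
	}
	sig, errSig := b64.DecodeString(parts[2])
	payload, errPay := b64.DecodeString(parts[1])
	if errSig != nil || errPay != nil {
		return nil, errors.New("bad base64")
	}
	// Check the signature before trusting anything in the payload.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token issued for %q, not this app", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case maxAuthAge > 0 && now.Sub(time.Unix(c.AuthTime, 0)) > maxAuthAge:
		return nil, errors.New("re-authentication required")
	}
	return &c, nil
}

// SwapPayload keeps a valid token's header and signature but substitutes new claims:
// the only move left to an attacker who does not hold the IdP's private key.
func SwapPayload(token string, c Claims) string {
	parts := strings.Split(token, ".")
	body, _ := json.Marshal(c)
	return parts[0] + "." + b64.EncodeToString(body) + "." + parts[2]
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the IdP's signing key pair
	now := time.Now()
	c := Claims{Iss: idp, Sub: "u-1234", Aud: "crm", Exp: now.Add(10 * time.Minute).Unix(),
		AuthTime: now.Add(-2 * time.Hour).Unix()} // user logged in to the IdP two hours ago
	tok, _ := Issue(priv, c)
	outcome := func(_ *Claims, err error) error { return err } // drop the claims for printing
	fmt.Println("crm:", outcome(Verify(pub, tok, idp, "crm", 0, now)))
	fmt.Println("payroll:", outcome(Verify(pub, tok, idp, "payroll", 0, now)))
	fmt.Println("crm, 15-minute step-up:", outcome(Verify(pub, tok, idp, "crm", 15*time.Minute, now)))
	c.Aud = "payroll"
	fmt.Println("forged payload:", outcome(Verify(pub, SwapPayload(tok, c), idp, "payroll", 0, now)))
}
```

Run it with `go run`. The four outcomes are exactly what a correctly written service provider must produce: the CRM accepts its token; payroll rejects the same token on audience, so a token stolen from one application cannot be replayed against another; the step-up policy rejects a two-hour-old login; and a payload rewritten by someone without the IdP's private key fails the signature check before a single claim is read. Real deployments fetch the IdP's public keys from its published key set rather than sharing them out of band, and SAML does the same job with XML signatures instead of JWTs.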

    Is SSO secure?

    As always, the answer to this question is “sometimes.” 

    While SSO can improve security in many ways, like any security system it is not infallible. With a single set of credentials to protect, the user is more likely to pick a long, unique passphrase, and the organization can concentrate its defenses, above all multi-factor authentication, on that one login rather than on dozens. Reduced "password fatigue" also discourages users from recycling credentials across external sites, which shrinks the attack surface that credential-stuffing attacks rely on. The flip side is that the identity provider's login page becomes the one phishing target that matters, so whether SSO is secure in practice comes down to how well that login is protected.

    Security risks and the limits of SSO

    While an SSO system offers fantastic security benefits for the applications it covers, relying exclusively on SSO introduces its own set of risks and logistical challenges. The biggest hurdle for many growing businesses is that SSO is not universally supported. Countless niche software products, legacy databases, and shared social media accounts (like a company's LinkedIn or X profile) simply do not offer SAML or OIDC integrations.

    Furthermore, even when a software vendor does support SSO, they frequently hide the feature behind their most expensive "Enterprise" pricing tiers. This industry practice, widely known as the "SSO Tax," forces organizations to pay drastically higher licensing fees just to secure their logins. For many small to medium-sized businesses, upgrading every single SaaS application to an enterprise tier is financially impossible, leaving a massive gap in their security coverage.

    Because of these coverage gaps and exorbitant costs, dedicated password managers remain a vital tool in any cybersecurity arsenal. A password manager acts as the ultimate safety net, securing all the vital shared accounts and web services that your central SSO system cannot reach or that are too expensive to upgrade.

    The best security strategy doesn't force you to choose between the two. TeamPassword seamlessly bridges this gap by offering robust SSO integrations. You can use your existing identity provider (like Google Workspace or Microsoft) to authenticate your team's access to TeamPassword. This means your employees get the frictionless login experience of an SSO system, while your company gets the comprehensive, encrypted coverage of a dedicated password vault for every single app they use.

    Don't let your company fall victim to extortion emails, credential stuffing, and other password vulnerabilities. Let TeamPassword take care of security while you focus on growing a successful business!

    Sign up for a 14-day free trial to test TeamPassword with your team members today.
