Single Sign-On (SSO) is an authentication scheme that allows a user to log in once with a single set of credentials and gain access to multiple independent applications without re-authenticating at each one.
SSO works through a trust relationship between a central identity provider (IdP) and multiple service providers (SPs). When a user attempts to access an application, the SP redirects them to the IdP for authentication. Once authenticated, the IdP issues a token or assertion that the SP validates — granting access without requiring a separate login. This token-based handshake means the user's password is only ever shared with the IdP, never with individual applications.
The two dominant protocols for SSO are SAML 2.0 and OpenID Connect (OIDC). SAML, the older standard, uses XML-based assertions and is prevalent in enterprise environments. OIDC, built on top of OAuth 2.0, uses JSON and is lighter-weight — more common in modern web and mobile applications. Both protocols accomplish the same goal through different mechanisms: SAML via browser redirects with signed XML documents, OIDC via REST Application Programming Interface (API) calls exchanging JSON Web Tokens (JWTs).
SSO reduces password fatigue, shrinks the attack surface (fewer credentials to phish or leak), and centralizes access control for IT teams. The tradeoff is concentration of risk — if the IdP is compromised, all connected applications are exposed. Leading SSO providers include Okta, Microsoft Entra ID, Google Workspace, and Ping Identity. Most enterprise Software as a Service (SaaS) applications support SSO as a standard integration point.
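The IdP-to-SP handshake described above, reduced to its token step, as an added illustration that is not code from any of the vendors or protocols named on this page. The IdP mints a signed JWT ID token (the OIDC-style variant) and the SP validates signature, issuer, audience and expiry before granting access; the secret key, issuer URL and client ID are constructed placeholders, and HS256 is used only so the example runs offline with the standard library (real IdPs sign with an asymmetric key and publish the public half).

```python
"""Minimal OIDC-style SSO handshake: an identity provider (IdP) mints a signed
JWT ID token and a service provider (SP) validates it before granting access.

Added illustration, not code from any SSO vendor. Key, issuer and audience
values are constructed placeholders; HS256 (shared secret) is used so the
example runs offline, whereas production IdPs sign with RS256/ES256.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_SIGNING_KEY = b"constructed-shared-secret-for-demo"   # placeholder, not a real key
IDP_ISSUER = "https://idp.example.test"                 # placeholder issuer
SP_CLIENT_ID = "payroll-app"                            # placeholder SP identifier


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_id_token(subject: str, audience: str, now: int,
                       key: bytes = IDP_SIGNING_KEY) -> str:
    """IdP side: after the user has authenticated at the IdP, mint a token
    bound to one SP (aud) with a short lifetime (exp)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + 300}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def sp_validate_id_token(token: str, now: int, key: bytes = IDP_SIGNING_KEY,
                         expected_aud: str = SP_CLIENT_ID) -> dict:
    """SP side: verify the token before trusting any claim inside it.
    Raises ValueError on any failure; returns the validated claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm on the SP side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    # A token minted for another SP must not be accepted here.
    if claims.get("aud") != expected_aud:
        raise ValueError("token not intended for this SP")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def sso_login(token: str, now: int) -> str:
    """The SP's access decision, as 'granted:<sub>' or 'denied:<reason>'."""
    try:
        claims = sp_validate_id_token(token, now)
        return f"granted:{claims['sub']}"
    except ValueError as err:
        return f"denied:{err}"


if __name__ == "__main__":
    t0 = int(time.time())
    tok = idp_issue_id_token("alice", SP_CLIENT_ID, t0)
    print(sso_login(tok, t0))          # granted:alice
    print(sso_login(tok, t0 + 600))    # denied:token expired
    other = idp_issue_id_token("alice", "another-app", t0)
    print(sso_login(other, t0))        # denied:token not intended for this SP
```

The SP never sees the user's password, only the IdP's signed statement about who authenticated, which is the trust relationship the page describes. Each check in `sp_validate_id_token` closes one failure mode: the pinned algorithm stops a token from dictating how it is verified, the audience check stops a token issued for one application being replayed at another, and the expiry check bounds how long a leaked token remains useful.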
