Term · 2. Authentication & Authorization
Single Sign-On SSO
Definition
Authentication mechanism that lets a user access multiple applications with one login. In federated SSO (SAML, OIDC) an Identity Provider (IdP) authenticates the user and issues assertions that are consumed by multiple Relying Parties (RPs). In the modern enterprise SSO is table stakes: every SaaS application is expected to support SAML or OIDC. Major IdPs: Microsoft Entra, Okta, Ping, ForgeRock, Google Workspace.
- Application
- MidPoint: Single sign-on (SSO) is an authentication process in which a user logs into multiple systems with a single set of credentials (usually a username and password).
- SailPoint: Integration via SAML/OIDC. SailPoint does NOT provide SSO itself; it integrates with an external IdP.
- Standards & regulations
- NIST SP 800-63C-4 «Federation uses assertions to make statements about an authenticated subject. An assertion is a packaged set of attribute values that is passed between federation participants. Assertions are used by »
- NIST IR 8336 (Draft) «Web-based SSO is typically achieved using federation protocols, in which an identity provider (IdP) authenticates a user and then provides an assertion to a relying party (RP) so that the user can acc»
- OASIS SAML 2.0 Core (OASIS Standard, March 2005) «The Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, which are »
- OASIS SAML 2.0 Profiles (OASIS Standard, March 2005) «The Web Browser SSO Profile defines how SAML assertions can be used with browser redirects to enable single sign-on, allowing a user who has authenticated at an identity provider to obtain access to a»
- OpenID Connect Core 1.0 «OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Serv»
- RFC 6749 «The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to »
- Sources
- NIST SP 800-63 Digital Identity Guidelines (NIST) primary source
Related terms
- Kerberos: Network authentication protocol developed at MIT (Kerberos v5: IETF RFC 4120, 2005) using symmetric-key cryptography and …
- Login: Common term for the user-facing authentication interaction, entering credentials at a sign-in form. Modern patterns: pa …
- Multi-factor Authentication (MFA): Authentication requiring two or more independent factors from different categories: knowledge (password), possession (ph …
- Relying Party (RP): Application or service that depends on an Identity Provider to authenticate users and provide identity assertions. In SA …
- User Session: Temporal context maintained between authentication and logout; represents a user's authenticated state across multiple …
- Authentication (AuthN): Process of verifying that a principal is who they claim to be. Three classic factors: knowledge (password, PIN), possess …