Single sign-on (SSO) is an authentication arrangement in which a user logs in once and thereby gains access to many separate applications without authenticating again for each one. Instead of every system holding its own copy of the user’s password, a single trusted authority, the identity provider, verifies the user and then attests to that fact to every other system the user visits. This reduces password fatigue, shrinks the number of places credentials are stored, and gives an organization one place to enforce policy and revoke access.
The model rests on a separation of roles. An identity provider authenticates the user and issues a token or assertion describing the result; a service provider (or relying party) trusts that authority and accepts its statement rather than collecting a password directly. Trust between the parties is established through cryptography, typically digital signatures over the token, so a service provider can confirm that an identity statement is authentic and unmodified.
Two standards dominate how SSO is implemented. SAML 2.0, the OASIS XML standard, defines assertions and protocols expressly for this purpose; its core specification covers XML-encoded assertions about authentication and the protocols that convey them, and its browser SSO profiles describe the redirect-and-assert flow that logs a user into a service provider. OpenID Connect, the newer layer built on OAuth 2.0, is described by its own specification as a simple identity layer that lets clients verify the identity of the end user based on the authentication performed by an authorization server, which is exactly the SSO pattern expressed in JSON and JWTs.
A typical SSO flow looks the same regardless of protocol. A user tries to reach an application, which detects no existing session and redirects the browser to the identity provider. The identity provider authenticates the user, possibly prompting for a second factor, and redirects the browser back to the application carrying a signed assertion or token. The application validates that token and establishes a local session, and the user is in, having entered their password only once.
SSO concentrates both convenience and risk. Because one login opens many doors, compromise of the identity provider account is correspondingly serious, which is why SSO deployments are commonly paired with multi-factor authentication. In return, organizations gain centralized control: disabling a single account instantly cuts access across every connected system, a property that made SSO a cornerstone of enterprise identity management.