Overview
In today's digital world, we use many applications in our day-to-day life, and remembering different usernames and passwords for each one is painful.
This is where Single Sign-On (SSO) comes into the picture.
SSO allows users to enter their credentials only once and then access multiple applications without having to re-enter credentials.
What is Single Sign-On (SSO)?
Single Sign-On is an authentication process that allows users to access multiple applications without being asked for credentials repeatedly.
Example: If you log in to Google once, you automatically get access to YouTube, Gmail, Google Drive, and other apps without logging in to each one separately.
Why Do We Need SSO?
- User Experience: One login grants access to multiple systems
- Stronger Security: Centralized authentication allows stronger controls
- Reduced IT Burden: Easier user management from a central Identity Provider
- Compliance & Monitoring: Centralized login activity helps with audits
Key Players in SSO
| Component | Description |
|---|---|
| User | The person who accesses applications |
| Service Provider (SP) | The application the user wants to access (e.g., YouTube, Gmail, Google Drive) |
| Identity Provider (IdP) | The trusted authentication system that verifies the user's identity (e.g., Google Identity, Keycloak) |
| Authentication Protocol | The rules that define how the SP and IdP communicate (e.g., SAML, OAuth2, OIDC) |
How Does SSO Work? (Step by Step)
Let's imagine you want to log in to Google Drive using SSO.
1. User tries to access Google Drive
Google Drive does not authenticate you directly.
2. Redirect to Identity Provider (IdP)
The IdP is now responsible for checking your credentials.
3. Authentication at the IdP
- The IdP checks its session
- If you are not already authenticated, it will ask for your email and password
- Once authenticated, the IdP confirms your identity
4. Issue Token
The IdP generates a token for the user and sends it back.
5. Token Verification
The Service Provider verifies the token. If valid, you get access to the application.
Technical View: Full Token Exchange Flow
Since SSO can use different protocols (SAML, OAuth2, OIDC), the most modern and common is OIDC, which is built on top of OAuth2.
This guide explains the Authorization Code Flow with PKCE, which is the standard for web and mobile apps.
Step 1: User Accesses Application (Service Provider)
The user visits: https://myapp.com and clicks Login with SSO.
Step 2: Redirect to Identity Provider
The Service Provider redirects the user to the IdP with parameters:
-
client_id→ unique ID of the app registered in IdP -
redirect_uri→ where IdP should send the response -
scope→ requested information (profile, email, openid) -
response_type=code→ authorization code flow -
state→ CSRF protection token -
code_challenge→ PKCE for security
Step 3: Authentication at the IdP
- The browser shows the IdP login screen
- The user enters username, password, maybe MFA
- The IdP validates credentials → user authenticated
Step 4: Authorization Code Issued
After successful login, the IdP does not issue a token directly.
Instead, it generates an Authorization Code and sends the user back:
https://myapp.com/callback?code=AUTH_CODE&state=xyz
Now, the Service Provider makes a secure POST request to the IdP's Token Endpoint with:
client_id-
redirect_uri(must match original) grant_type=authorization_codecode=AUTH_CODE-
code_verifier(PKCE check)
The IdP verifies the code and PKCE challenge. If valid → issues tokens.
Step 5: Tokens Issued
The IdP responds with:
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR...",
"id_token": "eyJhbGciOiJSUzI1NiIsInR...",
"refresh_token": "0d1f...xyz",
"token_type": "Bearer",
"expires_in": 3600
}
The Service Provider then validates:
- Signature (using IdP's public key)
-
Expiry (
exp) -
Audience (
aud) matches the app -
Issuer (
iss) matches the IdP
If valid → the Service Provider creates a session.
🔑 Final Thoughts
So, this is how SSO works — simple and seamless for the user, but under the hood it's powered by cryptography, tokens, and strict validation.
Top comments (0)