SSO FAQ

Straightforward answers to common Single Sign‑On questions. Looking for the product overview? Go back to SSO.

How does Single Sign-on (SSO) work?

Single Sign-On (SSO) allows a user to access multiple applications with one set of login credentials. When a user logs in to a primary system (Identity Provider or IdP), an authentication token is generated. This token is used to authenticate the user across other connected applications (Service Providers or SPs) without requiring additional logins. SSO improves security and user convenience by centralizing authentication and reducing the number of passwords users need to remember.

What are the benefits of SSO?

  • User Convenience: Fewer passwords to remember and manage.
  • Improved Security: Authentication happens in one place, so a single strong password policy (and any additional factors) applies to every connected application.
  • Administrative Efficiency: Simplified user management and reduced help desk costs for password resets.
  • Consistent Experience: Seamless access to multiple applications enhances productivity.

What are some of the key components of SSO?

  • Identity Provider (IdP): The centralized system that handles authentication and issues tokens (e.g., Okta, Azure AD, Auth0).
  • Service Providers (SP): The applications or services that rely on the IdP for authentication (e.g., Gmail, Salesforce).
  • Authentication Protocols: Standard protocols such as SAML (Security Assertion Markup Language), OAuth, and OpenID Connect facilitate secure token exchanges between the IdP and SPs.

What is an SSO Authentication Token?

An SSO authentication token is a digital artifact issued by an Identity Provider (IdP) upon successful user authentication. This token serves as proof of the user’s identity and is used to grant access to multiple connected applications (Service Providers or SPs) without requiring the user to log in again. The token typically contains information about the user’s identity and permissions, and it is securely passed between the IdP and SPs to verify the user’s authentication status.

What are the different types of Single Sign-On?

There are several types of Single Sign-On (SSO) solutions, each designed to meet different security and integration requirements. The main types include:

  1. Kerberos-Based SSO
  2. Security Assertion Markup Language (SAML)
  3. OAuth/OpenID Connect
  4. Lightweight Directory Access Protocol (LDAP)
  5. Central Authentication Service (CAS)

What are IdP-initiated and SP-initiated SSO?

IdP-initiated SSO starts with the user logging in directly at the Identity Provider (IdP). After authentication, the IdP redirects the user to the Service Provider (SP) with an authentication token, granting access to the application.

SP-initiated SSO starts with the user attempting to access the Service Provider (SP) directly. The SP redirects the user to the Identity Provider (IdP) for authentication. After successful login, the IdP sends an authentication token back to the SP, which then grants access to the user.
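The SP-initiated flow above, as an added toy illustration in Python (not code from this page, Phase Two or Keycloak): the SP mints a one-time state before redirecting, the IdP issues a signed token naming issuer, audience, expiry and that state, and the SP verifies all of them before granting access. The HMAC key, issuer URL and SP URL are constructed placeholders; real SAML or OIDC tokens carry asymmetric signatures, but the checks an SP must perform are the same.

```python
import base64, binascii, hashlib, hmac, json, secrets

# Constructed demo values: a shared HMAC key stands in for the IdP's signing key
# (real SAML/OIDC tokens use asymmetric signatures); issuer and audience are placeholders.
IDP_KEY = b"demo-idp-signing-key"
IDP_ID = "https://idp.example"   # hypothetical Identity Provider
SP_ID = "https://app.example"    # hypothetical Service Provider

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sp_start_login():
    """SP-initiated: the SP mints a one-time state, then redirects the browser to the IdP."""
    state = secrets.token_urlsafe(16)
    return {"state": state, "redirect": f"{IDP_ID}/login?sp={SP_ID}&state={state}"}

def idp_issue_token(user, state, now, lifetime=300):
    """IdP (after authenticating the user) issues a signed token with issuer, audience, expiry and state."""
    claims = {"iss": IDP_ID, "aud": SP_ID, "sub": user, "exp": now + lifetime, "state": state}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"

def sp_verify_token(token, expected_state, now):
    """SP checks the token before granting access; returns the claims, or None to deny."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    if not hmac.compare_digest(sig, hmac.new(IDP_KEY, body, hashlib.sha256).digest()):
        return None  # forged or tampered token
    claims = json.loads(body)
    if claims.get("iss") != IDP_ID or claims.get("aud") != SP_ID:
        return None  # issued by another IdP, or for a different SP
    if claims.get("exp", 0) <= now:
        return None  # expired
    if not hmac.compare_digest(str(claims.get("state", "")), expected_state):
        return None  # not bound to this SP's pending login (replay into another session)
    return claims
```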

How do I start using SSO with Phase Two?

Setting up SSO with Phase Two is simple and easy. Read our SSO article on how to set it up. With Phase Two you can create multiple SSO interactions, including a “landing page” filled with boxes of the various services a user can sign into.

Does Keycloak support Single Logout (SLO)?

Yes!