What is SSO?
How does it work?

Users generally find it a hassle to remember multiple usernames and passwords to access the different websites and applications that they use for both personal and official purposes. Single sign-on (SSO) removes the need for multiple user IDs and passwords by allowing users to access multiple resources using one set of credentials.

With SSO, organizations usually rely on a trusted third party to confirm that users are who they claim to be.

A world without SSO

In the absence of SSO, organizations have to maintain databases containing the credentials of all approved users, one for every application or resource that users need to access. When a user enters their username and password, the credentials are compared with the information in the database. If it matches, the user is given access to that application.

without SSO how does SSO work?

The world of SSO

To understand how SSO works, one must understand the role of an identity provider (IdP), the system that performs user authentication, and a service provider (SP), the enterprise application or website to be accessed by the user. Only when a trust relationship is established between the SP and the IdP can SSO be enabled across them.

with SSO benefits of SSO

Here’s how it works

  • A user navigates to the SP they want to access.
  • The SP sends a token containing user information to the IdP, requesting user authentication.
  • If the user has been previously authenticated, the IdP grants access to the application.
  • If the user has not been previously authenticated, the user is required to enter their IdP credentials.
  • The IdP verifies the user's identity and passes the authentication data to the SP, confirming a successful authentication.
  • The authentication data is passed as a token through the user's browser to the SP, and the user is granted access upon successful validation.
  • Once logged in, the user's authentication verification data is passed along the pages in the SP as tokens so they do not need to authenticate repeatedly.

When the same user tries to access a different trusted resource, the new resource only checks the user's identity with the IdP. No additional login is required, as the user has already been authenticated and the IdP verifies the user's identity.

Types of Identity protocols

SSO uses standard identity protocols like OAuth, WS-Federation, OpenID, and SAML to pass tokens. These identity protocols have significant differences.

  • SAML
  • OAuth
  • WS-Federation
  • OpenID

This is among the most widely used protocols. A typical SAML workflow consists of an IdP, SP, and user. User information is sent as an assertion. First, a SAML request passes from the SP to the IdP through the user's browser, and then a SAML response passes from the IdP to the SP through the user's browser.

This protocol permits the authorization server to issue access tokens to third-party applications, with approval from the owner of the resource, without giving out credentials. These access tokens are used by third-party applications to access resources hosted by the resource server.

Users of one organization can access resources of another organization by means of a trust relationship established between the two organizations. It is very similar to how SAML works but with a simpler set of messages.

With OpenID, a user's password is only used by the relaying party, a third party, to authenticate and authorize the user. Once authorized, the user can access multiple applications without having to share their credentials with every application. The user information is passed as an ID token.


Password vaulting is the process of storing user credentials for multiple enterprise applications in a software vault and securing them with a single password. Password vaulting is sometimes incorrectly referred to as SSO. With password vaulting, the user has to enter their credentials each time they move to a different application. In SSO, however, once a user logs in through an SSO solution (IdP), they can access all the company-approved applications and websites without logging in multiple times.


Federated SSO allows users to access resources across organizations. Say a user who works at company A needs access to resources from company B. Company B is a client of company A and has a federated relationship with it. Thanks to the help of federated SSO, the user is able to sign in to company B's website using company A's authentication; there’s no need for them to create a new account for company B.

The user's credentials are recognized by the federation server and it passes the authentication token to other organizations in the federation to authorize the user.

In regular SSO, a user can use a single set of credentials to access different resources across various systems within an organization. Federated SSO, on the other hand, allows a user to access different resources in different organizations that are part of the federation using a single set of credentials. This is the main difference between regular SSO and federated SSO.

Benefits of SSO

SSO is greatly beneficial to both users and IT administrators
in any company.


Reduces bad password management habits

When users do not have to remember multiple passwords, they are less likely to create weak passwords for easy remembrance. They are also less likely to write down passwords or spend significant time scouring through their list of passwords to access different applications.


Reduces password fatigue

Users do not have to remember multiple credentials to access different websites, applications, and resources. One set of credentials is all they need to remember.


Improves security

SSO solutions with features like multi-factor authentication (MFA) can provide additional layers of security and ensure that the users accessing resources are who they claim to be. The addition of a strong password policy will further strengthen security.


Reduces user dependency on IT admins

Having to use only one set of credentials to access a host of applications makes it less likely for employees to frequently knock on the doors of IT administrators to reset their forgotten passwords. Users also won’t have to wait for IT administrators to act on their requests.


Smaller workload for administrators

Various surveys show that a significant number of calls received by IT administrators are related to forgotten passwords. Thanks to SSO, IT admins can focus on more important tasks instead of dealing with the frequent password reset tickets raised by employees.

implement SSO
with ADSelfService Plus

ADSelfService Plus is an integrated Active Directory self-service password management and SSO solution. It streamlines and enhances the login experience for users via SSO and uses MFA to provide greater security. ADSelfService Plus uses the secure and widely adopted industry standard SAML 2.0 to provide SSO.

Users can log in to a website using SSO through two ways:

IdP-initiated SSO SP-initiated SSO

When SSO is enabled, while authenticating themselves using Windows Active Directory domain credentials, users also have to clear additional authentication steps set by the administrator. These factors can be SMS- or email-based verification codes, or third-party authentication providers like Yubikey, Google, and Microsoft authenticators.

With ADSelfService Plus, administrators need not create individual identities for each user. Users’ identities already present in Active Directory can be utilized for authentication. With Active Directory's OU- and group-based structure, policies can be created to determine who gets to access various cloud applications. Access to certain applications can be restricted to users belonging to certain groups.

Highlights of ADSelfService Plus

Aside from enterprise SSO, ADSelfService Plus also offers:


Self-service password reset and account unlock

Administrators can empower users to reset their own passwords or unlock accounts without having to wait for IT support, saving valuable time for both administrators and users alike.


Endpoint MFA

With this option, users will be able to log in to their Windows, macOS, and Linux machines only after they verify their identity using enforced authenticators like biometrics, YubiKey, and authentication provided by Google and Microsoft.


Password policy enforcer

Allows administrators to restrict the types of passwords that users can create for their Windows Active Directory and cloud accounts. Restrictions can be placed on characters, repetition, pattern, and length.


Password expiration notification

Tracks users' password expiration dates and sends email notifications to users whose passwords are about to expire.

Simplify access to
enterprise applications
with SSO

Download 30-days FREE trial!

Thank you for downloading!

Your download should begin automatically in 15 seconds. If not, click here to download manually.

  • Please enter work email address
    Invalid email address
  • Please enter phone number
  • By clicking 'Download', you agree to the License Agreement and Privacy Policy.
2021, Zoho Corporation Pvt. Ltd. All Rights Reserved.