What is Single Sign-on (SSO)?

Single sign-on (SSO) is a core capability of identity and access management (IAM) technology that makes it easier for users to have convenient and secure online experiences. When users log in with SSO, they need only to sign in one time to gain authorization for access to multiple applications and websites. In a cloud environment, this is called "cloud SSO."

Why did SSO come about? In the "old days," each application, service, and system within an organization had its own separate credential repository. That meant that each required a separate login. Any time credentials were forgotten, or worse, stolen, the user had to call IT for a password reset. SSO solved this annoying, expensive, and risky problem. IAM and SSO solutions feature a single identity repository called an identity store that contains user credentials and identity data for multiple apps, services, and systems. This means that users only have to log in once in order to gain access to resources associated with that identity store.

There are various attributes contained within SSO that mean different things and provide different SSO functionality.

Making sense of SSO technologies

An apt metaphor for single sign-on in the physical world is attending a tradeshow conference. The badge provided at the registration table is similar to SSO credentials. The registration table is where the attendee shows the event staff proof of identity, perhaps a driver's license or photo ID issued by a governing body, such as a state government in the U.S. This proof of identity gets the attendee admitted and a conference pass or badge provides access to various areas of the conference, exhibit hall, and so on. The attendee doesn't have to go back to the registration table to visit different rooms or attend new sessions, or even when the show re-opens the next day.

In the digital world, rather than a photo ID, the way to gain entry might be with a username and password combination. But because user credentials are at a high risk for being stolen or compromised, organizations can provide more secure access through a push authentication app, or risk-based, contextual, behavioral, or biometric authentication methods. Any of these can provide stronger security by eliminating the risk of compromised credentials, and they all offer a better user experience. But the point is to authenticate the user. And based on that authentication, the user is issued a token, the digital equivalent of a conference badge.

SSO access has multiple attributes

One of the ways that SSO improves security is that it's not universal. Different permissions are assigned to the token that allow you to get into different areas. (Certificates are a similar concept.) Continuing with the conference metaphor, certain areas might be off limits, such as a speaker's lounge or executive conference rooms, depending on the type of attendee you are. SSO access levels can differ in the same way based on a user's level of authorization. Authorization can be granular, enabling a user to access certain applications or see certain types of data in a database, but not others.

Another single sign-on attribute is the level of detail your token shares. In the conference metaphor, your badge has some personally identifiable information (PII), such as your name, company, and email. But the event organizer's registration record would also probably have your work address, home address, phone number, and perhaps a credit card. A vendor who scans your badge at their booth does not automatically get access to all of that information about you. Before your PII can be used or shared, you must provide consent. There are laws about how and how long your information can be stored and what it can be used for, all of which varies by country and regional regulations. In your SSO credentials, only information agreed-upon in advance is allowed to be in the token.

There's also a time-factor involved. At the conference, your badge won't get you into the hotel conference area a week after the event is over. Similarly, your SSO security token can have an expiration date.

Federated single sign-on: the chain of trust

Continuing further with our tradeshow metaphor, let's say one of the show's sponsors is throwing an after-party at a local restaurant. This restaurant has no affiliation with the conference. The sponsor provides the restaurant with a list of party attendees, and the person who works the door at the restaurant checks the names on the badges against the list of party attendees. It's all about trust: Does this person trust the badge and allow the attendee into the party? This concept of chain of trust is what federated SSO means. Third parties can trust that the token has been authenticated.

With federated single sign-on, an organization can extend frictionless, secure account access to users beyond organizational boundaries. Using standard identity protocols, including OAuth, WS-Federation, WS-Trust, OpenID Connect, and security assertion markup language (SAML)-based SSO, organizations can pass authentication tokens repeatedly and scalably to partners, citizens, customers, patients, and others. It's a win for visitors because they get frictionless, secure access to the resources they need, which benefits the organization while reducing the need for IT involvement and involving far fewer helpdesk calls.

Is single sign-on right for my organization?

When considering SSO integration, organizations are likely to be looking at a solution that addresses the three main SSO applications. One is increasing security. SSO security is a way to enable Zero Trust principles and ensure a greater level of identity assurance and access authorization. Another is improving user experience. By reducing friction and providing fast and seamless access across a wide array of applications, organizations can boost user satisfaction and productivity. And a third SSO application is to save costs by reducing password reset support calls to the helpdesk.

Built into the ForgeRock Identity Platform is the industry's most robust orchestration engine, which uses a low-code/no-code approach to orchestrating an enormous range of secure user journeys, including single sign-on. ForgeRock makes it easy to drag and drop different elements, such as multi-factor authentication (MFA), role-based access controls (RBAC), attribute-based access controls (ABAC), passwordless authentication, and much more, into your single sign-on journeys.

With the ForgeRock platform, organizations can get all of the new IAM and SSO capabilities they need quickly and cost-effectively without ripping and replacing their legacy IAM systems (such as CA Single Sign-On [SiteMinder], Oracle, IBM, and homegrown solutions). Plus, you can do it within minutes in any cloud environment for millions of identities or as a service.

Learn More About ForgeRock Single Sign-On


What is Single Sign-On?

White Paper

Migration Guide: CA Single Sign-On (Siteminder SSO) to ForgeRock Identity Platform

Learn how you can migrate from CA to ForgeRock Single Sign-On


IAM 101 Series: Single Sign On (SSO)

Learn how you can migrate from CA to ForgeRock Single Sign-On