What Is SSO? Single Sign-On Explained
Learn what single sign-on (SSO) is, how SSO login works, how SAML and OIDC differ, and how SSO fits with MFA, team access, API keys, and DNS account security.
Answer snapshot
SSO, or single sign-on, lets a user authenticate once with a trusted identity provider and then access multiple applications without separate passwords for each one. The application delegates login to an IdP such as Okta, Microsoft Entra ID, Google Workspace, or another identity platform. SSO improves central control, offboarding, auditability, and user experience, but it does not replace MFA, least-privilege roles, scoped API keys, or careful identity-provider security.
What you'll learn
- Understand what SSO and single sign-on mean
- Follow the basic SSO login flow between a user, application, and identity provider
- Compare SAML, OIDC, and OAuth in practical terms
- Learn how SSO differs from MFA and password managers
- Understand why SSO matters for infrastructure and DNS-provider accounts
SSO stands for single sign-on. It is a login model where a user signs in once through a trusted identity provider, then accesses multiple applications without managing a separate password for every application.
For example, a company may use Microsoft Entra ID, Okta, Google Workspace, Ping Identity, OneLogin, or another identity provider as the central login system. Employees sign in there, complete any required MFA challenge, and then access SaaS tools, internal dashboards, infrastructure consoles, and support systems through that central identity.
SSO is not only a convenience feature. For infrastructure teams, it is an access-control and auditability control: one place to enforce login policy, disable users, require MFA, review sessions, and monitor suspicious sign-ins.
How SSO Works
A typical SSO flow has three parties:
| Party | Role |
|---|---|
| User | The person trying to sign in |
| Service provider (SP) or application | The app the user wants to access |
| Identity provider (IdP) | The trusted login system that verifies the user |
The flow usually looks like this:
- The user opens an application.
- The application sees that the user is not signed in.
- The application redirects the user to the identity provider.
- The identity provider verifies the user with password, MFA, device policy, risk checks, or other controls.
- The identity provider sends a signed assertion or token back to the application.
- The application validates that assertion or token.
- The application creates a local session for the user.
The application does not need to store the user's primary password. It trusts the identity provider's signed response.
What SSO Solves
SSO addresses several common identity problems:
- Users do not need separate passwords for every application.
- Security teams can enforce login policy centrally.
- MFA can be required from one identity layer.
- Offboarding can disable access across many applications quickly.
- Audit logs can show authentication events across the organization.
- Conditional access policies can account for device, network, location, and risk.
- Applications can avoid building complex password-management workflows themselves.
For small teams, SSO may be mostly convenience. For larger teams, regulated organizations, and infrastructure operators, SSO becomes part of operational risk management.
SSO vs MFA
SSO and MFA solve different problems.
| Control | What it answers |
|---|---|
| SSO | Which trusted identity provider says this user signed in? |
| MFA | Can this user prove possession of a second factor? |
SSO centralizes login. MFA strengthens the proof during login.
Use both where possible. SSO without MFA still leaves users exposed if a password is stolen. MFA without SSO still leaves teams managing user lifecycle, password policy, and access review across many separate applications.
SSO vs Password Managers
Password managers and SSO are complementary.
A password manager stores and fills credentials for many sites. It helps users create unique passwords and avoid reuse.
SSO removes the need for many separate application passwords by delegating authentication to a central identity provider.
In practice, teams often use both:
- SSO for applications that support federation.
- A password manager for applications that still require local credentials.
- MFA or hardware keys on the identity provider and high-risk direct logins.
SAML, OIDC, and OAuth
SSO discussions often mention SAML, OIDC, and OAuth. They are related, but not identical.
| Term | What it is | Common use |
|---|---|---|
| SAML | XML-based federation protocol | Enterprise web SSO |
| OIDC | Identity layer on top of OAuth 2.0 | Modern web, mobile, and SaaS login |
| OAuth 2.0 | Authorization framework | Letting one app access resources in another app |
SAML and OIDC can both power SSO login. OAuth is often involved in authorization flows, but OAuth alone does not necessarily prove who the user is. OIDC adds the identity layer that applications need for login.
SAML SSO
SAML SSO is common in enterprise SaaS.
In a SAML flow:
- The service provider sends the user to the identity provider.
- The identity provider authenticates the user.
- The identity provider returns a signed SAML assertion.
- The service provider validates the signature and attributes.
- The user gets an application session.
SAML assertions can include attributes such as email, name, groups, and role mappings. Misconfigured attributes can accidentally grant too much access, so SAML setup should be tested carefully.
OIDC SSO
OIDC uses JSON Web Tokens and OAuth-style flows. It is common for modern SaaS, developer tools, web apps, and mobile applications.
In an OIDC flow:
- The application redirects the user to the identity provider.
- The user authenticates.
- The identity provider returns an authorization code.
- The application exchanges the code for tokens.
- The application validates the ID token and creates a session.
OIDC tends to fit modern application stacks naturally, but token validation, redirect URI configuration, and client-secret handling still need care.
Why SSO Matters for Infrastructure Accounts
Infrastructure accounts are high-value targets. DNS, cloud, CI/CD, monitoring, incident-management, and payment systems can all affect production availability.
For DNS provider accounts specifically, an attacker who gets access may be able to:
- Change A, AAAA, or CNAME records and redirect traffic.
- Change MX records and intercept email routing.
- Change TXT records, SPF, DKIM, or DMARC data.
- Remove or break DNSSEC-related records.
- Create API keys for later access.
- Delete zones or records and cause outages.
That is why SSO belongs beside other controls: MFA, multi-user access control, scoped API keys, audit logs, registrar locks, and DNSSEC.
SSO and Team Access
SSO handles the login identity. It does not automatically decide what the user can do after they sign in.
Applications still need authorization controls:
- Account roles such as admin or member.
- Zone-level access for DNS platforms.
- Read-only vs write access where supported.
- API-key scopes.
- Audit logs for who changed what.
- Offboarding workflows that remove sessions and keys.
In DNScale, multi-user accounts and zone access control cover role and zone-level permissions. Conceptually, SSO would sit above that as a centralized login layer; permissions still need to be enforced inside the application.
SSO and API Keys
SSO usually authenticates humans in a browser. API keys authenticate automation.
Do not assume SSO protects API keys automatically. If an API key is already created and stored in CI/CD, Terraform, DNSControl, or another automation system, it may continue working until it is rotated or revoked.
Good practice:
- Create dedicated users or service accounts for automation where the product model supports it.
- Scope API keys to the minimum required permissions.
- Store keys in a secrets manager.
- Rotate keys when team members leave.
- Monitor API-key creation and usage.
- Revoke unused keys.
See the API authentication documentation for DNScale API-key mechanics.
SSO Benefits
| Benefit | Why it matters |
|---|---|
| Centralized policy | Password, MFA, device, and conditional-access rules live in one place |
| Faster offboarding | Disable one identity to remove access to many apps |
| Better auditability | Login events are visible in the identity provider |
| Less password reuse | Fewer application-specific passwords |
| User convenience | Users sign in once across many tools |
| Procurement fit | Enterprise buyers often require SSO for production SaaS |
These benefits are strongest when SSO is paired with MFA, least privilege, lifecycle automation, and regular access reviews.
SSO Risks
SSO also introduces concentration risk.
| Risk | Example mitigation |
|---|---|
| Identity provider compromise | Require phishing-resistant MFA, protect admin accounts, monitor IdP changes |
| IdP outage | Maintain emergency access procedures and tested break-glass accounts |
| Misconfigured assertions | Test role and group mappings before rollout |
| Over-broad access | Use least-privilege roles inside each application |
| Weak offboarding | Automate deprovisioning and regularly audit active users |
| Forgotten local accounts | Disable or monitor password fallback where possible |
SSO is not a magic security upgrade by itself. It centralizes identity, which makes good identity operations more powerful and bad identity operations more dangerous.
SSO Implementation Checklist
Use this checklist when evaluating SSO for production infrastructure tools:
- Choose the identity provider that is already authoritative for your organization.
- Require MFA at the identity provider, preferably phishing-resistant MFA for administrators.
- Decide whether SAML or OIDC is the right integration path.
- Map identity-provider groups to application roles carefully.
- Keep at least two tested break-glass admin accounts.
- Document how offboarding revokes application sessions and API keys.
- Review whether local password login remains enabled.
- Test login from normal user, admin, and disabled-user scenarios.
- Confirm audit logs show successful and failed sign-ins.
- Review access quarterly for high-risk tools.
For DNS and infrastructure tools, also review scoped API keys, zone access, activity logs, and registrar access controls.
Common Misconceptions
"SSO means users cannot be phished"
Not by itself. SSO centralizes login, but users can still be phished if the identity provider allows password-only login or weak MFA. WebAuthn/FIDO2 security keys provide much stronger phishing resistance.
"SSO replaces MFA"
No. SSO and MFA should work together. SSO routes authentication through one place; MFA strengthens that authentication.
"SSO controls every API key"
Usually no. Existing API keys, service accounts, and automation credentials need their own lifecycle controls.
"SSO ID means the same thing everywhere"
No. Some portals call a login identifier an SSO ID. In identity architecture, SSO means the broader single sign-on model, not one specific government, school, or service-provider account number.
Key Takeaways
- SSO means single sign-on: one trusted identity provider authenticates users for many applications.
- SAML and OIDC are the two common protocols used for SSO login.
- SSO centralizes login policy, offboarding, MFA enforcement, and auditability.
- SSO does not replace MFA, role-based access control, scoped API keys, or audit logs.
- DNS-provider accounts are high-value targets, so identity controls matter alongside DNSSEC, registrar locks, and API-key governance.
Related Guides
Frequently asked questions
- What is SSO?
- SSO stands for single sign-on. It is an authentication model where a user signs in through one trusted identity provider and then accesses multiple applications without creating separate passwords for each application.
- What is an SSO login?
- An SSO login is a sign-in flow where an application redirects the user to an identity provider. After the identity provider verifies the user, it sends a signed assertion or token back to the application so the user can start a session.
- Is SSO the same as MFA?
- No. SSO centralizes authentication through an identity provider. MFA adds a second verification factor, such as a hardware key or authenticator code. Strong enterprise setups usually use both: SSO for centralized control and MFA for stronger proof that the user is legitimate.
- What is the difference between SAML and OIDC?
- SAML is an XML-based federation protocol widely used for enterprise web SSO. OIDC, or OpenID Connect, is a JSON/token-based identity layer built on OAuth 2.0 and is common in modern web and mobile applications.
- Is SSO more secure than passwords?
- SSO can be more secure because it centralizes policy, MFA, offboarding, and monitoring. It can also create concentration risk: if the identity provider is compromised or misconfigured, many applications may be affected. The IdP must be protected carefully.
- Is an SSO ID the same thing as SSO?
- Not exactly. In some services, an SSO ID is the user identifier used to sign in through a particular portal. SSO itself is the broader authentication architecture that lets one identity provider authenticate users across multiple applications.
Related guides
Security
What Is a CAPTCHA Challenge Response?
Learn what a CAPTCHA challenge-response is, how CAPTCHA verification works, where it fits in a security stack, and what it does not protect.
Security
Multi-Factor Authentication (MFA) Guide
Learn what multi-factor authentication is, how to enable 2FA on your DNScale account using an authenticator app or a hardware security key, and how the login flow works with MFA enabled.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free