Single sign-on (SSO) is an authentication method that enables users to access multiple services using a single set of login credentials. You only need to enter these credentials once — often via one unified login screen — to navigate your connected accounts. Important for both security and convenience, SSO functionality is commonly provided (via OAuth) by major vendors such as Google, Apple, Facebook/Meta, and others. Both everyday customers and enterprise users rely on SSO to make their experience across digital platforms more seamless.
The earliest versions of SSO came into being in the late 1980s and 1990s. While no single individual is documented as the inventor of single sign-on, the earliest modern advancements in SSO are attributed to MIT's Kerberos authentication system. Since then, protocols such as OAuth and services such as Microsoft Active Directory (AD) and others have helped modernize SSO technology — bringing it closer to the masses while adopting a standards-based approach for secure login management.
How does single sign-on (SSO) work?
Single sign-on was created to reduce the fragmentation, mental load, and security risks associated with maintaining numerous sets of distinct login credentials. SSO also fits into a strong password management strategy at the organizational level. Unified login methods can help cut down on password resets and support ticket volumes, enhance security via policies like two-factor authentication, and lessen instances where users might write their credentials on paper to better track them. In the wrong hands, these plain-text credentials could pose internal and external risks (for users working in the office and remotely in public settings).
SSO falls under the identity and access management (IAM) umbrella. And while consolidation makes life easier for individual users, it also has security benefits for businesses. By providing one central pathway for authentication, it's easier for IT teams to revoke access to sensitive accounts and information — such as during offboarding periods, or in response to security incidents. This does introduce potential, unintended access challenges, however. If a service such as Google authentication goes down and multiple services are gatekept behind it, users might lose access to a variety of critical systems. This is why vendors have introduced session failover to maintain system-wide high availability.
The SSO authentication process
From the user's perspective, here's how the SSO process unfolds:
Users log into an SSO service provider (Google, Apple, Facebook/Meta, etc.) or company portal using their shared credentials.
The SSO service creates a token for session authentication (stored in the browser), which contains their various login credentials such as username, email address, password, or other PII.
If the user wants to access another service behind those same SSO login credentials, the SSO service will verify existing authentication on the backend, sign their session authentication token with a digital certificate, and enable access. If problems occur, the user must simply reauthenticate via the SSO provider or alert their administrator.
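The token handling in the steps above, as an added example that is not part of the original page or HAProxy's own code: an identity provider signs the session claims, and a service checks signature, audience, and expiry before granting access. HMAC-SHA256 with a shared key stands in here for the certificate-based signature so the code runs with the standard library only; the key, claim names, and hostnames are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo key shared by the identity provider and the service.
# Assumption: HMAC-SHA256 stands in for the certificate-based signature.
IDP_KEY = b"constructed-demo-key-not-for-production"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, email: str, audience: str, ttl: int, now: int) -> str:
    """Identity provider side: sign the session claims after a successful login."""
    claims = {"sub": user, "email": email, "aud": audience, "exp": int(now) + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64e(sig)}"

def verify_token(token: str, audience: str, now: int) -> dict:
    """Service side: accept the session only if signature, audience and expiry hold."""
    try:
        body, sig = token.split(".")
        given = b64d(sig)
    except ValueError:  # wrong number of parts or invalid base64
        raise PermissionError("malformed token")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison, done before the claims are parsed or trusted.
    if not hmac.compare_digest(given, expected):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body))
    if claims["aud"] != audience:
        raise PermissionError("token issued for another service")
    if now >= claims["exp"]:
        raise PermissionError("session expired, reauthenticate at the SSO provider")
    return claims

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    token = issue_token("alice", "alice@example.com", "wiki.example.com", 3600, now)
    print(verify_token(token, "wiki.example.com", now + 60))
```
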
SSO can also work with multiple identity providers. A process called federation helps maintain access to cloud-based applications and services by linking across varied domains or entire organizations. However, SSO might not work well in scenarios where users sign up for services using specific credentials — such as creating an account directly through a company (like Asana) versus using a third party.
SSO can use a number of technologies to enable login access in different scenarios. A major option is SAML (Security Assertion Markup Language), which adheres to an open standard and has existed for decades. This enables encrypted exchanges of authentication and authorization information between identity providers and service providers. It's common amongst enterprises and organizations of varying sizes.
Other solutions — such as OAuth (2.0), OpenID Connect (OIDC), LDAP (lightweight directory access protocol), and ADFS (Active Directory Federation Services) — support authentication and authorization using combinations of APIs, JSON tokenization, and social logins.
What are the benefits of single sign-on (SSO)?
SSO offers a number of advantages to a wide variety of everyday and business users, including:
Reduced password fatigue and tighter enforcement of password management policies
The ability for services to perform authenticated actions on behalf of a user (such as posting to a social media platform) without the user having to provide the service with their password
Reduced account compromise risk by limiting or outright eliminating the use of repeated passwords across accounts
Improved support for multi-factor authentication (MFA), while consolidating MFA functions behind a single access point vs. multiple
More secure password storage internally vs. externally
Fewer IT or support tickets related to credential management and misplaced login information
Does HAProxy support single sign-on (SSO)?
Yes! HAProxy One supports single sign-on (SSO) for Google, Apple, Facebook, and other providers using either our SAML Module or OpenID Connect Module. This is configurable using your default HAProxy Enterprise configuration syntax. HAProxy One users can also enable SSO across their Microsoft Active Directory (AD) domains to make authentication and authorization even simpler.
To learn more about SSO support in HAProxy, check out our blog, HAProxy Enterprise Offers SAML-based Single Sign-On.