Konubinix' opinionated web of thoughts

Single Sign-On


It appears to be the property of logging in only once and having access to several resource servers afterwards.

Having ONLY ONE authentication and ONLY ONE authorization that work for several systems. This is different from using an Identity Provider that only provides ONLY ONE authentication.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.


It appears to be directly related to the notion of access token. Otherwise, without a token to pass proving the initial authentication, the user has to authenticate again for each resource server. In case they all share the same authorization server, it is called same-sign on.

For clarity, a distinction is made between Directory Server Authentication (same-sign on) and single sign-on: Directory Server Authentication refers to systems requiring authentication for each application but using the same credentials from a directory server, whereas single sign-on refers to systems where a single authentication provides access to multiple applications by passing the authentication token seamlessly to configured applications.


Conversely, single sign-off or single log-out (SLO) is the property whereby a single action of signing out terminates access to multiple software systems.
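To make the three notions above concrete (same-sign on against a shared directory, SSO by passing one token to several resource servers, and SLO revoking that token everywhere), here is an added toy model that is not part of this note. The directory contents, the HMAC-signed token format and the introspection method are all constructed for the example.

```python
"""Toy model of the distinction above: same-sign-on re-authenticates against a
shared directory for every system, SSO passes one signed token to every system,
and single log-out (SLO) revokes that token everywhere. All data is constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed directory: username -> salted password hash (same-sign on checks this per app).
_SALT = b"demo-salt"
DIRECTORY = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def same_sign_on(user: str, password: str) -> bool:
    """Same credentials, but each application performs its own authentication."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(DIRECTORY.get(user, ""), digest)


class AuthorizationServer:
    """Authenticates once and mints a token that several resource servers accept."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # HMAC key used to sign tokens (constructed)
        self.revoked = set()                # token ids terminated by single log-out

    def login(self, user: str, password: str, audiences: list, ttl: int = 300):
        if not same_sign_on(user, password):  # the single authentication
            return None
        claims = {"sub": user, "aud": audiences, "exp": time.time() + ttl,
                  "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self.key, body.encode(), "sha256").hexdigest()
        return f"{body}.{sig}"

    def logout(self, token: str) -> None:
        """Single log-out: one action ends access on every system."""
        self.revoked.add(json.loads(base64.urlsafe_b64decode(token.split(".")[0]))["jti"])

    def introspect(self, token: str, app: str) -> bool:
        """A resource server asks: is this token valid for me? No re-authentication."""
        body, sig = token.split(".")
        expected = hmac.new(self.key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
        c = json.loads(base64.urlsafe_b64decode(body))
        return app in c["aud"] and c["exp"] > time.time() and c["jti"] not in self.revoked
```

With same_sign_on, a second application must call it again with the user's password; with the token, every application listed in the audience calls introspect instead, and one logout call closes all of them.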


SSO appears to refer to the notion of doing a single action and being done with it. Therefore, having to accept several consent screens makes a scheme not SSO per se. This does not mean that it is bad or anything, just that it is not SSO.

An increasing number of federated social logons, like Facebook Connect, do require the user to enter consent choices upon first registration with a new resource, and so are not always single sign-on in the strictest sense.

