SSO: Why is it considered as a secure way for authentication and authorization

Gupta Bless
8 min read · Jun 25, 2022
Photo by Markus Spiske on Unsplash

Introduction

Consider a large infrastructure in which employees must use a number of different applications over the course of a single workday, and where each of these applications requires its own password. This broadens the attack surface, because a user is likely to reuse the same password across many domains; if that one password is compromised, every domain or account that shares it can be exploited. To make things simpler for employees, the majority of companies therefore implement single sign-on (SSO). This lets employees access different applications without repeatedly entering their credentials: they authenticate themselves to a single application, and all of their other applications accept that authentication even though they have never entered a password on any of the other domains. The SSO system provides authentication and authorization while also making credentials simple to maintain.

Single Sign-On (SSO):


When a company uses SSO, the user has to provide their credentials only once. Whenever the user opens an application that has SSO enabled, they enter only their username or email address and are then automatically redirected to the home page of that application, because the company has implemented SSO. This works only if the user is currently logged into a valid SSO session. If the SSO session has expired, the user must first re-establish it by logging into the SSO application (Okta, for example) before continuing.

As an illustration, assume that the user has already authenticated to the SSO application and wishes to access the website abc.com. Because abc.com uses SSO, the user is not required to supply a password after entering their username on the website and clicking the login button. It is safe to assume that they can access the application…
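The flow described above, as an added example (not code from the original article or from any SSO product): one identity provider checks the password once and keeps the SSO session; each application such as abc.com accepts a signed, short-lived assertion bound to it instead of a password, and a missing or expired SSO session forces the user back to the identity provider. The shared HMAC key, user store and timestamps are constructed demo values.

```python
import hmac, hashlib, json, base64

# Constructed demo values: one shared HMAC key (a real IdP signs with a private key) and one user
IDP_KEY = b"constructed-demo-key"
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # username -> password hash

def _sign(payload: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(IDP_KEY, payload, hashlib.sha256).digest()).decode()

class IdentityProvider:
    """The SSO application (the Okta role in the text): checks the password once, keeps the session."""
    def __init__(self, users, session_ttl=3600):
        self.users, self.sessions, self.ttl = users, {}, session_ttl

    def login(self, user, password, now):
        # Demo only: SHA-256 of the password; production code uses a slow KDF such as scrypt/bcrypt
        if self.users.get(user) != hashlib.sha256(password.encode()).hexdigest():
            return False
        self.sessions[user] = now + self.ttl   # SSO session expiry
        return True

    def assertion_for(self, user, audience, now):
        """Signed, short-lived assertion bound to one application, or None if the SSO session expired."""
        if self.sessions.get(user, 0) <= now:
            self.sessions.pop(user, None)      # expired: user must authenticate to the IdP again
            return None
        payload = json.dumps({"sub": user, "aud": audience, "exp": now + 300}).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

class ServiceProvider:
    """An SSO-enabled application such as abc.com: it never sees a password, only the assertion."""
    def __init__(self, name):
        self.name = name

    def accept(self, assertion, now):
        """Return the username if the assertion is genuine, for this app, and unexpired; else None."""
        try:
            body, sig = assertion.split(".")
            payload = base64.urlsafe_b64decode(body)
        except (ValueError, AttributeError):
            return None
        if not hmac.compare_digest(_sign(payload), sig):    # constant-time signature check
            return None
        claims = json.loads(payload)
        if claims.get("aud") != self.name or claims.get("exp", 0) <= now:
            return None
        return claims["sub"]
```

The audience check is what stops an assertion issued for abc.com from being replayed against another application, and the two expiries (session and assertion) are what send the user back to the identity provider.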

Gupta Bless

Security enthusiast working to secure web for others.