What is Single Sign-On (SSO)?

​​​​Single Sign-on (​SSO) is an authentication method that allows a user to log into multiple applications or services with a single set of credentials. Instead of requiring users to log in separately to each application, SSO enables them to authenticate once and gain access to multiple connected systems without the need for repeated logins.

(SSO) is like having a single key that lets you unlock multiple doors. That key is assigned to your identity so it can unlock all of the doors you are allowed to access without you needing to search through a bunch of keys to find the right one. In the digital context, that means there’s no need to remember numerous passwords or tedious identity challenges at every door.

SSO is commonly used in enterprise environments, cloud-based applications, and online services to simplify access management for users and administrators alike.

How it works

SSO has two components: the user, or identity provider, and the SSO software, or service provider.

When a user logs into their organization’s network with their username and password, the integrated SSO software generates a digital token. This token is a virtual key representing the user’s authentication that can be used to access connected applications, eliminating the need for multiple logins in a session.

The duration for which the session remains valid is determined by the SSO configuration. It can be set to remain active for a few hours or several days.

SSO is an important process because it streamlines user access, improves productivity, strengthens security measures, and simplifies access management for organizations. SSO aligns with the evolving needs of a modern workforce and contributes to a more efficient and secure workplace. However, without diligent management and the addition of other controls such as 2FA, SSO is just as likely to make an environment less secure. It’s only as good as the password management controls applied within (expirations, prohibiting reuse, elimination use of known compromised credentials, lock-after-n-attempts, etc.)

Today, organizations typically rely on a multitude of workforce applications. With the proliferation of Software-as-a-Service (SaaS) applications, organizations of all sizes must manage multiple usernames and passwords, which can be frustrating for employees and tough on IT teams.

With SSO, users only need to enter their credentials once to access internal apps, and security admins can set flexible policies. Help desk teams save time by resetting fewer passwords. This benefits IT departments by saving time and money, freeing them to focus on other business initiatives.

SSO means a user only needs to sign in a single time to access their organization's different applications, instead of entering their login information for each application.

This means users only need to remember one password. Once a user’s identity is authenticated, the user can navigate between systems without the need to log in to each one individually.

Although users may be required to enter login credentials for other systems occasionally, there’s significantly less signing in needed. Fewer passwords means fewer password resets; and strengthened security posture.

SSO helps users and IT teams work more efficiently. It not only reduces the burden placed on end users to create and manage multiple passwords, but also alleviates the hassle of remembering and resetting passwords for all the apps being accessed for work.

With SSO, organizations can centrally manage user access to various applications. Administrators can control permissions, grant or revoke access, and enforce security policies from a centralized point.

SSO is used across various contexts and industries to streamline access management, enhance user experience, and improve overall security. Here are some common use cases for Duo SSO solutions:

Small to Medium-Sized Business
Duo SSO makes life easier for users, since they only need one password, and can access apps covered by the organization’s platform and policies and even update their authentication devices from a web portal, Duo Central. Paired with strong MFA, device insights and controls, and adaptive security policies, SSO protects and enables access to the organization’s platforms and applications from any user, device, and location.

Enterprise-Level Organizations
Duo Passwordless requires SSO because SSO is integral to mitigating threats such as stolen passwords and credentials. Duo SSO can authenticate users against your Active Directory or chain to authentication from an existing SSO identity provider you may already use (e.g., Microsoft's Active Directory Federation Services, Okta, or PingFederate) so you can implement a passwordless policy quickly and securely.

Web Apps
With Duo SSO, you can protect access to popular web applications, websites, blogs and team collaboration tools. Duo verifies user identity with strong, two-factor authentication (2FA) and checks the security health and trustworthiness of their devices before granting access to your web applications.

Remote Access
Duo’s SSO can be used in conjunction with VPNs and other remote access technologies to provide a streamlined work-from-anywhere experience. Because Duo’s Multi-factor Authentication (MFA) protects every authentication, employees can use their SSO credentials to remotely access applications without introducing additional security risks.

For a VPN-free user experience, Duo’s SSO can also be paired with the Duo Network Gateway, Duo’s modern remote access proxy. This configuration provides a friction-free login experience that’s just as secure as traditional remote access solutions.

SSO + MFA
While you may think of SSO and multi-factor authentication (MFA) as two separate (or even conflicting) solutions, these two solutions are actually complementary. They work together to fortify identity and access management initiatives — and, in the process, your entire cybersecurity infrastructure.

Deployed together, SSO and MFA streamline the user experience, drive down password‑associated risk, ease the support burden on IT, and save time and money. This combination also helps organizations proactively defend themselves against all types of exploits, especially password‑based and MFA‑targeted attacks.

With Duo SSO, users can securely access a range of apps, services, and platforms, including:

• Proprietary apps (APIs)

• Microsoft environments

• Cloud services

• Unix devices (SSH sessions)

• Internal applications (VPNs)

• Cloud applications

• Web applications

• SAML 2.0 applications

• OpenID Connect (OIDC) applications

​Implementing Single Sign-On (SSO) involves several steps to enable users to authenticate once and access multiple applications or services without the need to log in separately for each.

​Here's a general guide on how to implement SSO:

​Define Objectives and Scope – Clearly define the objectives of implementing SSO and identify the scope of the project. Determine which applications or services will be integrated with SSO.

​​Choose SSO Protocol – Select an appropriate SSO protocol that aligns with your requirements. Common protocols include SAML (Security Assertion Markup Language), OAuth, and OpenID Connect (OIDC).

​​​Select SSO Provider or Identity Provider (IdP) – Choose an SSO provider or set up an IdP within your organization. The IdP is responsible for authenticating users and providing tokens or assertions to allow access to other applications.​​

​Integrate Applications with SSO – Integrate each application or service with the chosen SSO protocol. This may involve configuring the applications to recognize and trust the SSO provider.

​​​User Authentication and Authorization – Configure the IdP to handle user authentication and authorization. This includes setting up user accounts, defining access levels, and determining the authentication mechanisms (e.g., username/password, multi-factor authentication).​​

​​​Implement SSO in Applications – Modify or configure each application to support SSO. This often involves adding SSO-related libraries or modules and configuring the application to trust the IdP.​​

​​Establish Federation Trust – Establish trust between the IdP and each application by exchanging metadata or certificates. This step ensures secure communication and data exchange.

• Single Sign-On with Duo
  Duo SSO provides users with an easy and consistent login experience for every application — in the cloud or on-premises.

  Duo's cloud-based SSO works seamlessly with your identity provider and Duo's MFA to enable secure access and help protect virtually any cloud, web or on-premises app.

  Duo SSO offers inline user enrollment, self-service device management, and support for a variety of ​​​​​authentication methods​ — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Duo Universal Prompt.

SSO can be secure when implemented correctly with proper security measures. The security of an SSO system depends on various factors, including the implementation method, the strength of authentication mechanisms, device verification , and adherence to best practices.

You can enhance the security of the SSO login process by incorporating an additional layer of authentication, such as strong two-factor authentication (2FA) or strong multi-factor authentication (MFA), 2FA and MFA mandate at least one additional secure identity verification factor alongside the password. This could involve a Duo Verified Push, security key, or biometrics each serving to confirm the user's identity.

Implementing SSO with strong 2FA substantially lowers the risks linked to compromised credentials. It's a security measure that benefits on multiple fronts.

SSO provides several benefits for both users and organizations. Duo SSO enables seamless, secure access to the broadest range of cloud and on-premises apps including those built on SAML 2.0 and OpenID Connect (OIDC) standards.

Here are some key advantages.

Simplified User Experience = Increased Productivity – Users only need to log in once to access multiple applications and services, reducing the burden of managing multiple sets of credentials.

Cost and Time Savings – Reduces the number of support requests related to forgotten passwords or account lockouts.

Streamlined Access Management – Easier to grant, monitor, and revoke user access across multiple applications.

Increased Compliance – SSO means users don’t have to remember multiple passwords, reducing the risks associated with credential compromise and breaches. Duo enables organizations to adhere to regulatory compliance requirements (e.g., PCI DSS, HIPAA, etc.) for verification of users.

Passwordless – SSO dramatically reduces the number of passwords, and Duo Passwordless relies on Duo SSO for secure authentication.

Duo SSO enables a variety of organizations to adhere to regulatory compliance requirements for verification of users.

K-12

Save money and time on school cybersecurity with Duo's easy-to-use solutions.

Higher Education

Protect student and employee data and meet regulatory reporting and compliance requirements related to identity and access management with Duo (SSO + MFA).

Financial Services

Verify users identities and check device security health to keep financial data and online transactions safe.

Healthcare

Secure patient data by protecting EHR systems and e-prescription software.

Technology

Protect access to your applications and user data while reducing the risk of a data breach with Duo.