
SSO (Single Sign-On)

Definition

Single Sign-On (SSO) is an authentication method that allows users to access multiple applications and systems with a single set of credentials. SSO improves both user experience and security by reducing the number of passwords users must remember. According to Gartner, SSO reduces password-related helpdesk calls by 40-60%.

How does SSO work?

With SSO, the user authenticates once with a central identity provider (IdP). The IdP issues tokens that the user presents to all linked applications (service providers) without re-authenticating. This works via standardised protocols: SAML 2.0 for enterprise applications, OAuth 2.0 for API authorisation, and OpenID Connect (OIDC) for authentication layered on top of OAuth 2.0.

Benefits and risks

Benefits: fewer passwords mean a lower risk of weak or reused passwords, faster access, and centralised identity management. Risk: if the SSO account is compromised, the attacker gains access to every linked application, so MFA on the SSO account is essential. Session hijacking and token theft are risks specific to SSO.

Impact on organisations

SSO is a fundamental component of modern IAM architecture and Zero Trust. NIS2 requires adequate identity and access management measures. ISO 27001 sets requirements for authentication processes.

Protection

Always combine SSO with MFA, preferably phishing-resistant MFA like FIDO2/WebAuthn. Implement conditional access policies. Monitor SSO sessions for suspicious behaviour. Limit session duration with automatic timeout.
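Monitoring SSO sessions means looking at the IdP's sign-in events for patterns that a single password-only login would not show. The following detection logic is an added example, not from the DEFION page or any IdP product: it runs over constructed JSON sign-in records and flags logins that completed without MFA, the same user appearing in two countries within an hour, and a session still in use beyond the configured maximum duration. The log format, field names and thresholds are assumptions for this demo.

```python
"""Added example: simple SSO sign-in monitoring over constructed IdP log lines.
Field names (ts, user, ip, country, mfa, session_id) are assumed for the demo."""
import json

# Constructed sample events, one JSON object per line, not from any real IdP.
SAMPLE_LOG = """
{"ts": 1700000000, "user": "alice", "ip": "198.51.100.10", "country": "NL", "mfa": true, "session_id": "s1"}
{"ts": 1700000600, "user": "alice", "ip": "203.0.113.7", "country": "BR", "mfa": true, "session_id": "s2"}
{"ts": 1700001200, "user": "bob", "ip": "198.51.100.20", "country": "NL", "mfa": false, "session_id": "s3"}
{"ts": 1700002000, "user": "carol", "ip": "198.51.100.30", "country": "NL", "mfa": true, "session_id": "s4"}
{"ts": 1700040000, "user": "carol", "ip": "198.51.100.30", "country": "NL", "mfa": true, "session_id": "s4"}
"""

IMPOSSIBLE_TRAVEL_WINDOW = 3600   # two countries within an hour is not plausible travel
MAX_SESSION_SECONDS = 8 * 3600    # assumed policy: SSO sessions must end after 8 hours


def analyse_signins(log_text: str) -> list:
    """Return (alert_type, user, detail) tuples in event order."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    last_seen = {}        # user -> (ts, country) of the previous sign-in
    session_start = {}    # session_id -> ts of first event on that session
    for e in events:
        # Conditional access should not allow an SSO login to complete without MFA.
        if not e.get("mfa"):
            alerts.append(("NO_MFA", e["user"], e["session_id"]))
        # Impossible travel: a new country too soon after the previous sign-in.
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] < IMPOSSIBLE_TRAVEL_WINDOW:
            alerts.append(("IMPOSSIBLE_TRAVEL", e["user"], f"{prev[1]}->{e['country']}"))
        last_seen[e["user"]] = (e["ts"], e["country"])
        # Session lifetime: the same session_id seen past the maximum duration
        # indicates the automatic timeout is not being enforced.
        first = session_start.setdefault(e["session_id"], e["ts"])
        if e["ts"] - first > MAX_SESSION_SECONDS:
            alerts.append(("SESSION_TOO_LONG", e["user"], e["session_id"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse_signins(SAMPLE_LOG):
        print(alert)
```

Against the sample, this raises one alert per user: alice for the NL to BR jump ten minutes apart, bob for signing in without MFA, and carol for a session observed more than eight hours after it started. In practice the thresholds would be tuned per organisation and the country lookup would come from a GeoIP source rather than a field in the event.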

How DEFION helps

DEFION evaluates SSO implementations as part of pentests and Security Assessments. The team tests for SSO configuration vulnerabilities and correct MFA implementation.

Related terms

MFA (Multi-Factor Authentication)
IAM (Identity and Access Management)
Zero Trust