
Single-Sign-On (SSO)

Single Sign-On (SSO) is an authentication method that allows users to log in once and then access multiple applications and services without signing in to each system separately. Identity verification is handled centrally by a so-called Identity Provider, which manages the credentials and vouches for the user's identity to the respective services as needed. Widely used technical foundations for SSO include the SAML, OIDC, and LDAP protocols.

The technical mechanism is based on the Identity Provider transmitting a digitally signed authentication confirmation to the respective service after a successful login. The service trusts the Identity Provider's assertion and grants access without checking or storing the credentials itself. As a result, login information is never passed on to individual services, which significantly reduces the risk of data leaks caused by weak or reused passwords.
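The signed confirmation described above, as an added example that is not part of the original page: the Identity Provider signs a claim set (an OIDC-style ID token) and the service accepts it only after checking the signature, issuer, audience and expiry. HS256 with a shared secret is assumed so the code runs stand-alone; real deployments use the Identity Provider's public key (RS256 via its JWKS endpoint). The issuer URL, audience name and secret are constructed values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed values: a shared secret standing in for the IdP's signing key.
IDP_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://idp.example.gov"      # assumed Identity Provider
AUDIENCE = "document-management"       # assumed service (relying party) identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, audience: str, lifetime: int = 300, now: Optional[int] = None) -> str:
    """Identity Provider side: after a successful login, sign the claims for one service."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Service side: trust the claims only if signature, issuer, audience and expiry all check out.
    Returns the claims on success, None on any failure (the service never sees a password)."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":                    # reject 'none' and algorithm confusion
        return None
    expected = hmac.new(IDP_SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):          # constant-time comparison
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                                     # token from another IdP or for another service
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                                     # expired or missing expiry
    return claims
```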

A public authority running multiple specialist applications, a VPN connection, and an internal document management system can configure SSO so that employees log in once on their work device in the morning and can then use all approved systems without entering a password again. For the IT department, this means less effort spent on password resets and a clear overview of which accounts are permitted to access which services.

The key advantage of SSO lies in the combination of improved usability and enhanced security. Fewer passwords mean a smaller attack surface, and central management through an Identity Provider makes it straightforward to revoke a departing employee's access to all systems in a single step — significantly reducing the risk of orphaned accounts.

SSO reaches its full potential when closely integrated with central device management. Embedding user directories, SAML, and OIDC into a privacy-compliant IT infrastructure also reduces administrative overhead considerably.