2.3.3. Single Sign-On (SSO)
💡 First Principle: Single Sign-On lets a user authenticate once to their identity provider and then access multiple applications without re-entering credentials. The identity provider issues a token; applications trust that token instead of asking the user to log in again. SSO reduces friction, reduces password fatigue, and centralizes authentication control.
Without SSO, every application has its own login. Users manage 10-20 separate passwords, forget them, reuse them across services (a major security risk), and waste time on authentication. With SSO, users sign in once to Entra ID and get seamless access to all connected apps.
How it works technically:
Entra ID, the identity provider behind Microsoft 365, supports several federation protocols; the two you will meet most often are:
- SAML 2.0: XML-based, widely used for enterprise apps (Salesforce, ServiceNow, older SaaS). Entra ID returns a signed SAML assertion that the application validates.
- OpenID Connect (OIDC): JSON/REST-based and layered on OAuth 2.0, the modern standard used by most new cloud apps. Entra ID returns a signed ID token (a JWT) whose audience claim names the specific application.
(WS-Federation is also supported for older Microsoft-centric applications.) In both cases the user's single authentication lives as a session with Entra ID; each application receives its own token bound to that application.
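The flow described above, as an added example that is not code from the original page or from Microsoft: a toy identity provider that authenticates a user once and then mints a separate OIDC-style ID token (a JWT) for each registered application, plus the relying-party validation each application performs on its own token. The issuer URL, the client IDs `crm-app`, `ticketing-app` and `legacy-app`, and the user `alice` are made-up assumptions; signing with HS256 and a shared secret is also an assumption so the example runs offline, whereas Entra ID signs with RS256 and applications verify against the tenant's published JWKS keys.

```python
# Constructed illustration of SSO: one authentication at the identity provider,
# then a separate ID token per registered application. Not Entra ID's code.
# Assumption: HS256 with a shared secret (offline); Entra ID uses RS256 + JWKS.
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates a user once, then mints per-application ID tokens."""

    def __init__(self, issuer, signing_key, users, clients):
        self.issuer = issuer
        self.key = signing_key
        self.users = users          # username -> password (constructed test data)
        self.clients = clients      # client IDs of apps registered for SSO
        self.sessions = {}          # SSO session cookie -> username
        self.password_checks = 0    # how often credentials were actually verified

    def authenticate(self, username, password):
        """Primary authentication. Returns the SSO session cookie."""
        self.password_checks += 1
        stored = self.users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def id_token(self, cookie, client_id, ttl=3600):
        """Mint a JWT for one app from the existing session; no password prompt."""
        if cookie not in self.sessions:
            raise PermissionError("no SSO session; user must authenticate")
        if client_id not in self.clients:
            raise LookupError(f"{client_id} is not registered for SSO")
        now = int(time.time())
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64url(json.dumps({"iss": self.issuer, "sub": self.sessions[cookie],
                                     "aud": client_id, "iat": now, "exp": now + ttl}).encode())
        sig = hmac.new(self.key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64url(sig)}"


def validate_id_token(token, issuer, client_id, key, now=None):
    """Relying-party checks: signature, issuer, audience, expiry. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # pin the alg; never trust 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("token was minted for a different application")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims


def sso_demo():
    """One login, tokens for two apps, one legacy app outside SSO. Returns a summary."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://login.example.test/tenant-id", key,
                           users={"alice": "correct horse"}, clients={"crm-app", "ticketing-app"})
    cookie = idp.authenticate("alice", "correct horse")          # the only password check
    crm = validate_id_token(idp.id_token(cookie, "crm-app"), idp.issuer, "crm-app", key)
    tickets = validate_id_token(idp.id_token(cookie, "ticketing-app"), idp.issuer, "ticketing-app", key)
    try:   # a CRM token replayed at the ticketing app fails the audience check
        validate_id_token(idp.id_token(cookie, "crm-app"), idp.issuer, "ticketing-app", key)
        cross_app_accepted = True
    except ValueError:
        cross_app_accepted = False
    try:   # an app never registered with the IdP gets no token: separate login needed
        idp.id_token(cookie, "legacy-app")
        legacy_token_issued = True
    except LookupError:
        legacy_token_issued = False
    return {"password_checks": idp.password_checks, "crm_sub": crm["sub"],
            "tickets_sub": tickets["sub"], "cross_app_accepted": cross_app_accepted,
            "legacy_token_issued": legacy_token_issued}


if __name__ == "__main__":
    print(json.dumps(sso_demo(), indent=2))
```

Running it shows a single password check producing valid tokens for two applications, a token for one app being rejected by another because of the `aud` claim, and no token at all for an application that was never registered with the identity provider. A real relying party does the same checks; the difference is that it verifies an RS256 signature with keys fetched from the issuer's discovery document rather than a shared secret.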
💡 Key Point: SSO doesn't just improve user experience; it improves security. When all authentications flow through Entra ID, Conditional Access policies apply universally, MFA is enforced centrally, and every sign-in is logged in one place (the Entra ID sign-in logs). Fragmented authentication means fragmented security: an application with its own login bypasses all of those controls.
⚠️ Exam Trap: SSO does not mean users have only one password. Some users may still have separate local passwords for non-SSO applications. SSO means one authentication session: users authenticate once to Entra ID, which then issues a token for each SSO-enabled app they open. Applications that are not integrated with Entra ID still require a separate login.
Reflection Question: After implementing SSO for all cloud apps, a user reports they still have to log in to one legacy web application every day. What is the most likely explanation?