What is Single Sign On (SSO) and How Does It Work?

Today almost all popular sites offer the option to sign up with Google, Facebook, Twitter, GitHub or a similar well-known, trusted service. Whenever you click the button saying ‘Sign Up with Google’, a window opens saying ‘You are allowing this site to access your Google profile’, and when you click Allow you are logged in to the site. Very simple, right? By clicking one button you can log in to the site without entering a username and password for it. This mechanism is called Single Sign On, or SSO for short. Have you ever wondered how SSO actually works?

Let’s start by defining Single Sign On in technical terms and then understand how it works under the hood in real life, without us even noticing it.

What is Single Sign On?

SSO (Single Sign On) is an authentication mechanism that lets a trusted third-party identity provider (Google, Facebook, GitHub, ...) authenticate the users of your site on your behalf. This offloads the work of implementing an authentication mechanism from developers, and because your site never stores user passwords, it cannot leak them: a breach of your database does not expose anyone's credentials.

Now that we have defined the term Single Sign On, let’s look at how it really works under the hood.

How does Single Sign On work?

Before going into more technical details, let me describe the steps performed by a Single Sign On system in plain English:

  • User clicks on Sign In with Google

Now that we have some context on how SSO works, let’s look at it from a technical point of view. Here are the technical steps performed to log you in to the site:

  • User opens your site website.com. The browser automatically sends along the session cookie (if any) it holds for website.com. If the site keeps its session token in the browser's local storage instead, the page's JavaScript has to attach it to the request itself, because local storage is never sent automatically (and, unlike an HttpOnly cookie, it is readable by any script running on the page). Website.com checks whether there is an active session for the presented cookie/session details. If the session is active, the user is logged in to the site.

This flow is similar to the now popular OAuth 2.0 mechanism (strictly speaking, OAuth 2.0 is an authorization framework; the sign-in layer built on top of it, which ‘Sign in with Google’ uses, is OpenID Connect). There are many other protocols available for implementing Single Sign On, SAML being the other common one, and each introduces some variations in these steps. But generating a token, authenticating the user with the trusted third-party service and redirecting the user back with authentication details is the core of every SSO implementation. Below I am presenting a graphical view of the above steps to help you understand it better:

[Diagram of the SSO flow described above]
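The steps above, carried through in code as an added example (this is not code from the original post): a minimal relying party, website.com, that redirects the browser to an identity provider with a one-time state and nonce, validates what comes back on the callback, and only then issues its own session cookie, which later requests are checked against. The identity provider is a stub constructed in the same file so the exchange runs offline; the issuer URL, client id, redirect URI and shared HMAC secret are all assumptions. A real provider such as Google is reached over HTTPS and signs ID tokens with an asymmetric key published at its JWKS endpoint, so the signature check would use that key rather than a shared secret.

```python
"""Added example (not from the original post): a minimal relying party,
website.com, that signs users in via a trusted identity provider (IdP) and
then keeps its own session cookie.  The IdP is a stub constructed here so it
runs offline; a real IdP is reached over HTTPS and signs ID tokens with an
asymmetric key from its JWKS endpoint, not the shared HMAC secret used below.
All names/URLs are assumed."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

IDP_ISSUER = "https://idp.example"             # assumed IdP
IDP_SECRET = b"stub-only-shared-secret"        # constructed, stub only
CLIENT_ID = "website.com"                      # the RP as registered at the IdP
REDIRECT_URI = "https://website.com/callback"  # registered callback, enforced by the IdP

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# ---- IdP stub (constructed) --------------------------------------------------
_ISSUED_CODES: dict = {}   # authorization code -> whom it was issued for

def idp_authorize(auth_url: str, user: str) -> str:
    """User logged in at the IdP and clicked 'Allow': return the redirect-back URL."""
    q = parse_qs(urlparse(auth_url).query)
    if q.get("client_id") != [CLIENT_ID] or q.get("redirect_uri") != [REDIRECT_URI]:
        raise ValueError("unregistered client or redirect_uri")   # IdP-side check
    code = secrets.token_urlsafe(16)
    _ISSUED_CODES[code] = {"sub": user, "nonce": q["nonce"][0]}
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})

def idp_token(code: str) -> str:
    """Back-channel code exchange: returns an ID token (HS256 JWT, stub only)."""
    issued = _ISSUED_CODES.pop(code)          # single use: KeyError if replayed
    now = int(time.time())
    payload = {"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": issued["sub"],
               "nonce": issued["nonce"], "iat": now, "exp": now + 300}
    signing_input = (_b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64(json.dumps(payload).encode()))
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

# ---- Relying party: website.com ---------------------------------------------
_PENDING: dict = {}    # state -> nonce for logins awaiting their callback
_SESSIONS: dict = {}   # session id -> user: the site's own server-side sessions

def start_login() -> str:
    """'Sign in with Google' clicked: mint a one-time state (CSRF check on the
    callback) and nonce (ties the ID token to this attempt); return the IdP URL."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    _PENDING[state] = nonce
    return IDP_ISSUER + "/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": state, "nonce": nonce})

def fetch_id_token(callback_url: str) -> tuple:
    """Callback arrived with code+state: consume the state, exchange the code.
    Returns (id_token, nonce that must appear inside it)."""
    q = parse_qs(urlparse(callback_url).query)
    nonce = _PENDING.pop(q.get("state", [""])[0], None)
    if nonce is None:
        raise ValueError("unknown or already-used state")
    return idp_token(q["code"][0]), nonce

def verify_id_token(token: str, expected_nonce: str, now: float = None) -> dict:
    """Check signature, issuer, audience, expiry and nonce before trusting claims.
    The header's alg is ignored on purpose: verify with the configured algorithm."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued to a different client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or injected token")
    return claims

def handle_callback(callback_url: str) -> str:
    """Finish the login and issue website.com's *own* session id, sent as
    Set-Cookie: sid=...; HttpOnly; Secure; SameSite=Lax."""
    token, nonce = fetch_id_token(callback_url)
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = verify_id_token(token, nonce)["sub"]
    return sid

def current_user(cookie_sid: str):
    """Later request with the cookie: server-side lookup; None = not logged in."""
    return _SESSIONS.get(cookie_sid)
```

A full login is `handle_callback(idp_authorize(start_login(), "alice"))`, with the two browser redirects simulated by the function calls; the returned session id is what the site's session cookie would carry, and `current_user(sid)` is the lookup website.com does on every later request. Two design points worth noting: the `state` is consumed on first use, so replaying a captured callback URL fails before any token is exchanged, and the ID token is only trusted after its signature, `iss`, `aud`, `exp` and `nonce` all check out. In a real deployment the pending state/nonce would be bound to the user's browser (for example in a short-lived cookie) rather than kept in one process-wide dictionary.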

Now let’s understand why you should use SSO instead of implementing your own authentication mechanism, and what the pros and cons of using it are.

Advantages of using SSO:

  • Developers don’t have to implement their own authentication mechanism, and by using SSO you decrease the complexity of your site. It is well known that complexity ~ number of bugs, and authentication code is no exception.

Cons of using SSO:

  • Using SSO introduces a single point of failure for your site. If the SSO provider goes down, no one who logs in to your site via SSO will be able to authenticate. Your users' access to your site is also only as strong as the security of their account at the provider.

Written by

Software Engineer at Endurance International Group, India.
