Single sign-on (SSO) is an authentication method that lets users log in once and gain access to every application they are authorized to use, without re-entering credentials. SSO simplifies the user experience, reduces password-related risk, and gives IT teams a centralized point of control for managing and revoking access. When combined with identity governance, least-privilege controls, and just-in-time provisioning, SSO becomes a foundational layer of a mature access management program.
Single sign-on (SSO) is an authentication method that allows organizations to securely verify users and grant access across multiple applications using a single set of credentials. Compliance frameworks including HIPAA, GLBA, and NIST all reference the need for strong, controlled authentication, and SSO is one of the most widely accepted mechanisms for meeting those requirements. Most enterprise SSO deployments depend on an identity provider (IdP) to act as the central authentication authority.
How SSO works#
When a user logs into an SSO service, the identity provider generates a cryptographically signed authentication token. When the user navigates to a connected application, the app contacts the SSO server, which presents the token to confirm the user's identity. The two most common protocols powering enterprise SSO:
- SAML (Security Assertion Markup Language): An XML-based standard that passes authentication assertions between the identity provider and service providers. Widely used for browser-based enterprise applications.
- OIDC (OpenID Connect): A modern, JSON-based protocol built on top of OAuth 2.0. Common in cloud-native and consumer-facing applications.
Why SSO matters#
Stronger security controls: SSO consolidates authentication at a single point, making it easier to enforce MFA across every connected application at once.
Higher productivity: Users reach every tool through a single login. Forgotten passwords and locked accounts become dramatically less common.
Lower IT cost: Password resets cost organizations an average of $5.2 million per year. SSO cuts that cost substantially.
Simplified offboarding: Revoking an employee's SSO session cuts access to every connected application immediately, rather than app by app.
Compliance support: Frameworks including SOX, HIPAA, and GLBA require strong authentication and auditable access records. SSO provides centralized authentication logs and consistent enforcement.
SSO and identity governance#
SSO handles authentication. Identity governance and administration (IGA) handles what authenticated users are allowed to do, for how long, and under what conditions. Access reviews surface over-provisioned accounts, dormant access, and privilege creep that SSO authentication alone cannot detect. Identity lifecycle management connects SSO to joiner, mover, and leaver workflows, preventing the buildup of standing privileges that attackers routinely exploit.
SSO and least-privilege access#
Pairing SSO with just-in-time (JIT) access means users receive elevated access only when they need it, for a limited window, and have it automatically revoked when the window closes. This eliminates standing access to sensitive systems. For a deeper treatment, see Authentication vs. Authorization.
SSO and MFA#
Pairing SSO with MFA at the identity provider level adds a second verification step that covers every connected application at once. Common second factors:
- TOTP (Time-based One-Time Password): A rotating code generated by an authenticator app
- Push notification: A prompt sent to a registered mobile device
- Hardware security key (FIDO2/WebAuthn): A physical device providing phishing-resistant authentication
- Biometrics: Fingerprint or facial recognition bound to a registered device
SSO and non-human identities#
Service accounts, API keys, and machine-to-machine integrations generally cannot participate in SSO flows, which means they require separate governance controls. Non-human identity (NHI) governance addresses this gap. Without it, service accounts often accumulate standing privileges that no SSO policy can detect or revoke.
SSO and compliance#
- HIPAA: Requires unique user identification and automatic logoff. SSO supports both when configured with appropriate session controls.
- GLBA: Requires safeguards for customer data. Centralized SSO authentication simplifies demonstrating access controls to examiners.
- NIST SP 800-63: SSO with MFA can satisfy NIST's higher assurance tiers.
- SOX: SSO provides the centralized audit trail auditors need to verify that only authorized users accessed financial applications.
How C1 enables SSO and access management#
C1 connects to your identity provider to extend SSO into a full identity governance program — governing what users can access, ensuring it's appropriate, and automating the work of keeping entitlements current.
- AI Access Management: intelligent automation for access requests, approvals, and provisioning
- Access Reviews: periodic certification campaigns that surface over-provisioned and dormant access
- Automations: joiner, mover, and leaver workflows that keep SSO-connected access synchronized with HR records
See also: identity governance best practices, IAM frameworks, What Is an Identity Provider (IdP)?, and Zero Standing Privilege.

