Cybersecurity Glossary

What is SSO (Single Sign-On)?

Single Sign-On (SSO) is an authentication method that lets users access multiple applications with a single set of credentials. Instead of managing passwords for every tool, users sign in once with their identity provider and get authorized access to everything they’re allowed to use.

  • Blocks 99% of password attacks
  • Required by most cyber insurance
  • Core to SOC 2, HIPAA, PCI

How It Works

How SSO works

Three-step view of how it operates in practice.

1. Sign in once: The user signs in to the identity provider (Entra ID, Okta, Google Workspace).

2. Token issued: The identity provider issues a security token that proves the user’s identity.

3. Access granted: The token is presented to each downstream application, which grants or denies access based on assigned permissions.
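To make the three steps concrete, here is an added example that is not from the original page or any identity vendor: a toy identity provider issues a signed token, and a downstream app verifies it (signature, issuer, audience, expiry) before applying its own permission rule. It assumes an HMAC key shared between IdP and app, standing in for the asymmetric signing keys real SAML/OIDC deployments use; the issuer, key, user and group names are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins (assumptions, not from the page). A real IdP signs with a
# private key and the app verifies with the published public key; HMAC keeps
# this example self-contained.
IDP_KEY = b"constructed-demo-signing-key"
IDP_ISSUER = "https://idp.example.test"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(user: str, groups: list, audience: str, now: int, ttl: int = 300) -> str:
    """Step 2: the IdP issues a token binding the user, their groups, the target
    app (audience) and an expiry, and signs it so apps can trust it."""
    claims = {"iss": IDP_ISSUER, "sub": user, "aud": audience, "groups": groups, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def app_check_access(token: str, expected_audience: str, required_group: str, now: int) -> tuple:
    """Step 3: the downstream app verifies the token, then applies its own
    permission rule. Returns (decision, reason)."""
    try:
        body, sig = token.split(".")
        given_sig = _unb64(sig)
    except (ValueError, TypeError):
        return ("deny", "malformed token")
    expected_sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        return ("deny", "bad signature")  # not issued by our IdP, or tampered with
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER:
        return ("deny", "unexpected issuer")
    if claims.get("aud") != expected_audience:
        return ("deny", "token issued for another app")  # replay from a different app
    if now >= claims.get("exp", 0):
        return ("deny", "token expired")
    if required_group not in claims.get("groups", []):
        return ("deny", "authenticated but not authorized")  # authN passed, authZ failed
    return ("allow", claims["sub"])
```

Note that the last check is the "assigned permissions" step: a valid token proves who the user is, and the app still decides what that user may do.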

SSO Variants

Common SSO protocols

A clear breakdown of the common variants.

  • SAML 2.0 (most common): Mature, widely supported by enterprise apps. Most B2B SaaS supports SAML.
  • OpenID Connect (OIDC): An identity layer built on top of OAuth 2.0. The identity provider returns a signed JSON Web Token (the ID token) that the application verifies. Common for newer SaaS, mobile, and custom-built applications.
  • OAuth 2.0: An authorization framework for delegating access to an API on a user's behalf. On its own it is not an authentication protocol, which is why SSO sign-ins use OIDC on top of it.
  • Kerberos: Ticket-based authentication used inside Windows domains (Active Directory). Provides SSO to on-premises services, but not to cloud or SaaS applications.

Why It Matters

Why SSO matters for SMBs


50% reduction in password-reset help desk tickets after SSO rollout (source: Okta State of Identity, 2024).

Pitfalls

Common SSO mistakes

  • No MFA on the identity provider: SSO centralizes risk. If the identity provider falls, everything falls. MFA on the IdP is non-negotiable.
  • Only connecting the "easy" apps: The apps that hold money or sensitive data are the ones that most need to sit behind the IdP. Admins, finance, and anyone with access to money or sensitive data should use an app or hardware key — never SMS alone.
  • Ignoring offboarding: Disabling the IdP account must actually revoke access everywhere. Test your offboarding on a real terminated user.
  • No backup authentication: If the IdP is down, users are locked out. Break-glass accounts and vendor SLAs matter.

Common Questions

SSO frequently asked questions

Is SSO the same as a password manager?

No. A password manager stores distinct passwords for every app. SSO eliminates most passwords entirely by using one identity provider for authentication.

Can Microsoft 365 or Google Workspace act as the identity provider?

Yes. Entra ID (Microsoft) and Google Workspace both act as identity providers and can SSO-enable thousands of SaaS applications.

What happens if the identity provider goes down?

Users can’t sign in to SSO-enabled apps. Good SSO setups include a break-glass admin account, documented SLA expectations, and a list of apps with native logins that can be used in emergencies.

Does SSO replace MFA?

No. SSO consolidates authentication — so if the identity credential is weak, one stolen password exposes every connected app. Always pair SSO with MFA and conditional access.

What if a user loses their MFA device?

Have a documented recovery process before it happens. Typically an administrator verifies the user's identity through an out-of-band channel, temporarily disables MFA, and re-enrolls the user with a new device. Backup codes or a secondary security key reduce downtime.

Ready to consolidate to SSO?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day