Enterprise SSO
Single sign-on (SSO) allows users to sign in to multiple applications with a single set of credentials. It streamlines the authentication process for enterprise users, especially for today's workforce, which relies on many SaaS platforms.
Logto enhances the SSO experience by providing a wide range of enterprise SSO connectors that you can easily set up and integrate with your applications, for example, Google Workspace, Microsoft Azure AD, Okta, and more.
Key components of enterprise SSO
- Identity provider (IdP): A service that verifies user identities and manages their login credentials. After confirming a user's identity, the IdP generates authentication tokens or assertions and allows the user to access various applications or services without needing to log in again. Essentially, it's the go-to system for managing employee identities and permissions in your enterprise. Examples: Okta, Azure AD, Google Workspace, LastPass, OneLogin, Ping Identity, CyberArk, etc. Learn more about IdP.
- Service provider (SP): A system or application that requires user authentication and relies on the Identity Provider (IdP) for authentication. The SP receives authentication tokens or assertions from the IdP, granting access to its resources without requiring separate login credentials. Examples: Slack, Shopify, Dropbox, Figma, Notion, etc., and your own service. Learn more about SP.
- Enterprise identity: Typically identified by the use of a company email domain for login. The enterprise email account ultimately belongs to the company.
Supported SSO workflow
- IdP-Initiated SSO: In IdP-initiated SSO, the Identity Provider (IdP) primarily controls the single sign-on process. This process begins when a user logs into the IdP's platform, such as a company portal or a centralized identity dashboard. Once authenticated, the IdP generates an authentication token or assertion, which is then used to seamlessly grant the user access to multiple connected services or applications (SPs) without requiring additional logins.
- SP-Initiated SSO: In SP-initiated SSO, the Service Provider (SP) takes the lead in initiating and managing the single sign-on process, often preferred in B2B scenarios. This scenario occurs when a user attempts to access a specific service or application (the SP) and is redirected to their IdP for authentication. Upon successful login at the IdP, an authentication token is sent back to the SP, granting the user access. Logto supports SP-initiated SSO for your B2B services.
Supported SSO protocols
- SAML: Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between an IdP and an SP. This protocol is particularly adept at handling complex enterprise-level security requirements.
- OIDC: OpenID Connect (OIDC) is a simple identity layer built on top of the OAuth 2.0 protocol. It employs JSON/REST for communication, making it more lightweight and better suited for modern application architectures, including mobile and single-page applications (SPAs).
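As an added example (not Logto's own code), here is the SP-initiated workflow above carried out over an OIDC connector: the SP maps the login email's domain to an enterprise connector, redirects the user to that IdP, and then accepts the returned identity only if it was issued by that IdP for this login and belongs to the connector's verified domains. The connector registry, IdP endpoints, client ids and callback URL are constructed placeholders.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed registry: verified company email domains -> enterprise SSO connector.
# Connector ids, domains, issuers and client ids are illustrative placeholders.
CONNECTORS = {
    "acme-okta": {"domains": {"acme.example"}, "issuer": "https://idp.acme.example",
                  "authorize": "https://idp.acme.example/oauth2/v1/authorize",
                  "client_id": "acme-sp-client"},
    "globex-entra": {"domains": {"globex.example", "globex-corp.example"},
                     "issuer": "https://login.globex.example",
                     "authorize": "https://login.globex.example/oauth2/authorize",
                     "client_id": "globex-sp-client"},
}
SP_CALLBACK = "https://app.example/callback/sso"  # placeholder SP redirect URI

def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()

def find_connector(email: str) -> Optional[str]:
    """SP-initiated discovery: map the login email's domain to a connector id."""
    domain = email_domain(email)
    if domain is None:
        return None
    for cid, cfg in CONNECTORS.items():
        if domain in cfg["domains"]:
            return cid
    return None  # no enterprise connector: fall back to the regular sign-in form

def build_authorization_request(connector_id: str, login_hint: str) -> tuple:
    """Build the OIDC redirect to the IdP; the SP persists state and nonce per login."""
    cfg = CONNECTORS[connector_id]
    pending = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
               "connector": connector_id}
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": SP_CALLBACK, "scope": "openid email profile",
              "state": pending["state"], "nonce": pending["nonce"],
              "login_hint": login_hint}
    return cfg["authorize"] + "?" + urlencode(params), pending

def accept_assertion(pending: dict, claims: dict, returned_state: str) -> Optional[str]:
    """Accept the IdP's identity (ID token claims) only for the connector's own domains."""
    cfg = CONNECTORS[pending["connector"]]
    if returned_state != pending["state"]:
        return None  # response does not belong to this login attempt
    if claims.get("iss") != cfg["issuer"] or claims.get("nonce") != pending["nonce"]:
        return None  # not minted by this connector's IdP for this login
    email = claims.get("email", "")
    if not claims.get("email_verified") or email_domain(email) not in cfg["domains"]:
        return None  # an IdP may only assert identities for the domains it has verified
    return email.lower()
```

The final domain check is what keeps one tenant's IdP from signing users into another tenant's accounts; signature verification of the ID token is assumed to happen before the claims reach `accept_assertion`.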
FAQs
How do I add SSO connector buttons and sign in directly with an SSO provider on my website?
Logto allows you to add social login buttons to your website and initiate the SSO sign-in process directly without showing the default sign-in form. Check out our Direct sign-in guide for detailed instructions.