Single Sign-On (SSO)
Single Sign-On lets users authenticate once with an identity provider and access multiple applications without re-entering credentials. SAML and OIDC are the dominant enterprise protocols.
What is SSO?
Single Sign-On is an authentication pattern where a user signs in once to an identity provider (Okta, Azure AD, Google Workspace) and accesses multiple downstream applications without re-entering credentials. The two dominant protocols are SAML 2.0 (older, XML-based, common in enterprise) and OpenID Connect (newer, JSON-based, built on OAuth 2.0). Both achieve the same goal through different wire formats.
Why it's table stakes
Enterprise procurement teams require SSO for any vendor receiving more than a handful of users. The reasons: centralized account lifecycle (provisioning, de-provisioning on termination), enforced MFA at the IdP, audit logging, conditional access policies (block from untrusted networks, require trusted device). The "SSO tax" — vendors charging extra for SSO support — has been criticized for excluding small organizations from baseline security; mature AI vendors include SSO at all paid tiers.
Verification questions
Ask: which SSO protocols (SAML, OIDC), which identity providers tested in production, is SSO available at all paid tiers or only Enterprise, can you enforce SSO-only login (no password fallback) for your tenant, does SSO drive group-based authorization (JIT provisioning, group-to-role mapping), and what's the support story when SSO breaks (most vendors keep a break-glass admin password for these cases).
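To make two of those verification questions concrete (SSO-only enforcement and group-to-role mapping), here is an added example of the checks a relying party performs on an OIDC ID token after its signature has been verified; it is not code from any vendor or IdP named above. The issuer URL, client id and group-to-role table are hypothetical, and signature verification is assumed to have already been done with a JOSE library.

```python
import time

# Constructed example values: the relying party's expectations for one tenant's IdP.
EXPECTED_ISSUER = "https://idp.example.com"      # assumption: hypothetical IdP issuer
EXPECTED_AUDIENCE = "my-app-client-id"            # assumption: hypothetical client_id
GROUP_TO_ROLE = {"app-admins": "admin", "app-users": "member"}  # assumed tenant mapping

class TokenRejected(Exception):
    pass

def validate_claims(claims, expected_nonce, now=None):
    """Checks an RP must make on ID token claims (after the signature check):
    issuer, audience (and azp when several audiences), expiry, nonce."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        raise TokenRejected("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != EXPECTED_AUDIENCE:
        raise TokenRejected("azp required when token has multiple audiences")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch (replayed token or wrong session)")
    return True

def map_groups_to_roles(claims):
    """JIT provisioning: derive application roles from the IdP's groups claim.
    Unknown groups are ignored; no recognised group means no role (deny by default)."""
    groups = claims.get("groups", [])
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})

def login(tenant_sso_only, method, claims=None, expected_nonce=None, now=None):
    """Tenant-level SSO enforcement: password login is refused when the tenant is
    SSO-only; an SSO login must carry valid claims and yields IdP-derived roles."""
    if method == "password":
        if tenant_sso_only:
            raise TokenRejected("password login disabled for this tenant")
        return ["member"]  # local accounts get the default role only
    validate_claims(claims, expected_nonce, now)
    return map_groups_to_roles(claims)
```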