Single Sign-On (SSO)

Log in once, access everything without managing a hundred passwords.

The idea

Instead of every app (Slack, GitHub, JIRA) storing and verifying passwords, they delegate trust to a central Identity Provider (IdP) like Okta or Google. The app redirects you to the IdP, you prove who you are, and the IdP sends a cryptographically signed token back to the app saying "This is Alice, I verified her."

(Diagram) Step 1: Alice wants to log into a new App (Service Provider).

How it works (OIDC/SAML conceptually)

SSO relies on HTTP redirects and signed tokens: JWTs in OpenID Connect (OIDC), XML assertions in SAML. The app (the Service Provider in SAML terms, the Relying Party in OIDC) never sees the user's password; it only checks the IdP's signature on the token, and then that the token was issued by the IdP it trusts, for this app, for this login attempt.

# App's view of the SSO flow (Flask + PyJWT), simplified: production apps use the
# authorization-code flow and exchange the code server-side instead of reading an ID token off the URL.
import secrets
from urllib.parse import urlencode
import jwt
from flask import Flask, redirect, request, session

app = Flask(__name__)
app.secret_key = secrets.token_bytes(32)           # signs the cookie that holds `state`
IDP_ISSUER = "https://idp.com"
IDP_PUBLIC_KEY = open("idp_public_key.pem").read()  # in practice fetched from the IdP's JWKS
CLIENT_ID = "MY_APP"
REDIRECT_URI = "https://myapp.example/callback"    # absolute, and pre-registered at the IdP

@app.route('/login')
def login():
    # 1. App redirects user to IdP (e.g. Google); `state` ties the callback to this browser session
    session["state"] = secrets.token_urlsafe(16)
    return redirect(IDP_ISSUER + "/auth?" + urlencode(
        {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": session["state"]}))

@app.route('/callback')
def callback():
    # 2. IdP redirects back here with a token in the URL after the user logs in
    expected_state = session.pop("state", None)
    if not expected_state or request.args.get('state') != expected_state:
        return "State mismatch", 400                # login CSRF or a mixed-up session
    token = request.args.get('token')

    # 3. App verifies the signature with the IdP's public key, plus issuer and audience (PyJWT also checks exp)
    try:
        payload = jwt.decode(token, IDP_PUBLIC_KEY, algorithms=["RS256"],
                             audience=CLIENT_ID, issuer=IDP_ISSUER)
        session["user"] = payload["email"]
        return "Logged in successfully!"
    except jwt.InvalidTokenError:                   # bad signature, expired, wrong aud/iss, ...
        return "Invalid token", 401
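
The following is an added example, not code from the original page or from any IdP vendor. One script plays both sides of the exchange: the IdP mints an ID token, the app generates `state` and `nonce` at login, then verifies the returned token claim by claim. HMAC-SHA256 stands in for the IdP's RS256 signature so the script runs on the standard library alone; the claim checks are the same for an asymmetric key, only the signature step changes. The issuer URL, client_id, redirect URI and signing key are made up.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

IDP_ISSUER = "https://idp.example"               # assumed IdP
CLIENT_ID = "my-app"                             # assumed client_id registered at the IdP
REDIRECT_URI = "https://app.example/callback"    # assumed; absolute and pre-registered
IDP_SIGNING_KEY = b"demo-hs256-key-do-not-reuse"  # constructed; stands in for the IdP's RS256 key pair
ALLOWED_ALGS = {"HS256"}                         # pinned allow-list; would be {"RS256"} in production


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_id_token(subject, email, audience, nonce, alg="HS256", ttl=300):
    """IdP side: mint a signed ID token after the user has authenticated."""
    now = int(time.time())
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "email": email,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    if alg == "none":                 # only an attacker builds this; a real IdP never emits it
        return signing_input + "."
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class TokenRejected(Exception):
    pass


def app_start_login():
    """App side, step 1: bind this browser session to the login attempt, then redirect."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    url = IDP_ISSUER + "/auth?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "id_token",
        "scope": "openid email", "state": session["state"], "nonce": session["nonce"]})
    return url, session


def app_verify_id_token(token, expected_nonce, now=None):
    """App side, step 3: a valid signature is necessary but not sufficient; every check here is."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:            # never let the token choose the algorithm
        raise TokenRejected("algorithm not allowed: %r" % header.get("alg"))
    expected_sig = hmac.new(IDP_SIGNING_KEY, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != IDP_ISSUER:                   # issued by the IdP we trust
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):  # issued for *this* app
        raise TokenRejected("wrong audience")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    if claims.get("nonce") != expected_nonce:             # issued for *this* login attempt
        raise TokenRejected("nonce mismatch")
    return claims


def app_handle_callback(session, returned_state, token):
    """App side, step 2: check `state` against the session before looking at the token."""
    if not hmac.compare_digest(session["state"], returned_state):
        raise TokenRejected("state mismatch")
    return app_verify_id_token(token, session["nonce"])


def demo():
    """One legitimate login plus five forged or misdirected callbacks; returns name -> outcome."""
    results = {}
    url, session = app_start_login()
    results["redirect_carries_state"] = ("state=" + session["state"]) in url
    nonce = session["nonce"]

    def attempt(name, token, state=session["state"]):
        try:
            results[name] = "accepted:" + app_handle_callback(session, state, token)["email"]
        except TokenRejected as e:
            results[name] = "rejected:" + str(e)

    attempt("legit", idp_issue_id_token("alice-id", "alice@example", CLIENT_ID, nonce))
    attempt("other_apps_token", idp_issue_id_token("alice-id", "alice@example", "other-app", nonce))
    attempt("alg_none", idp_issue_id_token("alice-id", "admin@example", CLIENT_ID, nonce, alg="none"))
    attempt("expired", idp_issue_id_token("alice-id", "alice@example", CLIENT_ID, nonce, ttl=-1))
    attempt("replayed_nonce", idp_issue_id_token("alice-id", "alice@example", CLIENT_ID, "old-nonce"))
    attempt("csrf_state", idp_issue_id_token("alice-id", "alice@example", CLIENT_ID, nonce), state="forged")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

Only the first callback is accepted. The other five carry a token the IdP genuinely signed (or, for `alg_none`, one with the signature stripped) and still fail: a valid signature on a token minted for another app, for a stale login, or past its expiry proves nothing about this request. With PyJWT and RS256 the same checks are the `algorithms=`, `audience=` and `issuer=` arguments to `jwt.decode`, plus your own `state` and `nonce` comparison.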

Cost

Implementing SSO (SAML or OpenID Connect) means managing signing keys and certificates (the IdP's key set, its rotation, the metadata exchange) and adds a few redirects to login latency. In return it removes a password database from every app, cuts support costs (far fewer "forgot password" tickets) and centralizes MFA and offboarding: disable the account at the IdP and access to every connected app ends at once.

Watch out for