How Single Sign-On Works
Understand how SSO works, the protocols involved, and how to choose an integration approach.
Single Sign-On is the most frequently requested requirement by organizations looking to adopt new SaaS applications. SSO enables authentication via an organization’s identity provider (IdP).
The WorkOS SSO service is compatible with any IdP that supports either the SAML or OIDC protocols. It is modeled to meet the OAuth 2.0 framework specification, abstracting away the underlying authentication handshakes between different IdPs.
The WorkOS SSO API acts as authentication middleware and intentionally does not handle user database management for the application. This separation allows it to integrate with any existing auth stack.
The standalone API is designed for integrating into an existing auth stack. It gives full control over the SSO flow and is covered in the SSO Quick Start.
AuthKit is a complete authentication platform that includes SSO out of the box. It handles user management, session tokens, and multiple authentication methods in addition to SSO. For most new applications, AuthKit is the recommended approach.
- Connection
- The method by which a group of users (typically in a single organization) sign in to an application. Each connection represents a configured link between an organization’s IdP and the application.
- Profile
- Represents an authenticated user. The Profile object contains information relevant to a user in the form of normalized and raw attributes.
- SSO Quick Start – Add SSO to your app step-by-step
- Login Flows – SP-initiated vs IdP-initiated SSO
- SAML Security – Security considerations for SAML connections
- Profile Attributes – Attribute reference for SSO profiles