SSO
ess-ess-oh
Single sign-on: one login that grants access to multiple applications without signing in separately to each.
SSO (single sign-on) means you log in once and get access to all your applications. Log into your company's identity provider (Okta, Azure AD, Google Workspace), and you can access Slack, Jira, GitHub, Notion, and Salesforce without entering another password. One login. Many applications.
For enterprises, SSO is a security requirement, not a nice-to-have. It centralizes authentication. When an employee leaves, disabling their identity provider account immediately revokes access to every connected application. Without SSO, IT has to remember every application the employee used and disable each one individually. Accounts get missed. Former employees retain access for weeks.
For SaaS companies, SSO is a pricing lever. Many companies put SSO behind their enterprise tier, sometimes called the "SSO tax." This frustrates security-conscious smaller companies who want SSO but cannot afford the enterprise plan. The argument for the SSO tax: implementing and supporting SSO (SAML, OIDC, SCIM provisioning) costs real engineering time. The argument against: security should not be a premium feature.
Examples
A company implements SSO across all tools.
The company uses Okta as its identity provider. When a new employee starts, IT creates one Okta account. The employee logs into Okta and sees tiles for Slack, GitHub, Jira, Notion, AWS, and Datadog. One password, one MFA prompt, access to everything. When the employee leaves, IT disables the Okta account. Within seconds, all application sessions are terminated. Zero orphaned accounts.
A SaaS product adds SSO for enterprise customers.
Enterprise prospects keep asking for SAML SSO. The team spends two sprints implementing SAML 2.0 support. Each enterprise customer configures the integration with their identity provider (Okta, Azure AD, OneLogin). Users from that company can now log in with their corporate credentials. The IT admin can enforce MFA and session policies from a single place. The feature closes three enterprise deals in the first quarter.
A company discovers orphaned accounts without SSO.
An audit reveals that 47 former employees still have active accounts across various SaaS tools. Three have admin access to the production database tool. Two have access to the payment processing dashboard. The company fast-tracks SSO implementation and SCIM provisioning (automatic user creation and deletion). Offboarding becomes a single action in the identity provider.
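The audit in the last example comes down to reconciling each application's account list against the identity provider's directory. The sketch below is an added illustration, not code from this page or from any vendor's tooling; the record layouts, field names, status values and sample data are constructed assumptions.

```python
"""Orphaned-account audit: reconcile SaaS app accounts against the IdP directory."""

# Constructed sample data. Field names are assumptions, not a vendor export format.
IDP_USERS = [
    {"email": "ana@example.com", "status": "ACTIVE"},
    {"email": "bo@example.com", "status": "DEPROVISIONED"},
    {"email": "cy@example.com", "status": "SUSPENDED"},
]
APP_ACCOUNTS = {
    "db-console": [
        {"email": "Ana@Example.com", "role": "member", "active": True},
        {"email": "bo@example.com", "role": "admin", "active": True},
    ],
    "payments": [
        {"email": "cy@example.com", "role": "member", "active": True},
        {"email": "dee@example.com", "role": "member", "active": True},
        {"email": "bo@example.com", "role": "member", "active": False},
    ],
}

def find_orphans(idp_users, app_accounts):
    """Return active app accounts whose owner is not ACTIVE in the IdP.

    Each finding is (app, email, role, reason), admins first, so the
    highest-risk accounts are disabled first.
    """
    # Emails are compared case-insensitively; apps often store them differently.
    status = {u["email"].strip().lower(): u["status"] for u in idp_users}
    findings = []
    for app, accounts in app_accounts.items():
        for acct in accounts:
            if not acct["active"]:
                continue  # already disabled in the app
            email = acct["email"].strip().lower()
            idp_status = status.get(email)
            if idp_status == "ACTIVE":
                continue
            # No IdP record at all: a local account created outside SSO.
            reason = "not in IdP" if idp_status is None else f"IdP status {idp_status}"
            findings.append((app, email, acct["role"], reason))
    findings.sort(key=lambda f: (f[2] != "admin", f[0], f[1]))
    return findings

if __name__ == "__main__":
    for app, email, role, reason in find_orphans(IDP_USERS, APP_ACCOUNTS):
        print(f"{app:12} {email:20} {role:7} {reason}")
```

Accounts reported as "not in IdP" were created outside SSO and would not be covered by disabling an identity provider account, so they need their own review.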
Frequently asked questions
What is the difference between SSO and OAuth?
SSO is a user experience: log in once, access many apps. OAuth is a protocol for delegated authorization. SSO is often implemented using OAuth (or more precisely, OpenID Connect) as the underlying protocol. But SSO can also use SAML, which is an older protocol common in enterprises. Think of SSO as the goal (one login for everything) and OAuth/SAML as tools to achieve it.
Why do SaaS companies charge extra for SSO?
Two reasons. First, implementing SSO properly (SAML, OIDC, SCIM provisioning, testing with every identity provider) takes significant engineering work. Second, SSO is primarily demanded by enterprises, and enterprises have bigger budgets. Companies use SSO as a feature to segment their pricing tiers. Whether this is the right practice is debated. Security-focused companies like 1Password and Tailscale offer SSO on all plans. Others see it as a legitimate enterprise feature with real implementation costs.
Related terms
The process of verifying who a user is, typically through credentials like a password or token.
The process of determining what actions or resources an authenticated user is allowed to access.
An open standard that lets users grant third-party apps limited access to their accounts without sharing passwords.
A unique string that identifies and authenticates an application or user when making API requests.
Service level agreement: a contractual commitment to specific performance and availability levels.
