Single Sign-On (SSO) allows users to authenticate once and access multiple applications without re-entering credentials. SAML 2.0 is the dominant enterprise SSO standard, using XML assertions passed via browser redirects between the Service Provider (SP) and Identity Provider (IdP). OIDC federation uses JWT-based ID tokens and is preferred for modern, API-first applications. Enterprise IdPs such as Okta, Microsoft Entra ID (Azure AD), Ping Identity and Auth0 act as the central authentication authority for thousands of connected applications.

Key Points

  • SAML SP-initiated flow: user accesses SP → SP redirects to IdP with AuthnRequest (deflated, base64-encoded XML) → IdP authenticates → IdP POSTs SAMLResponse to SP ACS URL — all via browser redirects, no direct SP-IdP connection needed.
  • SAML IdP-initiated flow: user starts at IdP portal, selects app → IdP sends unsolicited SAMLResponse to SP — simpler, but open to login CSRF because an unsolicited response carries no InResponseTo value that the SP can check against an AuthnRequest it actually issued.
  • OIDC federation: an IdP acts as OIDC provider; the federated app (SP) registers as a Relying Party (RP) with client_id/client_secret; users authenticate at the IdP and receive an ID Token (JWT) at the RP.
  • Entra ID (Azure AD) App Registrations support both SAML (enterprise apps) and OIDC (modern apps) — a single Entra ID tenant can federate with thousands of SaaS applications and on-premises ADFS.
  • Just-In-Time (JIT) provisioning: when a user first SSOs into an SP, the SAML assertion attributes (email, role, department) automatically create the user account in the SP — eliminating pre-provisioning steps.
  • SCIM (System for Cross-domain Identity Management, RFC 7644) automates user provisioning and deprovisioning — when HR offboards an employee in Workday, SCIM propagates the deactivation to all connected SaaS apps within minutes.
  • Group claims in SAML/OIDC assertions map IdP groups to SP roles — e.g., Entra ID group `Engineering` → Jira project role `Developer`; configure claim mappings in the IdP app registration.
  • Identity federation across organisations (B2B): Entra ID B2B allows guest users from partner tenants to access your applications using their home organisation credentials — no separate user account creation needed.
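The SP side of the flows above, as an added example that is not part of the original page: it encodes an SP-initiated AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, then base64), checks InResponseTo and Audience on the returned SAMLResponse (rejecting unsolicited responses unless IdP-initiated SSO is explicitly enabled), and maps group claims to SP roles for JIT provisioning. Entity IDs, the ACS URL, the group mapping and the sample response are constructed; it assumes the XML signature has already been verified by a proper SAML library and uses only the Python standard library.

```python
import base64, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical SP settings and IdP-group -> SP-role claim mapping (assumed values).
SP_ENTITY_ID, ACS_URL = "https://sp.example.test/metadata", "https://sp.example.test/acs"
GROUP_TO_ROLE = {"Engineering": "Developer", "Security": "Admin"}
outstanding = {}  # AuthnRequest ID -> IssueInstant; each ID may be consumed once

def build_authn_request():
    """Return (request ID, SAMLRequest value) for the HTTP-Redirect binding."""
    rid, now = "_" + secrets.token_hex(16), datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{rid}" '
           f'Version="2.0" IssueInstant="{now}" AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE (no zlib header), then base64
    outstanding[rid] = now
    return rid, base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def decode_authn_request(saml_request):
    """What the IdP does on receipt: base64-decode, then inflate the raw DEFLATE stream."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()

def consume_response(saml_response_b64, allow_idp_initiated=False):
    """Check InResponseTo and Audience (signature assumed verified); return (NameID, attrs, roles)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    irt = root.get("InResponseTo")
    if irt is None and not allow_idp_initiated:  # unsolicited = IdP-initiated flow
        raise ValueError("unsolicited SAMLResponse rejected")
    if irt is not None and outstanding.pop(irt, None) is None:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    a = root.find("saml:Assertion", NS)
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID: raise ValueError("Audience is not this SP")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    roles = sorted({GROUP_TO_ROLE[g] for g in attrs.get("groups", []) if g in GROUP_TO_ROLE})
    return a.find("saml:Subject/saml:NameID", NS).text, attrs, roles  # feeds JIT provisioning

def constructed_response(in_response_to, groups, audience=SP_ENTITY_ID):
    """Constructed, unsigned sample standing in for the IdP's POSTed SAMLResponse."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    vals = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0"{irt}>'
           f'<saml:Assertion><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement><saml:Attribute '
           f'Name="groups">{vals}</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```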

Real-World Example

Slack supports SAML SSO for enterprise customers (via Okta, Entra ID, Ping) and OIDC for workspace app integrations — when a Fortune 500 company offboards an employee in Entra ID, SCIM deprovisions the Slack account within 2 minutes.