Single Sign-On (SSO)

Overview

Single sign-on (SSO) allows users to sign in once and access Login Enterprise without repeated authentication prompts. Authentication is delegated to an external identity provider (IdP), which verifies user identities and manages sign-in.

SSO streamlines the sign-in experience and helps organizations enforce security policies such as multi-factor authentication (MFA), reduce password management overhead, and improve overall security.

SSO can be implemented using standard protocols such as SAML or OpenID Connect (OIDC), depending on your identity provider and application requirements.

How SSO Works

In Login Enterprise, authentication and authorization are handled separately:

  • Authentication is performed by an external identity provider (IdP) using single sign-on (SSO).

    • This can be configured using SAML or OpenID Connect (OIDC).

  • Authorization is handled by LDAP.

After a user signs in through the identity provider, Login Enterprise queries LDAP to determine the user’s group membership (for example, whether the user belongs to the required Active Directory groups) and assigns access accordingly.

Note: Because authorization depends on LDAP, it must be configured even when SSO is enabled. For details, see Configuring Authentication.
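The separation described above (the IdP proves who the user is, LDAP group membership decides what they may do) can be modelled in a few lines. The following is an added illustration, not Login Enterprise code: the directory contents, the group-to-role mapping, the attribute names in the assertion (`upn`, `authenticated`) and the role names are all constructed assumptions. The LDAP query is stood in for by an in-memory dictionary so the example runs offline; the two failure modes a practitioner cares about, LDAP being unreachable and an authenticated user matching no required group, both resolve to a deny.

```python
"""Authorization after SSO, as an added example (not product code).

The identity provider has already authenticated the user; this step looks up
the user's groups in LDAP and assigns an application role. Anything that is
not a positive match ends in a deny."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the LDAP directory: user principal name -> group DNs.
CONSTRUCTED_DIRECTORY = {
    "alice@example.test": ["CN=LE-Admins,OU=Groups,DC=example,DC=test"],
    "bob@example.test": ["cn=le-viewers,ou=groups,dc=example,dc=test",
                         "CN=Staff,OU=Groups,DC=example,DC=test"],
    "carol@example.test": ["CN=Staff,OU=Groups,DC=example,DC=test"],
}

# Constructed mapping: which directory groups grant which application role.
# DNs are compared case-insensitively, as LDAP does, so they are stored lowercased.
ROLE_FOR_GROUP = {
    "cn=le-admins,ou=groups,dc=example,dc=test": "administrator",
    "cn=le-viewers,ou=groups,dc=example,dc=test": "viewer",
}
# Explicit privilege order; the highest role among the user's groups wins.
ROLE_RANK = {"viewer": 1, "administrator": 2}


class LdapUnavailable(Exception):
    """Raised when the directory cannot be queried (hypothetical error type)."""


def lookup_groups(upn: str, directory) -> Optional[list]:
    """Return the group DNs for a user, None if no entry exists.

    A real deployment would issue an LDAP search here; the dictionary is a
    constructed stand-in. A missing directory simulates an unreachable server."""
    if directory is None:
        raise LdapUnavailable("directory not configured or unreachable")
    return directory.get(upn)


@dataclass
class AuthzDecision:
    allowed: bool
    role: Optional[str]
    reason: str


def authorize(assertion: dict, directory=CONSTRUCTED_DIRECTORY) -> AuthzDecision:
    """Decide access for an IdP-authenticated user.

    `assertion` is a constructed shape: {"upn": str, "authenticated": bool}.
    Authentication alone never grants access; only a required-group match does."""
    upn = assertion.get("upn")
    if not upn or assertion.get("authenticated") is not True:
        return AuthzDecision(False, None, "not authenticated by the identity provider")
    try:
        groups = lookup_groups(upn, directory)
    except LdapUnavailable as exc:
        # Fail closed: without authorization data there is no basis to grant access.
        return AuthzDecision(False, None, f"LDAP lookup failed, denying: {exc}")
    if groups is None:
        return AuthzDecision(False, None, "authenticated user has no LDAP entry")
    roles = [ROLE_FOR_GROUP[g.lower()] for g in groups if g.lower() in ROLE_FOR_GROUP]
    if not roles:
        return AuthzDecision(False, None, "authenticated but not in any required group")
    return AuthzDecision(True, max(roles, key=ROLE_RANK.__getitem__), "group match")


if __name__ == "__main__":
    for user in ("alice@example.test", "bob@example.test", "carol@example.test"):
        print(user, authorize({"upn": user, "authenticated": True}))
```

The point the model makes explicit is the one in the note above: a successful SSO sign-in that cannot be matched to a required LDAP group, or that cannot be checked because LDAP is unavailable, results in no access, which is why LDAP must be configured alongside the identity provider.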

Choosing an SSO Method

  • SAML: a widely adopted standard supported by many identity providers. It is often used in enterprise environments and offers broad compatibility across different systems.

  • OpenID Connect (OIDC): an authentication protocol built on OAuth 2.0. It is commonly used with cloud-based identity providers, supports newer authentication flows, and integrates more readily with newer applications.

When choosing a method, consider the capabilities of your identity provider and your organization's existing setup.

  • Choose SAML if you require compatibility with a wide range of identity providers or are working with existing enterprise SSO configurations.

  • Choose OpenID Connect (OIDC) if you prefer a more modern, flexible protocol.

    • Currently, only Entra ID is supported.

For configuration steps, see Configuring SAML and Configuring OpenID Connect.