Single Sign-On architecture: SAML, OIDC, and what to choose
SSO is not just convenience — it centralizes authentication, enables MFA enforcement, and shrinks your attack surface. Here is the technical landscape.
Single Sign-On (SSO) lets users authenticate once at an identity provider (IdP) and access multiple applications without re-entering credentials. The dominant standards are SAML 2.0 (XML-based, mature, dominant in enterprise SaaS), OpenID Connect / OIDC (JSON over OAuth 2.0, dominant in modern apps and mobile), and the older but still common WS-Federation. Azure AD / Microsoft Entra ID, Okta, OneLogin, JumpCloud, and Google Workspace are leading IdPs.
SAML works through a SAML assertion — a signed XML document the IdP returns to the application after authentication. The Service Provider validates the signature against the IdP's certificate. SAML is the safe default for B2B SaaS and is required by virtually every enterprise SaaS application's SSO tier. The 2024 PingFederate, Okta, and Microsoft SAML signature validation bugs, and the older Golden SAML attack used by Lazarus, prove that signature validation and signing key custody must be airtight.
OIDC is the modern choice for new applications and for any app with a mobile or SPA frontend. The flow uses a JWT id_token plus an access_token obtained through the OAuth 2.0 authorization code flow with PKCE. OIDC's discovery document and JWKS endpoint keep configuration short and consistent across IdPs. Almost every greenfield app of the past five years should be on OIDC; SAML is tolerable when an aging vendor forces it. Auth0, Keycloak, and the cloud IdPs all speak both, so your IdP choice does not lock you into either protocol.
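The id_token checks that OIDC requires of the relying party, shown as an added example in Go; this is not code from the article or from any IdP or product named above. The issuer URL, client id, kid and nonce are constructed values, and NewIdPKey stands in for the IdP's signing key so the block runs offline; a real relying party loads the public keys from the JWKS endpoint that the discovery document points to and only ever sees the public half.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the id_token claims the relying party must check (aud kept as a single string; production code also accepts the JSON-array form).
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSeg(seg string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// NewIdPKey is a hypothetical stand-in for the IdP's signing key; a real IdP publishes only the public half via its JWKS endpoint.
func NewIdPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignIDToken plays the IdP and mints an RS256 id_token; it exists only to produce input for VerifyIDToken.
func SignIDToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(header{Alg: "RS256", Kid: kid})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyIDToken is the relying-party side. keys is the IdP's JWKS reduced to kid -> public key.
// The algorithm is pinned, the signature is checked before the payload is trusted, and iss, aud, exp and nonce are validated.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h header
	if err := decodeSeg(parts[0], &h); err != nil {
		return nil, err
	}
	if h.Alg != "RS256" { // never let the token pick its own algorithm ("none", HS256, ...)
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims // only a signed payload is worth parsing
	if err := decodeSeg(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the configured IdP", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("audience %q is not this client", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch (possible replay)")
	}
	return &c, nil
}
```

The order matters: the algorithm is pinned and the signature verified before any claim is read, so a token whose header names a different algorithm or a kid the JWKS does not list is rejected without its payload ever being parsed. The nonce check is what ties the id_token back to the authorization request that started the PKCE flow; a relying party that skips it will accept a replayed token.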
Architecture decisions: pick one IdP and route everything through it; multiple IdPs fragment policy enforcement and create blind spots. Enforce MFA at the IdP, not per app. Federate the IdP to your HR system so joiners and leavers flow automatically: SCIM 2.0 is the open standard for provisioning, supported by Okta, Azure AD, and most leading SaaS apps. Audit SSO sign-ins centrally and feed the logs to your SIEM. When a SaaS vendor puts SSO behind a pricing tier you cannot afford, do not accept username and password as the alternative; that security cost is paid in the next breach.
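A minimal service-provider side of the SCIM 2.0 provisioning flow mentioned above, as an added example in Go; this is not code from the article or from Okta, Azure AD or any other product. ApplyPatch handles the RFC 7644 PatchOp an IdP sends to deactivate a leaver, including two variants assumed here to occur with some IdPs (a capitalised op name and the boolean sent as the string "False"), and it revokes the user's open sessions at the same time, since a deprovisioned account that keeps its existing logins is still a live account until they expire. The user record and request bodies are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const patchOpSchema = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

// Operation is one entry of a SCIM PatchOp (RFC 7644 section 3.5.2).
type Operation struct {
	Op    string          `json:"op"`
	Path  string          `json:"path,omitempty"`
	Value json.RawMessage `json:"value"`
}

// PatchOp is the body an IdP sends to PATCH /Users/{id}.
type PatchOp struct {
	Schemas    []string    `json:"schemas"`
	Operations []Operation `json:"Operations"`
}

// User is the service provider's record plus the SSO sessions open for it.
type User struct {
	ID       string
	UserName string
	Active   bool
	Sessions []string
}

// parseActive accepts JSON true/false and, as an assumption about IdPs that
// serialise booleans loosely, the strings "True"/"False".
func parseActive(raw json.RawMessage) (bool, error) {
	var b bool
	if err := json.Unmarshal(raw, &b); err == nil {
		return b, nil
	}
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		switch strings.ToLower(s) {
		case "true":
			return true, nil
		case "false":
			return false, nil
		}
	}
	return false, fmt.Errorf("unrecognised active value %s", raw)
}

// ApplyPatch applies a PatchOp to u. Only the "active" attribute is handled;
// deactivating also revokes every open session so a leaver is logged out now,
// not when the session would have expired on its own.
func ApplyPatch(u *User, body []byte) error {
	var p PatchOp
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	if len(p.Schemas) != 1 || p.Schemas[0] != patchOpSchema {
		return errors.New("not a SCIM 2.0 PatchOp")
	}
	for _, op := range p.Operations {
		if !strings.EqualFold(op.Op, "replace") && !strings.EqualFold(op.Op, "add") { // tolerate "Replace"
			return fmt.Errorf("unsupported op %q", op.Op)
		}
		raw := op.Value
		switch strings.ToLower(op.Path) {
		case "active":
		case "": // path-less form: value is an object of attributes
			var attrs map[string]json.RawMessage
			if err := json.Unmarshal(op.Value, &attrs); err != nil {
				return err
			}
			v, ok := attrs["active"]
			if !ok {
				continue
			}
			raw = v
		default:
			continue // other attributes (displayName, emails, ...) are out of scope here
		}
		active, err := parseActive(raw)
		if err != nil {
			return err
		}
		u.Active = active
		if !active {
			u.Sessions = nil // revoke all sessions on deprovisioning
		}
	}
	return nil
}
```

Wiring this behind an HTTP handler is straightforward; the part worth getting right is that the deactivation path touches session state, not just the user row, because the IdP will never send a second signal once the leaver's HR record is closed.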