
Having a single sign-on (SSO) system can simplify the login process for users, reducing the need for multiple usernames and passwords.
SSO systems can be implemented using various technologies, including OAuth, OpenID Connect, and SAML 2.0.
These systems allow users to access multiple applications with a single set of credentials, making it easier to manage accounts and reduce the risk of password fatigue.
SSO systems can also provide a more secure way to authenticate users, as users only need to remember one set of credentials.
Prerequisites
To configure SSO, you need a Microsoft Entra user account, which you can create for free if you don't already have one.
You'll also need to have one of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal. These roles are crucial for setting up SSO.
To get started, you'll need to complete the steps in the Quickstart: Create and assign a user account. This will give you a solid foundation for configuring SSO.
Here's a quick rundown of the roles you'll need to have:
- Cloud Application Administrator
- Application Administrator
- Owner of the service principal
Enable Single Sign-On
To enable single sign-on (SSO) for an application, you'll need to sign in to the Microsoft Entra admin center as a Cloud Application Administrator. From there, browse to Identity > Applications > Enterprise applications > All applications, and search for the existing application you want to enable SSO for.
To configure the application for SSO, select Single sign-on in the Manage section, and then choose SAML to open the SSO configuration page. You'll need to follow the specific configuration guide for your application, which can be found in the gallery.
The process of configuring SSO varies depending on the application, so be sure to check the configuration guide for the specific steps needed. For example, with the Microsoft Entra SAML Toolkit 1, you'll need to record the values of the Login URL, Microsoft Entra Identifier, and Logout URL properties.
Here are the key steps to enable SSO for an application:
- Sign in to the Microsoft Entra admin center as a Cloud Application Administrator
- Browse to Identity > Applications > Enterprise applications > All applications
- Search for the existing application and select it
- Select Single sign-on and then choose SAML to open the SSO configuration page
- Follow the specific configuration guide for your application
Configure SSO in the Application
To configure single sign-on in the application, you need to register the user account with the application and add the SAML configuration values that you previously recorded.
First, sign in to the application with the credentials of the user account that you already assigned to the application, and select SAML Configuration at the upper-left corner of the page.
Next, select Create in the middle of the page and enter the values that you recorded earlier for Login URL, Microsoft Entra Identifier, and Logout URL.
You'll also need to upload the certificate that you previously downloaded by selecting Choose file.
After creating the SAML configuration, copy the values of the SP Initiated Login URL and the Assertion Consumer Service (ACS) URL to be used later.
To update the single sign-on values, navigate to the Microsoft Entra admin center and select Edit in the Basic SAML Configuration section on the Set up single sign-on pane.
A fresh viewpoint: How to Cancel Microsoft Account
Then, enter the Assertion Consumer Service (ACS) URL value that you previously recorded for Reply URL (Assertion Consumer Service URL), and enter the SP Initiated Login URL value that you previously recorded for Sign on URL.
Finally, select Save to update the single sign-on values in your tenant.
Here's a quick checklist of the steps to configure SAML settings:
- Sign in to the application with the credentials of the user account
- Select SAML Configuration and Create
- Enter the recorded values for Login URL, Microsoft Entra Identifier, and Logout URL
- Upload the certificate by selecting Choose file
- Copy the values of the SP Initiated Login URL and the Assertion Consumer Service (ACS) URL
Testing and Authentication
To test single sign-on, follow these steps: in the Set up single sign-on pane, select the Test option and sign in to the application using your Microsoft Entra credentials.
You can test SSO by signing in to the application using the Microsoft Entra credentials of the user account that you assigned to the application.
To authenticate AWS CLI with SSO, use the command `aws configure sso`, which allows you to create a CLI Profile (a combination of a single account and a single role) with default region, format, and other properties.
Discover more: How to Cancel My Aws Account
To test your SP-initiated SSO, log in using the URL `my.tealiumiq.com/login/sso` and ensure you're logged in using the Test URL from under Certificate Details in your browser.
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.
To switch between profiles in AWS CLI, you can use the `aws sso` command with the profile name, rather than logging in again with `aws sso login`.
Check this out: Aws Sso Azure Ad
AWS CLI and Boss Way
The AWS CLI can be a powerful tool for managing your AWS accounts, but it can be frustrating to deal with the hassle of logging in and out of multiple accounts. Engineers often overlook the single-sign on capabilities of the AWS CLI.
To authenticate the AWS CLI with SSO for multi-account orgs, you can use the `aws configure sso` command. This will help you take advantage of the SSO capabilities of the AWS CLI.
A CLI Profile, also known as a named profile, is a combination of a single account and a single role that can have default region, format, and other properties. You can edit your `~/.aws/config` file to create a new profile.
To create a new profile, you can copy an existing profile section, paste it as a new section, and then pick a good profile name. You can also use the `aws sso login` command to log in to the ORG and then switch to the new profile.
You can have multiple profiles, and you can switch between them without having to log in again. This is because you're already signed in to the ORG, so you don't need to defeat the "Single" in "Single Sign-On" by logging in again.
SSO Basics
Single Sign-On (SSO) is a process that allows users to access multiple applications with a single set of credentials. This is made possible through a trust relationship between an application, known as the service provider, and an identity provider, like OneLogin.
The trust relationship is often based on a certificate that is exchanged between the identity provider and the service provider. This certificate is used to sign identity information, such as tokens containing the user's email address or username.
To access an application, a user first browses to the service provider. The service provider then sends a token to the SSO system, which contains some information about the user. The SSO system checks if the user has already been authenticated, and if so, grants access to the application. If not, the user is prompted to log in with their credentials.
Here's a simplified overview of the SSO process:
- A user browses to the service provider.
- The service provider sends a token to the SSO system.
- The SSO system checks if the user has already been authenticated.
- The user is prompted to log in if not already authenticated.
- The SSO system validates the user's credentials and sends a token back to the service provider.
- The service provider validates the token and grants access to the application.
What Makes a True System
A true Single Sign-On (SSO) system is built on a trust relationship between the application and the identity provider. This trust relationship is often based on a certificate exchanged between the two parties.
To qualify as a true SSO system, it must provide seamless access to all company-approved applications and websites without requiring users to log in again. This includes cloud applications as well as on-prem applications, often available through an SSO portal.
Take a look at this: MH Message Handling System
The key difference between a true SSO system and password vaulting or password managers is the trust relationship. With password vaulting, you may have the same username and password, but you still need to enter them each time you move to a different application or website.
A true SSO system uses tokens to authenticate users, which are validated according to the trust relationship set up between the Service Provider and the Identity Provider.
Here are the key characteristics of a true SSO system:
This trust relationship is what sets a true SSO system apart from password vaulting or password managers.
What is a Token?
A token is a collection of data passed from one system to another during the SSO process.
The data can be as simple as a user's email address and information about which system is sending the token.
Tokens must be digitally signed for the token receiver to verify that the token is coming from a trusted source.
The certificate used for this digital signature is exchanged during the initial configuration process.
A different take: Data Transfer Project
What Is SaaS
Software as a Service, or SaaS, is a way for applications to run on the internet rather than on individual computers.
Platforms like OneLogin that run in the cloud can be categorized as a Software as a Service solution, making it easy to access and manage SSO functionality from anywhere.
SaaS allows businesses to use applications without having to install or maintain them on their own servers.
This approach has become increasingly popular, as it reduces the need for hardware and IT support, freeing up resources for more strategic initiatives.
By running applications in the cloud, SaaS solutions like OneLogin can be easily scaled up or down to meet changing business needs.
Explore further: Website to Download Free Software
Implementation and Security
Single Sign-On (SSO) can be a game-changer for reducing help desk workload, but it's essential to consider its security implications. SSO can cut down on password-related issues, but it's not a foolproof solution. Administrators can centrally control requirements like password complexity and multi-factor authentication (MFA) to ensure security.
Check this out: Duo Security Sso
When implementing SSO, clear objectives and goals are crucial. You should consider the types of users you're serving, their requirements, and the solution's scalability. Ask yourself: Are you looking for an On Prem solution or a Cloud Based solution? Will this solution be able to grow with your company and your needs?
To ensure only trusted users are logging in, you'll need to consider features like MFA, Adaptive Authentication, Device Trust, IP Address Allow Listing, etc. These features can be implemented during SSO setup to enhance security.
Is Secure
SSO can be a secure solution, especially when administrators can centrally control requirements like password complexity and multi-factor authentication (MFA).
Administrators can more quickly relinquish login privileges across the board when a user leaves the organization, which is a huge time-saver for the help desk.
But SSO is not foolproof, and you might have applications that you want to have locked down a bit more.
This is where an SSO solution that gives you the ability to require an additional authentication factor before a user logs into a particular application comes in handy.
It's also possible to prevent users from accessing certain applications unless they are connected to a secure network, which is an added layer of security.
How is Implemented?
To implement a Single Sign-On (SSO) solution, you need to set clear objectives and goals for your implementation. This involves answering key questions to ensure a successful rollout.
You should consider the different types of users you're serving and their varying requirements. For instance, employees, customers, or partners may have distinct needs.
Are you looking for an On Prem solution or a Cloud Based solution? This decision will impact the implementation process.
A well-planned SSO solution should be able to grow with your company and adapt to changing needs.
To ensure only trusted users are logging in, you'll want to consider features like Multi-Factor Authentication (MFA), Adaptive Authentication, Device Trust, IP Address Allow Listing, and more.
The systems you need to integrate with will also play a crucial role in the implementation process. This may include various applications, services, or databases.
API access may also be necessary, depending on your specific requirements.
Configure Okta User Provisioning
To configure Okta user provisioning for Meta Work Accounts, you must complete several main steps. First, you need to configure Meta Work Accounts, which involves setting up the necessary settings in Meta.
You'll also need to add and configure the Meta Work Accounts app in Okta, which requires logging in to the Okta Admin Console and searching for the Meta Work Accounts app. Once found, you'll need to enter your application name and click the Done button.
After adding the app, you'll need to configure SSO authentication in Meta and Okta, which requires switching to the browser tab with the Meta Work Accounts app page in Okta and activating the Provisioning tab.
To configure automatic user provisioning in Okta, you'll need to click the Configure API integration button and select the Enable API integration option. You'll then need to authenticate with Meta Work Accounts using your admin credentials and click the Add to Work Accounts button.
Here's an interesting read: How to Add Email Accounts
Here's a summary of the steps to configure Okta user provisioning:
- Configure Meta Work Accounts
- Add and configure the Meta Work Accounts app in Okta
- Configure SSO authentication in Meta and Okta
- Configure automatic user provisioning in Okta
By following these steps, you'll be able to enable SSO authentication and automatic user provisioning of Meta Work Accounts with Okta.
Types and Providers
Federated Identity Management (FIM) is the larger concept that Single Sign-On (SSO) is a part of. It's a trust relationship created between two or more domains or identity management systems.
There are several types of SSO, including Federated SSO, which is a part of FIM. OAuth 2.0 is another framework that's part of FIM, focusing on sharing user identity information across domains.
Some popular SSO solutions include Active Directory, Active Directory Federation Services (ADFS), and Lightweight Directory Access Protocol (LDAP). These solutions provide Single Sign-on capabilities and are often used in conjunction with each other.
Here are some of the key players in the SSO landscape:
- Federated Identity Management (FIM)
- OAuth 2.0
- OpenID Connect (OIDC)
- Security Access Markup Language (SAML)
- Active Directory
- Active Directory Federation Services (ADFS)
- Lightweight Directory Access Protocol (LDAP)
Software vs Solution
When researching SSO options, you might see them referred to as SSO software vs an SSO solution vs an SSO provider.
Consider reading: Jumpcloud vs Azure Ad

In many cases, the difference is simply in the way companies have categorized themselves.
A piece of software suggests something that is installed on-premise.
It is usually designed to do a specific set of tasks and nothing else.
A solution suggests that there is the ability to expand or customize the capabilities of the core product.
For example, OneLogin is known as an SSO solution provider.
Types of?
Types of Single Sign-On (SSO) solutions can be confusing, but let's break it down. Single Sign-On is actually a part of a larger concept called Federated Identity Management (FIM).
FIM creates a trust relationship between two or more domains or identity management systems. Single Sign-on is often a feature that's available within a FIM architecture. This is why some people refer to SSO as federated SSO.
OAuth 2.0 is a specific framework that's part of a FIM architecture. It focuses on the trusted relationship that allows user identity information to be shared across domains.
If this caught your attention, see: Why Identity Is Important

OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0, providing Single Sign-on functionality.
Same Sign On, on the other hand, is not the same as Single Sign-on. It doesn't involve any trust relationship between entities and relies on duplicated credentials being passed in when necessary. It's not as secure as Single Sign-on solutions.
Here are some common systems associated with Single Sign-on:
- Active Directory, specifically Active Directory Directory Services (ADDS), a centralized directory service from Microsoft.
- Active Directory Federation Services (ADFS), a type of FIM system that provides Single Sign-on capabilities.
- Lightweight Directory Access Protocol (LDAP), an industry standard for organizing and querying directory information.
LDAP solutions like OpenLDAP provide authentication through support of authentication protocols like Simple Authentication and Security Layer (SASL).
IdP Configuration
To configure your Identity Provider (IdP), you'll need to download the Tealium metadata file and import it into your IdP. This file is crucial for setting up a new SSO connection.
The process varies depending on your IdP, but you can find specific instructions in the IdP Configuration Instructions section of the Tealium documentation. For example, if you're using Amazon AWS, you'll need to follow the instructions in the Amazon AWS documentation to download your metadata file.
For another approach, see: How Cancel Amazon Account
Once you've downloaded the metadata file, you'll need to create a new Tealium application in your IdP and download your IdP metadata file. Each IdP has a different configuration for accessing and downloading a metadata file.
Here's a list of some supported IdPs and their respective configuration instructions:
After you've configured your IdP and collected the required information, you can click Continue in the Tealium New SAML Single-Sign on (SSO) Connection wizard.
Okta Configuration
To configure Okta for Meta Work Accounts, you'll need to complete four main steps. The first step is to configure Meta Work Accounts, which involves logging in to the Okta Admin Console and selecting the Applications option. From there, you'll search for the Meta Work Accounts app and click the Add Integration button.
The second step is to add and configure the Meta Work Accounts app in Okta, which requires you to enter your application name in the Application label field. You'll also need to click the Done button and leave the browser tab open to configure SSO authentication and automatic user provisioning in Meta.
Intriguing read: Scalable Network Application Package
To configure automatic user provisioning in Okta, you'll need to switch to the browser tab with the Meta Work Accounts app page and activate the Provisioning tab. You'll then click the Configure API integration button and select the Enable API integration option.
Here's a step-by-step guide to configuring automatic user provisioning in Okta:
- Switch to the browser tab you left open with the Meta Work Accounts app page in Okta.
- Activate the Provisioning tab.
- Click the Configure API integration button.
- Select the Enable API integration option.
- Click the Authenticate with Meta Work Accounts button.
- Click the Add to Work Accounts button.
- Log in to Meta Work Accounts using your admin credentials.
- Click the Save button after configuring your new application.
- Close the pop-up window.
- Click the Test API Credentials button.
- Click the Save button.
- Select the To App option from the left panel of the Provisioning tab.
- Select the following options: Provisioning to App, Provision user accounts, and Provision groups.
- Click the Save button.
Once you've completed these steps, you'll have enabled SSO authentication and automatic user provisioning of Meta Work Accounts with Okta.
Supported IdPs
Tealium SSO supports connections to several popular Identity Providers (IdPs).
If you're using Amazon AWS, you can easily connect it to Tealium SSO.
Tealium also supports connections to ADFS (Active Directory), Azure, Jumpcloud, OneLogin, and Okta.
These IdPs have specific configuration instructions available on the Tealium website.
To connect to any of these IdPs, you'll need to download a metadata file from your IdP account.
Here are the IdPs supported by Tealium SSO:
- Amazon AWS
- ADFS (Active Directory)
- Azure
- Jumpcloud
- OneLogin
- Okta
If you're using an IdP not listed above, you can still connect it to Tealium SSO, but additional testing and configuration time may be required.
Featured Images: pexels.com


