Single Sign-On Basics


Single Sign-On (SSO) is a process that allows users to access multiple authorized applications without having to log in separately to each application. SSO allows organizations to validate user names and passwords against a corporate user database (such as Active Directory), rather than having separate user credentials managed by Vault and other applications. In Vault, some users may be configured to use SSO, while others use traditional usernames and passwords, meaning that an organization could use SSO for internal users and not for external users.

More information about Vault’s SSO options can be found in Single Sign-On DetailsConfiguring Single Sign-On, and Single Sign-On FAQ.

Terms

  • Identity Provider (IdP): Service responsible for user authentication and authorization
  • Service Provider (SP): Application, such as Vault, to which the IdP gives users access

Example

At VeevaPharm, employees access a clinical trial management system and an IT ticket system, in addition to Vault. VeevaPharm uses SSO to avoid requiring employees to log in separately to each application. There are two different ways that VeevaPharm might use SSO:

  • Identity Provider-Initiated SSO: When Tom arrives at work in the morning, he logs into his SSO-enabled applications through the identity provider’s portal. After that, he opens Vault, but he bypasses the login screen and goes directly to the Home tab because the SSO system has already logged him in.
  • Service Provider-Initiated SSO: When Tracy arrives at work, she opens Vault directly. From there, she’s redirected to login through the identity provider’s portal. After that, she’s redirected back to Vault.

Last Updated: