In a corporate environment, SSO authentication works through a central identity provider (IdP) that acts as the single source of truth for all user identities. Here is the step-by-step flow:
- The user logs in once, typically through a corporate login portal or Windows desktop login.
- The IdP authenticates the user against a directory (Active Directory, LDAP, or cloud directory).
- Upon success, the IdP issues a signed security token (SAML assertion or OAuth/OIDC token).
- When the user accesses any connected cloud app (Salesforce, Slack, Google Workspace, etc.), that app validates the token with the IdP.
- Access is granted without asking for credentials again — until the token expires.
The key protocols enabling this are SAML 2.0 (for enterprise apps), OAuth 2.0 (for delegated authorization), and OpenID Connect (an identity layer built on top of OAuth 2.0). The miniOrange IdP maintains session state, so even if a user switches between 20 apps, only one authentication event occurs.