CONCEPT Cited by 1 source
SSO authentication (OpenID Connect)
Single sign-on (SSO) is the pattern where a user authenticates once against an identity provider (IdP) and then uses the resulting token to prove their identity to many downstream services — without re-entering credentials per service.
OpenID Connect (OIDC) is the dominant SSO protocol on the modern web. An OIDC IdP (called an OpenID Provider, or OP, in the spec) issues ID Tokens after authenticating a user. An ID Token is a signed JWT carrying protocol claims (iss, sub, aud, exp) and identity claims (email, name); a relying party verifies the signature against the OP's keys and checks that iss, aud and exp match what it expects before trusting the rest.
Why SSO is the "rare security-and-convenience win"
SSO is unusual among security technologies: it makes things both more secure and more convenient at the same time. Users sign in once and get access to many systems; operators get a single place to enforce MFA, password policy, off-boarding, session revocation, and audit.
This shape shows up across the wiki in different substrates:
- HTTP / web / mobile apps — canonical OIDC usage. Ingested examples: sources/2026-02-05-aws-convera-verified-permissions-fine-grained-authorization (Okta → Cognito → Lambda → Verified Permissions).
- SSH — sources/2025-03-25-cloudflare-opkssh-open-sourcing via OPKSSH, which smuggles a PK Token through an SSH certificate extension to make OIDC SSO work over SSH without protocol changes.
- Cross-partition federation — patterns/centralized-identity-federation applies SSO across AWS partitions to avoid per-partition IAM users.
What OIDC ID Tokens can and cannot do
Can:
- Prove who the user is (to any relying party that trusts the OP and verifies the token's signature, issuer, audience and expiry).
- Carry arbitrary claims the OP chooses to include (groups, org, roles).

Cannot, on their own:
- Serve as a key-based credential in protocols like SSH or E2E messaging, because they don't include the user's public key. The PK Token primitive (OpenPubkey) fills this gap.
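The checks a relying party performs before it trusts an ID Token are the substance of "prove who the user is to anyone who trusts the OP". The example below is added here and is not code from the page, from OpenPubkey or from any OP named above. It assumes an OP that signs with HS256 using the client secret (OIDC Core permits this; most real OPs use RS256 and publish a JWKS, in which case only the signature step changes), a constructed issuer URL `https://op.example.test`, a constructed client_id `my-web-app`, and a toy `mint_id_token` helper that stands in for the OP so the validation can be exercised offline.

```python
"""Relying-party validation of an OIDC ID Token (added example, not from the page).

Assumptions: HS256 signing with the client secret (permitted by OIDC Core; real
OPs usually use RS256 with a published JWKS, which changes only the signature
check). Issuer, client_id and secret below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

OP_ISSUER = "https://op.example.test"                    # constructed
CLIENT_ID = "my-web-app"                                  # constructed
CLIENT_SECRET = b"constructed-client-secret-not-for-real-use"
ALLOWED_ALGS = {"HS256"}  # pinned: the token header never gets to choose


class InvalidToken(Exception):
    """Raised for any token the relying party must not accept."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(sub, email, audience=CLIENT_ID, issuer=OP_ISSUER,
                  ttl=300, now=None, alg="HS256"):
    """Toy OP: issue an ID Token. Exists only so the example runs offline."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "aud": audience, "email": email,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    if alg == "none":  # an unsigned token, used below to show it is rejected
        return signing_input + "."
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token, expected_aud=CLIENT_ID, expected_iss=OP_ISSUER,
                      now=None, leeway=60):
    """Return the claims if the token is acceptable, else raise InvalidToken."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise InvalidToken("malformed token")
    # 1. Algorithm allow-list: rejects "none" and any algorithm we did not pin.
    if header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. Signature, compared in constant time.
    expected = hmac.new(CLIENT_SECRET, f"{h_b64}.{c_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    # 3. Issuer must be exactly the OP we federate with.
    if claims.get("iss") != expected_iss:
        raise InvalidToken("wrong issuer")
    # 4. Audience: a token minted for another relying party is not ours,
    #    even though it is validly signed by the same OP.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        raise InvalidToken("token not issued for this client")
    if len(auds) > 1 and claims.get("azp") != expected_aud:
        raise InvalidToken("multi-audience token without matching azp")
    # 5. Expiry with a small clock-skew allowance.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise InvalidToken("token expired")
    if "sub" not in claims:
        raise InvalidToken("sub missing")
    return claims


def is_valid(token, **kwargs):
    """Boolean convenience wrapper around validate_id_token."""
    try:
        validate_id_token(token, **kwargs)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    tok = mint_id_token("user-123", "alice@example.test", now=1_000_000)
    print(validate_id_token(tok, now=1_000_100)["sub"])
    print(is_valid(mint_id_token("user-123", "a@example.test", audience="other-app")))
```

The ordering matters: the algorithm check comes before the signature check so that an `alg: none` header can never short-circuit verification, and the audience check is what stops a token legitimately issued for one service from being replayed to another service that trusts the same OP.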
Terminology
- IdP (identity provider): generic term for any system that authenticates users.
- OP (OpenID Provider): specifically an IdP that implements OIDC. This wiki uses "OP" when talking about OIDC and "IdP" when talking about identity providers more generally.
- Common OPs: Google, Azure AD / Entra, Okta, Auth0, AWS Cognito, GitHub.
Seen in
- sources/2025-03-25-cloudflare-opkssh-open-sourcing — OPKSSH extends OIDC SSO to SSH. "SSO is the rare security technology that both increases convenience — users only need to sign in once to get access to many different systems — and increases security."
- sources/2026-02-05-aws-convera-verified-permissions-fine-grained-authorization — Okta as OP, Cognito federating identity, pre-token-gen hook enriching claims.
Related
- concepts/pk-token — OIDC ID Token extended with a public key; the primitive enabling OIDC-SSO-over-SSH.
- systems/amazon-cognito — Amazon's OIDC OP + federation broker.
- systems/okta — enterprise IdP commonly federated-to.
- patterns/centralized-identity-federation — operating one OP across many targets.
- patterns/pre-token-generation-hook — the OIDC extension seam for injecting authorization attributes at token-issue time.