# Single Sign-On (SSO) Patterns

One-sentence definition: Authenticate once to obtain tokens or Kerberos tickets that are accepted by multiple services.

## Key Facts

- Web SSO via federation (SAML/OIDC): the application (service provider / relying party) trusts assertions or tokens issued by an identity provider (IdP).
- Enterprise SSO via Kerberos in AD domains: the KDC issues tickets; SPNEGO carries Kerberos authentication over HTTP for web apps.
- Benefits: fewer passwords, central policy and logging; risk: a stolen SSO token or ticket is accepted everywhere SSO is, so token theft replaces password theft.
- Protect the IdP (MFA, high availability, hardened admin access); issue short-lived tokens so a stolen one expires quickly; enforce strong session controls (audience and issuer checks, revocation, replay detection).
- **Verify:** check the official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose SSO to reduce credential sprawl; protect the IdP as the crown jewel.

**Mnemonic:** "One **login**, many **doors**."

## Mini Scenario

Q: Compromise of IdP—impact?

A: The attacker can pivot to every application that trusts the IdP; prioritize IdP hardening, monitoring, and incident response.

## Revision Checklist

- Two SSO types (federation/Kerberos).
- IdP protections.
- Token lifetime rationale.

## Related

[[Federation with SAML 2.0]] · [[OpenID Connect (OIDC) and JWT]] · [[Kerberos in Enterprise SSO]] · [[Token Security (JWT JWE JWS) and Pitfalls]] · [[Risk-Based and Adaptive Authentication]] · [[Domain 5 - Index]]
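The "short-lived tokens; strong session controls" point in Key Facts is the part of SSO that the relying party, not the IdP, has to get right. The block below is an added example, not code from the original note or from any IdP product: it mints a JWT-style token the way an IdP would and then runs every check a service should perform before trusting it (pinned algorithm, signature, issuer, audience, validity window, maximum lifetime, and replay of the `jti`). The issuer URL, application names, shared secret, and the `max_ttl` of 300 seconds are constructed for the example; a real IdP signs with an asymmetric key published via JWKS rather than the HS256 secret used here so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. A real IdP signs with an asymmetric key (RS256/ES256)
# whose public half is published via JWKS; HS256 is used here only so the
# example runs offline with the standard library.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, audience, subject, ttl_seconds, now, jti):
    """Stand-in for the IdP: issue a short-lived HS256 token with standard claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject,
              "iat": now, "nbf": now, "exp": now + ttl_seconds, "jti": jti}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenVerifier:
    """Relying-party side: the checks a service must pass before trusting an SSO token."""

    def __init__(self, issuer, audience, max_ttl=300, skew=30):
        self.issuer = issuer
        self.audience = audience
        self.max_ttl = max_ttl   # longest token lifetime this service will accept
        self.skew = skew         # tolerated clock drift in seconds
        self.seen_jti = {}       # jti -> exp; replay cache, pruned on each call

    def verify(self, token, now):
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed", None
        header_b64, claims_b64, sig_b64 = parts
        try:
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(claims_b64))
        except ValueError:
            return False, "malformed", None
        # Pin the algorithm: the token header must never choose it ("alg":"none" attacks).
        if header.get("alg") != "HS256":
            return False, "bad_alg", None
        expected = hmac.new(DEMO_SECRET, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad_signature", None
        if claims.get("iss") != self.issuer:
            return False, "bad_issuer", None
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "bad_audience", None     # minted for a different application
        for key in ("iat", "nbf", "exp", "jti"):
            if key not in claims:
                return False, f"missing_{key}", None
        if claims["nbf"] > now + self.skew:
            return False, "not_yet_valid", None
        if claims["exp"] < now - self.skew:
            return False, "expired", None
        if claims["exp"] - claims["iat"] > self.max_ttl:
            return False, "ttl_too_long", None     # short lifetimes shrink the theft window
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e >= now - self.skew}
        if claims["jti"] in self.seen_jti:
            return False, "replayed", None
        self.seen_jti[claims["jti"]] = claims["exp"]
        return True, "ok", claims


def demo():
    """Exercise the verifier against tokens a relying party might see (constructed data)."""
    issuer, audience = "https://idp.example.test", "payroll-app"
    v = TokenVerifier(issuer, audience, max_ttl=300, skew=30)
    t0 = 1_700_000_000
    good = mint_token(issuer, audience, "alice", 300, t0, "jti-1")
    results = {
        "fresh": v.verify(good, t0 + 10)[1],
        "replayed": v.verify(good, t0 + 20)[1],
        "expired": v.verify(good, t0 + 400)[1],
        "wrong_audience": v.verify(mint_token(issuer, "hr-app", "alice", 300, t0, "jti-2"), t0 + 10)[1],
        "too_long": v.verify(mint_token(issuer, audience, "alice", 8 * 3600, t0, "jti-3"), t0 + 10)[1],
    }
    hdr, body, _sig = good.split(".")
    results["tampered"] = v.verify(f"{hdr}.{body}.{_b64url(b'forged')}", t0 + 10)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

The `ttl_too_long` branch is the "token lifetime rationale" from the revision checklist in code: even a validly signed token is refused if the IdP issued it with a lifetime longer than the service is willing to live with, and the `jti` cache turns a captured token into a one-shot credential. In production the replay cache would be shared across instances (for example in a store with TTL equal to the token lifetime), and the signature check would use the IdP's JWKS public key.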