Understanding Single Sign-On (SSO): Architecture, Components, and Workflow

What Is Single Sign-On (SSO)?

Single Sign-On (SSO) allows a user to authenticate once and then access multiple trusted applications without re‑entering credentials, improving user experience and simplifying identity management, especially in distributed or multi‑application environments.

Core Principle

The essence of SSO is centralized authentication: the user authenticates only on the SSO server, which then issues a token that other services can trust and validate.

Key Components

CAS Server (Authentication Center) : Handles username/password verification, maintains a global login ticket (TGT), issues service tickets (ST), and coordinates single logout.

CAS Client (Business System) : Does not perform login itself; it intercepts unauthenticated requests, redirects users to the CAS Server, and validates service tickets.

Browser : Carries cookies (TGC) and performs 302 redirects, transmitting tickets between the client and the server.

Architecture Diagram

Technical Sketch

┌──────────┐   │ Browser │   └────┬─────┘        │      ▼   ┌────────────┐          ┌────────────────┐   │ Client A │◄──────►│   SSO Server   │   │ Client B │        │ (Authentication Center) │   │ Client C │        └────────────────┘   └────────────┘

SSO Workflow

User attempts to access a protected resource on Client A.

Client A detects no local session and redirects the browser (302) to the CAS Server.

The CAS Server checks for a TGC cookie; if absent, it presents a login page.

User submits credentials; the CAS Server validates them and issues a Service Ticket (ST).

Client A receives the ST and, without involving the browser, validates the ticket with the CAS Server.

Upon successful validation, the CAS Server returns user information.

Client A creates a local session for the user, completing the login process.

Benefits and Use Cases

SSO greatly reduces the number of login prompts, streamlines session management across services, and centralizes security controls, making it ideal for micro‑service architectures, enterprise portals, and any scenario with multiple inter‑related applications.