
Single Sign-On (SSO) Policy

1. Purpose

The purpose of this Single Sign-On (SSO) Policy is to establish requirements for the implementation, management, and use of Single Sign-On technologies to improve authentication security, enhance user experience, strengthen access controls, and support centralized identity management.

Single Sign-On enables users to authenticate once and gain access to multiple authorized systems and applications without repeatedly entering credentials. Properly implemented SSO improves security by centralizing authentication controls, reducing password fatigue, supporting multi-factor authentication, and improving visibility into access activities. The same centralization concentrates risk: a compromised Identity Provider, IdP administrator account, or federation trust exposes every connected application at once, which is why this policy treats the Identity Provider as a critical security system.

This policy establishes governance and security requirements for SSO environments across the organization.

2. Scope

This policy applies to:

  • All employees
  • Contractors
  • Consultants
  • Temporary personnel
  • Interns
  • Third-party personnel authorized to access organizational resources

This policy also applies to the following systems and services:

  • Identity providers
  • Single Sign-On platforms
  • Cloud applications
  • Software-as-a-Service (SaaS) applications
  • Internal business applications
  • Web applications
  • Mobile applications
  • Federated identity services
  • Authentication infrastructure

The policy applies to all systems integrated with organizational SSO services.

3. Policy Statement

The organization shall implement and manage Single Sign-On solutions in a secure and controlled manner to support centralized authentication, access management, and security monitoring.

Applications that support secure integration with approved SSO technologies should use organizational SSO services whenever feasible.

All SSO implementations shall comply with organizational security, identity management, and access control requirements.

4. Objectives

The objectives of this policy are to:

  • Improve authentication security.
  • Reduce password-related risks.
  • Centralize identity and access management.
  • Support enforcement of multi-factor authentication.
  • Improve user experience and productivity.
  • Strengthen access governance.
  • Improve visibility into authentication activities.
  • Support compliance and audit requirements.

5. Definitions

Single Sign-On (SSO)

An authentication mechanism that allows users to authenticate once and gain access to multiple authorized systems and applications.

Identity Provider (IdP)

A system responsible for authenticating users and providing identity assertions to applications and services.

Service Provider (SP)

An application or service that relies on an Identity Provider for authentication.

Federation

A trust relationship between systems that enables identity information to be shared securely.

Authentication Assertion

A signed statement issued by an Identity Provider, such as a SAML assertion or an OpenID Connect ID token, confirming that a user has successfully authenticated and carrying the identity attributes a Service Provider needs to make its access decision.

Federated Identity

A user identity that is trusted across multiple systems or organizations.

6. Roles and Responsibilities

Executive Management

Responsible for:

  • Supporting SSO initiatives.
  • Providing resources for implementation and maintenance.
  • Reviewing significant authentication and identity risks.

Information Security Team

Responsible for:

  • Establishing SSO security requirements.
  • Reviewing SSO integrations.
  • Monitoring authentication risks.
  • Investigating authentication-related incidents.
  • Managing policy compliance.

Information Technology Team

Responsible for:

  • Managing SSO infrastructure.
  • Implementing application integrations.
  • Maintaining identity provider configurations.
  • Supporting user access management.
  • Monitoring system availability.

Application Owners

Responsible for:

  • Supporting approved SSO integrations.
  • Participating in security reviews.
  • Maintaining application security requirements.
  • Coordinating authentication changes.

Users

Responsible for:

  • Protecting authentication credentials.
  • Following organizational authentication requirements.
  • Reporting suspected account compromise.
  • Using SSO services appropriately.

7. Single Sign-On Program

The organization shall maintain a Single Sign-On Program that includes:

  • Identity provider management
  • Application integration
  • Authentication controls
  • Federation management
  • Access governance
  • Monitoring and logging
  • Incident response integration
  • Compliance oversight

The program shall be reviewed periodically for effectiveness.

8. Approved SSO Platforms

Only approved SSO platforms may be used to provide centralized authentication services.

Approved platforms shall:

  • Support secure authentication protocols.
  • Support multi-factor authentication.
  • Provide logging and monitoring capabilities.
  • Support access management controls.
  • Meet organizational security requirements.

Unauthorized SSO solutions shall not be used.

9. Identity Provider Security

Identity Providers shall be secured according to organizational security requirements.

Security controls shall include:

  • Strong authentication controls
  • Multi-factor authentication
  • Administrative access restrictions
  • Logging and monitoring
  • Secure configuration standards
  • Regular security reviews

Identity Providers shall be considered critical security systems.

10. Supported Authentication Standards

SSO implementations should utilize approved industry-standard authentication protocols whenever feasible.

Examples include:

  • Security Assertion Markup Language (SAML 2.0)
  • OpenID Connect (OIDC)
  • OAuth 2.0, for delegated authorization to APIs; OAuth 2.0 on its own is not an authentication protocol, so applications shall use OIDC (which is built on OAuth 2.0) rather than a bare OAuth access token to establish who the user is
  • Other approved federation standards

Authentication protocols shall be configured securely. At a minimum, relying applications shall verify the signature on every assertion or token, check that the issuer is the approved Identity Provider and that the audience is the application itself, enforce expiry, apply replay protection (the nonce for OIDC; InResponseTo and assertion ID tracking for SAML), reject unsigned or weakly signed messages, and exchange all assertions over TLS.

11. Multi-Factor Authentication Integration

Multi-factor authentication shall be integrated with SSO services whenever technically feasible.

MFA shall be required based on:

  • Risk level
  • Application sensitivity
  • User role
  • Access method
  • Regulatory requirements

SSO shall not be used to bypass MFA requirements. An application that requires MFA shall not treat an SSO assertion as satisfying that requirement unless the assertion states that MFA was performed (for example through the SAML authentication context or the OIDC amr claim) or the Identity Provider policy for that application enforces MFA on every sign-in.
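The checks that sections 10 and 11 require of a relying application, shown as an added example that is not part of this policy or of any Identity Provider product. It validates an OpenID Connect ID token before the application trusts it, then refuses to treat the login as satisfying MFA unless the IdP reports that MFA was performed. The issuer URL, client identifier, client secret, the use of HS256 signing, and every sample token are assumptions made for the example; a deployment using RS256 would fetch the IdP's public keys from its JWKS endpoint for the signature step and keep the remaining checks unchanged.

```python
"""Validate an OpenID Connect ID token before trusting it for login.

Added example, not part of the policy. It assumes a confidential client whose
IdP signs ID tokens with HS256 using the shared client secret (OIDC Core permits
this; most deployments use RS256 with keys from the IdP's JWKS endpoint, and only
the signature step below would change). Issuer, client id, secret and all sample
tokens are constructed here.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.internal"   # assumed IdP issuer URL
CLIENT_ID = "payroll-app"                  # assumed relying-party client id
CLIENT_SECRET = b"example-client-secret-not-for-production"
CLOCK_SKEW = 60                            # tolerated clock drift, seconds


class TokenRejected(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Build a token as the simulated IdP (or an attacker) would; only used for sample input."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":                      # unsigned token, as an attacker might submit
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, require_mfa: bool, now=None) -> dict:
    """Return the verified claims, or raise TokenRejected.

    Checks: the header alg is exactly the configured one (never 'none', never
    whatever the token asks for), the HMAC signature, issuer, audience, exp and
    iat with skew, the nonce bound to this login attempt, and, when the
    application requires MFA, that the IdP reports it in 'amr' (RFC 8176 'mfa').
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("token parts are not JSON objects")
    except ValueError:                     # wrong part count, bad base64 or bad JSON
        raise TokenRejected("malformed token")
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise TokenRejected("token not issued for this application")
    if "exp" not in claims or claims["exp"] + CLOCK_SKEW < now:
        raise TokenRejected("expired or missing exp")
    if "iat" not in claims or claims["iat"] > now + CLOCK_SKEW:
        raise TokenRejected("iat missing or in the future")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch (possible replay)")
    if require_mfa and "mfa" not in claims.get("amr", []):
        raise TokenRejected("MFA required for this application but not reported by the IdP")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenarios: one valid token and the rejections a relying party must make."""
    base = {"iss": ISSUER, "sub": "u123", "aud": CLIENT_ID, "iat": now - 5,
            "exp": now + 300, "nonce": "n-abc", "amr": ["pwd", "mfa"]}
    results = {"good": validate_id_token(mint_token(base), "n-abc", True, now)["sub"]}
    bad = {
        "alg_none":     (mint_token(base, alg="none"), "n-abc"),
        "forged_key":   (mint_token(base, secret=b"attacker-guess"), "n-abc"),
        "wrong_issuer": (mint_token({**base, "iss": "https://idp.attacker.example"}), "n-abc"),
        "wrong_aud":    (mint_token({**base, "aud": "other-app"}), "n-abc"),
        "expired":      (mint_token({**base, "exp": now - 3600}), "n-abc"),
        "replayed":     (mint_token(base), "n-different"),   # nonce from a different login
        "no_mfa":       (mint_token({**base, "amr": ["pwd"]}), "n-abc"),
    }
    for name, (token, nonce) in bad.items():
        try:
            validate_id_token(token, nonce, True, now)
            results[name] = "accepted"
        except TokenRejected:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the algorithm is pinned from configuration and the signature is verified before any claim is read, so a tampered payload never influences which issuer, audience or key the code compares against. The nonce is the replay defence for the login flow itself; the amr check is what stops a valid single-factor IdP session from being accepted by an application that the policy says must have MFA.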

12. Application Integration Requirements

Applications integrated with SSO shall:

  • Use approved authentication methods.
  • Support centralized access control.
  • Comply with organizational security standards.
  • Participate in logging and monitoring where feasible.

Application integrations shall be reviewed prior to production deployment.

13. Access Control Integration

SSO implementations shall support organizational access control requirements.

Access decisions shall be based on:

  • User identity
  • Assigned roles
  • Business requirements
  • Least privilege principles
  • Need-to-know principles

Access rights shall be managed through approved processes.

14. User Provisioning and Deprovisioning

SSO-connected applications shall support user lifecycle management where feasible.

User lifecycle activities include:

  • Account creation
  • Access modifications
  • Role updates
  • Account suspension
  • Access revocation

Access changes shall occur in accordance with organizational IAM requirements.

15. Federated Identity Management

Federated identity relationships shall be formally approved and documented.

Federation arrangements shall:

  • Define trust boundaries
  • Establish security requirements
  • Identify responsibilities
  • Include monitoring requirements

Federated access shall be reviewed periodically.

16. Third-Party Integrations

Third-party applications integrated with organizational SSO services shall undergo security review before implementation.

Security reviews may evaluate:

  • Authentication methods
  • Data sharing practices
  • Security controls
  • Compliance obligations
  • Vendor security posture

Third-party integrations shall be approved prior to deployment.

17. Administrative Access Controls

Administrative access to SSO systems shall be subject to enhanced security controls.

Controls shall include:

  • Multi-factor authentication
  • Role-based access control
  • Least privilege principles
  • Administrative activity logging
  • Periodic access reviews

Administrative privileges shall be restricted to authorized personnel.

18. Session Management

SSO sessions shall be managed securely.

Session controls may include:

  • Session timeouts
  • Re-authentication requirements
  • Risk-based authentication triggers
  • Session termination controls

Session management settings shall align with organizational risk requirements. An application session normally outlives the Identity Provider session that created it: ending a user's IdP session does not by itself end sessions already established in connected applications, so session termination controls shall cover both the IdP session and application sessions (for example through single logout or application-side revocation).

19. Monitoring and Logging

SSO systems shall generate logs sufficient to support security monitoring, investigations, and auditing.

Logged events may include:

  • Authentication attempts
  • Successful logins
  • Failed logins
  • MFA events
  • Application access events
  • Administrative actions
  • Federation events

Logs shall be protected according to organizational requirements.

20. Availability and Resilience

SSO services shall be designed and maintained to support business continuity requirements.

Availability measures may include:

  • Redundancy
  • Backup capabilities
  • Disaster recovery planning
  • Monitoring and alerting
  • Capacity management

Critical authentication services shall receive appropriate resilience protections.

21. Security Incident Management

Security incidents involving SSO services shall be managed according to the Incident Response Policy.

Incident response activities may include:

  • Access revocation
  • Session termination
  • Credential resets
  • Forensic analysis
  • Corrective actions

Authentication-related incidents shall be investigated promptly.

22. Compliance and Auditing

Compliance with this policy shall be verified through:

  • Authentication reviews
  • Access control assessments
  • Internal audits
  • External audits
  • Security assessments

Findings shall be documented and addressed through corrective action processes.

23. Exceptions

Exceptions to this policy must:

  • Be documented
  • Include business justification
  • Include risk assessment
  • Identify compensating controls
  • Be approved by management
  • Be reviewed periodically

Temporary exceptions shall include expiration dates.

24. Enforcement

Violations of this policy may result in:

  • Removal of application access
  • Suspension of user privileges
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

25. Review and Maintenance

This policy shall be reviewed:

  • At least annually
  • Following significant authentication incidents
  • Following major technology changes
  • Following regulatory changes
  • Following updates to SSO platforms

Updates shall be approved by executive management.

26. Related Policies

  • Information Security Policy
  • Identity and Access Management Policy
  • Access Control Policy
  • Multi-Factor Authentication Policy
  • Password Policy
  • Privileged Access Management Policy
  • Security Monitoring and Logging Policy
  • Incident Response Policy

27. Policy Approval

Policy Owner: Chief Information Security Officer (CISO) or Information Security Manager

Approved By: Executive Management

Effective Date: __________________

Review Date: __________________

Version: 1.0