Authentication protocols
What is SSO?
Also known as: Single Sign-On
An authentication scheme that lets a user log in once and access multiple applications without re-entering credentials. It is typically implemented with SAML 2.0 or OIDC. In a non-human identity (NHI) context, SSO covers human access to management tools; machine-to-machine authentication uses service accounts, not SSO.
More terms in Authentication protocols
- SAML: An XML-based open standard for exchanging authentication and authorization assertions between an Identity Provider (IdP) and a Service Provider (SP). Used by enterprise Single Sign-On. Cremit Argus supports SAML 2.0 with any compliant IdP (Okta, Azure AD, Google Workspace, Ping, JumpCloud, etc.).
- SCIM: An open standard for automatically provisioning and de-provisioning users and groups between identity systems. When an employee is suspended in the IdP, SCIM propagates that change to downstream apps in real time, so access is revoked without a ticket.
- OAuth: A delegation protocol that lets a user grant a third-party app access to their data without sharing the password. The tokens OAuth issues (access tokens, refresh tokens) are themselves NHIs and need rotation, scope review, and detection when leaked.
- OIDC: An identity layer on top of OAuth 2.0 that adds authentication (who the user is) to OAuth's delegation (what they can do). Preferred over SAML for modern web and mobile SSO because it uses JSON and HTTP, not XML.
- JWT: A compact, signed token format used to transmit identity and permission claims between parties. Signed JWTs are tamper-evident; leaked JWTs are usable until they expire or are blacklisted, so short expirations matter.