An identity gateway or single sign-on (SSO) system provides centralized authentication, allowing users to access multiple applications and services with a single login session at a central identity provider. Instead of managing separate logins for each system, users authenticate once and gain access across connected services.
How SSO works
When you log into a service that uses SSO, the authentication request is redirected to a central identity provider. You authenticate there, with a username and password, multi-factor authentication, or other methods, and the identity provider issues you a signed token. That token is then accepted by any connected service, proving your identity without requiring you to log in again.
The identity provider manages credentials, enforces authentication policies, and issues tokens. Individual applications trust these tokens and grant access based on the authenticated identity.
Benefits of centralized authentication
SSO offers significant advantages for both users and organizations.
For users, SSO means fewer passwords to remember and manage. Instead of juggling credentials for dozens of services, you maintain one strong authentication relationship.
For organizations, SSO provides centralized governance and monitoring of authentication events. Security policies, like requiring multi-factor authentication, can be enforced consistently across all connected applications.
For security, SSO reduces the risk of password reuse and phishing attacks. When users manage fewer passwords, they're more likely to use strong, unique credentials.
Key protocols
Several standardized protocols enable SSO and federated identity.
SAML 2.0 (Security Assertion Markup Language) is widely used in enterprise and government environments. It defines how authentication assertions (and related attributes) are exchanged between identity providers and service providers.
OAuth 2.0 is an authorization framework that enables users to grant applications access to their resources without sharing their credentials. It's widely used for API access and third-party integrations.
OpenID Connect builds on OAuth 2.0 to add an identity layer. It provides a standardized way for applications to verify user identity and obtain basic profile information. OpenID Connect is increasingly used in modern web and mobile applications.
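The issue-then-trust flow described under "How SSO works", and the JSON Web Token format that OpenID Connect ID tokens use, can be shown end to end with a small identity provider and a relying party. The following is an added example written for this page, not code from any identity product: it signs a simplified ID-token-style JWT with HMAC-SHA256 (HS256) over a constructed shared secret, whereas production identity providers normally sign with an asymmetric key (for example RS256) and publish the public key for relying parties to fetch. The issuer and service URLs are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example only; a real identity provider (IdP) would
# sign with a private key and relying parties would verify against the published public key.
IDP_SECRET = b"example-only-shared-secret-not-for-production"
IDP_ISSUER = "https://idp.example.gov"  # hypothetical issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, now: int, lifetime: int = 300, amr=("pwd",)) -> str:
    """IdP side: sign claims about an authenticated user.
    amr (authentication methods reference) records how the user authenticated, e.g. ("pwd", "mfa")."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "amr": list(amr)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(IDP_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_audience: str, now: int) -> dict:
    """Relying-party side: check signature, issuer, audience and expiry before trusting
    the identity. Raises ValueError on any failure."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides which algorithm is acceptable
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(IDP_SECRET, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:  # a token minted for service A must not open service B
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def is_accepted(token: str, audience: str, now: int) -> bool:
    try:
        verify_token(token, audience, now)
        return True
    except ValueError:
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the checks a relying party performs; returns the outcome of each case."""
    dmv = "https://dmv.example.gov"  # hypothetical connected service
    tax = "https://tax.example.gov"  # a second hypothetical connected service
    token = issue_token("alice", dmv, now, amr=("pwd", "mfa"))
    # Modify the subject claim while keeping the original signature: the verifier must reject it.
    h, c, s = token.split(".")
    claims = json.loads(_b64url_decode(c))
    claims["sub"] = "mallory"
    modified = h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s
    return {
        "valid": is_accepted(token, dmv, now + 60),
        "wrong_audience": is_accepted(token, tax, now + 60),
        "expired": is_accepted(token, dmv, now + 600),
        "modified_claims": is_accepted(modified, dmv, now + 60),
    }
```

The four checks in verify_token are the ones every connected service must perform: a valid signature alone is not enough, because a token issued for another audience, an expired token, or a token from a different issuer carries a valid signature too.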
SSO in digital identity ecosystems
In state digital identity programs, SSO platforms can serve as the centralized entry point for residents accessing government services. By consolidating authentication under one state-managed system, agencies reduce credential fatigue, streamline access across services, and maintain centralized oversight.
Identity verification can be integrated into the SSO platform, with flexibility to use different verification methods depending on program requirements and risk levels. Lower-assurance use cases might require only basic authentication, while high-assurance use cases might require stronger proofing.
Risks and mitigations
SSO introduces a single point of failure. If a user's central credentials are compromised, an attacker could gain access to every system connected to that identity. This risk is mitigated through strong authentication requirements, particularly multi-factor authentication, and continuous monitoring for suspicious activity.
Organizations should also plan for SSO outages. If the identity provider becomes unavailable, access to all connected services could be affected. Redundancy and failover mechanisms help ensure availability.
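The "continuous monitoring for suspicious activity" that the paragraph above relies on is easier to reason about with concrete detection logic. The following is an added example, not part of the original page or of any vendor's product: it runs two rules over a constructed sample of identity-provider login events (JSON lines with hypothetical field names), flagging a success that follows a burst of failures for the same account, and a success without multi-factor authentication for an account whose policy requires it.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider authentication events; the field names are
# hypothetical and would be mapped from the real identity provider's log schema.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:01Z", "user": "alice", "ip": "203.0.113.10", "result": "success", "mfa": true}
{"ts": "2024-03-01T09:05:00Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:05:03Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:05:06Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:05:09Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:05:12Z", "user": "bob", "ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2024-03-01T09:05:20Z", "user": "bob", "ip": "198.51.100.7", "result": "success", "mfa": false}
{"ts": "2024-03-01T09:30:00Z", "user": "carol", "ip": "192.0.2.44", "result": "success", "mfa": false}
{"ts": "2024-03-01T10:00:00Z", "user": "alice", "ip": "203.0.113.10", "result": "failure", "mfa": true}
"""

FAILURE_THRESHOLD = 5              # failures within WINDOW before a success that warrant an alert
WINDOW = timedelta(minutes=10)
MFA_REQUIRED_USERS = {"bob", "carol"}  # constructed: accounts whose policy mandates MFA


def parse_events(log_text: str) -> list:
    """Parse JSON lines into event dicts with a datetime timestamp, ordered by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious(events: list, failure_threshold: int = FAILURE_THRESHOLD,
                      window: timedelta = WINDOW, mfa_required: set = MFA_REQUIRED_USERS) -> list:
    """Return alert dicts for (1) a success preceded by >= failure_threshold failures
    within window for the same user, and (2) a success without MFA where policy requires it."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures not yet followed by a success
    for event in events:
        user = event["user"]
        if event["result"] == "failure":
            recent_failures[user].append(event["ts"])
            continue
        cutoff = event["ts"] - window
        failures_in_window = [t for t in recent_failures[user] if t >= cutoff]
        if len(failures_in_window) >= failure_threshold:
            alerts.append({"type": "failures_then_success", "user": user,
                           "ts": event["ts"].isoformat(), "failures": len(failures_in_window)})
        recent_failures[user] = []  # a success closes the current failure run
        if user in mfa_required and not event.get("mfa", False):
            alerts.append({"type": "success_without_mfa", "user": user,
                           "ts": event["ts"].isoformat(), "ip": event.get("ip")})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious(parse_events(SAMPLE_LOG)):
        print(alert)
```

Both rules depend on the identity provider emitting per-attempt events with the outcome and the authentication method, which is the practical reason centralized logging of authentication at the identity provider matters: with SSO, those events exist in one place for every connected service.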
Connecting SSO and verifiable digital credentials
Single sign-on (SSO), state-endorsed digital identity, and verifiable digital credentials can be combined to support different assurance levels across government services. In this model, SSO provides convenient access and session management, while higher-assurance credentials, such as a state-endorsed digital identity or mobile driver’s license (mDL), are used selectively when stronger identity assurance is required.
For routine access, a user may authenticate through the State’s SSO system to establish a trusted session. For higher-risk transactions (such as accessing sensitive records, submitting regulated applications, or performing legally significant actions), the system can require presentation of a state-issued digital credential, such as an mDL, to step up the assurance level. This allows agencies to apply stronger identity verification only where appropriate, without imposing unnecessary friction on all users.
State-endorsed digital identity credentials can also serve as a trusted foundation across agencies. Once issued, these credentials can be verified cryptographically without requiring each agency to independently re-proof identity or maintain its own identity store. This reduces reliance on repeated identity verification checks across programs, lowering operational costs and vendor spend while improving consistency. At the same time, it supports consistent assurance levels across services and avoids unnecessary duplication or centralization of personal data.
In addition to high-assurance credentials such as a state-endorsed digital identity or mDL, lower-assurance credentials (such as permits, passes, or program approvals) can be integrated into the same SSO and identity gateway framework. In this model, SSO establishes a trusted session, while verifiable credentials are used to prove specific facts about eligibility or authorization when required. For example, a user authenticated through the State’s identity gateway may present a credential confirming that a permit is valid or a pass is active, without re-entering data or requiring the agency to perform additional backend checks. This approach allows agencies to separate identity authentication from program-specific eligibility, reduce repeated verification steps, and support consistent access patterns across services.
By separating authentication (SSO), identity assurance (state-issued digital credentials), and authorization (attribute or entitlement verification), this architecture enables risk-based access control, data minimization, and cross-agency interoperability. Agencies retain flexibility to define when higher assurance is required, while residents benefit from a predictable and streamlined experience.
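The separation of authentication, identity assurance, and authorization described in the preceding paragraphs, together with the step-up flow and the eligibility credentials from the paragraphs before them, can be modelled as a small policy engine. The following is an added example written for this page; it is not code from any state system. The assurance level names, issuer URLs, resource paths and credential types are constructed, and the example assumes that a credential's signature has already been verified against its issuer's key before it reaches this layer.

```python
from dataclasses import dataclass, field

# Ordered assurance levels for this example (constructed names; a real program would map
# these to the identity and authenticator assurance levels it has defined).
ASSURANCE_RANK = {"basic": 1, "mfa": 2, "state_credential": 3}

# Hypothetical issuer identifiers the gateway trusts. Cryptographic verification of a
# presented credential against the issuer's published key is assumed to precede this step.
TRUSTED_ISSUERS = {"https://id.example.gov", "https://permits.example.gov"}

# Credential types that raise identity assurance, as opposed to types that only prove eligibility facts.
IDENTITY_CREDENTIAL_TYPES = {"state_digital_identity", "mDL"}


@dataclass
class Session:
    subject: str
    assurance: str = "basic"                             # established by the SSO login
    verified_claims: dict = field(default_factory=dict)  # facts proven by presented credentials


@dataclass
class AccessPolicy:
    required_assurance: str
    required_claims: dict = field(default_factory=dict)


# Constructed per-resource policies: the assurance and the proven facts each path needs.
POLICIES = {
    "/portal/home": AccessPolicy("basic"),
    "/permits/renew": AccessPolicy("mfa", {"permit_status": "valid"}),
    "/records/tax-return": AccessPolicy("state_credential"),
}


def evaluate(session: Session, resource: str) -> tuple:
    """Return ("allow", None), ("step_up", required_level) or ("present_credential", missing_claims)."""
    policy = POLICIES[resource]
    if ASSURANCE_RANK[session.assurance] < ASSURANCE_RANK[policy.required_assurance]:
        return ("step_up", policy.required_assurance)
    missing = {k: v for k, v in policy.required_claims.items()
               if session.verified_claims.get(k) != v}
    if missing:
        return ("present_credential", missing)
    return ("allow", None)


def apply_credential(session: Session, credential: dict) -> bool:
    """Accept a pre-verified credential into the session. Identity credentials raise the
    assurance level; eligibility credentials only add claims. Returns False when the issuer
    is untrusted or the credential is not bound to this session's subject."""
    if credential["issuer"] not in TRUSTED_ISSUERS:
        return False
    if credential["subject"] != session.subject:  # holder binding: must be about this user
        return False
    if credential["type"] in IDENTITY_CREDENTIAL_TYPES:
        session.assurance = "state_credential"
    session.verified_claims.update(credential["claims"])
    return True


def walkthrough() -> list:
    """A resident's path: routine access, step-up for a sensitive record, then an eligibility proof."""
    s = Session("alice", assurance="mfa")
    steps = [evaluate(s, "/portal/home")[0]]              # allow: routine access on the SSO session
    steps.append(evaluate(s, "/records/tax-return")[0])   # step_up: a state credential is required
    steps.append(apply_credential(s, {"issuer": "https://unknown.example", "subject": "alice",
                                      "type": "mDL", "claims": {}}))  # rejected: untrusted issuer
    steps.append(apply_credential(s, {"issuer": "https://id.example.gov", "subject": "alice",
                                      "type": "mDL", "claims": {"age_over_18": True}}))  # accepted
    steps.append(evaluate(s, "/records/tax-return")[0])   # allow
    steps.append(evaluate(s, "/permits/renew")[0])        # present_credential: permit status unproven
    steps.append(apply_credential(s, {"issuer": "https://permits.example.gov", "subject": "alice",
                                      "type": "permit", "claims": {"permit_status": "valid"}}))
    steps.append(evaluate(s, "/permits/renew")[0])        # allow
    return steps
```

The design point is that the permit credential never changes the session's identity assurance, and the mDL never grants program eligibility: each credential contributes only the kind of fact it was issued to prove, which is what lets an agency require step-up for some paths and leave routine access untouched.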
