Single Sign-On (SSO) is an authentication scheme in which a user logs in once to an identity provider (IdP) and is then granted access to multiple downstream applications without entering credentials again. The downstream applications trust the IdP through a federation protocol — most commonly SAML 2.0 in enterprise contexts and OpenID Connect (OIDC) on top of OAuth 2.0 in modern web stacks. SSO is the table-stakes feature that distinguishes "team plan" from "enterprise plan" pricing for almost every SaaS vendor.

In a self-hosting context

When you self-host the OSS alternatives in this directory, you bring your own IdP. Keycloak and Authentik are the two dominant open-source identity providers; both speak SAML and OIDC and federate against existing directories like LDAP, Active Directory, GitHub, or Google. Self-hosting these closes the "SSO tax" gap that Auth0 and similar managed IdPs charge for. See SAML vs OIDC for which protocol to pick when wiring a downstream app.