A practical look at identity, sessions, OAuth 2.0, OpenID Connect, and tenant isolation.

Single Sign-On is often summarized as "log in once and access many applications." That is correct, but incomplete. A real SSO system must also answer several security questions:

Which application is requesting access?

Which organization owns that application?

Is the user allowed to use it?