How to Design a Scalable Single Sign-On (SSO) System: Architecture, Flow, and Use Cases
This guide explains the core concepts, architecture components, authentication flow, and real‑world deployment scenarios of Single Sign‑On (SSO) systems, helping architects build unified, secure login solutions for web, mobile, and micro‑service environments.
Single Sign-On (SSO) provides a unified authentication entry for distributed applications, reducing user effort and centralizing security control across web, app, and mini‑program clients.
Core Value
Unified identity authentication
Less user effort: one login for every connected system
Centralized security control
Support for multiple systems and platforms
SSO System Design
The typical SSO architecture consists of an authentication server (Auth Server), user clients (browser or app), and an access layer/gateway (e.g., Nginx or API gateway). The Auth Server handles login, credential verification, and token issuance.
Components
Auth Server: unified login page, credential verification, token/ticket issuance; the only component that ever sees user passwords.
User side (Browser / App): initiates the login request and carries the session cookie or token on later requests.
Access Layer / Gateway: single entry point; checks the authentication state (cookie or token) on each request and forwards it to the backend, or redirects to the Auth Server when it is missing.
Overall Flow
User requests System A → System A finds no local session → Redirect to the SSO login page, carrying System A's registered callback URL → SSO validates username/password → Generates a short‑lived, single‑use Token/Ticket bound to System A → Redirect back to System A's callback with the ticket → System A validates the ticket (back‑channel check with the Auth Server, or signature check for a self‑contained token) → Establishes local session
Three checks make this flow safe in practice: the Auth Server redirects only to callback URLs registered for that system (otherwise the login page is an open redirect that leaks fresh tickets to any host), the ticket expires within a minute or so and is accepted exactly once, and System A verifies that the ticket was issued for it and not for another system.
Real‑World Scenarios
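The redirect flow above, as an added example written for this page (not code from the original article or its author). It models the opaque-ticket variant: the Auth Server keeps issued tickets server-side and System A validates over a back channel. The usernames, passwords, callback URLs and the 60-second TTL are constructed sample values; in-memory dicts stand in for the Auth Server's ticket store and System A's session store.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL = 60  # seconds: a ticket only has to survive one browser redirect (assumed value)


@dataclass
class Ticket:
    user: str
    service: str       # callback URL the ticket was issued for
    issued_at: float


class AuthServer:
    """Central login service: checks credentials, issues one-time tickets and
    answers back-channel validation requests from the applications."""

    def __init__(self, users, allowed_services):
        self._users = users                    # username -> password (constructed sample; real systems store hashes)
        self._allowed = set(allowed_services)  # registered callback URLs
        self._tickets = {}                     # ticket string -> Ticket

    def login(self, username, password, service):
        """Login form handler. Returns the redirect URL carrying the ticket, or None on bad credentials."""
        # Only redirect to registered callbacks: an open redirect here hands a
        # fresh ticket to whatever host the attacker put in the service parameter.
        if service not in self._allowed:
            raise ValueError("unregistered service")
        stored = self._users.get(username, "")
        if not secrets.compare_digest(stored.encode(), password.encode()):
            return None
        ticket = secrets.token_urlsafe(32)     # opaque and unguessable; carries no claims itself
        self._tickets[ticket] = Ticket(username, service, time.time())
        return f"{service}?{urlencode({'ticket': ticket})}"

    def validate(self, ticket, service, now=None):
        """Back-channel call from an application. Returns the username or None."""
        now = time.time() if now is None else now
        t = self._tickets.pop(ticket, None)    # popping makes every ticket single use
        if t is None:
            return None                        # unknown, or already consumed (replay)
        if now - t.issued_at > TICKET_TTL:
            return None                        # expired
        if t.service != service:
            return None                        # issued for a different application
        return t.user


class Application:
    """One of the SSO-protected systems (System A in the flow above)."""

    def __init__(self, callback, auth_server):
        self.callback = callback
        self.auth = auth_server
        self.sessions = {}                     # local session id -> username

    def handle_callback(self, url, now=None):
        """Browser arrives on the callback URL; exchange the ticket for a local session id."""
        if not url.startswith(self.callback + "?"):
            return None
        ticket = parse_qs(urlparse(url).query).get("ticket", [None])[0]
        if ticket is None:
            return None
        user = self.auth.validate(ticket, self.callback, now)
        if user is None:
            return None
        sid = secrets.token_urlsafe(32)        # local session is independent of the SSO ticket
        self.sessions[sid] = user
        return sid


def demo():
    """Walk the whole flow once, then replay the same redirect URL."""
    auth = AuthServer({"alice": "correct horse battery"}, ["https://a.example.com/sso/callback"])
    system_a = Application("https://a.example.com/sso/callback", auth)
    redirect = auth.login("alice", "correct horse battery", system_a.callback)
    sid = system_a.handle_callback(redirect)      # first use: session established
    replay = system_a.handle_callback(redirect)   # second use: ticket already consumed
    return system_a.sessions.get(sid), replay


if __name__ == "__main__":
    print(demo())
```

Popping the ticket before any other check is deliberate: a ticket that fails validation for any reason is gone, so an attacker who captured the redirect URL cannot retry it against a different service or after the clock moves.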
Enterprise Intranet SSO (SAML)
Large enterprises integrate multiple internal applications into a unified identity platform (the IdP). Benefits include mature security and broad enterprise integration; the cost is careful management of IdP signing certificates (rotated before expiry, with the old and new certificate both trusted during the changeover) and of Assertion lifecycles: each Assertion must be checked for signature, audience and a short validity window, and replayed Assertion IDs rejected.
Cloud Services & API Ecosystem (OIDC + OAuth2)
Targeting mobile and micro‑service platforms. Mobile apps use OIDC for interactive login (Authorization Code flow with PKCE, since a native app cannot keep a client secret), while backend services validate Access Tokens (signature, issuer, audience, expiry, scope) before calling resource servers. Advantages are lightweight, cross‑platform, and fine‑grained authorization control.
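The resource-server side of this scenario, as an added example for this page (not code from the original article or from any OIDC library): the full set of checks a backend must make before honoring a bearer Access Token. To run offline it mints HS256 tokens with a shared secret; real OIDC providers normally sign with RS256/ES256 and publish the key via JWKS, so only the signature step would change. The issuer URL, audience names, scopes and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any reason the token must be rejected."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Stands in for the Auth Server; shared-secret HMAC is an
    assumption made so the example runs without a key server."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_access_token(token, secret, issuer, audience, required_scope, now=None):
    """Resource-server check. Returns the claims or raises TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except ValueError:
        raise TokenError("bad header")
    # Pin the algorithm the issuer is known to use. Honoring the header's alg
    # field is what enables "alg": "none" and key-confusion forgeries.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        given = b64url_decode(s)
    except ValueError:
        raise TokenError("bad signature encoding")
    if not hmac.compare_digest(expected, given):  # constant-time compare
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(p))
    except ValueError:
        raise TokenError("bad payload")
    # Only after the signature holds do the claims mean anything.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not meant for this resource server")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("insufficient scope")
    return claims


def rejection_reason(*args, **kwargs):
    """The reason a token would be rejected, or None if it passes every check."""
    try:
        validate_access_token(*args, **kwargs)
    except TokenError as e:
        return str(e)
    return None


if __name__ == "__main__":
    secret = b"constructed shared secret"
    tok = issue_token({"iss": "https://sso.example.com", "aud": "orders-api", "sub": "alice",
                       "scope": "orders:read", "exp": 2000000000, "nbf": 1000000000}, secret)
    print(rejection_reason(tok, secret, "https://sso.example.com", "orders-api", "orders:read"))
```

The audience check is the one most often skipped: a token minted for one micro-service is a valid, correctly signed token, and without `aud` enforcement it opens every other service that trusts the same issuer.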
Single‑Page Applications (SPA) with Shared Session
Multiple front‑end sub‑domains share login state. Implementation uses a common parent domain with an authentication gateway that handles login requests and sets a session cookie scoped to that parent domain (Domain set to the parent, plus Secure, HttpOnly and SameSite), or a central token exchange in which each sub‑domain obtains its own short‑lived token from the authentication server. The shared cookie is readable by every sub‑domain under the parent, so a compromised or user‑controlled sub‑domain exposes the session; keep that set of sub‑domains small and trusted, or prefer the token exchange.
Mike Chen's Internet Architecture