SSO implementation overview
Single sign-on (SSO) lets a user access multiple applications with one set of credentials (often a username and password). The SSO exchange provides authentication (verifying the user's identity) and can carry user attributes that feed authorization (what the user is allowed to do); the template site applies those attributes to its own access decisions. The result is that a user who has signed in on your main site can open and use the template site without reauthenticating.
SSO use cases
With SSO, your site can allow your customers to browse without signing in, require them to sign in right away, or let them sign in at any point in their journey. Sign-in goes hand in hand with sign-out: you decide whether a user signing out of the template site is also signed out of your main site. Sign-in use cases include:
- The user is signed in on your main site and clicks the link that directs them to the template site. Their sign-in is preserved, allowing them to use the template site as an authenticated user.
- The user is not signed in on your main site and clicks the link that redirects them to the template site. When they go to sign in on the template site, they are redirected to your identity provider (IdP), sign in there, and are returned to the template site once sign-in completes.
Sign-out use cases include:
- The user signs out of the template site. When they return to your main site, they can also be signed out on your main site.
- The user's session times out after an extended period of inactivity (Expedia's default is 60 minutes). The user is signed out of both the main site and the template site.
Supported SSO protocols
Expedia uses industry-standard SSO protocols and can align with what you already have in place. Supported protocols include:
- SAML v2: Security Assertion Markup Language (SAML) exchanges XML-based assertions between an identity provider and a service provider to authenticate the user. SAML v2 (also known as SAML 2.0) was ratified as an OASIS standard in 2005 and is the established protocol for web-based, cross-domain SSO.
- OpenID Connect: OpenID Connect (OIDC) is an open standard (not open source) that adds an identity layer on top of OAuth 2.0: the IdP returns a signed ID token stating who authenticated, when, and for which client. It is widely used by technology companies for web, mobile, and JavaScript clients.
- OAuth 2.0: OAuth 2.0 is an authorization framework. It lets an application obtain delegated access to a user's account on an HTTP service and defines grant types (flows) for web, mobile, and desktop applications. On its own it does not authenticate the user, so for sign-in it should be used through OIDC rather than as a bare access-token exchange.
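The redirect-out, redirect-back sign-in flow described in the "not signed in" use case above, implemented for the OIDC case, as an added example that is not part of Expedia's documentation or code. It shows the template site (the relying party) building the authorization request with state, nonce and PKCE, checking state on the callback, and validating the ID token (signature, issuer, audience, expiry, nonce) before treating the user as signed in. The IdP URLs, client ID, user ID and the HS256 shared key are made-up placeholders; a real IdP signs ID tokens with an asymmetric key published via JWKS, which changes the signature check but not the claim checks.

```python
"""Relying-party (template-site) side of an OIDC authorization-code sign-in.
Added example; not Expedia's code. Endpoints, client ID and the HMAC key are
made-up placeholders."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://idp.partner.example"            # hypothetical IdP
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "template-site"                       # hypothetical client ID
REDIRECT_URI = "https://template.example/callback"
DEMO_KEY = b"demo-shared-secret"                  # constructed, HS256 demo only
DEMO_NOW = 1_700_000_000.0                        # fixed clock for repeatability


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login(session: dict) -> str:
    """Step 1: build the redirect to the IdP. state ties the callback to this
    browser session (CSRF), nonce ties the ID token to this attempt (replay),
    PKCE ties the code to this client (code interception)."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)
    challenge = b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",   # 'openid' is what makes this OIDC, not bare OAuth
        "state": session["state"], "nonce": session["nonce"],
        "code_challenge": challenge, "code_challenge_method": "S256"})


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: the IdP sends the browser back with ?code=...&state=... .
    Accept the code only if state matches what this session stored."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError("IdP error: " + qs["error"][0])
    if qs.get("state", [None])[0] != session.get("state"):
        raise PermissionError("state mismatch: possible CSRF or stale session")
    session.pop("state")          # single use
    return qs["code"][0]


def validate_id_token(session: dict, id_token: str, key: bytes, now: float) -> dict:
    """Step 3: after the code is exchanged at the token endpoint, check the ID
    token before treating the user as signed in (demo: HS256 shared key)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # pin the expected alg
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise PermissionError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("nonce") != session.get("nonce"):
        raise PermissionError("nonce mismatch: possible replay")
    session.pop("nonce")          # single use
    return claims


def try_validate(session: dict, id_token: str, key: bytes, now: float) -> str:
    """'ok' or the rejection reason, for logging and tests."""
    try:
        validate_id_token(session, id_token, key, now)
        return "ok"
    except PermissionError as e:
        return str(e)


def make_demo_id_token(key: bytes, nonce: str, now: float, **overrides) -> str:
    """Constructed stand-in for the IdP's token-endpoint response."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "iat": int(now), "exp": int(now) + 300, "nonce": nonce, **overrides}
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def demo_login_roundtrip(now: float = DEMO_NOW) -> dict:
    """Full happy path: redirect out, callback in, ID token validated."""
    session: dict = {}
    start_login(session)
    callback = REDIRECT_URI + "?" + urlencode({"code": "abc123", "state": session["state"]})
    handle_callback(session, callback)
    return validate_id_token(session, make_demo_id_token(DEMO_KEY, session["nonce"], now), DEMO_KEY, now)


if __name__ == "__main__":
    print("signed in as", demo_login_roundtrip()["sub"])
```

The code exchange at the token endpoint (sending the code plus `code_verifier` over a back-channel HTTPS request) is omitted because it is a network call; everything that decides whether the user is signed in happens in `validate_id_token`. The single-use handling of state and nonce is what makes a replayed callback or a replayed ID token fail, which is the property the sign-out and session-timeout use cases rely on.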
Want to learn more? We’ve provided some relevant links on our Standards and resources page.