Single Sign-On Overview
Start course
1h 41m

This Designing for Azure Identity Management course will guide you through the theory and practice of recognizing, implementing, and deploying the services on offer within your enterprise. Learn how to better the protection of your organization by designing advanced identity management solutions. Recommended for those who already have some experience with the subject, this course is comprised of 24 lectures, including demos, and expertly instructed by one of our MS Azure subject matter experts.

Learning Objectives

  • Study and understand what Azure AD Domain Services do and what they can offer
  • Learn to create and manage hybrid identities via Azure AD Connect 
  • Understand the principles of Azure MFA and SSO, and how to enable them
  • Recognize and deploy the key principles of Azure AD B2B and B2C 
  • Learn and utilize Privileged Identity Management

Intended Audience

This course is intended for:

  • IT professionals who are interested in getting certified with MS Azure
  • Those looking to become Azure architects and/or tasked with designing identity management solutions


  • A mid-range knowledge of MS Azure is recommended before starting this course
  • An understanding of identity management concepts

Related Training Content

For more courses related to MS Azure, visit our dedicated Content Training Library.





Unless an organization deploys a single sign-on solution, its users will be required to remember multiple usernames and passwords, one for each different application in use. Additionally, the IT department needs to maintain all of these different accounts and passwords manually. Single sign-on allows users to sign in once with one account in order to access domain-joined devices, corporate resources, SAS applications, and even web apps. After signing in, users can then launch apps right from the O365 portal or via the MyApps access panel. With single sign-on, IT administrators can centralize user account management, allowing them to automatically add or remove user access to applications based on group membership. In this lecture, we are going to discuss the various single sign-on options that are available when designing an identity management solution that incorporates single sign-on. 

Choosing a single sign-on solution for an application will largely depend on how the application is configured for authentication. Of all the single sign-on methods we are about to discuss, disabled is the only one that does not automatically sign users into applications without requiring a second sign-on to occur. When deciding on a single sign-on solution, it's important to know that cloud apps can use SAML, password-based, linked, and disabled methods for single sign-on. Of the bunch, SAML is the most secure method. On-prem apps, when configured for Application Proxy, can use password-based, Integrated Windows Authentication, or IAW, header-based, linked, or the disabled methods for single sign-on. The table that you see on your screen provides a summary of the single sign-on methods that are available. Use SAML for single sign-on whenever possible. 

This method works when applications are configured to use a SAML protocol. Use password-based single sign-on when an application authenticates with a username and password. Using password-based single sign-on offers secure application password storage and replay via a web browser extension or via mobile application. Password-based single sign-on uses the existing sign-in process that's provided by the application while allowing an administrator to manage the passwords for it. The linked single sign-on method is useful when an application is configured for SSO in another identity provider service. This SSO option doesn't add single sign-on to the application. Use disabled single sign-on when an application isn't ready for single sign-on. Users of the application will need to provide their username and password each time they launch the application.

 Use IWA SSO for applications that use Integrated Windows Authentication or for claims-aware applications. When using this method for SSO, Application Proxy connectors use Kerberos Constrained Delegation to authenticate users to the application. Header-based single sign-on should be used when an application uses headers for authentication. It should be noted that header-based single sign-on requires PingAccess for Azure AD. When using header-based SSO, Application Proxy uses Azure AD to authenticate the user and then passes traffic through the connector service.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.