TL;DR

Single Sign-On (SSO) is an authentication method that lets users log into multiple applications with one set of credentials, authenticated once through a central identity provider. In recruitment, it means a recruiter logs into Okta once and gets access to their ATS, sourcing tools, background check platform, and job boards without separate logins. It reduces password fatigue, simplifies IT administration, and is a standard security requirement in enterprise environments.

How Single Sign-On Works

SSO delegates authentication to a single trusted authority - the identity provider (IdP) - instead of letting each application manage its own passwords. When a user tries to access an application connected to the SSO system, the application doesn't ask for a password. Instead, it redirects the user to the IdP. The IdP authenticates the user (checking credentials, enforcing MFA, evaluating device trust policies), then sends a signed token back to the application confirming the user's identity. The application grants access based on that confirmation.

The session created after first authentication is shared. Once a recruiter authenticates with Okta in the morning, that session is valid for the rest of the day (or until the session timeout, typically 8-12 hours in enterprise settings). When they open a second connected application, the browser silently presents the existing session to the IdP, the IdP confirms it's still valid, and the user is logged into the new application without seeing a login prompt. This is the "single sign" in Single Sign-On.

The underlying protocols vary. SAML 2.0 is the enterprise standard for browser-based SSO, particularly common with older ATS platforms and HRIS systems. OpenID Connect (OIDC), built on OAuth 2.0, is more common for modern SaaS applications and mobile apps. Most enterprise identity providers (Okta, Azure AD, Google Workspace) support both. When an ATS vendor says they support SSO, the first question is which protocols: SAML, OIDC, or both.

SSO and user provisioning are related but separate capabilities. SSO handles authentication - who gets in and under what conditions. User provisioning handles lifecycle management - creating accounts when someone joins, updating attributes when they change roles, deactivating accounts when they leave. The standard for automated provisioning is SCIM (System for Cross-domain Identity Management). Many enterprise ATS deployments combine SSO for authentication with SCIM for provisioning, giving IT complete control over user lifecycle from the IdP.

Why It Matters in Recruitment

Recruiters use more applications than most office workers. A typical recruiter at a staffing agency might touch their ATS, a sourcing tool, a video interview platform, a job board portal, a background check vendor, a scheduling tool, and a CRM in a single day. Without SSO, each of those tools has its own username and password, its own session timeout, its own MFA prompt. The cognitive overhead is real, and the security risk of password reuse across all of them is significant.

SSO addresses both problems simultaneously. Recruiters authenticate once with strong corporate credentials and MFA, then move freely between tools. IT maintains one identity record per user in the IdP, with role and group assignments that flow to connected applications automatically. The mean time to revoke access when someone leaves drops from hours (chasing down every system) to minutes (deactivating one IdP account).

For staffing agencies subject to client security audits or contractual security requirements, SSO is increasingly a baseline expectation. Enterprise clients placing large numbers of requisitions through a staffing agency may require the agency to demonstrate that only authorized personnel can access candidate data - SSO with centrally enforced MFA is a direct answer to that requirement.

Single Sign-On in Practice

A staffing agency with 200 recruiters across three offices decides to roll out Okta SSO after a security audit flags that 30% of their application accounts have no MFA enabled. IT configures Greenhouse, Bullhorn, LinkedIn Recruiter, HireRight, and their internal CRM as SAML applications in Okta. Each application gets an Okta-issued identity certificate and an attribute mapping.

After rollout, every recruiter logs into Okta once in the morning using their corporate email, password, and an Okta Verify push notification on their phone. From the Okta dashboard, they click into Greenhouse - no separate login. They open Bullhorn in another tab - no separate login. When a senior recruiter is promoted to branch manager, IT updates their Okta group membership, and the new permissions propagate to all connected applications at next login. When a recruiter resigns, one Okta deactivation cuts access to all 12 connected tools simultaneously.

Key Considerations