🔐 Inbound SSO (Single Sign-On)

Definition:
Inbound SSO means users from an external identity provider (IdP) can sign into your application or service using their existing credentials.

Your application becomes the “Service Provider” (SP).


✅ Example:

A company uses Microsoft Entra ID (Azure AD) as their IdP. They want employees to log into a third-party learning platform (e.g., Coursera for Business) using their corporate credentials.

  • IdP: Microsoft Entra ID (external)

  • SP: Coursera for Business (your app)

Your app accepts the assertion or token issued by the IdP and signs the user in.


📊 Inbound SSO Diagram

[User]
  |
  | 1. Login request
  v
[Your App (SP)] --- 2. Redirect to external IdP ---> [Microsoft Entra (IdP)]
  |            <--- 3. Assertion/Token Received ----
  v
[User Authenticated in Your App]

🔐 Outbound SSO

Definition:
Outbound SSO means your app is the identity provider (IdP), and you allow users to sign into external services using credentials stored in your system.

Your system “provides” the identity to other apps.


✅ Example:

You build a centralized employee portal that connects to:

  • Jira

  • Slack

  • ServiceNow

Users log in once to your portal and get SSO access to all connected services via SAML or OIDC.

  • IdP: Your portal

  • SPs: Jira, Slack, ServiceNow

Your app issues the identity to the connected services.


📊 Outbound SSO Diagram

[User]
|
| 1. Login to Your Portal (IdP)
v
[Your Portal] ---------------------------> [Slack]
| 2. SAML Assertion / Token
v
[User Authenticated in Slack]

🔁 Summary Table

Feature             | Inbound SSO                               | Outbound SSO
Who owns the login? | External IdP                              | Your system (IdP)
Your role           | Service Provider (SP)                     | Identity Provider (IdP)
Example             | Sign in with Google/Microsoft on your app | Users access Slack from your internal portal
Protocols           | SAML, OIDC                                | SAML, OIDC
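
Both roles from the table above in code, as an added example that is not part of the original page: the IdP issues a signed token for one SP, and the SP checks signature, issuer, audience, expiry and nonce before signing the user in. Assumptions: all names and values are hypothetical, and an HS256 shared key stands in for the asymmetric signatures real IdPs typically use, so the sketch runs on the standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not from the page).
SHARED_KEY = b"demo-key-for-illustration-only"
ISSUER = "https://idp.example.test"
CLIENT_ID = "learning-platform"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> str:
    return b64e(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def idp_issue_token(subject, audience, nonce, key=SHARED_KEY, issuer=ISSUER, ttl=300, now=None):
    """IdP role (outbound SSO): assert the user's identity to one named SP."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "nonce": nonce, "iat": now, "exp": now + ttl}
    signing_input = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + b64e(json.dumps(claims).encode())
    return signing_input + "." + sign(signing_input, key)

def sp_validate_token(token, expected_nonce, key=SHARED_KEY, issuer=ISSUER, audience=CLIENT_ID, now=None):
    """SP role (inbound SSO): return the subject, or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, signature = token.split(".")
        header = json.loads(b64d(header_b64))
        claims = json.loads(b64d(claims_b64))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sign(header_b64 + "." + claims_b64, key).encode(), signature.encode()):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:  # only the IdP this SP trusts
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:  # reject tokens minted for a different SP
        raise ValueError("token issued for another SP")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")  # ties the token to the login request this SP started
    return claims.get("sub")
```

The audience check is what stops a token issued for one connected service from being replayed against another that trusts the same IdP.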