SSO: Single Sign-On

Last updated: 2/9/2026

Reading time: 4 min

Full Name: Single Sign-On

Definition

Single Sign-On (SSO) is an authentication mechanism that enables users to authenticate once and gain access to multiple independent software systems without being prompted to log in again at each one. Traditional SSO implementations rely on a centralized identity provider (IdP) that manages authentication state and issues security tokens to service providers within a trust domain. Protocols like SAML 2.0, OpenID Connect, and Kerberos implement various forms of SSO. In the EUDI Wallet ecosystem, the concept of SSO is reimagined through a privacy-preserving, decentralized approach: the user authenticates once to their EUDI Wallet using biometrics, and the wallet then enables access to multiple services through independent credential presentations. Unlike traditional SSO where the IdP sees every service the user accesses, the EUDI Wallet model ensures that no single entity has visibility into the user's complete service access pattern, fundamentally solving the privacy concern that has long been recognized as the Achilles heel of centralized SSO architectures.

Traditional SSO vs. EUDI Wallet-Based Authentication

In traditional centralized SSO (such as enterprise SAML-based SSO or consumer-facing "Login with Google/Facebook"), all authentication flows pass through a central identity provider. When a user accesses Service A, they are redirected to the IdP, authenticate there, and receive a token. When they access Service B, the same IdP issues another token. The IdP maintains a session and has complete visibility into which services the user accesses, when they access them, and how frequently. This creates a surveillance capability that is fundamentally incompatible with the privacy requirements of the EUDI Wallet.

The EUDI Wallet inverts this model. The user authenticates locally to their wallet using biometrics, and the wallet stores pre-issued verifiable credentials. When accessing Service A, the wallet presents relevant credentials directly to Service A without contacting any third party. When accessing Service B, the wallet presents credentials directly to Service B. The credential issuer (analogous to the IdP in traditional SSO) has no knowledge of these presentation events. Furthermore, pairwise identifiers ensure that Services A and B cannot correlate their records to determine they are serving the same person.
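The contrast between a central IdP log and pairwise identifiers can be made concrete with a short sketch. This is an added example, not code from the EUDI Wallet specifications; the HMAC-based derivation, the function names and the sample service URLs are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values. The derivation is an illustrative assumption,
# not the mechanism defined by the EUDI Wallet specifications.
WALLET_SECRET = secrets.token_bytes(32)  # held only inside the wallet


def pairwise_id(wallet_secret: bytes, relying_party: str) -> str:
    """Stable per-relying-party pseudonym: HMAC-SHA256(secret, RP identifier)."""
    mac = hmac.new(wallet_secret, relying_party.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def central_idp_log(subject: str, visits: list[str]) -> list[tuple[str, str]]:
    """Traditional SSO: the IdP records one global subject against every service."""
    return [(subject, rp) for rp in visits]


def wallet_presentations(wallet_secret: bytes, visits: list[str]) -> dict[str, set[str]]:
    """Wallet model: each relying party only ever stores its own pseudonym."""
    seen: dict[str, set[str]] = {}
    for rp in visits:
        seen.setdefault(rp, set()).add(pairwise_id(wallet_secret, rp))
    return seen


def correlate(db_a: set[str], db_b: set[str]) -> set[str]:
    """What two colluding relying parties learn by joining on the identifier."""
    return db_a & db_b


VISITS = ["https://service-a.example", "https://service-b.example",
          "https://service-a.example"]

if __name__ == "__main__":
    rp_view = wallet_presentations(WALLET_SECRET, VISITS)
    print("IdP sees:", central_idp_log("user-1234", VISITS))
    print("Joined records:", correlate(rp_view[VISITS[0]], rp_view[VISITS[1]]))
```

The IdP log links one subject to every visit, while the join across the two relying-party stores comes back empty because each pseudonym is bound to a single relying party.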

This architectural difference delivers the convenience benefits of SSO (one authentication enables access to many services) while eliminating the privacy cost (no central entity tracks all service access). The trade-off is that the EUDI Wallet model does not natively support the session propagation features of traditional SSO, where logging out from the IdP simultaneously terminates all service sessions. Each relying party manages its own session independently, which is actually a security advantage in many scenarios (a compromised session at one service does not affect sessions at other services).

EUDI Wallet Integration with Enterprise SSO

Large organizations across Europe rely heavily on enterprise SSO for managing employee access to internal applications. Migrating these systems entirely to EUDI Wallet-based authentication would be impractical and unnecessary, as enterprise SSO serves a different purpose (managing access to corporate resources) than the EUDI Wallet (managing portable personal identity credentials). The practical approach is integration, where the EUDI Wallet serves as an authentication method within the existing SSO framework.

In this integration model, the enterprise SSO system (such as Microsoft Entra ID, Okta, or Keycloak) is configured to accept EUDI Wallet credential presentations as a valid authentication method alongside traditional username/password or existing MFA methods. When an employee presents their EUDI Wallet credentials, the SSO system verifies the credentials, creates an authenticated session, and issues the usual SSO tokens for the enterprise application suite. The wallet handles the initial identity assertion while the enterprise SSO handles the session management and authorization within the corporate environment.

This hybrid approach is particularly valuable for organizations that employ workers across multiple EU member states, as the EUDI Wallet provides a unified, cross-border authentication method that works regardless of the employee's nationality or home country. It also supports strong authentication that meets regulatory requirements (such as PSD2 SCA for financial institutions) while maintaining compatibility with the organization's existing IT infrastructure.

Future of SSO in the EUDI Wallet Era

The EUDI Wallet's approach to authentication is likely to influence the evolution of SSO technology more broadly. The privacy advantages of decentralized credential presentation are becoming increasingly important as data protection regulations tighten and users become more privacy-conscious. Technology vendors are already exploring how to incorporate verifiable credential-based authentication into their SSO products, creating a convergence between traditional SSO convenience and wallet-based privacy.

The OpenID Foundation's work on OpenID4VP (Verifiable Presentation) and the IETF's work on SD-JWT provide the protocol bridges that enable this convergence. Existing SSO systems that support OpenID Connect can add EUDI Wallet support through relatively straightforward protocol extensions, as OpenID4VP shares architectural principles with OpenID Connect. This protocol compatibility ensures that the transition from traditional SSO to wallet-enhanced authentication can happen incrementally rather than requiring wholesale system replacement.
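An SSO system that accepts wallet presentations has to check that every claim the wallet reveals was actually committed to by the issuer; in SD-JWT this is done by hashing each disclosure and matching it against the issuer-signed `_sd` digests. The sketch below is an added example, not code from this page or from any vendor; it assumes the issuer's signature and any key binding have already been verified, and the credential contents are constructed.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(salt: str, name: str, value) -> str:
    """Issuer side: a disclosure is base64url(JSON [salt, claim name, value])."""
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))


def digest(disclosure: str) -> str:
    """Digest stored in the credential's _sd array: SHA-256 over the encoded string."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def disclosed_claims(payload: dict, disclosures: list[str]) -> dict:
    """Verifier side: accept only disclosures whose digest the issuer signed."""
    # Assumption: `payload` comes from a JWT whose signature was already verified.
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    signed = set(payload.get("_sd", []))
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for d in disclosures:
        if digest(d) not in signed:
            raise ValueError("disclosure not covered by issuer-signed digests")
        salt, name, value = json.loads(b64url_decode(d))
        if name in claims or name in ("_sd", "..."):
            raise ValueError("duplicate or reserved claim name")
        claims[name] = value
    return claims


# Constructed sample credential (salts and values are made up).
D_NAME = make_disclosure("salt-1", "family_name", "Muster")
D_BIRTH = make_disclosure("salt-2", "birthdate", "1990-01-01")
D_ADULT = make_disclosure("salt-3", "age_over_18", True)
PAYLOAD = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
           "_sd": sorted(digest(d) for d in (D_NAME, D_BIRTH, D_ADULT))}
```

Presenting only `D_ADULT` yields the `age_over_18` claim without revealing the name or birthdate, and a disclosure built with a different salt or value is rejected because its digest is not in `_sd`.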

For citizen-facing government services across the EU, the EUDI Wallet is expected to become the primary authentication mechanism, effectively replacing the patchwork of national SSO systems (eIDAS nodes, SPID, BankID, etc.) with a unified, privacy-preserving authentication experience. Citizens will authenticate once to their wallet and access government services across all 27 member states without maintaining separate accounts or dealing with different authentication systems in each country.

⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.
