neilv 2 days ago

> Single sign-on (SSO) is a mechanism for outsourcing the authentication for your website (or other product) to a third party identity provider, such as Google, Okta, Entra ID (Azure AD), PingFederate, etc. Or the IdP is administered by the enterprise's own IT operation. The outsourcing of your security to (and also consequently leaking information to) a third party IdP is a fairly new phenomenon in 'security'. Someone must have paid a lot of money to promote that idea.
weitendorf 2 days ago
Why? It is a screaming good deal for >90% of companies to take as many problems like “employee credentials can be used to access user passwords”, “we need to develop, release, operate, and support something where small mistakes introduce security breaches + hire people capable of properly doing that work”, and “if someone gets this private key they can use it to impersonate any user” off their plates as they can. It’s good that Bob’s App Factory cares enough about security to hand off hard parts to Google for $X/mo if they’re not confident in their own ability to handle it better themselves. I trust Google more with my data than any other company in the world, including Bob’s. Bob’s a great guy but I doubt his IT department is reviewing every change in Keycloak and preventing unilateral access to HMAC keys.
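The split of responsibility weitendorf describes, in code, as an added example that is not part of this thread or of any product named in it: the relying party keeps only the verification checks (pinned algorithm, signature, issuer, audience, expiry), while whoever holds the signing key can mint a token for any user. HS256 (HMAC-SHA256) is used so the block runs on the Python standard library alone; the key, issuer URL, audience string and all tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example; a real relying party takes them from
# its IdP configuration.
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "bobs-app-factory"
EXPECTED_ALG = "HS256"  # pinned by the relying party, never read from the token


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(key: bytes, claims: dict, alg: str = EXPECTED_ALG) -> str:
    """Stand-in for the IdP: sign header.payload with HMAC-SHA256.

    Anyone holding `key` can call this, which is exactly the impersonation
    risk named in the comment above.
    """
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(key: bytes, token: str, now: Optional[float] = None) -> dict:
    """Relying-party side: return the claims if acceptable, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The header is attacker-controlled until the signature checks out, so the
    # algorithm is pinned rather than trusted; "none" and downgrades fail here.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def outcome(key: bytes, token: str, now: float) -> str:
    """Reduce a verification attempt to one descriptive string."""
    try:
        return "accepted as " + verify_token(key, token, now)["sub"]
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    """Run the checks against constructed tokens; one outcome per case."""
    key = b"constructed-demo-hmac-key-not-for-real-use"
    now = 1_700_000_000
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "sub": "alice", "iat": now, "exp": now + 300}
    good = issue_token(key, base)
    header_b64, _, sig_b64 = good.split(".")
    # Payload edited after signing: the signature no longer matches.
    tampered = f"{header_b64}.{_segment({**base, 'sub': 'mallory'})}.{sig_b64}"
    # Unsigned token claiming alg "none": rejected before any signature work.
    alg_none = f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment({**base, 'sub': 'mallory'})}."
    return {
        "valid": outcome(key, good, now),
        "tampered_payload": outcome(key, tampered, now),
        "alg_none": outcome(key, alg_none, now),
        "other_audience": outcome(key, issue_token(key, {**base, "aud": "some-other-app"}), now),
        "expired": outcome(key, issue_token(key, {**base, "exp": now - 1}), now),
        # Whoever holds the key is indistinguishable from the IdP to these checks.
        "stolen_key": outcome(key, issue_token(key, {**base, "sub": "bob"}), now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The `stolen_key` case is the one the comment is about: every check passes, because possession of the key is the only thing the protocol can verify. With a shared-secret scheme like HS256 the relying party holds that key too, so its own key custody is part of the attack surface; production IdPs publish asymmetric public keys (for example via a JWKS endpoint) so the relying party holds nothing that can forge a token, which is the hard part being handed off.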
lmm 2 days ago

> Someone must have paid a lot of money to promote that idea.

I doubt it. Once you notice how bad the median enterprise IT operation is at running an IdP the idea promotes itself.
axus 2 days ago

But I really like checking my email without signing in to a VPN.
imtringued 2 days ago

I don't understand the problem. The incentives seem to be aligned. The IdP company makes money off their security product. This means they are more likely to invest into security, because it's their business that is at stake. Meanwhile the average company doesn't make money off a secure authentication flow. They make money from selling their SaaS product. Their goal is to spend as little on security as possible.