> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how the OIDC-conformant pipeline affects your use of Single Sign-On (SSO).

# Single Sign-On with OIDC

In the context of the OIDC-conformant authentication pipeline, single sign-on (<Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one applicaton, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=SSO">SSO</Tooltip>) must happen at the <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one applicaton, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=authorization+server">authorization server</Tooltip> (i.e., Auth0) rather than the application, which means that you must employ <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip> and redirect users to the login page. To learn more, read [Universal Login](/docs/authenticate/login/auth0-universal-login) and [Single Sign-On](/docs/authenticate/single-sign-on).

At a general level, when performing SSO:

1. If the user is not logged in locally, you should redirect them to your Auth0 login page (`/authorize`) for authentication using a redirect-based flow, such as the [Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow) or [Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post), depending on the type of application.
2. If the user was already logged in through SSO, Auth0 will immediately authenticate them without needing to re-enter credentials.

To determine whether users are logged in via SSO, use silent authentication, which either re-authenticates a user if they are already logged in or returns an error if they need to authenticate. In the legacy authentication pipeline, this could be achieved by using the `/ssodata` endpoint, which is deprecated in the OIDC-conformant pipeline. To learn more about how to configure silent authentication, read [Configure Silent Authentication](/docs/authenticate/login/configure-silent-authentication).

## Learn more

* [Access Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens)
* [External APIs with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-apis)
* [Authorization Code Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow)
* [Client Credentials Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-client-credentials-flow)
* [Delegation with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-delegation)
* [Refresh Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-refresh-tokens)