Federated Single Sign-On (SSO) & Cross-Domain Authentication Hub

Posted on by Brett Kraiger

The Login Maze That Was Killing Our Productivity

Picture this: You're managing multiple brands under one roof. Your morning routine involves checking a dashboard on one domain, approving content on another, reviewing analytics on a third.

Each one asks you to log in. Again. And again.

The first time, you type your password carefully. By the third login of the day, you're fumbling for your password manager. By the tenth, you're just… not checking anymore. That analytics dashboard you built? Barely used. The approval workflow you spent weeks perfecting? People are finding workarounds.

This was our reality. We had built excellent internal tools across different brands and domains, but they felt like scattered islands. The cognitive load of managing multiple logins meant our team simply stopped using half of them.

The irony? These weren't external apps we couldn't control. These were our tools, built for our team. Yet the authentication layer made them feel like strangers to each other.

The problem seemed fundamental: browsers don't share cookies across different domains. It's a security feature, not a bug. But it was fragmenting our entire internal ecosystem.

I built a solution that makes logging in once actually mean once – across all our domains, all our brands, all our tools.

This week, I'll break down how this transformed our internal platform experience and why the technical "impossibility" wasn't so impossible after all.

The Login Wall Killing Your Internal Operations

I recently solved a problem that was costing teams hours every week – but the real impact went far beyond time savings.

The problem: When your internal tools live on different domains (analytics dashboard, content approval system, reporting tools), your team hits a login wall at every turn. Standard web technology doesn't allow authentication to cross these boundaries. So employees log in, switch tools, log in again, check a dashboard, log in again.

The friction compounds. People stop checking the tools they need. Data sits unused. Approvals slow down. Your investment in internal systems degrades because the access layer makes them feel scattered and disconnected.

What I Built

I developed a federated authentication hub that creates a "log in once, access everything" experience across completely separate domains – without rewriting existing tools or forcing everything onto one domain.

The Business Impact

Immediate returns:

  • Authentication friction reduced from 8+ logins daily to one
  • Tool adoption increased as barriers disappeared
  • 15-20 minutes saved per employee, per day (that's 65+ hours annually per person)

Strategic advantages:

Your disconnected tools now feel like an integrated enterprise platform. This matters when you're competing for talent – internal experience is a differentiator. It matters when scaling – new tools plug into the ecosystem seamlessly. It matters for security – centralised authentication means centralised control and audit trails.

Where This Creates Value

Multi-brand operations: Imagine running three brands, each with their own domain and tools. Your team shouldn't need three logins to do their job.

Agency environments: Picture managing client dashboards, internal reporting, and content systems – all requiring separate credentials. That friction disappears.

Enterprise micro-services: Teams building modular applications can maintain separation without sacrificing user experience.

The Bottom Line

The complexity gap between "this should be simple" and "this is technically impossible" is where competitive advantages hide.

Solving cross-domain authentication didn't just save time – it transformed a collection of utilities into a cohesive platform, improved tool adoption, and created infrastructure that scales with the business.

101 Automations

Sometimes the highest ROI isn't in building new features. It's in removing the barriers to using what you already have.

What internal friction is limiting your team's effectiveness?

The tools you ignore are the tools you don't trust to be easy

Your team isn't avoiding that analytics dashboard because they don't care about the data.

They're avoiding it because they have to log in again.

We discovered this building a federated authentication system across our internal platforms. The technical challenge was interesting – cross-domain cookies, federation protocols, one-time tokens – but the real insight was behavioural:

Friction doesn't just slow people down. It creates selective blindness.

When accessing a tool requires even 30 seconds of re-authentication, your brain starts calculating: "Is checking this worth the interruption?" Most of the time, unconsciously, you decide it isn't. The dashboard goes unchecked. The approval sits pending. The insight remains undiscovered.

We think of internal tools as "available" if they exist and function. But availability isn't binary – it's a spectrum. Every login screen, every context switch, every minor obstacle moves a tool further along that spectrum from "seamlessly integrated" toward "technically accessible but functionally invisible."

The breakthrough wasn't making our tools better. It was removing the walls between them so they felt like one coherent system instead of a collection of separate utilities.

This applies beyond authentication. Every small barrier you tolerate – the export-then-import workflow, the manual data copy, the "quick" Slack question to get a number – is quietly training your team what to ignore.

The most valuable automation isn't always the one that saves the most time. Sometimes it's the one that removes the friction that was making people avoid the right action entirely.

What are your teams avoiding because it's just slightly too annoying to access?

The Authentication Problem Nobody Talks About (Until It's Too Late)

I recently built a Federated SSO system that solves a specific headache: what happens when your internal tools live across completely different domains, and your team is sick of logging in 15 times a day?

Standard cookies don't work across unrelated domains. OAuth feels like using a sledgehammer for a thumbtack. So I built something in between – a redirect-chain federation that creates true "log in once, everywhere" access.

Here's where this approach makes the most sense:

Digital Agency Managing Client Microsites

Your agency runs internal dashboards, analytics tools, and content managers – some on your .agency.com domain, others embedded within client domains like .retailclient.com and .healthcareclient.org. Each tool requires separate logins, slowing down your team and creating security gaps when contractors leave.

With federated SSO, one authentication spreads seamlessly across all domains. Your content team logs in once at 9 AM and has instant access to every client CMS without re-authenticating.

Enterprise with Distributed Micro-Frontends

Your organisation has modernised into micro-frontends: HR tools on .people-platform.com, finance dashboards on .finance-hub.com, and operations apps on the main .company.com. Each team built their own auth, creating an authentication nightmare.

The federation hub becomes your single identity provider. Employees authenticate once, and the system securely propagates that session across every micro-frontend domain, regardless of who built it or where it's hosted.

SaaS Platform with White-Label Deployments

You offer a multi-tenant platform where enterprise clients get their own branded domains: analytics.clienta.com, analytics.clientb.com, etc. Your internal admin team needs access to all client instances, but logging into each separately is untenable.

One admin login grants federated access across every client domain. Your support team can jump between customer environments seamlessly while maintaining proper security boundaries.

Developer Consolidating Internal Utilities

You've built a collection of helpful internal tools over the years – deployment dashboards, database viewers, API testing interfaces – scattered across various domains and subdomains, each with its own basic auth or API key system.

Rather than implementing full OAuth everywhere, the federation hub wraps them all with consistent, secure authentication that actually works across your fragmented infrastructure.

The common thread? When your tooling lives across multiple top-level domains and OAuth feels like overkill, federated SSO bridges the gap between "too simple" and "too complex."

Building a Federated SSO System: Cross-Domain Authentication Without Third-Party Services

I recently built a centralised Single Sign-On platform that solves one of web authentication's thorniest problems: sharing authenticated sessions across completely unrelated top-level domains. When you have internal tools scattered across .company-a.com and .company-b.org, standard cookie-based auth breaks down. Here's how I architected around it.

The Core Challenge

Browsers isolate cookies by domain. You can't set a cookie on tool.domain-a.com from auth.domain-b.com. Third-party cookies are dying, and SharedWorkers don't cross TLDs. The solution? A redirect-chain federation protocol that turns the browser itself into a secure token courier.

Architecture Overview

The system consists of three layers:

1. Central Identity Provider (IdP) – A Node.js/Express application that handles all authentication logic. Users log in once here, and it becomes the source of truth for identity.

2. Federation Receivers – Lightweight endpoints deployed on each satellite domain that can receive and validate federation tokens, then set local auth cookies.

3. Auth Check Middleware – Universal Express middleware that protects routes and triggers the federation flow when needed.

The Federation Flow

When a user visits a protected resource on any domain:

  1. Auth Check Middleware detects missing local cookies and redirects to the central IdP
  2. IdP validates the user's session (or prompts login if needed)
  3. IdP generates a one-time federation token with short TTL (30-60 seconds)
  4. Redirect chain begins: IdP redirects to the Receiver on the original domain with the token as a URL parameter
  5. Receiver validates the token against the IdP via backend API call
  6. Receiver sets HttpOnly, Secure, SameSite=Lax cookies for its domain
  7. Final redirect returns the user to their original destination, now authenticated

Key Technical Implementations

Wildcard Cookie Strategy – Cookies are set at the parent domain level (.domain-a.com) to automatically cover all subdomains, eliminating per-subdomain setup.

One-Time Token Security – Federation tokens are single-use with 60-second expiry, stored in Redis with automatic cleanup. After validation, they're immediately destroyed.

CORS Management – Explicit CORS policies allow the Receiver → IdP validation calls while blocking other cross-domain requests.

HttpOnly + SameSite Enforcement – All auth cookies use HttpOnly (XSS protection), Secure (HTTPS-only), and SameSite=Lax (CSRF mitigation) flags.

The result: users authenticate once and gain seamless access to 15+ internal tools across 4 different domains, without ever seeing another login screen. No dependency on external auth providers, complete control over the security model, and sub-200ms federation handshakes.

Building a Federated SSO System: The Critical Decisions That Matter

When your internal tool sprawl reaches the point where engineers complain about logging into seven different systems, you face a choice: buy an enterprise SSO solution or build federation yourself. Here's how to think through building cross-domain authentication that actually works.

The Problem Detection Signal

The real indicator isn't just "multiple logins are annoying" – it's when authentication becomes a barrier to tool adoption. If developers skip using valuable internal tools because they can't remember credentials, or if onboarding takes days because of access provisioning across systems, you have a strategic problem, not just a convenience issue.

The Build vs Buy Decision

Enterprise solutions like Okta solve this, but at what cost? For internal tools with full control over the codebase, building federation might be faster than integrating a third-party IdP into legacy systems. The key question: Do you control the authentication layer of your satellite applications? If yes, custom federation is viable. If no, you're fighting uphill.

Architecture: The Token Handoff Problem

Cross-domain authentication breaks down to one challenge: how do you prove identity across domains without sharing session cookies? Browsers won't let tools.company.com read cookies from admin.company.com.

The redirect chain pattern solves this: your IdP generates one-time tokens, redirects users to the target domain with the token in the URL, and the receiver exchanges it for a local session. The critical decision here is token lifetime – too long creates security exposure, too short causes race conditions with slow networks.

Security: Where to Draw the Line

HttpOnly and SameSite cookies aren't optional – they're fundamental. But what about HTTPS enforcement? In pure internal environments behind a VPN, you could skip it. Don't. The added complexity is minimal, and habits formed in internal systems leak into production code.

The more nuanced question: Do federation tokens need cryptographic signatures, or is randomness + short TTL + single-use enough? For internal tools, the latter often suffices. Save the JWT overhead for external integrations.

Integration Strategy: The Middleware Question

Your federation is only valuable if adoption is effortless. The decision to build a universal auth middleware that any Express app can import with three lines of code determines whether you get 100% adoption or 30%.

Don't make engineers read documentation – make the secure path the easy path. If adding SSO to a new tool takes longer than 5 minutes, you've failed the developer experience test.

The Human-in-the-Loop Trade-off

Should account creation require approval? For internal tools, probably not – if someone has network access, automate their provisioning. Friction kills adoption faster than security risks in controlled environments. Save approval workflows for external access.

The real insight: federation isn't about authentication technology – it's about removing barriers while maintaining control.

When Your Team Stops Using Your Tools (Because They Can't Remember 12 Passwords)

I built a Federated Single Sign-On system that solved what seemed like a simple annoyance – multiple logins across our internal tools – but turned out to be killing our operational efficiency.

The Real Problem

Our team had internal dashboards, approval queues, analytics panels, and scheduling tools scattered across different domains. Each required separate authentication. The friction wasn't just annoying – it was a barrier that made people avoid using the tools entirely.

When checking analytics means logging in again, people stop checking analytics. When approving content requires another password, approvals get delayed. The tools weren't the problem. Access was the problem.

The Technical Challenge

Standard cookies don't work across unrelated top-level domains (like .yalldigital.com and .buylocal.org.nz). You can't just "share" authentication state.

I built a cross-domain federation protocol using a redirect-chain flow with one-time validation tokens. One central identity provider, multiple "receiver" instances on satellite domains. Log in once, and secure tokens automatically set local authentication cookies across every domain.

True "Log In Once, Everywhere."

The Transformation

Before: A loose collection of utilities that felt disconnected. High friction. Low utilisation.

After: A cohesive platform experience that feels like a single enterprise application. Tools actually get used because access is invisible.

The insight that drove this: Internal team experience directly impacts operational efficiency. When your tools have walls between them, your team builds walls in their workflow too.

Beyond Efficiency

This wasn't just about saving 30 seconds per login. It created:

  • Strategic positioning: Our internal platform now scales across brands without access friction
  • Security improvement: Centralised authentication means centralised security policies
  • Cultural shift: Tools went from "that thing I have to use" to "part of our platform"

The best automation projects don't just speed things up – they remove barriers you didn't realise were shaping behaviour.

Facing a similar challenge with fragmented internal tools? I'm always interested in discussing authentication architecture and cross-domain automation patterns.


101 Automations

Related Posts

AI-Powered Website Audit Engine

You know the moment: someone requests a free website audit, and your heart sinks a little.

Not because you don’t want to help. Because you know what’s coming.

You’ll spend an hour – maybe two – clicking through their site, taking notes, trying to articulate why something feels off. You’ll mention their slow load time, their buried contact form, the way their homepage tries to say everything and ends up saying nothing.