by dswalter 720 days ago
I'm largely in favor of SSO, but it's not without its downsides, going beyond capital costs: SSO can also be implemented in a way that introduces an onerous latency tax when using services.
3 comments

Because of proxying? SSO (SAML/OAuth2) is usually implemented with a token, like normal auth. There should be no penalty aside from login.

> SSO can also be implemented in a way

Unless you're more specific, I'm going to assume that that "way" is the wrong way.

Initial login shouldn't add more latency than a couple web redirects. The authentication token/assertion should be validated only once and not be needed until it expires or the user logs out.

I’m not sure about that beyond login. That said, Okta has gotten reasonably good when you have a Yubikey, so I’ve stopped complaining about it.
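The "validate once, then reuse until expiry or logout" pattern from the second reply, sketched as an added example that is not part of the thread. The HMAC-signed token stands in for a SAML assertion or OAuth2 token, and `idp_issue`, `ServiceProvider` and the demo key are hypothetical names; tying the session lifetime to the assertion's expiry is an assumption made for brevity.

```python
import base64, hashlib, hmac, json, secrets

IDP_KEY = b"constructed-demo-key"  # assumption: shared key stands in for the IdP's signing key

def idp_issue(user, ttl, now):
    """Constructed stand-in for an IdP: returns b'<payload>.<signature>'."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user, "exp": now + ttl}).encode())
    return payload + b"." + hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest().encode()

class ServiceProvider:
    def __init__(self):
        self.sessions = {}        # session id -> (user, expiry)
        self.verifications = 0    # how many times the assertion was cryptographically checked

    def login(self, assertion, now):
        """The only place the signed assertion is verified."""
        self.verifications += 1
        payload, _, sig = assertion.rpartition(b".")
        expected = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["exp"] <= now:
            raise PermissionError("assertion expired")
        sid = secrets.token_urlsafe(32)               # unguessable local session id
        self.sessions[sid] = (claims["sub"], claims["exp"])
        return sid

    def handle_request(self, sid, now):
        """Per-request path: a local lookup only, no signature check, no IdP round trip."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, exp = entry
        if exp <= now:                                # expired: force a fresh login
            del self.sessions[sid]
            return None
        return user

    def logout(self, sid):
        self.sessions.pop(sid, None)
```
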