Single-Sign-On (SSO) process authenticates recognized users and opens access to multiple applications, to which they have been granted rights. Logging in the first time authorizes the users to access all applications and enables them to switch between them as needed. The users then don’t need to enter their password each time. This lasts until the Users log out of the session.
For SSO to work with SharePoint and related applications, all of them must be in the same Intranet Zone where by default the Windows logon credentials are shared. If an application lies in the Extranet Zone or in the Internet Zone, then its users will be prompted for password each time they try to access it.
With the help of Claims Based Authentication (CBA) and Active Directory Federation Services (AD FS) in SharePoint 2013, Users are provided with an SSO capability allowing them to use the data and applications they need. Users’ credentials are stored in an encrypted format within an SSO credentials database. These are passed on to the backend enterprise applications on behalf of the Users whenever they try to access an application.