single sign on (sso) laravel

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Achieving Seamless Single Sign-On in Multi-App Laravel Environments

As a senior developer working with multi-application setups in Laravel, you've hit upon one of the most common and challenging architectural problems: implementing true Single Sign-On (SSO) where authentication flows seamlessly between different applications hosted on the same server. The desire to log into Site A and instantly be logged into Site B is completely valid, but as you’ve experienced with SAML and other packages failing, it often signals that the solution lies not in complex external federation protocols, but in mastering how Laravel manages internal session state.

This post will dissect why traditional SSO solutions can be overly complicated for same-server applications and provide a practical, robust method for achieving true cross-site authentication using native Laravel features.

Why External SSO Solutions Often Fail Internally

You mentioned trying SAML and OpenID protocols. These are designed primarily for federating trust between separate domains (e.g., logging into Google and having it automatically grant access to a third-party service). When all your applications reside on the same server, you don't need external federation; you need internal session synchronization.

The reason many packages fail in this scenario is that they assume an external identity provider exists. Your issue isn't with the SAML configuration itself, but rather how Laravel’s built-in Session and authentication guards handle state persistence across completely independent route calls when those routes are conceptually separate applications.

When you try to manually manage sessions using file storage (as seen in your example) or custom session IDs between distinct requests, you introduce fragility. The core principle must be: All applications share a single, authoritative source of user identity.

The Recommended Approach: Centralized Session Management

Since all three Laravel applications reside on the same server, the most reliable and efficient method for SSO is to establish a single point of truth for user authentication and session storage. This means Site A becomes your Identity Provider (IdP), and Site B acts as a Service Provider (SP) that trusts the session established by Site A.

Strategy: Using Database Sessions

Instead of relying on file storage which is easily corrupted and difficult to scale, leverage Laravel's Eloquent capabilities to store user sessions in your database. This ensures that when any application requests session data, it queries the same source of truth.

Step 1: Centralize Authentication (Site A)
Ensure Site A handles all login and stores the resulting authenticated user details in the database. Use Laravel’s built-in authentication scaffolding to manage this cleanly.

Step 2: Session Sharing (The Bridge)
When a user successfully logs into Site A, instead of just setting a standard session cookie, you need to create or update a cross-application token/session marker.

For simple SSO on the same server, you can use Laravel's session mechanism coupled with a unique identifier that links all sessions. If you are using Sanctum or standard web sessions, ensure that when a user logs in via Site A, their authenticated status is persisted robustly.

If you must pass information between routes (as your example suggests), the best practice is to use an encrypted token stored in the session, which both applications can validate against. This moves the responsibility from external protocols back into controlled application logic.

Refined Code Example Concept

Instead of passing raw file paths, let's conceptualize how Site B would verify a session established by Site A:

Site B (Web Route Logic)

use Illuminate\Support\Facades\Session;
use Illuminate\Support\Facades\Auth;

Route::get('/', function () {
    // 1. Check if an SSO token exists in the session
    if (!Session::has('sso_token')) {
        return redirect('/login'); // Redirect to standard login if no SSO established
    }

    $ssoToken = Session::get('sso_token');

    // 2. Validate the token against a secure source (e.g., database lookup)
    // In a real application, this would involve validating a JWT or encrypted payload
    if (!Auth::check()) {
        // If the session is valid but the user isn't authenticated locally (error state)
        return redirect('/error');
    }

    // 3. If validation passes, ensure the user context is correct (optional but good practice)
    $user = Auth::user();
    
    // Set the site-specific session data based on the verified identity
    Session::put('site_b_user_id', $user->id);

    return view('welcome');
});

This approach decouples the applications slightly while ensuring that all authentication decisions flow back to a single user record managed by your central database. For more advanced token management, exploring how Laravel handles API tokens can provide a solid foundation for secure cross-application communication, aligning with best practices promoted by resources like laravelcompany.com.

Conclusion

Achieving SSO without complex external federation protocols on a same-server setup boils down to robust internal session management. Abandon the pursuit of an external SAML solution if your scope is internal. Instead, focus on creating a centralized authentication mechanism in Site A and ensure that Site B trusts the authenticated state passed through secure, verifiable tokens or session markers. By treating all applications as components of a single system governed by one identity source, you can build a seamless user experience without running into infinite exceptions.