VDR glossary · Security

Single sign-on SSO

Letting users reach the data room through their existing corporate identity provider instead of a separate password.

Single sign-on, usually shortened to SSO, lets a person reach a virtual data room using the identity they already have with their employer instead of creating and remembering a separate password for the room. When SSO is enabled, the data room hands the login step off to a trusted identity provider such as Microsoft Entra ID, Okta, or Google Workspace. The user proves who they are once to that provider, and the room accepts that verified identity through a standard protocol like SAML 2.0 or OpenID Connect. Nothing about who can see which files changes; SSO only governs how a user is authenticated at the door, after which the room’s own permission rules take over.

How does single sign-on work in a data room?

SSO splits two jobs that a password normally bundles together: proving identity and granting access. The identity provider owns the first job, and the data room owns the second. When a user clicks into the room, the room redirects the browser to the corporate login page, the provider checks the credentials (often adding two-factor authentication of its own), and it returns a signed assertion confirming the user’s verified email and, sometimes, their group membership. The room trusts that signature and opens a session.

How single sign-on authenticates a data room userA user is redirected from the data room to their corporate identity provider, verifies once, and returns with a signed assertion that opens a room session.User opensthe data roomIdentity providerverifies onceRoom sessionopensredirectsigned assertion

Because the room never stores the password, revoking someone’s access can be as fast as disabling their account in the corporate directory, and every room they touch closes at once.

Why does SSO matter for M&A and due diligence?

In a live deal the biggest access risk is not a broken password; it is a valid password that outlives the person’s need for it. An analyst leaves the advisory firm, a junior rotates off the deal, or a laptop is lost, and a standalone room login can quietly stay active for weeks. SSO closes that gap. Because access is tied to the employer’s directory, deprovisioning a leaver in one place instantly removes their route into every deal room. SSO also raises the baseline: password policies, session timeouts, and phishing-resistant multi-factor prompts are enforced centrally rather than left to each user. For buy-side and sell-side teams running due diligence under a purchase agreement’s confidentiality clauses, that centralized control is often a procurement requirement, not a nicety. It does not replace the room’s own access controls; SSO decides who gets in the door, while roles and per-file rules still decide what they see once inside.

A concrete example

A private equity firm invites its legal, tax, and financial advisers into a target’s data room. Rather than issuing forty individual room passwords, the firm connects each adviser’s Okta or Entra tenant. Advisers log in with their normal work credentials, and their role-based access control assignment (legal sees the contracts folder, tax sees the returns) is applied automatically. Midway through the deal an associate resigns. Their firm disables the account that evening, and the next morning they can no longer reach the room, with no email to the seller and no permission to manually revoke. That is SSO doing its quiet job.

How should you evaluate SSO in a VDR?

Not every provider means the same thing by “SSO.” Use this checklist when comparing options.

CapabilityBasic offeringStrong offering
ProtocolsProprietary or Google onlySAML 2.0 and OpenID Connect
Provider supportOne identity providerEntra ID, Okta, Ping, Google, and custom
ProvisioningManual invite per userSCIM auto-provision and deprovision
EnforcementOptional per userMandatory for a whole workspace
Guest handlingSSO for internal staff onlySSO plus secure options for external guests
PricingLocked to top tier onlyAvailable across relevant plans

The most common mistakes are assuming SSO is included when a provider gates it behind an enterprise tier at extra cost (pricing here is indicative, confirm with the provider), enabling it for internal staff while outside advisers still use weak standalone logins, and skipping SCIM so that leavers are removed from the directory but not from the room. For a fuller picture, see our VDR security features checklist and the deeper walkthrough in virtual data room security. When SSO is a deciding factor, our side-by-side comparisons show which providers support it natively, and each provider review records what we confirmed in hands-on testing.

FAQ

Is single sign-on the same as two-factor authentication? No. SSO is about where you authenticate, letting one trusted identity provider vouch for you across many applications. Two-factor authentication is about how strongly you authenticate, adding a second proof such as a one-time code. They work best together: SSO routes the login to a provider that then enforces a second factor, so the room inherits both the convenience and the stronger check.

Does SSO make a data room more or less secure? More secure when configured well, because access is centralized, password reuse drops, and revoking a leaver is immediate. The trade-off is concentration: if the identity provider account itself is compromised, it can unlock everything, which is exactly why phishing-resistant multi-factor on the provider side matters.

Can outside advisers use SSO for a data room? Often yes. Many rooms let external firms connect their own identity provider, so advisers log in with their own corporate credentials. Where an outside party has no compatible provider, the room should still offer a secure standalone login with mandatory two-factor authentication rather than a plain password.