Putting it Together - without Single sign-on
If a user wants to access an application but is not logged in to that application (i.e. has not yet established a session), the user will generally go to the application and click a 'login' button. At this point, the application needs to identify the user. In a typical scenario, the application will ask the user to sign on, that is, to enter their credentials. If the credentials are valid, the application will set up a session, and the user is now logged in. If that user subsequently goes to another application, the same steps have to be followed, with the user entering their (possibly different) credentials for every application.
Adding in Single Sign-On
When a single sign-on system such as Earthdata Login is used, this changes. As before, if a user wants to access an application, but is not currently logged in to that application, the user will go to the application and click a 'login' button to do so. The application now needs to identify the user, but instead of asking the user for credentials, it asks Earthdata Login to identify the user. There are two different scenarios for what happens next:
If the user has not recently signed in using Earthdata Login, then Earthdata Login will ask the user for their credentials. If the credentials are valid, Earthdata Login will tell the application who the user is, and the application can now set up the session: the user is logged in. This scenario is similar to the one without single sign-on, with the exception that the user provides the credentials to Earthdata Login, and not to the application.
The other scenario occurs when the user has recently signed in using Earthdata Login. For example, they have used the Earthdata Login GUI, or have already logged in to an application that uses Earthdata Login single sign-on as described in the above scenario. In this case, Earthdata Login already knows who the user is, so when the application asks Earthdata Login to identify the user, it can simply tell the application who the user is without needing to request the user's credentials again. Thus the user effectively logs in to the application without needing to provide any username or password.
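The two scenarios above can be modelled in a few lines. This is an added illustration, not Earthdata Login's code or API: the class names, cookie names and the sample account are hypothetical, and the browser redirect to the sign-on service is reduced to a direct method call.

```python
import hashlib, hmac, secrets

class Browser:
    """The user's browser: holds cookies and what the user types if prompted."""
    def __init__(self, username, password):
        self.cookies, self._typed = {}, (username, password)
    def prompt(self):
        return self._typed

class IdentityProvider:
    """Toy single sign-on service (constructed model, not a real API)."""
    def __init__(self, users):
        self._users, self._sso, self.prompts = {}, {}, 0
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, self._hash(pw, salt))  # no plaintext kept
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def identify(self, browser):
        user = self._sso.get(browser.cookies.get("sso"))
        if user:                       # scenario 2: SSO session already exists
            return user
        self.prompts += 1              # scenario 1: the service asks, not the app
        name, pw = browser.prompt()
        salt, stored = self._users.get(name, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._hash(pw, salt), stored):
            return None
        browser.cookies["sso"] = secrets.token_urlsafe(32)
        self._sso[browser.cookies["sso"]] = name
        return name

class Application:
    def __init__(self, name, idp):
        self.name, self.idp, self.sessions = name, idp, {}
    def login(self, browser):
        user = self.idp.identify(browser)  # app delegates; never sees the password
        if user is not None:
            sid = secrets.token_urlsafe(32)   # the app's own, separate session
            self.sessions[sid] = user
            browser.cookies[self.name] = sid
        return user

def demo():
    idp = IdentityProvider({"alice": "correct horse"})    # constructed account
    app_a, app_b = Application("app_a", idp), Application("app_b", idp)
    browser = Browser("alice", "correct horse")
    first, second = app_a.login(browser), app_b.login(browser)
    return first, second, idp.prompts, len(app_a.sessions) + len(app_b.sessions)
```

Each application still holds its own session; only the credential check is centralised, which is why the second login completes without a prompt.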