diff --git a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java
index f9916daae..bf9020ab5 100644
--- a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java
+++ b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java
@@ -132,6 +132,22 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
 }
 return certificate;
 }
+
+ @Override
+ public Certificate authenticateSingleSignOn(Object data) {
+ assertContainerStarted();
+ Certificate certificate = this.privilegeHandler.authenticateSingleSignOn(data);
+ StrolchRealm realm = getContainer().getRealm(certificate);
+ try (StrolchTransaction tx = realm.openTx(certificate, StrolchPrivilegeConstants.LOGIN)) {
+ tx.setSuppressDoNothingLogging(true);
+ tx.setSuppressAudits(true);
+ // the id should be set with the username!! But how to get from data?
+ Audit audit = tx.auditFrom(AccessType.CREATE, StrolchPrivilegeConstants.PRIVILEGE,
+ StrolchPrivilegeConstants.CERTIFICATE, "sso");
+ tx.getAuditTrail().add(tx, audit);
+ }
+ return certificate;
+ }
 
 @Override
 public PrivilegeContext validate(Certificate certificate) throws PrivilegeException {
diff --git a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java
index adc055c4f..6c4a8dc18 100644
--- a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java
+++ b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java
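Review bot: The audit record written in authenticateSingleSignOn uses the literal `"sso"` as the element id, so the audit trail for SSO logins carries no user attribution, even though the `certificate` returned by the delegate already identifies the authenticated user; the in-code comment asking how to get the id from `data` can be resolved without inspecting `data` at all. Pass the certificate's user name instead, e.g. `StrolchPrivilegeConstants.CERTIFICATE, certificate.getUsername());` (presumably the same accessor the existing password-based audit uses; confirm against the `authenticate` method above the hunk), and drop the `!!` comment. `data` is an untyped object handed in from an external SSO flow, so a one-line Javadoc on the override such as `/** Delegates validation of the SSO {@code data} entirely to the configured privilege handler; only the audit entry is added here. */` would make the trust boundary explicit. The enclosing class continues outside the hunk.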
@@ -42,6 +42,19 @@ public interface PrivilegeHandler {
 * @see li.strolch.privilege.handler.PrivilegeHandler#authenticate(String, char[])
 */
 Certificate authenticate(String username, char[] password);
+
+ /**
+ * Authenticates a user on a remote Single Sign On service. This is implemented by the
+ *
+ * @param data
+ * the data to perform the SSO
+ *
+ * @return the {@link Certificate} for the user
+ *
+ * @throws PrivilegeException
+ * if something goes wrong with the SSO
+ */
+ Certificate authenticateSingleSignOn(Object data) throws PrivilegeException;
 
 /**
 * Returns the {@link PrivilegeContext} for the given certificate
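Review bot: The Javadoc added for authenticateSingleSignOn breaks off mid-sentence (`This is implemented by the`), so the part of the contract readers most need — what `data` is and who is responsible for validating it — is missing. Suggest completing the summary along the lines of `Authenticates a user against a remote Single Sign On service. The concrete type of {@code data} is defined by the configured SSO implementation, which must validate it before a {@link Certificate} is issued.` and making `@param data` read `the implementation-specific SSO token or assertion to validate`. The `@throws PrivilegeException` entry should also say that invalid or unverifiable {@code data} is rejected with this exception rather than by returning {@code null}, if that is the intended contract.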