Secure single sign-on to software applications

What is claimed is: 1. A computer-implemented method for facilitating single sign-on to third-party applications on a client device, the method comprising: receiving a security policy of an organization to which a user of the client device belongs; receiving, by an identity provider (IDP) from a remote third-party application being used on the client device by the user, a request for identity verification of the user; generating, by the IDP, a token comprising a public token portion and a corresponding private token portion; providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language; requesting, by the client script, the token; receiving, by the client script from the IDP, the token; requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device; identifying, by the operating system of the client device querying a service running at the network domain of specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain; verifying, by the trusted broker application, that the remote third-party application is authorized for use with single sign-on, and that the client device conforms to the security policy; providing, by the trusted broker application to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the remote third-party application and that the client device conforms to the security policy; associating, by the IDP, the public token portion with the user; and initiating, by the identity provider, authentication of the user by the remote third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the remote third-party application. 2. A computer-implemented method for facilitating single sign-on to third-party applications, the method performed by a client device and comprising: receiving a security policy of an organization to which a user of the client device belongs; receiving a request from the user to initiate single sign-on to a third-party application; requesting an identity provider (IDP) to verify an identity of the user; and responsive to requesting the IDP to verify the identity of the user: receiving a client script from the IDP; requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device; identifying, by the operating system of the client device querying a service running at the network domain of specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain; verifying, by the trusted broker application, that the user is authorized to use single sign-on with the third-party application, and that the client device conforms to the security policy; and providing, by the trusted broker application to the IDP, an indication that the user is authorized to use single sign-on with the third-party application and that the client device conforms to the security policy. 3. The computer-implemented method of claim 2 , further comprising obtaining, by the client script from the IDP responsive to requesting the IDP to verify the identity of the user, a token comprising a public token portion and a corresponding private token portion. 4. The computer-implemented method of claim 3 , further comprising providing, by the trusted broker application to the IDP along with the indication that the user is authorized, the public token portion. 5. The computer-implemented method of claim 4 , further comprising: the trusted broker application of the client device polling the IDP to determine whether the user has been verified to be authorized to use the third-party application, the polling comprising the trusted broker application providing the IDP with the private token portion. 6. The computer-implemented method of claim 2 , further comprising: responsive to receiving a notification from the IDP that the user is authorized to use the third-party application, invoking the third-party application. 7. The computer-implemented method of claim 6 , wherein invoking the third-party application uses an application uniform resource locator interpreted by an operating system of the client device. 8. The computer-implemented method of claim 6 , further comprising: receiving, by the third-party application from the IDP, an initiation of an authentication flow, the initiation comprising an indication of verification that the user is authorized to use single sign-on with the third-party application. 9. A non-transitory computer-readable storage medium storing instructions that when executed by a computer processor of a client device perform actions comprising: receiving a security policy of an organization to which a user of the client device belongs; receiving, by an identity provider (IDP) from a remote third-party application being used on the client device by the user, a request for identity verification of the user; generating, by the IDP, a token comprising a public token portion and a corresponding private token portion; providing, by the IDP to the remote third-party application, a client script implemented in a browser scripting language; requesting, by the client script, the token; receiving, by the client script from the IDP, the token; requesting, by the client script, invocation of an application of the client device to perform verification of the identity of the user, the invocation using an authenticatable link specifying a network domain and being interpreted by an operating system of the client device; identifying, by the operating system of the client device querying a service running at the network domain of specified by the authenticatable link, that a trusted broker application of the client device is an application registered by the network domain for use with the network domain; verifying, by the trusted broker application, that the remote third-party application is authorized for use with single sign-on, and that the client device conforms to the security policy; providing, by the trusted broker application to the IDP, the public token portion and an indication that the user is authorized to use single sign-on with the remote third-party application and that the client device conforms to the security policy; associating, by the IDP, the public token portion with the user; and initiating, by the identity provider, authentication of the user by the remote third-party application, the initiating comprising sending an identifier indicating verification of an identity of the user to the remote third-party application. 10. The non-transitory computer-readable storage medium of claim 9 , the actions further comprising: the trusted broker application of the client device polling the IDP to determine whether the user has been verified to be authorized to use the third-party application, the polling comprising the trusted broker application providing the IDP with the private token portion. 11. The non-transitory computer-readable storage medium of claim 9 , the actions further comprising: responsive to receiving a notification from th