It's not a password store; SSO services like OneLogin are federated services that authenticate users with encrypted tokens. In a SAML transaction, or with OAuth, a username/password combination is never exchanged. How is this better, aside from user experience? For starters, the ability to disrupt access benefits from a single point rather than having to change passwords in every app. It also benefits from relying on a credential from a directory service that can then be used to provision access within the target application, which means you can have more granular role-based or dynamic access based on metadata like time of day or geolocation.
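A minimal sketch of the flow described above, added here as an illustration; it is not part of the original comment and not OneLogin's code. The identity provider checks the directory entry and the time-of-day and geolocation policy, then signs a short-lived assertion that the application verifies without ever seeing a password. Assumptions: an HMAC with a shared demo key stands in for the signature a real SAML assertion or OAuth token carries, and the directory entries, role names and function names are constructed.

```python
import base64, hashlib, hmac, json

IDP_KEY = b"constructed-demo-key"  # stand-in for the IdP signing key (assumption)

# Constructed directory entries: the single place where access is granted or cut.
DIRECTORY = {
    "alice": {"enabled": True, "groups": ["finance"], "countries": {"US"}, "hours": range(8, 18)},
    "bob": {"enabled": True, "groups": ["eng"], "countries": {"US", "DE"}, "hours": range(0, 24)},
}
GROUP_TO_ROLE = {"finance": "ledger-editor", "eng": "viewer"}  # hypothetical app roles


def idp_issue(user, app, now, country):
    """IdP side: apply directory state and context policy, then sign an assertion."""
    entry = DIRECTORY.get(user)
    if entry is None or not entry["enabled"]:
        return None  # disabled once in the directory, refused for every app
    hour = (now // 3600) % 24  # UTC hour of the request
    if country not in entry["countries"] or hour not in entry["hours"]:
        return None  # dynamic policy on geolocation and time of day
    claims = {"sub": user, "aud": app, "exp": now + 300,
              "roles": [GROUP_TO_ROLE[g] for g in entry["groups"]]}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def app_accept(token, app, now):
    """App side: verify signature, audience and expiry; no password is involved."""
    if not token or "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or altered assertion
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != app or claims["exp"] <= now:
        return None  # issued for another app, or expired
    return claims["roles"]  # roles provisioned from directory groups
```

In a real deployment the assertion is signed with the IdP's private key and the application holds only the public key, so a compromised application cannot mint tokens.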