Methods and systems are provided that enable single sign-on (SSO) mechanisms on rich clients running hosting applications that include documents with one or more embedded web assets. An embedded web asset may be any resource (e.g., document, image, data, etc.) that is accessed via a browser from within a hosting application. In aspects, authentication of a user identity is required to access an embedded web asset. In particular, an identity management module is provided on a rich client. The identity management module is configured to maintain multiple credentials for multiple user identities that are associated with multiple applications, whether the applications are embedded applications or hosting applications. In this way, a user may access multiple applications, including embedded web assets, associated with each user identity—without signing into each application. That is, a user is able to login a single time for each user identity.