The techniques disclosed herein provide an enhanced single sign-on flow for secure computing resources, such as a virtual machine or hosted applications. In some configurations, the techniques process different types of security data, e.g., credentials, tokens, certificates, and reference objects at specific computing entities of a system to provide a single sign-on flow for providing access to secure computing resources from a client computing device. In one illustrative example, a select type of security data, such as a certificate, is generated from a token and a claim at a particular computing resource, such as an agent operating on a virtual machine. In another example, a signed version of the certificate can be stored and verified at the virtual machine. By generating certificates at such particular computing resources, the computing resource can verify a person's credentials using a secure single sign-on flow without requiring the person to provide credentials multiple times.