Picking the right single sign on tool to protect your network
Editorial management positions:
• What’s new in the SSO world
• 5 megatrends in SSO
• How the various products stack up
• Centrify’s Identity Service (and AVG SSO)
• Microsoft’s Azure AD Premium
• Okta’s Identity and Mobility Management
• Ping Identity’s Ping One
• SecureAuth’s IdP
Lots of other SSO tools
• NetIQ, WSO2, Covisint, CA, Janrain, RSA, Radiant Logic, SalesForce and Sailpoint all turned me down for my review. Boo!
• Allidm, Atricore, JoshuaTree, nLight, OpenIAM, OpenIDM, OpenRegistry, OSIAM and Soffid are all open source tools
What is new
• RSA has purchased Symplified
• SmartSignIn was acquired by PerfectCloud
• LogMeIn Meldium
• Salesforce identity management service
• Intel/McAfee bundles Cloud Identity Manager with Web Gateway
Broad issues:
1- MFA
2- MDM integration
3- Cloud is king
4- ID providers
5- Apps galore
• Copies of this presentation:
• My blog: http://strominator.com
• Follow me on Twitter: @dstrom
• Old school: firstname.lastname@example.org
The single sign on field has widened its reach in terms of overall functionality and integration across the enterprise network. There is support for additional authentication factors, major integration points with mobile device managers and identity providers, and cloud-based solutions. I review 7 different tools and talk about which are more appropriate for particular situations.
My name is David Strom and I have been covering enterprise technology for more than 25 years, starting out in IT and end user computing back in the early 1980s when PCs were first coming into companies. I then moved into tech journalism and you can see here some of the places that I have written for including the New York Times and various TechTarget properties. I have also written two books on computer networking and built dozens of technical websites as well.
Products have expanded their support for additional authentication factors. Three years ago, one additional factor was about what you could expect. Now, all of the products have solid multifactor authentication (MFA) protection, with some such as Okta and Centrify creating their own one-time password mobile apps.
A few products are moving towards integrating mobile device management (MDM) as part of their identity service offerings. Gartner sees a bright future when the two types of products can be better integrated, and we agree. While not yet as capable as a true MDM tool such as VMware’s AirWatch or Citrix’s XenMobile, SSO tools such as Okta, Ping and Centrify have a better mobile focus and could be a good choice if you want to protect your mobile endpoints with more than just their login passwords but don’t want to purchase a separate MDM solution.
Vendors are focused on their cloud-based solutions. The cloud vendors typically supply two URLs: one for users for a common login to their apps, and another one for IT administrators for management tasks. This means they have only a small footprint for their on-premises software, mostly for handling Active Directory synchronization and browser extensions. This can be a challenge for a multi-tenant environment such as a reseller or an MSP offers; fortunately, Ping and AVG have MSP versions so they can provision multiple end user customers quickly and more capably.
Products have deepened their support for multiple identity management providers. Products have gotten more serious about publishing their own identity APIs and SDKs. That, along with the ability to reach into the Active Directory schema, means that it is now easier to automatically provision hundreds of users at once with very little operator intervention. This makes SSO tools useful if you have to onboard a lot of staff quickly, such as for an incoming college class or if you are merging with another corporation and want their employees to have access to your corporate applications infrastructure, or where you intend to federate your identity access.
Almost all of the products now support thousands of applications for their automated sign-on routines, and some come with catalogs that you can browse to find your particular apps. Overall the products are getting easier to install and integrate into your existing collection of apps and servers. While the vast majority of these app integrations are just stored username/password pairs, this still demonstrates that vendors have gotten better at making their tools much more capable and applicable in a greater number of situations.
Microsoft’s Azure Active Directory supports more than 1500 SaaS-based apps for its SSO.
Centrify has a nice summary map that shows you where your devices are located.
On the left you see some of the MDM settings, which are as capable as a full-blown MDM product’s.
On the right is the properties sheet for how you configure its AD connector, which is where Centrify had its origins. Centrify has been around the AD space for several years and its integration is fairly seamless. Once you download the connector and install it on your Windows Server, there isn’t much to do. You can set up active/active redundant support for a second AD server by just installing a second or third connector: these take care of load balancing the AD authentication requests and automatically fail over if there is some connection issue. It supports Windows Servers since the 64-bit 2003 vintage. It also supports Integrated Windows Authentication so you can sign into your local Windows desktops and apps.
Okta supports MFA on an individual app level. Over the past several years, Okta has beefed up its MFA functionality. It now offers a mobile app, Okta Verify, as a one-time password generator. It also supports other MFA methods, including Google Authenticator, SMS texts, Symantec VIP, RSA SecurID and Duo Security tokens, along with choosing from a list of security Q&A. MFA credentials can be demanded every time, or periodically or for specific groups. They also can be set up to protect particular apps.
Speaking of mobile apps, Okta has its own mobile app that can provide a secure browsing session and allow you to sign in to your apps from your phone, just as you would do from your desktop. It contains some MDM functionality, although it is not as capable as a full MDM tool such as an AirWatch.
There are now 11 preset report types, including showing unused applications. That can come in handy when it is time to renegotiate your software licenses.
OneLogin’s MFA policy page has several options and supports a variety of one time password techniques.
OneLogin was the other co-winner of my 2012 review and while it is still strong, its user interface has become a bit unwieldy and it has fallen in terms of our overall score.
OneLogin also has a “free forever” trial account that doesn’t include MFA and other advanced features but might be useful to try it out. Impressively, this includes unlimited users and up to 8 protected apps.
For Okta’s AD import you’ll need to download and install its AD Domain Agent on your Windows Server 2003 R2 or later. It took a call to their tech support to activate this agent. Once you connect to a local AD domain, you next import and assign users. The process is a bit more involved than Centrify’s.
There are several different editions, beginning at $2/user/month. The enterprise version, which includes MFA and user provisioning, costs $8/user/month. This includes basic support; premium 24x7 support is extra. MDM features add an additional $4/user/month.
OneLogin supports a variety of applications; here is a quick search of the various Google Apps and how it connects to each one.
OneLogin also has numerous SAML toolkits in a variety of languages such as .Net, Java and Ruby to make it easier to integrate your apps into its SSO routines. If you have homegrown apps and you want to make use of this protocol, this is reason enough to consider them on your short list.
Ping has been in the identity management space for many years and has some of the largest customers around the world, including doing Walmart’s SSO. When they began they were mostly an on-premises solution with their PingFederate product, but recently they have focused on the cloud and offer a series of related products including their cloud-based PingOne, their web access tool PingAccess and their OTP soft token generator PingID. They also have a mobile app where you can access your portal page too. While that is a lot of different software bits to keep track of, it is how they can be flexible in supporting lots of different circumstances. Ping would be a stronger product if they would consolidate some of their various features and focus on the cloud as a primary delivery vehicle. If that isn’t important to you, or if you have complex federation needs, then you should give them more consideration and you will probably end up using their on-premises PingFederate.
Ping provides these instructions on how to integrate a typical app with its SSO routines.
Pricing starts at $2 per user per month for PingOne.
PingOne supports four identity providers: their own through either PingFederate or PingOne, Google’s OpenID using OAuth, AD through its own connector, or a third-party SAML connector. The AD connector needs .Net Framework v4 to work.
Out of all the products I tested, SecureAuth has the most flexibility and the worst user interface, a combination that can be vexing at times. It is easy to get lost in its series of cascading menus, and while it still remains a very capable product, the others have passed it by in terms of ease of configuration.
The real strength of SecureAuth has always been its various post-authentication workflow activities. There is a large list of actions that can happen after your users authenticate themselves, and it has gotten larger since we last looked at them. For example, you can bring a user to an app store catalog or have them check a near field communications tag, launch a mobile app or take them directly inside IBM’s WebSphere. There are dozens more choices, and this is all under another tab with that name.
SecureAuth charges for its server and then separately for its users. A sample 100-user configuration would cost $5940 the first year.
SecureAuth has a really nice risk-based authentication feature.
SmartSignIn now supports seven different identity providers (including Amazon, NetSuite and AD) with several more on the horizon, and more than 7,000 app integrations.
Their user management screen shows you how easy it is to add users and apps to the SSO routine.
When it comes to MFA support, SmartSignIn is the weakest of the set of products we reviewed, which is ironic because they pioneered having a second passphrase back in 2012 and still make use of it to log in to their SSO portal.
They have three pricing plans with details available online: free for individuals, a $6 per user per month business plan and an $8 per user per month enterprise plan. You can sign up for any of these for free for 15 days.
SmartSignIn app provisioning screen
Pricing assumes an annual contract, and some of the tools charge extra for MDM or for MFA access.
Ran in Network World 6/15
Thanks everyone for listening to me and good luck with your own Big Data explorations.