Best tools for single sign-on (SSO)
- 15 July, 2019 20:00
Single sign-on (SSO) centralizes session and user authentication services, requiring just one set of login credentials for multiple applications. This improves the user experience, but it has IT administration and security benefits, too. SSO reduces the risk of lost or weak passwords as well as overhead associated with managing account access.
If you have yet to implement any SSO or identity management tool, or are looking to upgrade, this roundup of SSO tools will serve as a primer on where you want to take things. Given today’s threat landscape, you need to up your password game by trying to rid your users of the nasty habit of reusing their old standby passwords.
Five basic SSO strategies
1. Enterprise password manager
If cost and IT support are both issues, you could start with an enterprise password manager such as 1Password or LastPass (now owned by LogMeIn). These products are great for keeping a central “vault” of all your passwords and inserting them into the login process. They all work well under various conditions, such as browser and smartphone logins. They typically don’t support multi-factor authentication (MFA) logins, other than for accessing your overall vault. Figure on paying about US$8 per user per month.
2. Full SSO solution
This is a slightly better take on using static passwords. If you have more than 100 staffers and have a reasonable level of IT support, you will eventually realize the limitations of these password management tools and need a full-blown SSO solution (the focus of this roundup) that can offer more flexible authentication policies, access rules, MFA and mobile authenticator apps. Interestingly, most SSO products also cost about $8 per user per month but will require more IT manpower to implement. (Ping’s solution offers a lot of bang for the $3 per month price point, however.)
Let’s talk a bit about using MFA, because it is an important motivation behind going the SSO route. The idea of using MFA used to be mostly for the ultra-paranoid. Now MFA is the minimum for enterprise security, especially considering the number and increasing sophistication of spear-phishing attacks. Sadly, the deployment of MFA is far from universal: a recent survey from Symantec (Adapting to the New Realities of Cloud Threats) found that two-thirds of the respondents still don’t deploy any MFA tools to protect their cloud infrastructures. Certainly, having SSO can help ease the pain and move toward broader MFA acceptance.
Besides MFA, there is another reason to up your authentication game: the need for adaptive or risk-based authentication. This means changing your perspective from issuing your users an “all-day access pass” when they begin work by logging into their laptops. This idea is now outdated and replaced by finer-grained authentication strategies that account for numerous factors put into play more or less continuously. These strategies use techniques to detect phishing, account takeovers and other threats that try to impersonate or steal a user’s identity.
While most SSO vendors have comprehensive MFA support, their support for adaptive authentication is spotty and far from mature. I look at the following vendors here: Cisco/Duo, Idaptive, ManageEngine, MicroFocus/NetIQ, Okta, OneLogin, PerfectCloud, Ping Identity and RSA.
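To make the “finer-grained authentication strategies” above concrete, here is an added example of what a risk-based policy actually evaluates for each login. It is illustration code written for this page, not any vendor’s engine; the signals, weights, thresholds and the sample logins are all assumptions chosen for the example.

```python
"""Risk-based (adaptive) authentication policy: an added example, not any vendor's code.

Each login attempt is scored against signals an SSO service usually has at hand
(device fingerprint, source IP reputation, rough geolocation, time of day, recent
failures) and the score maps to one of three decisions: allow the session, demand
a step-up (MFA) or deny. Weights, thresholds and the sample records are assumptions
chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class LoginAttempt:
    user: str
    device_id: str              # cookie- or certificate-bound device fingerprint
    lat: float
    lon: float
    at: datetime                # timezone-aware
    anonymizer: bool = False    # source IP is a Tor exit or known VPN egress (IP reputation feed)
    recent_failures: int = 0    # failed attempts for this user in the preceding 15 minutes


@dataclass
class UserHistory:
    known_devices: set[str] = field(default_factory=set)
    last_lat: float | None = None
    last_lon: float | None = None
    last_at: datetime | None = None


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine); feeds the 'impossible travel' check."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(attempt: LoginAttempt, history: UserHistory) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher score = less confidence the user is who they claim."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("new device")
    if attempt.anonymizer:
        score += 40
        reasons.append("anonymizing network")
    if attempt.recent_failures >= 3:
        score += 20
        reasons.append("recent failed attempts")
    hour = attempt.at.astimezone(timezone.utc).hour
    if hour < 6 or hour >= 22:
        score += 10
        reasons.append("unusual hour")
    if history.last_at is not None and history.last_lat is not None and history.last_lon is not None:
        km = distance_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
        hours = (attempt.at - history.last_at).total_seconds() / 3600
        # Nobody covers ground faster than about 900 km/h; a faster hop means a second party.
        if hours > 0 and km / hours > 900:
            score += 50
            reasons.append(f"impossible travel ({km:.0f} km in {hours:.1f} h)")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory) -> tuple[str, list[str]]:
    score, reasons = risk_score(attempt, history)
    if score >= 60:
        return DENY, reasons
    if score >= 20:
        return STEP_UP, reasons
    return ALLOW, reasons


# Constructed sample: the user's last good session was from London at 09:00 UTC on a known laptop.
HISTORY = UserHistory(
    known_devices={"laptop-7f3a"},
    last_lat=51.5074, last_lon=-0.1278,
    last_at=datetime(2019, 7, 15, 9, 0, tzinfo=timezone.utc),
)
LONDON_KNOWN = LoginAttempt("alice", "laptop-7f3a", 51.5074, -0.1278,
                            datetime(2019, 7, 15, 10, 0, tzinfo=timezone.utc))
LONDON_NEW_PHONE = LoginAttempt("alice", "phone-c2d1", 51.5074, -0.1278,
                                datetime(2019, 7, 15, 10, 0, tzinfo=timezone.utc))
SYDNEY_VIA_TOR = LoginAttempt("alice", "laptop-7f3a", -33.8688, 151.2093,
                              datetime(2019, 7, 15, 11, 0, tzinfo=timezone.utc), anonymizer=True)

if __name__ == "__main__":
    for attempt in (LONDON_KNOWN, LONDON_NEW_PHONE, SYDNEY_VIA_TOR):
        print(attempt.device_id, decide(attempt, HISTORY))
```

The point of the three sample logins is the middle tier: a known user on a new phone is not refused, but is asked for a second factor, while a known device that suddenly appears on the other side of the planet through an anonymizing network two hours later is refused outright. Real products weight far more signals and learn the baseline per user, but the shape of the decision is the same.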
3. Open-source SSO
Another strategy, if you have the skills and staff but no funds, is to go the open-source route for SSO and add MFA to your logins with a standalone authenticator app. Authy seems to be the market leader among these apps today; it is available on a wide range of devices, including desktops.
4. SSO from your cloud provider
The fourth strategy is to take whatever SSO features come with your principal cloud provider and try to extend them into the other SaaS apps it supports. Salesforce and Microsoft Azure are examples of this route. Each has an SSO service add-on that is more or less capable of delivering basic authentication features. However, they aren’t as useful as a true vendor-neutral SSO tool. I recommend that you stick with either the specialized SSO vendors or move to an identity governance solution.
5. Identity governance solution
These products include OneSpan, Saviynt, HID, CA and Sailpoint, among more than a dozen other providers. They also have loads of features so you can insert more control over on- and off-boarding management, managing federation of identity and application orchestration, and have closer integration with cloud apps. Of course, you will pay more for these additional features, but these are the tools you’ll eventually want to use if you want the complete identity package. I didn’t review these products here.
Many of the SSO vendors that I cover here have moved into the identity governance space, either by acquiring other companies (RSA, Duo and Ping Identity are notable examples) or by adding new products to their SSO line (Okta, OneLogin and Idaptive).
It’s all about the apps. What makes SSO work is the ability to automatically sign into as many apps as possible. While this seems obvious, the SSO vendors have drastically increased their app support in the past several years. Okta and OneLogin now support thousands in their catalog. Idaptive and NetIQ have a feature to make configuring apps that aren’t in their catalogs a lot easier, too.
Smartphone authentication apps have proliferated. Because SMS one-time codes can be intercepted or redirected (SIM swapping and SS7 weaknesses are the usual routes), a more secure authentication method is to use one of these apps that generate a one-time password on your phone. The number of these apps continues to grow, with Google Authenticator and Duo having the largest support among cloud and SaaS providers. There are also apps from Authy, OneSpan, HID Approve, Microsoft, SafeNet MobilePASS and Sophos, along with the apps from the password manager and SSO vendors themselves.
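The codes these apps produce come from TOTP (RFC 6238), an HMAC over a 30-second counter derived from a secret shared at enrollment. As an added example, not vendor code, the block below implements both sides: the generator and a server-side verifier that tolerates one step of clock drift and refuses to accept a code twice, which is the detail that stops a phished code from being replayed inside its window. The 20-byte secret is the RFC 6238 reference-vector secret, used here as a constructed enrollment secret.

```python
"""TOTP (RFC 6238), the algorithm behind Google Authenticator-style apps: an added example,
not any vendor's code. The 20-byte secret below is the RFC 6238 reference-vector secret,
used here as the constructed enrollment secret for one user.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// URI / QR code; apps often drop the '=' padding."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server-side check with bounded clock drift and single-use codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step_used = -1    # per-user state; persist it, or the replay guard is lost on restart

    def verify(self, code: str, at: int = None) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        at = int(time.time()) if at is None else at
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step_used:     # already consumed (or older): refuse replay
                continue
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step_used = step
                return True
        return False


SECRET = b"12345678901234567890"                    # RFC 6238 test secret (constructed enrollment)
SECRET_B32 = base64.b32encode(SECRET).decode()      # what the QR code would carry

if __name__ == "__main__":
    print("current code:", totp(SECRET, int(time.time())))
```

Two design points worth noticing: the comparison is constant-time, and `last_step_used` only ever moves forward, so a code accepted from the “future” step (the phone’s clock runs a few seconds fast) also retires the current one. A deployment that skips the replay guard is exactly the one where a real-time phishing proxy can relay the six digits it just harvested.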
The table below shows a few typical SaaS and IaaS providers and which MFA methods and smartphone apps they support. If you are planning on supporting more than a single app, you might want to check out this review of the most popular MFA apps on Google Play.
Adaptive MFA is implemented in different ways. Most SSO tools support MFA. The question is how good this support is, especially for using specific MFA smartphone apps. Most tools start with an authentication app on your smartphone that you need to configure with the main SSO web portal management pages. All the SSO vendors support this with the exceptions of ManageEngine and PerfectCloud.
FIDO is still a maturing market. With Google and Microsoft now supporting FIDO hardware authentication keys for their G Suite and Windows logins, you would think FIDO would be more prevalent than it actually is. A few vendors support some version of these keys for authentication and are noted in the reviews, but it is far from universal.
Mobile device management features have receded. A few years ago, it seemed as if SSO vendors were moving toward mobile device management features, with Centrify (now Idaptive) leading the way. Now it seems as if fewer customers care about this issue, and instead are using the mobile smartphone authenticator apps as their main bulwark against account compromises. Idaptive and Duo are the two leaders here.
Top SSO tools
Cisco Duo
Duo is a relative newcomer to the SSO space but has quickly taken a leadership position, as evidenced by its acquisition by Cisco last year. It is fully featured and is based on a capable mobile authenticator smartphone app that is equivalent to many competitors’ mobile management apps. It supports a rich collection of adaptive authentication methods and even works with its competitors’ SSO tools (including Okta, Ping and OneLogin). Duo’s smartphone authenticator app is also one of the more popular MFA mechanisms for a wide variety of SaaS products.
It has transparent pricing with full feature breakdown and four tiers: free for up to 10 users and then plans start at $3 per user per month and go to $9 per user per month. The top two tiers include adaptive authentication and policy enforcement tools. The top tier secures internal apps as well as SaaS ones.
Idaptive Single Sign-On
I’m impressed with this product. Early this year, Centrify spun out its identity business unit as Idaptive; Centrify continues to sell its privileged access management tools. Idaptive has two versions: the standard and Adaptive SSO, which adds contextual authentication at an additional cost. MFA support also comes in two packages, at $2 per user per month for the standard and $4 per user per month for the adaptive version that adds device and user context and real-time reporting features. MFA methods include a wide range such as email, FIDO U2F keys, Google Authenticator and its own authenticator apps, and SMS.
The SSO products support thousands of apps and have a feature called Infinite Apps that discovers their SAML configuration. They support a wide array of protocols including SAML, WS-Fed and OAuth. The Idaptive web dashboard has been completely rearranged but mostly offers the same functionality as the old Centrify one. Idaptive also has a full line of identity management and provisioning tools, along with a strong mobile device management offering. The company has a transparent pricing page here and offers a free trial.
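Onboarding an app that is not in a catalog comes down to reading the service provider’s SAML 2.0 metadata: its entityID, where to post assertions, which NameID format it wants, and what it promises about signing. As an added example (not Idaptive’s Infinite Apps code, and the metadata document and certificate value are constructed for the page), here is that discovery step with the checks an admin should not click past.

```python
"""Reading a service provider's SAML 2.0 metadata, which is what an IdP's app-onboarding step
("discovering the SAML configuration") boils down to: an added example, not Idaptive's code.
The metadata document is constructed for the example; the certificate value is a placeholder.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC0nstructedPlaceholderCertificateBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://app.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _flag(el: ET.Element, name: str) -> bool:
    # Schema default for these booleans is false, so a missing attribute is a "no".
    return el.get(name, "false").strip().lower() == "true"


def parse_sp_metadata(xml_text: str) -> Dict[str, Any]:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this metadata does not describe a service provider")

    acs: List[Dict[str, Any]] = []
    for el in sp.findall("md:AssertionConsumerService", NS):
        acs.append({
            "index": int(el.get("index", "0")),
            "binding": el.get("Binding", "").rsplit(":", 1)[-1],   # e.g. HTTP-POST
            "location": el.get("Location", ""),
            "is_default": _flag(el, "isDefault"),
        })
    acs.sort(key=lambda a: a["index"])
    default_acs = next((a for a in acs if a["is_default"]), acs[0] if acs else None)

    signing_certs: List[str] = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):       # absent 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text:
                signing_certs.append("".join(cert.text.split()))

    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": _flag(sp, "AuthnRequestsSigned"),
        "want_assertions_signed": _flag(sp, "WantAssertionsSigned"),
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text],
        "acs": acs,
        "default_acs": default_acs,
        "signing_certs": signing_certs,
    }


def onboarding_warnings(cfg: Dict[str, Any]) -> List[str]:
    """Things an admin should not click past when adding the app to the IdP."""
    warnings = []
    if not cfg["want_assertions_signed"]:
        warnings.append("SP does not insist on signed assertions; sign them anyway and confirm it validates")
    if cfg["authn_requests_signed"] and not cfg["signing_certs"]:
        warnings.append("SP claims to sign AuthnRequests but publishes no signing certificate")
    if cfg["default_acs"] is None:
        warnings.append("no AssertionConsumerService endpoint; nowhere to post the assertion")
    for a in cfg["acs"]:
        if not a["location"].startswith("https://"):
            warnings.append("ACS %s is not HTTPS: assertions would cross the wire in the clear" % a["location"])
    return warnings


if __name__ == "__main__":
    cfg = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(cfg["entity_id"], "->", cfg["default_acs"]["location"], onboarding_warnings(cfg) or "ok")
```

Metadata fetched from a partner over the network is untrusted XML; in a real onboarding path parse it with a hardened parser such as defusedxml rather than the stdlib one, and pin the fetched signing certificate so a later metadata update cannot silently swap it.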
ManageEngine/Zoho Identity Manager Plus
ManageEngine has more than a dozen different cloud applications, and its SSO tool is called Identity Manager Plus. If you are a big consumer of their services (including the Zoho suite), then this is a good starting place for your SSO needs. If not, then I would look elsewhere. The tool complements other ManageEngine AD-related tools. It has 400 apps in its catalog and supports custom SAML configurations as well.
If you want MFA or mobile device support, you must use the ADSelfService Plus tool, which includes numerous methods such as authenticator apps from Google, Duo and Microsoft along with support for RSA SecurID tokens. (That will cost another $100 per month for 500-user blocks.) The Identity Manager Plus software supports a wide variety of identity providers, including AD, Okta, OneLogin, Ping Identity and other SAML-based providers. There is an online demo and it has a free trial like many of their other products.
MicroFocus/NetIQ Access Manager
MicroFocus is now the keeper of the NetIQ flame. Its solution covers three separate products: Access Manager, its principal SSO tool; an MFA product; and a mobile device management product called ZENworks Configuration Management. Each has a separate pricing plan, which starts at $0.49 per user per month (at the 500-user level) plus a $47 one-time setup charge. MFA starts at $0.92 per user per month (also at the 500-user level). Its app catalog contains more than 500 entries, but like Idaptive it also offers a simple integration app on-boarding routine. NetIQ supports a wide variety of connection protocols, including FIDO, SAML, OAuth, OpenID Connect and WS-Fed.
Okta Single Sign-On
Okta has long been a leader in SSO and sells two different versions of their flagship tool: a basic and an adaptive version that can be used to sense location, device and network parameters to prevent spoofing attacks. It now has a full collection of complementary products besides the SSO offerings that move into more of the integration and identity governance space. These include their Lifecycle Management service (which handles Active Directory [AD] sync for Office 365, directory integration with AD or LDAP, and auto provisioning), a cloud directory (which goes for $2 per user per month), a service that supports hybrid cloud/on-premises deployments, and inbound federation (which starts at $8,000 per year).
Okta has two versions of its MFA app to match its two SSO versions: basic MFA and adaptive MFA. Each product has two separate component fees. The first is the access charge: $8,000 per year for the basic product or $16,000 per year for the adaptive one. Then there are per-user charges of $3 to $5 per month. There is a free 30-day trial of the adaptive MFA software. It has a transparent pricing page for all its products.
OneLogin Single Sign-On
OneLogin has been a long-time SSO provider and now offers a complete identity management suite of products. Their SSO service comes in three different tiers: Starter ($2 per user per month) supports a single AD instance, enterprise ($4 per user per month) adds MFA, multiple identity providers, and integrations with SIEMs and VPNs, and the unlimited version ($8 per user per month), which adds user provisioning and additional integrations. All its products are available for a free 30-day trial. As an example of the product’s depth, OneLogin’s app catalog contains 2,700 apps for simple password completion and over 1,500 SAML apps.
OneLogin also offers an adaptive authentication product that builds on its own Protect mobile software authentication tool and supports a variety of other authenticator apps such as Google Authenticator and Duo. A unified access tool bridges on-premises and cloud apps, and a real-time user provisioning tool speeds up both on- and off-boarding.
PerfectCloud
This continues to be a very basic SSO solution. There is a free single-user version for managing up to four apps. PerfectCloud was one of the first to add a second-factor passphrase to its logins, but it has fallen behind in not supporting any of the mobile authenticator apps. The passphrase is encrypted on the device and never stored by PerfectCloud, which is a distinguishing feature. The product starts at $6 per user per month for the SMB version. That doesn’t include additional features such as AD integration, access and group management and policy rules.
Ping Identity PingOne
Ping is another long-time SSO player and one of the first to offer federated identity provisioning with its Ping Federate product. You’ll need this to implement other MFA apps besides its own smartphone app.
Ping prices its basic SSO app differently depending on whether it is sold directly or through one of its many channel partners. The basic pricing includes both MFA and SSO for $3 per user per month, which is very competitive considering what features are included. There is a free 30-day trial, too.
Its catalog has 1,650 apps that come pre-configured. PingOne supports a wide variety of MFA apps (from itself and its competitors such as RSA, Symantec, Duo and Gemalto) and methods, including Apple’s Face ID, fingerprint and voice authentication, along with various FIDO authentication methods and other hardware tokens. Ping also works with a number of mobile management tools, including MobileIron, AirWatch and Intune, and a number of other identity providers, including AD, Azure AD, Google, OpenID Connect and SAML.
RSA SecurID Access Suite
RSA has been a market leader in authentication since it first minted its SecurID key fob token, and it now offers a variety of tools in the full identity governance market thanks to a combination of acquisitions and integrations over the years. It has a solid SSO offering, but obviously wants you to implement its full-blown identity governance solution. (Note: I do consult for RSA.) The SecurID Access product is sold through resellers and pricing varies.
RSA quoted me $1,830 a month for a 500-user package that includes user licenses, MFA authentication, biometric and FIDO support. The product has three different overall pricing tiers: basic is the SSO-only version. You’ll find additional identity features in both the enterprise and premium versions.