Skip Links

Single sign-on moves to the cloud

Okta and OneLogin score high in test of eight SSO solutions that cut help desk calls and boost password security

By David Strom, Network World
December 17, 2012 12:00 AM ET

Page 2 of 10

Vendors have somewhat different plans for their products. Some charge per user per month, others have more standard per-server site licensing fees. Some include live support for at least the regular workday, others only have online support and charge extra for live help past normal working hours. Some have different levels of pricing plans that cover a limited number of directory linkages, apps, or policy roles, and charge extra when you exceed these limits. Almost every vendor had incomplete pricing information published on their website, although SmartSignin's pricing page was superior. SecureAuth has the most complex pricing scheme.

All this makes comparing and calculating the cost of a total SSO rollout difficult. Also know that these products aren't cheap: plan on spending multiple tens of thousands of dollars annually for them, even for a relatively small installation. We have put together our best guess at what it would cost for a 500-seat installation for the first and subsequent years: some vendor's fees drop significantly in the outlying years. The reason why we call it a guess is because given the way prices aren't published online, it is clear that vendors often give discounts to get your business.

Cloud and on-premises winners

Two vendors rose to the top in our testing: Okta and OneLogin. Both were flexible, had great app and browser support, and handled sign ons for the widest variety of situations. These are mostly cloud-based products. The two best on-premises products were SecureAuth and McAfee.

Numina and SmartSignin are both from very small companies that are trying to break into the SSO space, and generally speaking need more work and polish. But Numina has superior reports and the nicest SAML settings sheets of any of the products, making it easier to set up websites that support that protocol. And SmartSignin has the most serious approach to keeping user data private of the products tested.

RadiantOne has very limited app support and its documentation could be better. On the other hand, RadiantOne and Symplified have impressive identity architectures that can handle a wide variety of situations, useful in cases where companies want to merge and still keep separate Active Directory forests, for example.

The subtleties with these SSO products can be daunting. For example, McAfee's SSO product supports Adobe's Echosign document signing service, but accounts must have their own subdomains for the SAML magic to work properly. The same is true for Box.net and Verisign's VIP token service for Okta: you need the full enterprise account with subdomains enabled. So if you are trying to support users who already have their own individual accounts on these services, you might run up against problems.

Logins can be further protected with multiple-factor tools: these take the form of various hardware or software-based tokens. OneLogin and Okta have the widest multi-factor authentication support, including their own iPhone soft token apps, RSA's SecurID, SMS text messages, Vasco tokens, Yubico YubiKey and browser certificates. This important because by using one of these tokens, you strengthen all of your associated logins through the SSO process, without having to constantly find a different multifactor token for each individual login circumstance.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News