Single sign-on moves to the cloud

Okta and OneLogin score high in test of eight SSO solutions that cut help desk calls and boost password security

By David Strom, Network World
December 17, 2012 12:00 AM ET

However, each product employs multifactor tokens somewhat differently. Okta, Radiant Logic and OneLogin use them to protect the user's entire account, while McAfee, Symplified and SecureAuth can protect individual apps.

Speaking of multifactor tokens, there are additional issues. One of our test accounts was with PayPal using their supplied SecurID token. In order for any of the SSO products to log in automatically to our account, we would first have to remove this token requirement. Some of the other SaaS services that use multifactor authentication, such as Google Apps and Facebook, might also need similar treatment to work with some of the SSO services.

Also look at how each product recovers from mistakes that you make in specifying the various login parameters. Given the amount of information that each product requires to enable SSO, it is easy to make small mistakes that can take time to find and correct. In your own testing, you will need to iterate back through the SSO login process to ensure that actual users can access their apps, and then make changes with the configuration screens in the management interfaces. Some, such as Okta, are particularly problematic here. This means that if you test any of these SSO products on your live network, be careful. If you have set up your Active Directory failed-login policy to lock out users after a small number of attempts, you might run into trouble while you are testing these products.

Individual reviews

McAfee Cloud Identity Manager

Intel has rebranded its Cloud SSO offerings as part of its McAfee division, and it sells two versions: one cloud-based, which is newer and has fewer features, and one that installs on-premises.

The cloud version has fewer application connectors: for example, it doesn't support Office 365 yet. And the cloud version's Active Directory integration is in beta at the moment. The cloud offering is based on the platform and there are no browser plug-ins needed.

The older on-premises version from McAfee has probably one of the largest collections of identity providers of any product we've seen, including AD, LDAP, Google, OpenID, Salesforce, various SQL databases and others.

One of the interesting things is how flexible and complex the product can be: you can set up separate policies for particular apps that connect to particular identity providers, and add two-factor authentication for just specific apps. If you need its sophisticated policies, you probably want to look only at the on-premises version, because it can do a lot more than what is offered in the cloud product.

As an example, you can restrict logins per app by IP address range, to specific mobile devices, and by day of the week and time of day. All of these settings are collected together into one place for easy configuration.

Both McAfee products allow for just-in-time user provisioning provided you have set things up correctly and exchanged the necessary digital certificates between McAfee and the intended SaaS app.
