
Single sign-on moves to the cloud

Okta and OneLogin score high in test of eight SSO solutions that cut help desk calls and boost password security

By David Strom, Network World
December 17, 2012 12:00 AM ET

Page 9 of 10

Symplified supports the following multifactor authentication products: Symantec VIP, Symantec VIP SSP, Cryptocard and GrIDsure.

Pricing has two components: a one-time setup fee ranging from $1,500 to $5,000, and a user fee. For 500 users, this works out to $21,000 for the first year and $18,000 for subsequent years, which is on the low end of the price scale. These prices include 24x7 live support.

What to look for in a single sign-on product

Each SSO service has four basic features:

1. There's the single sign-on activity itself: the ability to automatically log in to a particular SaaS-based website or on-premises server. There are several methods for accomplishing this. One is using a secure Web authentication script that sends a user name and password to the Web server to accomplish the login. This requires the SSO product to manually manage the login string: if you decide to change your password for your online banking site, for example, you have to remember to change it in the SSO tool as well. A second, more elegant method is to use one of the identity standards such as OpenID, Web Services Federation (WS-FED) or SAML. Not every SaaS site supports these standards, but more are getting on board every day as a result of the popularity of the SSO products.

Automating sign-ons is just one half of the equation. If you want all of your users at once to have enterprise Google Apps accounts, you also need to be able to initiate provisioning from the SSO product, otherwise you are going to be in for some tedious times. Not every SaaS vendor supports automated provisioning from every SSO product.

This is where a third authentication method comes into play: exchanging site certificates between the SaaS provider and the SSO vendor. While this is initially cumbersome, it can make things go faster when you want to automate user creation and provisioning as part of the SSO process. Radiant Logic uses certificates exclusively as its authentication method. The others offer some combination of SAML, secure Web forms and custom application connectors.

Some of the products also make use of browser-based plug-in extensions to handle the login tasks.

2. Second is the ability to work with Active Directory or some other directory service or identity provider to handle user logins to local desktops and other on-premises servers. This means that you can automatically recognize the groups of user accounts, such as network administrators. Some products can do two-way synchronization of user accounts with Active Directory so that as you add or delete users from one, your actions are matched on the other side. Other products support federated identity synchronization with outside networks, such as setting up a partner portal so that individual logins from your partner organizations don't need to be manually created on your SSO system.

Each product typically installs one or more pieces of Windows server software to handle the Active Directory synchronization tasks. We describe the details on how this is accomplished in each review. Some also limit the amount of Active Directory information that is stored or transmitted in the cloud, for security reasons.
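The two-way synchronization described above can be sketched as follows. This is an added example, not code from the article or from any of the reviewed products: the function names, the account names and the idea of keeping a "baseline" snapshot from the last sync are assumptions made for illustration. It shows why a sync that only compares the two current lists would re-create an account that an administrator deleted on one side.

```python
# Constructed sample data: account names on each side (all hypothetical).
BASELINE = {"alice", "bob", "carol"}    # agreed state at the last sync
DIRECTORY = {"alice", "carol", "dave"}  # bob deleted, dave added on-premises
SSO = {"alice", "bob", "erin"}          # carol deleted, erin added in the SSO service


def naive_merge(directory, sso):
    """Two-way sync with no memory of the last run: just take the union.

    A user deleted on one side is still present on the other, so the
    union silently brings the deleted account back.
    """
    return directory | sso


def reconcile(baseline, directory, sso):
    """Two-way sync that compares both sides against the last agreed state.

    Returns (actions, merged): the changes to apply on each side and the
    set of accounts both sides hold once those changes are applied.
    """
    actions = []
    for user in sorted(baseline | directory | sso):
        in_dir, in_sso = user in directory, user in sso
        if in_dir == in_sso:
            continue  # present on both sides, or already gone from both
        if user in baseline:
            # Known at the last sync and now missing from one side:
            # that is a deletion, so remove it from the other side too.
            side = "directory" if in_dir else "sso"
            actions.append(("delete_from_" + side, user))
        else:
            # Not known at the last sync: a new account to copy across.
            side = "sso" if in_dir else "directory"
            actions.append(("create_in_" + side, user))
    deleted = {u for action, u in actions if action.startswith("delete_")}
    return actions, (directory | sso) - deleted


if __name__ == "__main__":
    print("naive merge:", sorted(naive_merge(DIRECTORY, SSO)))
    actions, merged = reconcile(BASELINE, DIRECTORY, SSO)
    for action in actions:
        print(action)
    print("after sync:", sorted(merged))
```
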
