Single sign-on moves to the cloud
Okta and OneLogin score high in test of eight SSO solutions that cut help desk calls and boost password security
We are awash in passwords, and as the number of Web services increases, things are only going to get worse. Trying to manage all these individual passwords is a major problem for enterprise security. Many end users cope by re-using their passwords, which exposes all sorts of security holes.
One solution is a single sign-on (SSO) tool to automate the logins of enterprise applications and also beef up password complexity, without taxing end users to try to remember dozens of different logins.
SSO isn't new: we have had various products for more than a decade. What is new is that several products now combine both cloud-based SaaS logins with local desktop Windows logins, and add improved two-factor authentication and smoother federated identity integration.
Also helping is a wider adoption of the open standard Security Assertion Markup Language (SAML), which allows for automated sign-ons via exchanging XML information between websites.
The SSO market includes more than a dozen products from boutique shops to large software vendors. We tested eight products: SecureAuth, OneLogin, Okta, Symplified, Intel's McAfee Cloud Identity Manager, Numina Application Framework, SmartSignin and Radiant Logic. Several other SSO vendors were contacted but decided not to participate, including IBM, CA, Oracle and Ping Identity. (Watch a slideshow version of this story.)
The products all work in a similar fashion. First, they connect to one or more directory services, such as Active Directory, or an identity provider with an existing collection of users, such as Google Apps. They grab the user lists from these sources and then apply various rules governing what applications each user can access and whether they must use advanced authentication, such as multifactor or one-time tokens, to log in to each app.
Users typically sign in to a Web-based portal, or the products grab their Windows desktop login credentials and use that as the basis for the authentication of the SSO app portfolio. This means that users don't have to remember or even in some cases need to know what their Google or Box passwords are to gain access to these apps.
It sounds simple but there is a great deal of behind-the-scenes software magic to make all the logins operate seamlessly and to connect the dots among the different pieces. And all of the user data "grabbing" should happen over encrypted connections to prevent man-in-the-middle and other attacks.
Trials and Pricing
Most of the vendors we tested offer free trial accounts with certain limitations beyond the two weeks' time frame, so you can get a feel for how they operate. And vendors are very willing to work with your own collection of apps to ensure that their products cover the ones you want to automate the sign-ons for. Some offer enticements such as unlimited number of users for a single app to deploy across your organization and get your end users used to the SSO apparatus, and then they start charging when you add new apps to the portal.
Vendors have somewhat different plans for their products. Some charge per user per month, others have more standard per-server site licensing fees. Some include live support for at least the regular workday, others only have online support and charge extra for live help past normal working hours. Some have different levels of pricing plans that cover a limited number of directory linkages, apps, or policy roles, and charge extra when you exceed these limits. Almost every vendor had incomplete pricing information published on their website, although SmartSignin's pricing page was superior. SecureAuth has the most complex pricing scheme.
All this makes comparing and calculating the cost of a total SSO rollout difficult. Also know that these products aren't cheap: plan on spending multiple tens of thousands of dollars annually for them, even for a relatively small installation. We have put together our best guess at what it would cost for a 500-seat installation for the first and subsequent years: some vendors' fees drop significantly in the later years. The reason we call it a guess is that, given the way prices aren't published online, it is clear that vendors often give discounts to get your business.
Cloud and on-premises winners
Two vendors rose to the top in our testing: Okta and OneLogin. Both were flexible, had great app and browser support, and handled sign-ons for the widest variety of situations. These are mostly cloud-based products. The two best on-premises products were SecureAuth and McAfee.
Numina and SmartSignin are both from very small companies that are trying to break into the SSO space, and generally speaking need more work and polish. But Numina has superior reports and the nicest SAML settings sheets of any of the products, making it easier to set up websites that support that protocol. And SmartSignin has the most serious approach to keeping user data private of the products tested.
RadiantOne has very limited app support and its documentation could be better. On the other hand, RadiantOne and Symplified have impressive identity architectures that can handle a wide variety of situations, useful in cases where companies want to merge and still keep separate Active Directory forests, for example.
The subtleties with these SSO products can be daunting. For example, McAfee's SSO product supports Adobe's Echosign document signing service, but accounts must have their own subdomains for the SAML magic to work properly. The same is true for Box.net and Verisign's VIP token service for Okta: you need the full enterprise account with subdomains enabled. So if you are trying to support users who already have their own individual accounts on these services, you might run up against problems.
Logins can be further protected with multiple-factor tools: these take the form of various hardware or software-based tokens. OneLogin and Okta have the widest multifactor authentication support, including their own iPhone soft token apps, RSA's SecurID, SMS text messages, Vasco tokens, Yubico YubiKey and browser certificates. This is important because by using one of these tokens, you strengthen all of your associated logins through the SSO process, without having to find a different multifactor token for each individual login circumstance.
However, each product employs multifactor tokens somewhat differently. Okta, Radiant Logic and OneLogin use them to protect a user's entire account, while McAfee, Symplified and SecureAuth can protect individual apps.
Speaking of multifactor tokens, there are additional issues. One of our test accounts was with PayPal using their supplied SecurID token. In order for any of the SSO products to log in automatically to our account, we would first have to remove this token requirement. Some of the other SaaS services that use multifactor authentication, such as Google Apps and Facebook, might also need similar treatment to work with some of the SSO services.
One thing to also look at is how each product recovers from mistakes that you make in specifying the various login parameters. Given the amount of information that each product requires to enable SSO, it is easy to make small mistakes that can take time to find and correct. You will need to iterate back through the SSO login process in your own testing, to ensure that actual users can access their apps, and then make changes in the configuration screens of the management interfaces. Some, such as Okta, are particularly problematic here. This means that if you test any of these SSO products on your live network, be careful. If you have set up your Active Directory failed-login policy to lock out users after a small number of attempts, you might run into trouble while you are testing these products.
Individual reviews
Intel has rebranded its Cloud SSO offerings as part of its McAfee division, and it sells two versions: one cloud-based, which is newer and has fewer features, and one that installs on-premises.
The cloud version has fewer application connectors: for example, it doesn't support Office 365 yet. And the cloud version's Active Directory integration is in beta at the moment. The cloud offering is based on the Force.com platform and there are no browser plug-ins needed.
The older on-premises version from McAfee has probably one of the largest collection of identity providers of any product we've seen, including AD, LDAP, Google, OpenID, Salesforce, various SQL databases and others.
One of the interesting things is how flexible and complex the product can be: you can set up separate policies for particular apps that connect to particular identity providers, and add two-factor authentication for just specific apps. If you are in need of its sophisticated policies, you probably want to only look at the on-premises version because it can do a lot more than what is offered in the cloud product.
As an example, you can restrict logins per app by IP address range, to specific mobile devices, and by day of the week and time of day. All of these settings are collected together into one place for easy configuration.
Both McAfee products allow for just-in-time user provisioning provided you have set things up correctly and exchanged the necessary digital certificates between McAfee and the intended SaaS app.
The online cloud documentation is rather sparse, but the printed manuals go into more detail on how to set up both Google and Salesforce accounts on their service.
For both products, McAfee has one of the simplest pricing models around, albeit one that isn't published on their website. They include everything in the per-user subscription fee, which starts at $5 per user per month and drops to $1 in quantity and over multiple years.
And by everything we mean live 24x7 support, as many application connectors or identity providers as you desire, and unlimited roles and policies. So pricing for 500 users would be $18,000 for one year. A three-year contract would drop the cost to $13,300 per year.
Numina had the smallest feature set of the products we tested. It is more of a developer's toolkit than a fully complete product. It comes with both on-premises pieces, mainly a Web service that runs on an IIS server, and a cloud piece. Unlike most of the other products in this review, it doesn't offer two-way synchronization with Active Directory or LDAP directories: it can only update its own user accounts. It also supports OpenID authentication methods.
Setting up an app that supports SAML, such as Google Apps, is very straightforward and the information to share with the corresponding fields on Google's Web form is clearly displayed.
One limitation with SAML is that the user ID that Numina sends must match the ID that the app provider requires. This could be a big issue if you are going to use it to log in to a lot of different SAML apps. The other products allow for more flexible configuration.
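To make concrete what the "exchange of XML information" behind SAML sign-on involves, and why the NameID format matters to the receiving app, here is an added example (not code from the article or any vendor reviewed) of the checks a service provider applies to an assertion before accepting the user. The SAML response, the issuer and audience URLs, and the timestamps are all constructed sample values; the XML signature check that a real deployment must perform first is noted but not implemented.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response from a hypothetical IdP to a hypothetical SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2012-01-01T12:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="%s">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-01-01T11:55:00Z" NotOnOrAfter="2012-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % EMAIL_FMT

# Constructed clock values: one inside the validity window, one after it.
SAMPLE_NOW = datetime(2012, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_LATE = datetime(2012, 1, 1, 12, 6, 0, tzinfo=timezone.utc)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_issuer, expected_audience, required_format, now):
    """Return the NameID if the assertion passes the SP-side checks, else raise ValueError.
    Precondition (not shown): the XML signature has already been verified against the
    IdP certificate exchanged during setup; nothing below may be trusted before that."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no assertion in response")
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion issued by an unexpected identity provider")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this service provider")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != required_format:
        raise ValueError("NameID missing or not in the format this app requires")
    return name_id.text
```

The last check is the one the Numina limitation touches: if the app insists on an e-mail-format NameID and the SSO product sends a different identifier, the login fails even though the user is genuine.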
Numina supports a single multifactor authentication, SMS text message, although there are plans for more. However, it excels in the number of reporting choices, something the far more feature-rich products should take a closer look at.
Numina has a very simple pricing scheme, based on a single server license, so our sample 500 seats would cost $25,000 for the first year and a $5,000 maintenance fee for subsequent years.
Okta has been in the identity management business a long time, and it shows. They have mostly a cloud-based service with several pieces that are installed on your network, including browser plug-ins. There are clear workflow diagrams showing what you need to finish your tasks, and separate tabs for setting up apps and users and running reports. This is one of the best features of the product.
Okta has the ability to support two Active Directory connectors to the same directory store for redundancy. When you set these up they are read-only, but you can quickly turn on two-way synchronization. The Active Directory connector has its own user interface and monitoring application, and can be run from any Windows server. There is also a separate piece of software to handle the desktop Windows login integration that needs to be installed on an IIS server.
The product also has wide multifactor authentication support, including its own mobile soft tokens, a security question, and Google Authenticator. You can enforce the multiple factors when users are outside the corporate network, or for specific groups, but not for specific applications. And you can ask for the multiple factors on a specific time schedule (say once a day) too.
They have a unique feature called Just in Time provisioning. This means you can import all your Active Directory accounts and set things up so that when users are ready to start using their SSO solution, it will try to authenticate them with their Active Directory logins and create their accounts on the fly. This can be useful if you are turning on SSO for a large population at once.
Okta has excellent documentation, with plenty of screencast videos showing you how to set things up. They have a catalog of more than 1,000 apps that have already been pre-configured. There is also a table showing browser support that can be reached from the help screens inside the Okta app itself, a nice touch.