Single sign-on moves to the cloud

Okta and OneLogin score high in test of eight SSO solutions that cut help desk calls and boost password security

Page 2 of 3

Reports show you the last month's worth of app usage and suspicious activities and how many users have never signed into the system.

The Okta dashboard gives a range of application reports that can show unused apps for particular users. It also has a useful task list showing what you still need to do on the service, alerts for any apps that weren't set up properly, and other items.

Okta's biggest downfall is how poorly it recovers from errors in the configuration process. Once you select an app you can't actually delete it, only deactivate it. If you haven't set it up properly, this can give you fits. Okta claims this is a feature that aids its logging capabilities. We disagree.

Okta has several pricing plans, starting at $1 per user per month for basic SSO and moving up to $10 per user per month for enterprise-level features such as user provisioning and more detailed reports. Pricing for 500 users would be $60,000 for the first and subsequent years. Live 12x5 support is included, and there are three additional support plans if you want to go to 24x7 support.

OneLogin

OneLogin is a cloud-based service with several on-premises pieces including browser extensions, a special IIS-based authentication script that is used for Windows logins, and an Active Directory connector for Windows servers to establish the two-way directory synchronization.

It has one of the largest app catalogs, supporting more than 2,600 apps, and it can easily be customized for forms-based secure Web authentication by creating custom app connectors. That is a nice touch, because with some of its competitors you either can't create new app connectors or else you have to wait for the vendor to create them and add them to the product.

One feature unique to OneLogin is a new addition called Federated Cloud Search. This makes it easier to find particular content across your entire apps portfolio without having to index each specific site. If you have ever tried to look for a document in one of your SaaS-based providers, you will understand how effective this feature can be. Not all of OneLogin's apps support this feature yet. Like some of its competitors, it also supports just-in-time app provisioning.

Another is the ability for an SSO administrator to log in as a particular end user to do troubleshooting, called "assumed sign in." You have to enable this individually by application, though. You don't need to know the end user's credentials, but you can test out the access to a particular app.

The directory synchronization is very easy to set up, and OneLogin supports Active Directory, OpenLDAP, Google Apps and Workday. You can set up rules to map users to particular roles and groups.

Its documentation is excellent, with loads of help files on a Zendesk server that has copious screenshots and illustrations on how to set up various services. There's a large selection of reports, including all provisioning activities, various ones on user status (suspended, active or whatnot), and a nice report on weak passwords. You can customize each report and download each as a CSV. There are also custom notification rules, so you can email users when they have been locked out of OneLogin, for example.

A wide variety of multifactor authentication methods is supported, including YubiKey, Verisign VIP, FireID, SecurID and OneLogin's own mobile-based soft tokens. It can be required for every login or only for unknown browsers, which is not as flexible as some of its competitors. Browser PKI certificates can be required as an additional factor. You can also prevent the browser from caching passwords for applications where OneLogin uses form-based authentication, a nice feature. Finally, it integrates with various SSL VPNs (we didn't test this), and you can specify which apps can be accessed through the VPN gateway.

OneLogin offers several pricing plans, including a free plan for unlimited users with three company apps and limited online support. The $5 per user per month enterprise plan widens this to support unlimited roles and directories but only includes daytime live support; if you want 24x7, that bumps you up to $7 per user. That works out for 500 users to $35,000 for the first year and subsequent years.

Radiant Logic RadiantOne

Radiant started in the directory management space and is slowly moving into SSO. Its solution is for on-premises, and has two main pieces: a Virtual Directory Server (VDS) that handles identity federation and a Cloud Federation Service (CFS) that handles applications.

CFS requires VDS to work: think of VDS as handling the authentication of the user's identity, while CFS holds the secure tokens that can access your various apps. It isn't as elegant as the other vendors, but it can be flexible if you understand which piece of software does what. There are a few other tools to set up the integration and deployment, such as the Radiant Trust Connector, which handles the Windows desktop logins, and the CFS Deployment Manager, which does what its name says. Everything runs on Windows 2008 R2 Servers with at least IIS v7.5 and .Net Framework v4 and goes under the name of RadiantOne.

That is a lot of different pieces to keep track of. Each piece has its own printed documentation, so there is a lot to review in order to understand the various relationships before you can get started. If you are still running earlier Windows Server versions, this isn't the product for you until you upgrade them.

RadiantOne handles its trusted relationships with its apps via certificates that have to be downloaded and installed separately using the Deployment Manager. This means that users authenticate once with CFS and then gain access to the various trusted apps. Using certificates is cumbersome, but it avoids the browser plug-ins that many of the other vendors use for encrypting the login credentials.

But as a result it offers a paltry set of apps that it can automate logins with, including Google, Salesforce, Webex and a few others. There is no mechanism for secure Web access or for automatically adding a new app, as there is with some of its competitors. You can also protect your user login with SecurID tokens.

Reports are poor. There is a log export to Excel feature in CFS, but that is more a list of events than anything a manager would understand. The dashboard is bare-bones and just indicates which services and connectors are running.

Pricing is on a per-server basis: for 500 users it would be $25,000 for the first year and $6,250 for subsequent years, which includes 24x7 live support.

SecureAuth

SecureAuth has a collection of on-premises pieces for its SSO product. You need to set up its own server on your network, either as the supplied virtual machine or by running the software on physical hardware. Because of this, you will need to review the documentation on how the SSO product interacts with the built-in Windows Server firewall and make sure both are configured properly. There are also browser extensions to download.

Its admin console is Web-based and perhaps the least attractive of all the products we tested, but beyond cosmetics it has lots of parameters and configuration options that make it a very powerful SSO product. The trick is in finding the right menu and the right place on the appropriate form to fill out properly. For example, to enable two-way Active Directory synchronization you set the "read only account" to false in the membership connection settings.

Numerous multi-factor authentication methods are supported, including YubiKeys, SMS text messaging, telephone, question-and-answer sessions, and email dialogs. Like some of its competitors, you can block or allow specific IP address ranges, and set up workflows depending on whether you are using a trusted computer or accessing your apps from a public network. It supports a wide range of identity providers, including AD, Lotus Notes, OpenLDAP, Novell eDirectory and others.

SecureAuth has the most complex pricing plan of any of the vendors we tested. There is a per-user fee, which starts at $19.50 per user per year and can drop quickly to a few dollars a year for the largest installations. There are one-time per-server and per-app fees, both of which start at $2,600. So for a 500-seat installation, the damage would be $20,000 for the first year and $10,000 for subsequent years. They need to simplify this scheme with far fewer options to make it more competitive and understandable.

SmartSignin

Like McAfee, SmartSignin has two separate offerings: one cloud-based and one for on-premises. The latter is only available at the higher Enterprise price. The product is still in beta and features are being added rapidly. They integrate with three identity providers at the moment: Google Apps, AD, and Salesforce.com. The company is small but seems to be on the right track.

For example, SmartSignin seems to be paying a lot of attention to various security exploits, which is a good thing. It is the only one of the SSO products we tested that requires not only a password but also a separate passphrase that you and you alone know, which you have to enter when you sign on to the SSO portal. All security information is stored on your desktop. Their Active Directory connector doesn't transmit information in the clear, in order to protect your directory content against man-in-the-middle attacks.

They are weak in terms of browser support and are just getting started on their multifactor integration. The Enterprise package has a single option for out-of-band authentication using SMS text messages. They claim more than 400 applications are supported and pre-configured.

Their dashboard is well-designed and easy to navigate. There is a single report that is just a listing of events, which is less than satisfying.

Pricing for the Enterprise plan for 500 users would be $43,200 for the first and subsequent years. If you can do without the Enterprise features (multiple roles and on-premises server), then the Pro plan will bring this down to less than half that amount.

Symplified

Symplified has two offerings: one that is cloud-based using an Amazon AMI and one that can be installed on-premises as a VM. Unlike the other vendors with separate offerings, Symplified gives both the same feature set. There are no browser extensions, but the product has its own Active Directory connector called SimpleLink, which also supports LDAP connections and is a piece of software that has to be downloaded to any on-premises directory server. This creates a secure tunnel that encrypts the authentication requests.

Symplified calls its product an identity router and the term is apt, as there are lots of access rules and policies like you would see in your network firewall, but of course concerning identities. It supports a large collection of identity providers, which Symplified calls User Stores, including LDAP, Oracle, Salesforce, Netsuite, Google and various SQL databases.

Their app support isn't as plentiful as it could be, but you can set up your own custom connector using the procedures and scripting features in the product. Apps have a rather convoluted workflow that isn't as appealing as the other products' and will take more time to debug and find configuration errors. This is because they separate the authentication from the authorization process. We needed some help with our configuration, but imagine that once you get the hang of how it all works you can create what you need in a few minutes. After you set up your SSO, you hit the publish button to deploy the apps explicitly. This adds an extra step in the debug cycle, but we can understand why they include it.

Their documentation is all online and hyperlinked to make it easy to navigate among the various pieces. Reports are more like log files, although some summary information can be found on the main dashboard page.

Symplified supports the following multifactor authentication products: Symantec VIP, Symantec VIP SSP, Cryptocard and GrIDsure.

Pricing has two components, a one-time setup fee ranging from $1,500 to $5,000, and a user fee. This works out for 500 users to be $21,000 for the first year and $18,000 for subsequent years, which is on the low end of the price scale. These prices include 24x7 live support.

What to look for in a single sign-on product

Each SSO service has four basic features:

1. There's the single sign-on activity itself: the ability to automatically log in to a particular SaaS-based website or on-premises server. There are several methods for accomplishing this. One is using a secure Web authentication script that sends a user name and password to the Web server to accomplish the login. This requires the SSO product to manually manage the login string: if you decide to change your password for your online banking site, for example, you have to remember to change it in the SSO tool as well. A second, and more elegant, method is to use one of the identity standards such as OpenID, Web Services Federation (WS-FED) or SAML. Not every SaaS site supports these standards, but more are getting on board every day as a result of the popularity of the SSO products.

Automating sign-ons is just one half of the equation. If you want all of your users to have enterprise Google Apps accounts at once, you also need to be able to initiate provisioning from the SSO product; otherwise you are in for some tedious times. Not every SaaS vendor supports automated provisioning from every SSO product.
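The standards-based method above shifts the trust decision from a stored password to a signed assertion that the target app must verify. The following is an added example, not code from the article or any vendor reviewed here, of the checks a service provider makes before accepting such an assertion; the assertion, key, issuer and audience values are constructed, and an HMAC tag stands in for the XML-DSig signature a real SAML identity provider produces.

```python
# Added example (not from the article or any vendor): the checks a service provider
# makes before trusting a federated assertion. An HMAC over the assertion's key
# fields stands in for the XML-DSig signature a real SAML identity provider emits.
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
AUD_PATH = NS + "Conditions/" + NS + "AudienceRestriction/" + NS + "Audience"

def _canonical(root):
    # Hypothetical canonical form: the security-relevant fields in a fixed order.
    cond = root.find(NS + "Conditions")
    return "|".join([root.get("ID"), root.findtext(NS + "Issuer"),
                     root.findtext(NS + "Subject/" + NS + "NameID"),
                     cond.get("NotBefore"), cond.get("NotOnOrAfter"),
                     root.findtext(AUD_PATH)]).encode()

def sign_assertion(xml_text, idp_key):
    # IdP side: hex tag over the assertion (stand-in for an XML signature).
    return hmac.new(idp_key, _canonical(ET.fromstring(xml_text)), hashlib.sha256).hexdigest()

class ServiceProvider:
    def __init__(self, idp_key, expected_issuer, audience):
        self.idp_key, self.issuer, self.audience = idp_key, expected_issuer, audience
        self.seen_ids = set()  # assertion IDs already consumed (replay protection)

    def accept(self, xml_text, tag, now):
        # Returns the asserted NameID, or raises ValueError naming the failed check.
        root = ET.fromstring(xml_text)
        # 1. Integrity first: nothing in the document is trusted until the tag matches.
        if not hmac.compare_digest(tag, sign_assertion(xml_text, self.idp_key)):
            raise ValueError("bad signature")
        if root.findtext(NS + "Issuer") != self.issuer:
            raise ValueError("unexpected issuer")
        # 2. Audience: an assertion minted for another app must not log in here.
        if root.findtext(AUD_PATH) != self.audience:
            raise ValueError("wrong audience")
        # 3. Validity window (all timestamps share one ISO format, so lexical order works).
        cond = root.find(NS + "Conditions")
        if not (cond.get("NotBefore") <= now < cond.get("NotOnOrAfter")):
            raise ValueError("outside validity window")
        # 4. One-time use: the same assertion ID may not be presented twice.
        if root.get("ID") in self.seen_ids:
            raise ValueError("replayed assertion")
        self.seen_ids.add(root.get("ID"))
        return root.findtext(NS + "Subject/" + NS + "NameID")

# Constructed sample assertion (not real IdP output), valid for five minutes.
ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
<Issuer>https://idp.example.com</Issuer><Subject><NameID>alice@example.com</NameID></Subject>
<Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
<AudienceRestriction><Audience>https://app.example.com</Audience></AudienceRestriction>
</Conditions></Assertion>"""
```

A tampered subject, a wrong audience, an expired window or a second presentation of the same assertion are each rejected by a different check, which is what makes this approach independent of any stored password.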
