Single sign-on moves to the cloud
Okta and OneLogin score high in test of eight SSO solutions that cut help desk calls and boost password security
This is where a third authentication method comes into play: exchanging site certificates between the SaaS provider and the SSO vendor. While this is initially cumbersome, it can speed things up when you want to automate user creation and provisioning through the SSO process. Radiant Logic uses certificates exclusively as its authentication method. The others offer some combination of SAML, secure Web forms, and custom application connectors.
Some of the products also make use of browser-based plug-in extensions to handle the login tasks.
2. Second is the ability to work with Active Directory or some other directory service or identity provider to handle user logins to local desktops and other on-premises servers. This means that you can automatically recognize the groups of user accounts, such as network administrators. Some products can do two-way synchronization of user accounts with Active Directory so that as you add or delete users from one, your actions are matched on the other side. Other products support federated identity synchronization with outside networks, such as setting up a partner portal so that individual logins from your partner organizations don't need to be manually created on your SSO system.
Each product typically installs one or more pieces of Windows server software to handle the Active Directory synchronization tasks. We describe the details on how this is accomplished in each review. Some also limit the amount of Active Directory information that is stored or transmitted in the cloud for security reasons too.
3. Third is the ability to manage the roles of each user and their respective access permissions to various apps. Each product has its own way of accomplishing this, typically through settings in its Web-based management console. Some also use the Active Directory group identities as the basis for how they configure their SSO roles and policies. McAfee has the most flexible configuration rules, and can set up individual apps with a particular identity provider and choose whether each app needs to have two-factor authentication.
4. Finally, there is how each product handles reports and compliance actions. Some products have more graphical or summary reports than others. These reports let you track exactly how many users are using particular applications, so if you are paying for site licenses, they could save you money by letting you reduce your license counts.
How we tested single sign-on products
We set up each product with two sample user accounts and tried to automate logins to a series of hosted services and on-premises servers, including Google Mail and Apps, Box.net, Paypal, Microsoft Active Directory, SharePoint and Office 365 (for testing WS-FED), Salesforce.com, LinkedIn, Twitter, Windows login and an online banking site. Each product supported a different collection of applications for SSO activities. We also connected to a variety of cloud-based services along with a test Windows Server from Cloudshare.com. We connected via different desktops, browsers, and mobile clients (if supported) to see how each would handle the various site logins. We also looked at what it would take to automatically provision new users on a number of SaaS vendors, and how they interacted with other identity providers.
We used two desktops: a MacBook running OS 10.6.8 and a Dell running Windows 7 Professional 32-bit. In addition, we also used both an iPad and an iPhone 4 running iOS v5.1 for testing the mobile features. The tests were conducted during November 2012.
Strom is a veteran technology journalist, speaker and former IT manager. He has written two books on computing and thousands of articles. His blog can be found at Strominator.com.
Copyright © 2012 IDG Communications, Inc.