Review: Single sign-on tools offer impressive new capabilities
Centrify edges Okta and OneLogin in seven-vendor shootout.

Since we last looked at single sign-on products in 2012, the field has gotten more crowded and more capable. A number of new vendors have come to ply their wares, and a number of old vendors have been acquired or altered their products.
For this round of evaluations, we looked at seven SSO services: Centrify’s Identity Service, Microsoft’s Azure AD Premium, Okta’s Identity and Mobility Management, OneLogin, Ping Identity’s PingOne, SecureAuth’s IdP, and SmartSignin. In addition to these products, we also looked briefly at AVG’s Business SSO.
Several vendors declined to participate, including NetIQ, WSO2, Covisint, CA, Janrain, RSA, Radiant Logic, SalesForce and Sailpoint. We also did not focus on open-source identity management tools or consumer-grade products, like LogMeIn.
Here are our overall conclusions:
-- First, products have expanded their support for additional authentication factors. Three years ago, one additional factor was about what you could expect beyond user name/password. Now, all of the products have solid multifactor authentication (MFA) protection. Okta and Centrify have even created their own one-time password mobile apps. SecureAuth, Okta, Ping and Centrify can require MFA for particular applications as part of a risk-based authentication approach. This makes SSO a powerful protective tool, and it can make logins much more secure than relying on each user to choose a strong password.
-- Second, as Gartner analysts recently pointed out, the vendors are moving towards integrating mobile device management (MDM) as part of their identity service offerings. Gartner sees a bright future when the two types of products are better integrated, and we agree. While not yet as capable as a true MDM tool, SSO tools such as Okta, Ping and Centrify have a better mobile focus and could be a good choice if you want to protect your mobile endpoints with more than just their login passwords, but don’t want to purchase a separate MDM solution.
-- Third, when we looked at these products in 2012, most were just moving into the cloud. Now, all but SecureAuth are focused on their cloud-based solutions. Vendors typically supply two URLs: one where users log in once to reach all their apps, and another where IT administrators perform management tasks. As a result, these products have only a small on-premises footprint, mostly the connector that handles Active Directory synchronization and the browser extensions.
-- Fourth, these products have deepened their support for multiple identity providers. Vendors have also gotten more serious about publishing their own identity APIs and SDKs. That, along with the ability to read the Active Directory schema, means it is now easier to automatically provision hundreds of users at once with very little operator intervention. This makes SSO tools especially useful if you have to onboard a lot of staff quickly.
-- Finally, almost all of the products now support thousands of applications for their automated sign-on routines and some come with catalogs that you can browse to find your particular apps. Overall the products are getting easier to install and integrate into your existing collection of apps and servers.
Our Clear Choice test winner is Centrify, but not by much. It slightly outperforms the others in terms of features and reports. Both Okta and OneLogin (our winners from 2012) aren’t far behind. The others fall somewhat below these in terms of features, documentation, or usability.
Here are the individual reviews:
Centrify Identity Service
Centrify has put together a solid SSO tool that also has some terrific mobile device management (MDM) features. If you are in the market for both kinds of products, this should be on your short list. It outscored the other tools, although not by much in some cases.
As a side note, Centrify sells a version of its SSO software to several vendors, including Samsung and AVG. (See sidebar on AVG.)
The admin user interface is well thought-out, with tabs clearly labeled for apps, policies, and devices, among others. Setup was accomplished within a few minutes. The hardest parts were getting the MFA features and the Active Directory integration working, and neither was difficult once we understood what the product wanted from us.
Centrify has been in the Active Directory space for several years and its integration is fairly seamless. Once you download the connector and install it on your Windows Server, there isn’t much left to do. You get active/active redundancy by simply installing a second or third connector: the connectors load-balance Active Directory authentication requests among themselves and fail over automatically if one loses its connection. The connector supports Windows Server from the 64-bit 2003 release onward. It also supports Integrated Windows Authentication, so users signed in to their Windows desktops are signed in to their apps as well.
In addition to Active Directory, Centrify also supports LDAP, SAML, and other identity providers. Adding a new one is very straightforward, once you find the menu options to set everything up. Browser extensions are available from a drop-down menu on the top right, and you just click on the appropriate one for your browser to download.
MFA settings are configured in the policy tab for users and in the apps tab for individual apps. Both use the same set of screens, but the available options vary by OS type, so there is one set of screens for OS X, another for iOS, and so forth. This is somewhat inconvenient and means you have to enter some of the same information multiple times. The MFA choices are numerous: you can require a second factor when a login comes from outside the normal corporate IP address space, or from a machine that has never used Centrify’s SSO before (detected through the absence of a browser cookie). The factors offered include email, SMS texts, phone calls, and security questions. More importantly, you can turn off MFA for a few minutes to let a forgetful user log in and reset their account, a nice touch, though since it is a deliberate if brief relaxation of the policy, it is the kind of action you will want in your audit logs.
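The risk-based rules described above (step up to MFA when the source address is outside the corporate network, when the browser carries no recognized device cookie, or when the app is marked as always requiring MFA, plus a short per-user window in which MFA is suppressed for an account reset) are the kind of policy an SSO service evaluates on every login. The following is an added illustration written for this review, not Centrify’s code or any vendor’s API; the corporate address ranges, app names, factor names and the `StepUpPolicy` class are all constructed for the example.

```python
"""Illustrative risk-based step-up MFA evaluator (added example, not vendor code)."""
import ipaddress
import time
from dataclasses import dataclass

# Constructed corporate address space; a real deployment would load this from
# the identity service's network policy.
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed per-app policy: whether MFA is mandatory regardless of risk
# signals, and which factors the app accepts for step-up.
APP_POLICY = {
    "payroll": {"always_mfa": True, "factors": ["otp_app", "sms"]},
    "wiki": {"always_mfa": False, "factors": ["email", "security_question"]},
}


@dataclass
class LoginContext:
    user: str
    app: str
    source_ip: str
    has_device_cookie: bool  # set when this browser completed SSO before


def _is_corporate(ip_text: str) -> bool:
    """True only for a parseable address inside a corporate range; fail closed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


class StepUpPolicy:
    def __init__(self):
        # user -> unix time until which MFA is suppressed (the "forgetful
        # user" reset window). Scoped per user and always time-limited.
        self._suspended_until = {}

    def suspend_mfa(self, user: str, minutes: int, now: float = None) -> None:
        """Admin action: relax MFA for one user for a few minutes (should be audited)."""
        now = time.time() if now is None else now
        self._suspended_until[user] = now + minutes * 60

    def evaluate(self, ctx: LoginContext, now: float = None) -> dict:
        """Return allow / step_up / deny plus the risk signals that drove it."""
        now = time.time() if now is None else now
        policy = APP_POLICY.get(ctx.app)
        if policy is None:
            return {"decision": "deny", "reasons": ["unknown_app"], "factors": []}

        reasons = []
        if policy["always_mfa"]:
            reasons.append("app_requires_mfa")
        if not _is_corporate(ctx.source_ip):
            reasons.append("off_network")
        if not ctx.has_device_cookie:
            reasons.append("unrecognized_device")

        if not reasons:
            return {"decision": "allow", "reasons": [], "factors": []}
        if self._suspended_until.get(ctx.user, 0) > now:
            # Window still open: let the user in, but record why MFA was skipped.
            return {"decision": "allow",
                    "reasons": reasons + ["mfa_temporarily_suspended"],
                    "factors": []}
        return {"decision": "step_up", "reasons": reasons,
                "factors": list(policy["factors"])}


if __name__ == "__main__":
    policy = StepUpPolicy()
    print(policy.evaluate(LoginContext("alice", "wiki", "10.1.2.3", True)))
    print(policy.evaluate(LoginContext("alice", "wiki", "198.51.100.7", True)))
```

Two details matter in practice: an unparseable or missing source address is treated as off-network rather than trusted, and the suspension window is keyed to a single user and expires on its own, so a one-off reset does not become a standing exemption.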
Centrify will prompt new users to add one (and only one) security question. There is also support for Centrify’s OTP feature that is built into its smartphone app. Missing is support for third-party OTP tokens that some of the other tools have.
Speaking of the mobile app, it is a full MDM client and not merely an OTP generator, which is all that some competitors’ apps are. You can remotely wipe the device, put policies in place requiring a device PIN, and set up the other things you would expect of a traditional MDM product.
Centrify comes with dozens of canned reports that cover the waterfront, along with the ability to create your own using custom SQL queries. Its documentation is available online and presents the basics for getting started.
Centrify has a large collection of apps, and admins can add a new one to its password vault simply by logging into the app from a browser. There are 17 different entries for various Google-related apps, including UK and Japanese versions, only one of which is SAML provisioned. Its Web app gateway publishes links to internal Web servers to remote users without requiring a VPN connection or inbound holes in your firewall.
Centrify’s pricing is very transparent. There are two versions of the service: App for $4 per user per month and App+ for $8. If you want support for Apple-based devices, add another $2 a month.