Choosing the right web application single sign-on (SSO) solution for your organization can be tricky. You need to understand what options you have available, and then decide which type of SSO solution will be most beneficial for your organization long-term.
Each solution has its pros and cons, and the right choice varies based on your organization’s specific needs. Current SSO solutions are surprisingly multi-faceted — while it may seem like a simple purchasing decision, the choices can become blurred. This is because while most vendors offer SSO for the core group of applications you’re going to work with, some holistic single sign-on solutions include a host of other features to consider.
The single sign-on solutions that exist today are either layered on top of or integrated with an organization’s core directory or identity provider (IdP). These options come in the form of integrated, holistic cloud SSO and directory platforms, web application SSO point solutions, and open-source SSO point solutions.
When vetting an SSO solution, consider asking yourself these questions to make the decision easier:
- Can this scale with my organization?
- Do I already know that this solution will need to be replaced in the future?
- How well does this solution fit in with our current IT environment?
- What about where we want our IT environment to be in 5 years?
- What kinds of IT resources do I want to use SSO for? (Apps, devices, networks, etc.)
- What other capabilities am I looking for in my IT environment that could be solved by implementing a holistic SSO/directory solution? (MDM, MFA, PAM, IGA, etc.)
Like anything else in the tech ecosystem, at first there were only a couple of limited single sign-on options out there — web app SSO and Active Directory Federation Services (AD FS). With fewer choices on the market and the dominance of Windows-based IT environments, picking a solution was fairly simple 10 to 15 years ago. Whereas now, with the rise in popularity of Mac and Linux devices as well as web applications and cloud infrastructure, making a decision is far more complex.
Those original solutions still exist, but web app SSO solutions have migrated to being delivered from the cloud, and comprehensive IdP and SSO solutions now exist, such as the JumpCloud Directory Platform, that function as the core directory, have built-in SSO capabilities, and include a variety of other useful features (e.g. MFA, MDM, IGA, PAM).
Where SSO solutions once connected employees solely to web applications, platform solutions like this now connect employees to virtually all the IT resources they need, including devices, web apps, legacy apps, file servers, systems, and networks. Regardless of the single sign-on solution an organization uses, though, SSO improves organizational flexibility, productivity, and security.
In this article, we will discuss the evolution of SSO, the modern options available, rules to follow when choosing an SSO provider, and factors to consider when choosing an SSO solution.
Evolution of SSO
What we think of as the first generation of IDaaS (Identity-as-a-Service) platforms emerged in the late 2000s as cloud-based web application single sign-on solutions. These followed the original solutions which were enterprise-class on-prem web application solutions that integrated with Active Directory. In short, these original web app SSO solutions were created to allow IT admins in Windows-based IT environments to federate AD identities to some web apps that were not Windows-based. The goal was to avoid recreating identities in each application while maintaining the core, authoritative directory — creating less work for IT admins, providing easier access to users, and improving security.
Of course, web applications comprise only one portion of the tools used in an organization each day. Now some modern SSO solutions extend beyond web applications to include other critical resources. Users also need to securely and quickly access files, legacy apps, WiFi networks and VPNs, and a variety of systems (Windows, Mac, or Linux). And, unbeknownst to end-users, they use a variety of protocols and mechanisms, including LDAP, SAML, and RADIUS, to do so. Therefore, the SSO solution you choose needs to support the protocols that your organization uses.
Single Sign-On Options
- A comprehensive cloud SSO/core directory platform with a variety of other features built-in
- A web application SSO point solution used as an add-on to an existing directory
- An open-source web app SSO solution
Guidelines to Follow When Choosing an SSO Provider
1. Know What You Need Going in
With all of the tools available on the market, it’s essential that you understand your SSO options and decide what other capabilities you need in your IT environment that you may be able to leverage out of a single solution. Then prioritize those capabilities based on necessity, the organization’s future roadmap, and the makeup of your IT environment.
Working through it in this way can help you decide if you want a bare bones SSO solution or one with all of the bells and whistles. Focus on exactly what you need (and what can wait) so you don’t get saddled with features you won’t use or overcharged for those you need most.
2. Beware of Hidden Costs, and Seek out Free Trials
Every cloud service has a different way of charging their customers. Most charge on a per-user basis, but others may also include charges by API calls, number of application connectors, or by device. Similarly, you’ll want to check and see whether specific features you need are built-in or considered à la carte as add-ons. Some SSO solutions can seem very affordable at first but quickly snowball to the point where you’re paying a lot more to get every feature you want.
In some solutions, different features (like JIT and SCIM provisioning – often referred to as user lifecycle management) add to the cost, while others take a more holistic approach. This is where knowing what you need ahead of time comes in handy — search for a solution that includes the features that you laid out as priority items. If you decide you want to maintain AD across your organization with an add-on SSO solution, you’ll need to factor in the costs of hardware and client access licenses in addition to the cost of the SSO solution.
A good strategy for finding the right solution is to check out review sites that provide helpful comparisons between SSO providers based not only on price but also on features such as ease of use and more.
Look for SSO solutions that offer free trials, which are beneficial for testing and assessing whether the solution is the right fit. This also helps with executive buy-in when you can show them exactly how the solution works and prove that it’s worth investing in.
3. Think About Your Existing Infrastructure
Will you need to build anything out? It’s important to know just what you have to work with — and ask exactly what more you may need — before committing to a purchase. For example, if you want your SSO solution to apply to your on-prem applications as well, you’ll need to make sure it can work with LDAP. And as always, you should check to see if they charge extra for that service.
On top of that, do you have an existing identity and access management (IAM) solution in place already? If you do, consider what type of SSO solution will integrate best with it. If not, looking into a comprehensive solution that has built-in IAM and SSO capabilities could save you a lot of time later on down the line.
4. Consider Your Security Needs
When considering the right solution for your needs, you also want to think: What security risks am I trying to solve, and what level of security do I need?
Answering these questions can help guide your research when looking at potential providers and solutions before making your final decision. If you’re using only web applications, then a web app SSO solution will work just fine. However, if you have other systems in place in addition to web apps, you’ll want to consider a core directory/SSO platform that can federate identities to virtually all of your IT resources, not just web apps.
Factors to Consider When Selecting an SSO Solution
When dissecting potential SSO solutions, start by looking for these features based on the needs you established:
- Authentication via SAML
- Pre-built and custom connections to SAML apps
- Authentication via LDAP
- Group-based control
- Multi-factor authentication
- JIT and SCIM provisioning
- Conditional access policies
Authentication via SAML
At a fundamental level, any viable SSO solution needs to support SAML authentication to applications because of its ubiquity in web apps.
SAML, or Security Assertion Markup Language, allows users to authenticate to web applications without entering a password at each one. With SAML, service providers (e.g. Salesforce, GitHub, Slack) communicate with identity providers (i.e. the core directory/SSO provider) over a trust relationship backed by exchanged signing certificates.
This method of authentication is more secure than entering a username and password for each application because end-users don’t enter their credentials across an array of third-party websites — thereby centralizing and simplifying their login process. Admins can also add and remove application access more easily, enhancing their workflow, too.
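The certificate trust described above only protects the service provider if the application actually checks what the assertion says before granting a session. The following is an added example, not code from JumpCloud or from the original article, of the checks an SP applies to a received assertion: the issuer, the presence of a signature by the pinned IdP certificate, the validity window, the audience restriction, and the recipient. The entity IDs, URLs, certificate body and the sample response are constructed; cryptographic verification of the XML signature itself is assumed to be handled by a SAML library before these checks run.

```python
# Added example (not JumpCloud's code): the checks a SAML service provider (SP)
# must apply to an assertion before trusting it. Cryptographic verification of
# the XML signature is assumed to be done by a SAML library (e.g. python3-saml)
# first; here the signature element is checked against a pinned IdP certificate
# so that an unsigned or foreign-signed assertion fails fast. For untrusted XML
# in production, parse with defusedxml rather than the stdlib parser.
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP-side configuration (assumptions, not a real deployment).
SP_ENTITY_ID = "https://app.example.test/saml/metadata"
SP_ACS_URL = "https://app.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml"
# Base64 body of the IdP signing certificate as published in its metadata (constructed placeholder).
IDP_CERT_B64 = "MIIC-constructed-placeholder-certificate-body"
IDP_CERT_SHA256 = hashlib.sha256(IDP_CERT_B64.encode()).hexdigest()


def _ts(value):
    # SAML timestamps are ISO 8601 in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, now):
    """Return the list of failed checks; an empty list means the assertion is acceptable."""
    root = ET.fromstring(response_xml)
    problems = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        problems.append("issuer mismatch: %r" % issuer)
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                              default="", namespaces=NS)
    if not cert:
        problems.append("assertion is not signed")
    elif hashlib.sha256("".join(cert.split()).encode()).hexdigest() != IDP_CERT_SHA256:
        problems.append("signing certificate is not the pinned IdP certificate")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        nb, na = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("assertion not yet valid")
        if not na or now >= _ts(na):
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("audience restriction does not name this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("SubjectConfirmationData.Recipient is not our ACS URL")
    return problems


def sample_response(audience=SP_ENTITY_ID, not_on_or_after="2024-01-01T12:05:00Z", signed=True):
    """Constructed SAML Response skeleton used only to exercise the checks above."""
    sig = ("<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
           "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>" % IDP_CERT_B64) if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    print(validate_assertion(sample_response(), NOW))                                         # []
    print(validate_assertion(sample_response(audience="https://other.test"), NOW))             # wrong audience
    print(validate_assertion(sample_response(not_on_or_after="2024-01-01T12:00:30Z"), NOW))   # expired
    print(validate_assertion(sample_response(signed=False), NOW))                              # unsigned
```

The audience and recipient checks are what stop an assertion minted for one application from being replayed against another, which is the practical meaning of "trust" between an SP and its IdP.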
Pre-Built and Custom Connections to SAML Apps
Another key feature of an ideal SSO solution is the inclusion of pre-built and custom connections to SAML applications.
Pre-built connections reduce the setup work for admins drastically and should include popular apps like Google Workspace, Microsoft 365, Zoom, and many more. These connectors reduce the number of attributes admins have to fill out manually to establish a link, and they make it easier to populate user attributes in each application.
Custom connections require more setup work to connect applications to the core directory. However, they enable flexibility in connecting to most, if not all, SAML-based applications on the market or those that are homegrown. With them, admins ensure efficient and secure connections for their end-users regardless of their application suite.
Authentication via LDAP
LDAP, or Lightweight Directory Access Protocol, allows for authentication to legacy, on-prem applications, as well as more technical applications, including OpenVPN and Jenkins.
An SSO solution that authenticates via both SAML and LDAP covers a wider range of applications and provides a more comprehensive experience for admins and end-users. Solutions that are SAML-only exclude legacy and technical applications to the detriment of both parties.
Plus, if the solution offers Cloud LDAP, admins avoid the work of standing up and maintaining on-prem LDAP servers, which is a huge plus.
Group-Based Control
A worthwhile SSO solution should feature group-based access control by which IT admins can restrict or administer access to both SAML and LDAP applications en masse.
For example, a sales department needs access to a completely different set of applications than the engineering department; however, they may also need access to some of the same resources. As such, IT might want to create an ‘All Employees’ group where access to Slack and Google Workspace are provisioned to everyone, as well as a group for each department with specific resource access provisioned.
In some SSO solutions, admins can upload XML metadata files via PowerShell to populate connector attributes for applications — another way to streamline the process of establishing connections with apps. Examples of attributes that could be passed along include user roles and departments.
Access controls also improve security because they ensure access to each application isn’t universal across an organization. They prevent cross-contamination, so to speak, which also limits the possibility of users linking or modifying information in a damaging way. Using the idea of least privilege access via group control is a great way to protect your resources.
Multi-Factor Authentication
Multi-factor authentication (MFA) is a must-have along with single sign-on. If you’re interested in improving security along with productivity by implementing an SSO solution, it’s in your organization’s best interest to protect each central identity with another layer of security — MFA.
Best practices for adopting an SSO solution across your IT environment include enforcing password complexity requirements and/or password rotation requirements, and pushing out MFA to every device used across the organization. MFA is a tough security layer for bad actors to bypass, and MFA successfully guards against the majority of data breaches. Even if a bad actor steals credentials, MFA serves as an additional and powerful roadblock to protect company resources and data.
MFA is especially essential in this case because SSO enables end-users to access virtually all their resources via a single login and portal, and therefore, that portal should be heavily guarded. Step-up MFA can also be applied to sensitive applications, prompting for the second factor only for that particular authentication. More sophisticated SSO solutions will employ tactics such as conditional access to vary access levels based on a variety of criteria including the user, their location, and device posture.
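To make the second factor and the step-up policy concrete, here is an added example (not JumpCloud's code and not from the original article) of a TOTP verifier of the kind an SSO portal runs for its login, including the replay check that rejects a code already used within its time step, together with a small step-up rule for sensitive apps. The secret is the RFC 4226/6238 reference secret; the app names and the freshness limit are constructed policy values.

```python
# Added example (not JumpCloud's code): a TOTP second factor (RFC 6238) for the SSO
# portal with replay protection, plus a step-up rule for sensitive apps.
# The app list and freshness window are constructed policy values.
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Per-user verifier that tolerates +/- `window` steps of clock drift but never
    accepts a time step at or before the last one that already produced a login."""

    def __init__(self, secret, window=1, step=30):
        self.secret, self.window, self.step = secret, window, step
        self.last_accepted_step = -1

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        current = int(at_time) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay: this step was already consumed by a login
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


# Step-up MFA: apps that require a fresh second factor even inside a valid SSO session.
STEP_UP_APPS = {"payroll", "aws-console"}  # constructed policy
MFA_MAX_AGE = 300                           # seconds a second-factor proof stays fresh (constructed)


def needs_step_up(app, mfa_verified_at, now):
    """True when launching `app` must re-prompt for MFA."""
    if app not in STEP_UP_APPS:
        return False
    return mfa_verified_at is None or now - mfa_verified_at > MFA_MAX_AGE


if __name__ == "__main__":
    # RFC 6238 / RFC 4226 reference secret; at T=59 (counter 1) the 6-digit code is 287082.
    secret = b"12345678901234567890"
    v = TotpVerifier(secret)
    print(totp(secret, 59))                                   # 287082
    print(v.verify("287082", at_time=59))                     # True
    print(v.verify("287082", at_time=75))                     # False: replay of a used step
    print(needs_step_up("payroll", mfa_verified_at=0, now=1000))  # True: proof is stale
```

The replay check matters because a TOTP code stays valid for the whole time step (plus the drift window); without remembering the last accepted step, a code observed once can be reused by someone else within that window.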
JIT and SCIM Provisioning
Just-in-Time (JIT) and System for Cross-Domain Identity Management (SCIM) provisioning are other useful features to have in an SSO solution — they allow for additional automation of IT workflows.
With JIT provisioning, the SSO provider automatically creates a user’s account in an app the first time the user attempts to log in to that app. The SSO provider knows which user attributes the app requires and pushes them to it, rather than the user or IT admin filling out the requisite forms manually.
SCIM provisioning goes further: it automates both provisioning and deprovisioning of user accounts in applications and keeps the core directory and the connected applications continuously synchronized.
Some SSO providers supply these types of provisioning for an extra charge, while others include them for free — this is important to keep in mind if you’d like to utilize these features.
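The group-based control discussed earlier and the JIT/SCIM provisioning described here fit together: group membership defines who should hold an account in each app, JIT creates that account on first login, and SCIM reconciliation creates, updates and deactivates accounts as membership changes. The following added example (not JumpCloud's code and not from the original article) models that flow in memory. The directory, groups, app entitlements and app account stores are constructed, and SCIM requests are represented as (method, path, body) tuples rather than real HTTP calls.

```python
# Added example (not JumpCloud's code): group-based entitlements driving JIT
# provisioning on first login and a SCIM-style reconciliation that creates,
# updates and deactivates app accounts. All data below is constructed; the
# SCIM calls are (method, path, body) tuples instead of real HTTP requests.

DIRECTORY = {  # constructed core-directory users
    "alice": {"groups": {"all-employees", "sales"}, "department": "Sales", "active": True},
    "bob":   {"groups": {"all-employees", "engineering"}, "department": "Engineering", "active": True},
    "carol": {"groups": {"all-employees", "sales"}, "department": "Sales", "active": False},  # offboarded
}
APP_ENTITLEMENTS = {  # constructed: which groups may access which SAML/LDAP app
    "slack": {"all-employees"},
    "crm": {"sales"},
    "jenkins": {"engineering"},
}


def entitled_users(app):
    """Least privilege: only active users in a group mapped to the app may hold an account."""
    allowed = APP_ENTITLEMENTS.get(app, set())
    return {u for u, rec in DIRECTORY.items() if rec["active"] and rec["groups"] & allowed}


def app_attributes(username):
    """The attributes the connector pushes into the app for this user."""
    rec = DIRECTORY[username]
    return {"userName": username, "department": rec["department"]}


def jit_login(app, app_store, username):
    """JIT: after a successful SSO login, create the app account if it does not exist yet.
    Returns 'denied', 'created' or 'existing'."""
    if username not in entitled_users(app):
        return "denied"  # the group check runs before any account is created
    if username not in app_store:
        app_store[username] = {"active": True, **app_attributes(username)}
        return "created"
    return "existing"


def scim_reconcile(app, app_store):
    """SCIM-style sync: desired state comes from directory groups; the app is brought
    into line with POST (create), PATCH active=false (deprovision), PATCH active=true
    (re-enable) and PATCH (attribute drift). Ops are applied to app_store and returned."""
    ops = []
    desired = entitled_users(app)
    for username in sorted(desired - set(app_store)):
        body = {"active": True, **app_attributes(username)}
        ops.append(("POST", "/Users", body))
        app_store[username] = body
    for username, account in sorted(app_store.items()):
        if username not in desired:
            if account["active"]:  # left the group or was offboarded: deactivate, never delete
                ops.append(("PATCH", f"/Users/{username}", {"active": False}))
                account["active"] = False
            continue
        if not account["active"]:
            ops.append(("PATCH", f"/Users/{username}", {"active": True}))
            account["active"] = True
        drift = {k: v for k, v in app_attributes(username).items() if account.get(k) != v}
        if drift:
            ops.append(("PATCH", f"/Users/{username}", drift))
            account.update(drift)
    return ops


if __name__ == "__main__":
    crm = {"carol": {"active": True, "userName": "carol", "department": "Sales"}}  # stale account
    print(jit_login("crm", crm, "alice"))  # created
    print(jit_login("crm", crm, "bob"))    # denied: bob is not in the sales group
    print(scim_reconcile("crm", crm))      # deactivates carol, who is no longer active in the directory
```

Deactivating rather than deleting on deprovisioning is the usual SCIM practice: it closes access immediately while preserving the account's data and audit trail, and a later reconciliation can re-enable it if the user returns to the group.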
JumpCloud Directory Platform + True Single Sign-On™
If you landed on a holistic, core cloud directory/SSO platform as your solution of choice — check out the JumpCloud Directory Platform. JumpCloud offers SSO, among many other capabilities like MFA, MDM, IGA, PAM, and more. We refer to our SSO solution as True Single Sign-On™ — it allows users to securely authenticate to virtually any IT resource they need access to, including systems, web apps, legacy apps, networks, and more, with one set of credentials.
Try our SSO Solution Free
Test out JumpCloud’s modern, simplified IAM solution with True SSO, and see if it’s right for your organization! Create a JumpCloud Free account to access the entirety of the platform for free, up to 10 users and 10 devices. Along with that, enjoy 24×7 in-app support — free for the first 10 days!