As web applications proliferate, IT admins seek single sign-on (SSO) solutions to connect their end users to those applications securely and efficiently. This SSO buying guide examines common baseline factors admins should consider before purchasing a solution that will be a central part of their identity management operations.
What to Consider When Buying SSO
SSO solutions exist either layered on top of or integrated with an organization’s core directory, or identity provider (IdP). They introduce efficiencies not only for admins but also for end users. With SSO, end users only have to remember one password to access a web-based portal of their applications.
Although each company’s unique environment ultimately dictates the best SSO solution, a set of factors benefit most companies.
Factors to consider when selecting an SSO solution include:
- Authentication via SAML
- Pre-built and custom connections to SAML apps
- Authentication via LDAP
- Group-based control
- Multi-factor authentication
- JIT and SCIM provisioning
- Pricing and testing
Let’s explore what each of these entails.
Authentication via SAML
At a fundamental level, any viable SSO solution needs to support SAML authentication to applications because of its ubiquity in web applications.
SAML, or Security Assertion Markup Language, was created in the early 2000s and allows for authentication to web applications without the use of passwords. With SAML, service providers (i.e. Salesforce, GitHub, Slack, or other applications) communicate with identity providers (i.e. core directory/SSO providers) securely backed by certificate trusts.
This method of authentication is more secure than entering a username and password for each application because end users don’t enter their credentials across an array of third-party websites — thereby centralizing and simplifying their login process. Admins can also add and remove application access more easily, enhancing their workflow, too.
Pre-Built and Custom Connections to SAML Apps
Another key feature of an ideal SSO solution is the inclusion of pre-built and custom connections to SAML applications.
Pre-built connections reduce the setup work for admins and should include popular applications like G SuiteTM, O 365TM, or Zoom®. These connectors reduce the number of attributes admins have to fill out manually to establish a link, and they make it easier to populate user attributes in each application.
Custom connections require more setup work to connect applications to the core directory. However, they enable flexibility in connecting to most, if not all, SAML-based applications on the market or those that are homegrown. With them, admins ensure efficient and secure connections for their end users regardless of their application suite.
Authentication via LDAP
An SSO solution that authenticates via both SAML and LDAP covers a wider range of applications and provides a more comprehensive experience for admins and end users. Solutions that are SAML-only exclude legacy and technical applications to the detriment of both admins and end users.
Plus, if the solution offers LDAP-as-a-Service, admins avoid the work and maintenance of spinning up and maintaining on-prem LDAP servers and instead reap the benefits of cloud-hosted LDAP.
A worthwhile SSO solution should feature group-based access control by which IT admins can restrict or administer access to both SAML and LDAP applications by group. For example, the sales department will need a largely different set of applications than the engineering department. As such, that department would be made its own group with access permissions exclusive to it, while other departments would be managed the same way.
In some SSO solutions, admins can upload XML metadata files via PowerShell to populate connector attributes for applications — another way to streamline the process of establishing connections with applications. Examples of attributes that could be passed along include user roles and departments.
Access controls also increase security because they ensure access to each application isn’t universal across a company. They prevent cross-contamination, so to speak, which also limits the possibility of users linking or modifying information in a damaging way.
In selecting an SSO solution, IT admins should seek one that enables multi-factor authentication.
Even more than password complexity or rotation requirements, MFA guards against the majority of data breaches. Even if a bad actor steals credentials, MFA serves as an additional and powerful roadblock to protect company resources and data.
MFA is especially essential in this case because SSO enables end users to access all their applications via a single portal, and that portal should be guarded closely to balance the ease of access to applications for end users with the need for security.
JIT and SCIM Provisioning
Just-in-Time (JIT) and System for Cross-domain Identity Management (SCIM) provisioning allow for additional automation of IT workflows.
With JIT provisioning, the SSO provider automatically creates a user’s account in an app the first time the user attempts to log in to that app. The SSO provider knows which user attributes the app requires and pushes them to it, rather than the user or IT admin filling out the requisite forms manually.
SCIM provisioning goes further, and it automates both provisioning and deprovisioning of user accounts in applications and maintains ongoing synchronization between the core directory and the applications.
Some SSO providers supply these types of provisioning for an extra charge, while others include them for free. We’ll explore pricing further in the following section.
Pricing and Testing
Another factor in determining the best SSO solution for an organization is cost. In some solutions, different features (like JIT and SCIM provisioning) add to the cost, while others take a more holistic approach. Admins should use their organization’s unique needs to guide whether an à la carte or more complete solution is the most optimal.
Additionally, admins should consider whether the solution will be layered on top of their existing on-prem directory — like Microsoft® Active Directory® (AD) — or integrated with a cloud directory service. In the case of maintaining AD, they’ll need to factor in the costs of hardware and client access licenses in addition to the cost of the SSO solution.
Some SSO solutions offer free trials, which are beneficial for testing and assessing whether the solution is the right fit.
Various analysts and review sites provide helpful comparisons between SSO solutions based not only on price but also on features such as ease of use and others.
True Single Sign-On
Another option to consider, beyond web application SSO solutions, is an identity provider that enables SSO not only for applications but also for systems, files, and networks. True Single Sign-OnTM creates a single, secure identity for access to virtually all IT resources.
Through a cloud identity provider, it’s possible for an end user to leverage one set of secure credentials to access their resources — including applications, as well as systems, networks, and more.
If you’re interested in learning more or fine-tuning your decision, check out the “Business Case for Single Sign-On” to discover the benefits that various SSO solutions provide. Feel free to give our team of experts a shout, too, if you’d like to learn more.