How to Choose the Best Single Sign-on (SSO) Solution for your Enterprise

When it comes to selecting a single sign-on solution for your organization, not all solutions are created equal. Choosing the best workforce SSO solution depends on your IT environment and user base.

Some SSO solutions control authentication for users accessing resources from desktops in a single security domain. Others provide universal SSO across complex hybrid environments that include legacy on-premises, cloud-based and software-as-a-service (SaaS) applications. SSO solutions can act as an authentication authority. They can be used for many identity types and use cases, from cloud to on-premises.

IBM’s Cost of a Data Breach Report 2021 found that data breach costs rose from $3.86 million to $4.24 million, an increase of 10% from the prior year. Compromised credentials were the most common initial attack vector and responsible for 20% of breaches, at an average breach cost of $4.37 million.

According to Accenture’s 2021 Cyber Threat Intelligence Report, data migration to the cloud and the advance of internet-connected devices, such as Internet of Things (IoT) objects, switches and routers control data flowing in and out of the organization, increase the risk of cyberattacks. The report also highlights that in multiple ransomware attacks in 2020, data was destroyed rather than encrypted.

We'll explain the fundamentals of single sign-on (SSO) and provide criteria to help you choose the best SSO solution for your business.

Single sign-on (SSO) is an authentication solution that allows users to login to their applications and services with a single set of credentials. Without SSO, employees have to create sign-on credentials for every app, sign in multiple times, and remember numerous passwords. SSO streamlines the process by giving employees secure, one-click access from any device. By reducing the number of usernames and passwords users need to remember, the overall user experience is improved. This also increases data security.

With users signing on from a variety of devices to access on-premises, cloud and/or SaaS applications, enterprises need to provide secure single sign-on to trusted service providers, even when those apps and services are outside their firewalls or owned by third parties.

The foundation of single sign-on is the trust relationship between user, identity provider (IdP) and service provider (SP). The user has an account with an Identity Provider (IdP). Examples of IdPs include employers and telecommunications providers. These IdPs maintain a directory of users and an authentication mechanism. The SP can be a website, application or service.

The first time the user signs on, the username and password are sent to the IdP for authentication. The authentication server checks the user's credentials with the directory data. Once verified, an SSO session is initiated on the user's browser. When the user requests access to websites, apps and other SPs, the user’s identity is verified behind the scenes. Using identity standards, such as Security Assertion Markup Language (SAML), OAuth and OpenID Connect (OIDC), encrypted tokens are transmitted securely between the IdP and SP to indicate the user has already been authenticated and has permission to access their services.

Many enterprises have trust relationships with numerous service providers that employees need to access. They may also have multiple identity providers that business units or partners use to sign on. For large enterprises, a flexible federation hub to provide SSO between IdPs and SPs, no matter how they’re configured or what standards they use, can be appropriate.

SSO solutions go beyond workforce applications. SSO can also be used for customers and partners.

Workforce

An employee can access their corporate email account by logging in with their email address and password. They can then access other applications without needing to provide any additional credentials. Access to internal and external applications needed for work is streamlined, such as instant messaging, sales data, and the intranet. This simplifies the process and increases productivity while reducing frustration. 

Partner

A retailer can grant secure access to data for its partners. They must log into an application dock once. After that, they can access all the apps and services enabled by the retailer without needing to log in again.

Customer

A credit card customer can log into their account to check a variety of things. They can view their balance, review prior statements, pay their bill and check their credit score. Additionally, they can use their accumulated points for travel, even if these services are on separate applications By not forcing customers to log into each application separately, customer satisfaction is increased.

An organization’s needs and budget can be used to determine the best single sign-on vendor and solution. A holistic approach balances user expectations, IT objectives and business objectives. A sample of evaluation criteria by group includes:

Employee Requirements

• What is the overall user experience? Is the login experience consistent? 

• Can users access the portal via an application on their phone or tablet? 

• Does the solution offer a strong/multi-factor authentication (MFA) solution that is easy to use?

• Does the single sign-on vendor offer self-service registration and account management mechanisms?

   

IT Requirements

• Can the SSO solution support hybrid deployments (on-premises and cloud-based)?

• Is it a cloud services (IDaaS offering) or on-premises SSO offering? 

• Does the solution support all of the relevant standards including SAML, OAuth and OpenID® Connect?

• Does the vendor support multiple second-factor and MFA solutions?

   

Business Requirements

• How do the vendor and solution rank with analysts such as Gartner, Forrester and KuppingerCole?

• Does the vendor's technology platform and pricing make it easy to upgrade from workforce SSO? Will this upgrade support additional enterprise IAM use cases? Would these use cases be applicable for employees, partners, and customers?

• Is the vendor considered a thought leader that is driving the identity market toward open standards?

• What is the vendor’s customer satisfaction rating (independently verified)?