Single sign on (SSO) software saves time while making security easier to manage. Like many technologies, though, whether you actually get those benefits depends on the details. Choose the wrong single sign on software and you will face expensive implementation and customization projects. To guide you toward a good choice, consider the different categories of software on the market.
Note: These are flexible categories and a given product may fit into more than one category. In addition, as you develop key selection criteria, avoid making a selection mainly on the basis of software category. The first two categorizations were developed by Randall Gamby in his article Types of SSO.
End User Vs Organizational Focus for SSO
End-user identity and access management
As the name implies, this software category focuses on the end user experience. The single sign on interface is connected to multiple applications across your organization. This category may be a good solution if you have relatively few applications. If you have a highly complex organization, consider the next category of single sign on software instead.
Organizational Single Sign On
This category of SSO software focuses on the organization’s perspective rather than end users. When a user requests access to a given resource, a central single sign on service authenticates the user and passes the result on to that resource, so authentication policy is set and enforced in one place. This approach is a good choice if you have a strong corporate identity and a common user experience across applications. For example, if you buy software from other companies and “white label” it with your branding, this approach may be good for you.
Standards Focused SSO Software
Focusing on authentication standards is a different way to look at the SSO software market. Why do standards matter? In some industries, such as financial services, auditors regularly audit you against standards. Therefore, demonstrating consistent compliance with the standards chosen by the organization is helpful. Zach Dennis’s perspective on SAML vs OAuth2 informed our approach to this section.
SAML 2.0 (Security Assertion Markup Language 2.0)
This is an XML-based open standard focused specifically on exchanging authentication and authorization data (assertions) between an identity provider and a service provider. SAML 2.0 was ratified as an OASIS standard in 2005 following input from more than twenty companies. As a well-established standard, SAML is integrated into a wide variety of single sign on software products. If you are required to use the SAML 2.0 standard, choose accordingly. Unfortunately, SAML 2.0’s common profiles are built around browser redirects and form POSTs, which suits web applications but not native mobile apps. If you have native mobile apps in your organization, relying on SAML 2.0 based SSO software will leave you with a gap that you must close by wrapping a browser-based flow or adding a second protocol.
Tip: Technical considerations matter, but they are not the entire story. For example, take your time in assessing a vendor’s industry experience, because that makes a difference in a successful implementation.
OAuth2 Single Sign On Software
In contrast to SAML 2.0, OAuth2 (OAuth 2.0, published as RFC 6749 in 2012) is the newer standard. Strictly speaking, OAuth 2.0 is an authorization framework for delegating access to APIs rather than an authentication protocol; single sign on built on it is normally provided by OpenID Connect, which adds an identity layer (an ID token) on top of the OAuth 2.0 flows, so a product that advertises “OAuth2 SSO” should be checked for OpenID Connect support. Unlike SAML 2.0, OAuth2 directly supports native mobile applications. However, the relative youth of the standard, and the latitude it leaves to implementers, make it harder to use in single sign on software. Why? There is less industry knowledge and experience with spelling out the details of how the standard should be implemented in practice, and products differ in details that matter for security. That said, several major firms, including Google, Facebook and Twitter, rely on the standard each day, so it is a major standard.
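As an added example (not code from the original article or from any product it describes), the following Python shows the mechanism that makes OAuth 2.0 workable for native mobile apps: the authorization code flow with PKCE (RFC 7636) plus a state parameter, with the client-side steps and the check the authorization server performs at the token endpoint. The endpoint URL, client ID and redirect URI are placeholders, the server side is simulated in memory, and the RFC 7636 Appendix B test vector is used to confirm the S256 transform.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for illustration only (not real endpoints or clients).
AUTHZ_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "mobile-app-example"
REDIRECT_URI = "http://127.0.0.1:8080/callback"   # loopback redirect, as RFC 8252 recommends


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Fresh high-entropy verifier: 32 random bytes -> 43 characters (the RFC minimum)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(verifier: str, state: str) -> str:
    """Client side, step 1: the URL the app opens in the system browser."""
    params = {
        "response_type": "code",      # authorization code flow, never 'token' (implicit)
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",    # 'openid' makes this an OpenID Connect login
        "state": state,               # binds the redirect back to this client session
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_redirect(redirect_url: str, expected_state: str) -> str:
    """Client side, step 2: accept the redirect only if state matches; return the code."""
    qs = parse_qs(urlparse(redirect_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response not bound to this session (possible CSRF)")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    return qs["code"][0]


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server, token endpoint: recompute the challenge from the presented verifier.

    The server stored (challenge, method) with the code when it issued it, so a party that
    intercepted the code on the device cannot redeem it without the original verifier.
    """
    if stored_method != "S256":                 # refuse the weaker 'plain' method
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def demo_flow() -> bool:
    """Run the whole exchange locally with a simulated authorization server."""
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_request(verifier, state)

    # Simulated server: records the challenge beside the issued code, then redirects back.
    req = parse_qs(urlparse(url).query)
    issued_code = "code-" + b64url(secrets.token_bytes(8))
    stored = (req["code_challenge"][0], req["code_challenge_method"][0])
    redirect = f"{REDIRECT_URI}?{urlencode({'code': issued_code, 'state': req['state'][0]})}"

    code = handle_redirect(redirect, state)
    # Token request: the client presents code + verifier; the server checks the stored challenge.
    return code == issued_code and server_verify_pkce(stored[0], stored[1], verifier)


if __name__ == "__main__":
    print("PKCE exchange succeeded:", demo_flow())
```

When evaluating an OAuth2-based product for mobile use, the questions this example raises are the ones to ask the vendor: does it issue codes (not tokens) to public clients, does it require S256 and reject "plain", and does it honour state on the way back.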
Note: If technical standards ARE critical to you, add them to your evaluation process along with these 8 technical compatibility factors.
Custom-Built SSO Software
This last category is a broad one that covers everything else in the market. For example, if your organization has built an internal solution, it is best described as custom-built. The major disadvantage of custom solutions lies in maintenance: you have to sustain internal capabilities, including employees who understand how to maintain and patch the application. If you choose this path, think through how your organization would sustain the solution over years, not just through the initial build.
Tip: Are you considering asking information security to build custom single sign on software for your organization? While that is an option, remember the opportunity cost. There will be fewer resources available for IT security training, cybersecurity incident response, and other priorities.
Which Single Sign On Software Should You Choose?
While there is value in considering technical standards, that is not the most important factor in choosing single sign on software. Instead, focus on the business goals you can achieve. For example, if users are complaining about productivity-killing administrative tasks, emphasize automation. If you’ve had audit findings recently, emphasize reporting capabilities.