Best tools for single sign-on

It has been a few years since we last looked at single sign-on products; the field has gotten more crowded and more capable.

Single mindedness

Since we last looked at single sign-on products in 2012, the field has gotten more crowded and more capable. For this round of evaluations, we looked at seven SSO services: Centrify’s Identity Service, Microsoft’s Azure AD Premium, Okta’s Identity and Mobility Management, OneLogin, Ping Identity’s PingOne, SecureAuth’s IdP and SmartSignin. Our Clear Choice test winner is Centrify, which slightly outperformed Okta and OneLogin.

Centrify Identity Service

Centrify has put together a solid single sign-on tool that also has some terrific mobile device management features. If you are in the market for both kinds of products, this should be on your short list. The admin user interface is well thought-out. Setup was quickly accomplished. Multi-factor authentication settings are located in the policy tab for users and in the apps tab for individual apps. The MFA choices are numerous, including email, SMS texts and phone calls, and security questions. Centrify comes with dozens of canned reports, plus the ability to create your own using custom SQL queries.

Microsoft Azure Active Directory Access Control

Earlier this year Microsoft added Azure Active Directory to its collection of cloud-based offerings. It is difficult to set up because you tend to get lost in the hall of mirrors that is the Azure setup process. It is still very much a work in progress and mainly a developer’s toolkit rather than a polished service. But clearly Microsoft has big plans for Azure AD, as its new Windows App Store is going to rely on it for authentication. If you already are using Azure, then it makes sense to take a closer look at Azure AD. If you are looking for a general-purpose SSO portal, then you should probably look elsewhere.

Okta Identity and Mobility Management

Okta tied for first place in our 2012 review and it remains a very capable product. Okta’s user interface is very simple to navigate. Okta has beefed up its multi-factor authentication functionality. It now offers a mobile app, Okta Verify, as a one-time password generator. It also supports other MFA methods. Okta has its own mobile app that can provide a secure browsing session and allow you to sign in to your apps from your phone. It contains some MDM functionality, although it is not a full MDM tool. Reports have been strengthened as well, but reports show only the last 30 days.

OneLogin

OneLogin was the other co-winner of our 2012 review and while it is still strong, its user interface has become a bit unwieldy. OneLogin has numerous SAML toolkits in a variety of languages to make it easier to integrate your apps into its SSO routines. It also has specific configuration screens to set up a VPN login and take you to specific apps. OneLogin’s AD Connector requires all of the various components of .NET Framework v3.5 to be installed. Once that was done, it was a simple process to install their agent and synchronize our AD with their service. OneLogin has 11 canned reports and you can easily create additional custom ones.

Ping Identity PingOne

Ping began as an on-premises solution with PingFederate, but now offers cloud-based PingOne, web access tool PingAccess and OTP soft token generator PingID. Multi-factor authentication support is somewhat limited in PingOne. You can use PingID or SafeNet’s OTP tokens. If you want more factors, you have to purchase the on-premises PingFederate. Reports are not this product’s strong suit. The dashboard gives you an attractive summary, but there isn’t much else. Ping would be a stronger product if it consolidated its various features and focused on the cloud as a primary delivery vehicle. If that isn’t important to you, or if you have complex federation needs, then you should give them more consideration and look at PingFederate.

SecureAuth IdP

Of the products we tested, SecureAuth has the most flexibility and the worst user interface, a combination that can be vexing at times. SecureAuth is the only product tested that has to run on a Windows Server. The interface is supposed to get a refresh later this year, but the current version makes it easy to get lost in a series of cascading menus. The real strength of SecureAuth always has been its post-authentication workflow activities. SecureAuth’s MFA support is strong, featuring a wide selection of factors and tokens to choose from. This is a testimonial to its flexibility.

PerfectCloud SmartSignin

SmartSignin has been acquired by PerfectCloud and integrated into its other cloud-based security offerings. The company now supports seven identity providers (including Amazon, Netsuite and AD) with more on the horizon and more than 7,000 app integrations. The identity providers make use of SAML or other federated means, and come with extensive installation instructions. This is a little more complex than some of its competitors. When it comes to MFA support, SmartSignin is the weakest of the products we reviewed. It is working on other MFA methods, including SMS and voice, but didn’t have them when we tested. Also, MFA is just for protecting your entire user account; there is no mechanism for protecting individual apps.