Review: Single sign-on tools offer impressive new capabilities

Centrify edges Okta and OneLogin in seven-vendor shootout.


Since we last looked at single sign-on products in 2012, the field has gotten more crowded and more capable. A number of new vendors have come to ply their wares, and a number of old vendors have been acquired or altered their products.

For this round of evaluations, we looked at seven SSO services: Centrify’s Identity Service, Microsoft’s Azure AD Premium, Okta’s Identity and Mobility Management, OneLogin, Ping Identity’s Ping One, Secure Auth’s IdP and SmartSignin. In addition to these products, we also looked briefly at AVG’s Business SSO.


Several vendors declined to participate, including NetIQ, WSO2, Covisint, CA, Janrain, RSA, Radiant Logic, SalesForce and Sailpoint. We also did not focus on open-source identity management tools or consumer-grade products, like LogMeIn.

Here are our overall conclusions:

-- First, products have expanded their support for additional authentication factors. Three years ago, one additional factor was about what you could expect beyond user name and password. Now all of the products have solid multifactor authentication (MFA) protection. Okta and Centrify have even created their own one-time password mobile apps. SecureAuth, Okta, Ping and Centrify can require MFA for particular applications as part of a risk-based authentication approach. This makes SSO a powerful protective tool and can make logins much more secure than relying on individual users to choose their own passwords.

-- Second, as Gartner analysts recently pointed out, the vendors are moving towards integrating mobile device management (MDM) as part of their identity service offerings. Gartner sees a bright future when the two types of products are better integrated, and we agree. While not yet as capable as a true MDM tool, SSO tools such as Okta, Ping and Centrify have a better mobile focus and could be a good choice if you want to protect your mobile endpoints with more than just their login passwords, but don’t want to purchase a separate MDM solution.

-- Third, when we looked at these products in 2012, most were just moving into the cloud. Now, all but SecureAuth are focused on their cloud-based solutions. Vendors typically supply two URLs: one for users for a common login to their apps, and another one for IT administrators for management tasks. This means these products have only a small footprint for their on-premises software, mostly for handling Active Directory synchronization and browser extensions.

-- Next, these products have deepened their support for multiple identity management providers. Vendors have also gotten more serious about publishing their own identity APIs and SDKs. That, along with the ability to reach into the Active Directory schema, means it is now easier to automatically provision hundreds of users at once with very little operator intervention. This makes SSO tools especially useful if you have to onboard a lot of staff quickly.

-- Finally, almost all of the products now support thousands of applications for their automated sign-on routines and some come with catalogs that you can browse to find your particular apps. Overall the products are getting easier to install and integrate into your existing collection of apps and servers.

Our Clear Choice test winner is Centrify, but not by much. It slightly outperforms the others in terms of features and reports. Both Okta and OneLogin (our winners from 2012) aren’t far behind. The others fall somewhat below these in terms of features, documentation or usability.

Here are the individual reviews:

Centrify Identity Service

Centrify has put together a solid SSO tool that also has some terrific mobile device management (MDM) features. If you are in the market for both kinds of products, this should be on your short list. It outscored the other tools, although not by much in some cases.

As a side note, Centrify sells a version of its SSO software to several vendors, including Samsung and AVG. (See sidebar on AVG.)

The admin user interface is well thought-out, with tabs clearly labeled for apps, policies, and devices, among others. Setup was accomplished within a few minutes. The hardest parts were getting the MFA features and Active Directory integration working, neither of which was difficult once we understood what the product wanted from us.

Centrify has been in the Active Directory space for several years and its integration is fairly seamless. Once you download the connector and install it on your Windows Server, there isn’t much left to do. You can set up active/active redundant support for a second Active Directory server by simply installing a second or third connector: the connectors load-balance Active Directory authentication requests among themselves and automatically fail over if there is a connection issue. It supports Windows Server versions back to the 64-bit 2003 vintage. It also supports Integrated Windows Authentication, so you can sign into your local Windows desktops and apps.

In addition to Active Directory, Centrify also supports LDAP, SAML, and other identity providers. Adding a new one is very straightforward, once you find the menu options to set everything up. Browser extensions are available from a drop-down menu on the top right, and you just click on the appropriate one for your browser to download.

MFA settings are configured in the policy tab for users and in the apps tab for individual apps. Both share the same set of screens, which offer different features depending on the OS type: one set for OS X, another for iOS, and so forth. This is somewhat inconvenient and means you have to enter some of the same information multiple times. The MFA choices are numerous: you can specify whether a second factor should be required when a login comes from outside the normal corporate IP address space or from a machine that has never used Centrify’s SSO before (detected through the absence of a browser cookie). Available factors include email, SMS texts, phone calls, and security questions. More importantly, you can turn off MFA for a few minutes to let a forgetful user log in and reset their account, a nice touch.
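The risk-based MFA triggers described above (login from outside the corporate address space, a device with no prior SSO cookie, an app flagged as always requiring MFA, and a short administrator-granted bypass) can be modelled as a small policy evaluator. This is an added example, not code from the article or from Centrify; the CIDR ranges, app names and the five-minute bypass window are assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample data: corporate address space and apps that always need MFA.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("203.0.113.0/24")]
APPS_REQUIRING_MFA = {"payroll", "vpn-admin"}
SAMPLE_NOW = datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=6)   # after a 5-minute bypass expires


@dataclass
class LoginContext:
    user: str
    app: str
    source_ip: str
    has_device_cookie: bool   # True if this browser completed SSO before
    now: datetime


@dataclass
class MfaPolicy:
    networks: list
    mfa_apps: set
    bypass_until: dict = field(default_factory=dict)  # user -> bypass expiry

    def grant_bypass(self, user: str, now: datetime, minutes: int = 5) -> None:
        """Admin switches MFA off briefly so a locked-out user can log in and reset."""
        self.bypass_until[user] = now + timedelta(minutes=minutes)

    def reasons(self, ctx: LoginContext) -> list[str]:
        """Risk signals that call for a second factor; empty means password alone is enough."""
        expiry = self.bypass_until.get(ctx.user)
        if expiry is not None and ctx.now < expiry:
            return []
        found = []
        try:
            addr = ipaddress.ip_address(ctx.source_ip)
            if not any(addr in net for net in self.networks):
                found.append("outside corporate IP space")
        except ValueError:
            found.append("unparseable source address")   # treat as untrusted
        if not ctx.has_device_cookie:
            found.append("device never used SSO before")
        if ctx.app in self.mfa_apps:
            found.append(f"app {ctx.app!r} always requires MFA")
        return found

    def requires_mfa(self, ctx: LoginContext) -> bool:
        return bool(self.reasons(ctx))
```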

Centrify will prompt new users to add one (and only one) security question. There is also support for Centrify’s OTP feature that is built into its smartphone app. Missing is support for third-party OTP tokens that some of the other tools have.

Speaking of the mobile app, it is a full MDM solution and not just an OTP generator like some of its competitors. You can remotely wipe the device, put policies in place for requiring a device PIN, and set up other things that you would expect on a traditional MDM product.

Centrify comes with dozens of canned reports that cover the waterfront, along with the ability to create your own using custom SQL queries. Its documentation is available online and presents the basics for getting started.

Centrify has a large collection of apps and admins can add new ones into its password vault by logging into the app from a browser. There are 17 different entries for various Google-related apps, including UK and Japanese versions, only one of which is SAML provisioned. Its Web app gateway can handle internal Web server links very cleverly, without the need to connect up via VPN or poke holes in your firewall.

Centrify’s pricing is very transparent. There are two versions of the service: App for $4 per user per month and App+ for $8. If you want support for Apple-based devices, add another $2 a month.

Microsoft Azure Active Directory Access Control

Earlier this year Microsoft added Azure Active Directory to its collection of cloud-based offerings. It is difficult to set up because you tend to get lost in the hall of mirrors that is the Azure setup process: the Active Directory services haven’t yet been integrated into the main Azure management portal, and different bits of Azure functionality come with different menu collections that aren’t easily navigated from one place to another.


But once you have it working you can see that it is designed mostly for supporting cloud-based apps that you have created using federated identity by exchanging various certificates. It is still very much a work in progress and mainly a developer’s toolkit rather than a polished service. But clearly Microsoft has big plans for Azure AD, as its new Windows App Store is going to rely on it for authentication.

Azure AD supports several identity providers, including Windows Live ID, Facebook, Google, Yahoo, JSON Web Tokens, OpenID, SAML, and WS-Fed. Getting this set up will require careful study of a series of documents on MSDN. It also comes with a downloadable AD Connector that installs various pieces of software, including a local SQL Server, on a local Windows AD forest.

Like some of the other products, Azure AD has a SaaS app catalog that you can browse to add SSO, and a search for Google brings up more than a dozen references. You then add it to your portal page with a simple three-step process to enable the sign-on relationship, enable automatic provisioning and assign particular users to that app.

Administrators have three choices on how the sign-on happens: by establishing a federation between Azure and the app service provider, by having Azure store the user’s account credentials, or by using some other existing SSO relationship. There are more than a dozen different reports, including account provisioning activity, irregular sign-ons, and sign-ons from multiple locations.

An additional piece to Azure AD is the Cloud App Discovery. This downloads an agent to Windows 7 and 8 PCs and allows you to inspect network traffic to determine which SaaS apps they are accessing.

Azure AD Premium has MFA and relies on the former PhoneFactor MFA server, which is a separate Windows application but has now been integrated with the overall Azure service. It is far more limited than the other vendors’ MFA tools, although it does offer a one-time bypass feature if a user is locked out of their account. The MFA feature is available for $1.40 per month per user with unlimited authentications, if you don’t have the Premium subscription. It can be deployed as an on-premises server or in the Azure cloud and it works with numerous non-Microsoft SaaS apps.

If you already are using Azure for other purposes, then it makes sense to take a closer look at what Azure AD will buy you and whether your developers can incorporate its SSO tools into your homegrown apps. If you are looking for a general purpose SSO portal that you can deploy for a wide variety of SaaS-based applications, then you should probably look elsewhere.

Azure AD has three pricing options. The free version is included with an Azure or Office 365 subscription and can provide SSO for up to 10 apps per user. There are also basic and premium subscription levels (the latter for unlimited apps that also includes the SSO for no extra charge, which is probably the preference for most enterprises) that are covered by various Microsoft corporate purchase agreements or online for $6 per user per month.
