Saturday, 13 April 2013

Comparing Cloud Enterprise SSO

There are a few very strong players currently in the Enterprise Single Sign On space, and there are some Up and Comers. Which tier fits depends on your scale, your platform mix and how much of the federation plumbing you are prepared to build and run yourself.

If you want a maintenance-free, five-nines solution, where the Identity Service Provider has a strong relationship with an array of the current Cloud Service Providers, you need to empower your end users from ANY device anywhere in the world, and you still have legacy applications that you want to leverage, then I highly recommend that you stay with The Strong Players.

If you are a small to medium sized shop, geographically localized, have a handful of cloud services on your roadmap, and have relatively homogeneous platform requirements (i.e. you are a Windows-only shop), then the Up and Comers category may fit the bill.

Finally, if you have a strong development team, you run all of your own infrastructure, you have not made a commitment to Cloud Service Providers, but do have a few services that you need access to, then you might want to look at the Build Your Own Federation Toolsets.

Microsoft has gone to great lengths to make ADFS look like a Single Sign On strategy, but again, unless you want to build everything yourself and base it on an existing Active Directory, this is simply a toolset. For any useful integration with non-Microsoft infrastructure such as plain LDAP (any LDAP provider other than Microsoft), you need to supply third-party connectors.

As far as a holistic view of cloud-based authentication and security goes, only Okta and Symantec O3 seem to have thought through the endpoint connectivity issues. Both can proxy authenticated traffic to your corporate backend without requiring a traditional VPN client. Regardless of the endpoint device (corporate or personal, laptop or tablet...), they still perform granular NAC validation and present an application view specific to your credentials and the device/location you are coming from.
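The "application view specific to your credentials and the device/location" described above is a policy decision taken after authentication. The following is an added example (not code from the original post or from Okta, Symantec or any other vendor it describes) of such a policy engine: it combines the claims the identity provider asserted (group membership), the device posture and the source country, and returns allow, deny, or step-up (allow once a second factor is presented). Group names, application names, countries and the policy rules are constructed for the example.

```python
"""Device- and location-aware application access decisions.

Added example, not code from the original post or from Okta, Symantec or
any other vendor it describes. Group names, application names, countries
and the policy rules below are all constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


class DeviceTrust(Enum):
    """Device posture, ordered from least to most trusted."""
    UNKNOWN = 0    # no posture information (e.g. unregistered browser)
    PERSONAL = 1   # registered BYOD device, not under corporate management
    MANAGED = 2    # corporate-enrolled, compliant device


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # allowed once a second factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """Everything the policy engine knows about one access attempt."""
    user: str
    groups: FrozenSet[str]        # claims asserted by the identity provider
    device: DeviceTrust
    mfa_satisfied: bool
    country: str                  # derived from source address: a weak signal, never a sole gate


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: FrozenSet[str]                      # user needs at least one
    min_device: DeviceTrust                             # lowest posture permitted at all
    mfa_below: Optional[DeviceTrust] = None             # require MFA when posture is below this
    allowed_countries: Optional[FrozenSet[str]] = None  # None = anywhere


def evaluate(policy: AppPolicy, ctx: AccessContext) -> Tuple[Decision, str]:
    """Deny by default; every condition must hold for ALLOW."""
    if not (policy.allowed_groups & ctx.groups):
        return Decision.DENY, "user holds none of the required groups"
    if ctx.device.value < policy.min_device.value:
        return Decision.DENY, f"device posture {ctx.device.name} below {policy.min_device.name}"
    if policy.allowed_countries is not None and ctx.country not in policy.allowed_countries:
        return Decision.DENY, f"access from {ctx.country} not permitted"
    if (policy.mfa_below is not None
            and ctx.device.value < policy.mfa_below.value
            and not ctx.mfa_satisfied):
        return Decision.STEP_UP, "second factor required from this device"
    return Decision.ALLOW, "all conditions met"


def application_view(policies: Iterable[AppPolicy], ctx: AccessContext) -> Dict[str, Decision]:
    """The per-user launchpad: apps the user may open now or after step-up."""
    view: Dict[str, Decision] = {}
    for policy in policies:
        decision, _ = evaluate(policy, ctx)
        if decision is not Decision.DENY:
            view[policy.app] = decision
    return view


# Constructed policies for the example.
POLICIES = (
    AppPolicy("expenses", frozenset({"staff"}), DeviceTrust.UNKNOWN, mfa_below=DeviceTrust.MANAGED),
    AppPolicy("hr-payroll", frozenset({"hr"}), DeviceTrust.MANAGED, allowed_countries=frozenset({"CA", "US"})),
    AppPolicy("source-control", frozenset({"engineering"}), DeviceTrust.PERSONAL, mfa_below=DeviceTrust.MANAGED),
)

if __name__ == "__main__":
    alice = AccessContext("alice", frozenset({"staff", "engineering"}), DeviceTrust.PERSONAL, False, "CA")
    for app, decision in application_view(POLICIES, alice).items():
        print(f"{alice.user}: {app} -> {decision.value}")
```

The engine is deny-by-default and checks the strongest signals first (group claims, device posture) before the weaker ones (geography, which is inferred from the source address and should only ever tighten a decision). The step-up outcome is what lets a personal tablet see the expenses app without letting it in on a bare password.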

The Strong Players: (in their own words)

Okta
Okta is an enterprise grade identity management service, built from the ground up in the cloud and delivered with an unwavering focus on customer success.
With Okta IT can manage access across any application, person or device. Whether the people are employees, partners or customers or the applications are in the cloud, on premises or on a mobile device, Okta helps IT become more secure, make people more productive, and maintain compliance.
The Okta service provides directory services, single sign-on, strong authentication, provisioning, workflow, and built in reporting. It runs in the cloud on a secure, reliable, extensively audited platform and integrates deeply with on premises applications, directories, and identity management systems.

Aveksa
Taking a business-driven, rather than an IT-driven approach to identity and access management (IAM) fundamentally changes how organizations approach their IAM challenges, and dramatically improves the value they can obtain.

Specifically, with business-driven identity and access management solutions, companies can empower the business owners to take ownership of identity and access control, provide consistent, full business context across Identity and Access Management systems, connect to the full set of key applications and data resources, and significantly lower the total cost of ownership while scaling to modern enterprise environments.

Symantec O3
Symantec O3 is a unique cloud security platform that provides single sign-on and enforces access control policies across web applications. Symantec O3 helps enterprises migrate to Software as a Service (SaaS) applications while ensuring that proper risk management and compliance measures are in place to protect enterprise data and follow regulations.

Symantec O3 improves security without getting in the way of usability. With Symantec O3, end users only have to login once, across all of their web applications. It works equally well for both cloud-based and internal web application use cases.

In short, O3 enables enterprise IT to embrace the cloud while retaining visibility and control – simplifying the use of cloud applications for both enterprise IT staff and for users.

Ping Identity
Multiservice, Standalone Identity Bridge
Accommodating the most diverse and advanced enterprise use cases, PingFederate enables outbound and inbound solutions for single sign-on, federated identity management, mobile identity security, API security and social identity integration. Tier 1 SSO extends employee, customer and partner identities across domains without passwords, using only standard identity protocols (SAML, WS-Fed, OpenID).
Extending PingFederate
PingOne Identity as a Service
PingFederate can be deployed standalone or in conjunction with PingOne Cloud Access Services for faster and more flexible employee access to SaaS applications. Eliminate passwords in the Cloud by recommending PingOne Application Provider Services for SAML-enabled applications in minutes.
Integrations
Easily integrates with over 80 existing enterprise and cloud technologies including portals, web access management systems, strong authentication systems, Web application environments, custom applications, cloud identity providers and SaaS applications, eliminating lengthy integration projects and meeting tight deadlines.

Symplified
Symplified is a comprehensive cloud identity solution that enables IT and security organizations to simplify user access to applications, regain visibility and control over usage and meet security and compliance requirements.
Single Sign-On
Symplified’s Single Sign-On seamlessly and securely connects your users to applications, whether the apps are in the cloud or behind the firewall.
Employees, partners, and customers expect easy and secure access to the business applications they use on a daily basis. Symplified significantly enhances security and control for your business while providing a better user experience for your employees, thereby improving productivity and reducing help desk requests associated with multiple user accounts.
And because of Symplified’s unique architecture, you can seamlessly bridge your on premise infrastructure and applications to the cloud without the need to manage multiple systems or risk replicating sensitive user information outside your control.

The Up and Comers: (in their own words)

Centrify SSO for SaaS
Centrify's industry-standard solution delivers a single, unified architecture for sign-on.
  • For SaaS apps, Centrify addresses these challenges with true single sign-on directly to Active Directory. A cloud service facilitates secure single sign-on and controls access through a security token service, which authenticates users to the portal with Kerberos, SAML, or an Active Directory username/password; then automates logins through a one-click interface when users select from their list of authorized SaaS applications.
  • For on-premise apps, native authentication modules plug seamlessly into the underlying Centrify Agent on the managed application host systems, eliminating the need for separate authentication servers, providing single sign-on for SAP NetWeaver, Java and web applications and databases such as DB2.

Sailpoint AccessIQ

SailPoint AccessIQ delivers the convenient access to cloud, web and mobile applications that business users want, along with the controls that IT needs to minimize risk. It empowers users with an intuitive App Launchpad for one-click, single sign-on (SSO) to cloud and web applications from any device – at work, home or on the go with mobile devices. And it provides IT with the visibility and controls required to apply security policy, detect violations and ensure regulatory compliance. Application visibility also helps business units control monthly subscription expenses by promptly deprovisioning unused or unauthorized cloud application accounts.

EmpowerID: Corporate to Cloud Single Sign-on
EmpowerID SSO Manager is a Cloud Single Sign-On and Identity Federation platform that supports all of the standard identity protocols - SAML, OpenID, WS-Trust, WS-Federation, and OAuth.
SSO Manager enables employees, consumers, customers, and partners to access cloud and corporate applications using a single username and password. Federated SSO allows users who are authenticated against one directory to access additional applications and services without re-authenticating when a trust relationship has been established.
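The "trust relationship" behind federated SSO is, concretely, a set of checks the receiving application (the relying party) performs on every assertion before it lets the user in. The following is an added example, not code from the original post or from EmpowerID or any other vendor it describes: a constructed identity provider issues a signed assertion and a relying party accepts it only if the issuer is on its trust list, the signature verifies under that issuer's key, the audience is the relying party itself, the validity window holds (with bounded clock skew), and the assertion id has not been presented before. The assertion layout, the issuer and service URLs and the HMAC signature are stand-ins; real SAML uses XML-DSig with the IdP's public key, but the order and purpose of the checks are the same.

```python
"""Relying-party checks behind a federated SSO trust relationship.

Added example, not code from the original post or from any vendor it
describes. The assertion format, URLs and HMAC signature are constructed
stand-ins for a SAML assertion and its XML-DSig signature.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


class InvalidAssertion(Exception):
    """Raised when any trust check fails; the message names the check."""


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so issuer and relying party sign and verify
    # exactly the same bytes (stand-in for XML canonicalisation).
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(idp_key: bytes, issuer: str, subject: str, audience: str,
                    now: int, lifetime: int = 300,
                    attributes: Optional[dict] = None) -> dict:
    """IdP side: build and sign an assertion valid for `lifetime` seconds."""
    body = {
        "id": "_" + secrets.token_hex(16),   # unique per assertion, for replay detection
        "issuer": issuer,
        "subject": subject,
        "audience": audience,                # the one service this assertion is meant for
        "not_before": now,
        "not_on_or_after": now + lifetime,
        "attributes": attributes or {},
    }
    signature = hmac.new(idp_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


class RelyingParty:
    def __init__(self, entity_id: str, trusted_idps: Dict[str, bytes],
                 clock_skew: int = 60):
        self.entity_id = entity_id          # the audience we accept
        self.trusted_idps = trusted_idps    # issuer -> verification key (the trust relationship)
        self.clock_skew = clock_skew        # tolerance for IdP/SP clock drift, in seconds
        self._seen: Dict[str, int] = {}     # assertion id -> time it can be forgotten

    def validate(self, signed: dict, now: int) -> dict:
        body = signed.get("body", {})
        # 1. Only issuers with an established trust relationship are accepted, and
        #    the key used to verify is the one bound to that issuer.
        key = self.trusted_idps.get(body.get("issuer"))
        if key is None:
            raise InvalidAssertion("issuer not trusted")
        # 2. Integrity: nothing else in the body is believed until this passes.
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("signature", "")):
            raise InvalidAssertion("signature check failed")
        # 3. The assertion must be addressed to us, not to some other service.
        if body.get("audience") != self.entity_id:
            raise InvalidAssertion("audience mismatch")
        # 4. Validity window with bounded clock skew.
        if now + self.clock_skew < body["not_before"]:
            raise InvalidAssertion("assertion not yet valid")
        if now - self.clock_skew >= body["not_on_or_after"]:
            raise InvalidAssertion("assertion expired")
        # 5. One-time use: the same assertion is never accepted twice.
        self._forget_expired(now)
        if body["id"] in self._seen:
            raise InvalidAssertion("assertion replayed")
        self._seen[body["id"]] = body["not_on_or_after"] + self.clock_skew
        return {"subject": body["subject"], "attributes": body["attributes"]}

    def _forget_expired(self, now: int) -> None:
        # Ids need only be remembered while the assertion could still pass check 4.
        self._seen = {aid: until for aid, until in self._seen.items() if until > now}


if __name__ == "__main__":
    IDP = "https://idp.example.com"   # constructed
    SP = "https://crm.example.com"    # constructed
    key = secrets.token_bytes(32)     # shared with the IdP out of band in this stand-in
    sp = RelyingParty(SP, {IDP: key})
    token = issue_assertion(key, IDP, "alice@example.com", SP, now=1_000_000,
                            attributes={"groups": ["sales"]})
    print(sp.validate(token, now=1_000_010))
    try:
        sp.validate(token, now=1_000_020)
    except InvalidAssertion as exc:
        print("second presentation rejected:", exc)
```

The order matters: the issuer lookup selects the key, the signature check establishes that the rest of the body is genuine, and only then are audience, time window and replay state consulted. Skipping the audience check is the classic federation mistake, since an assertion an IdP issued for one service would then be honoured by every service that trusts the same IdP.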

Intel Cloud SSO
Intel Cloud SSO is an identity as a service (IDaaS) outsourced solution that removes the complexity and burden of maintaining your own identity infrastructure for user to cloud access.
By leveraging a solution backed by three trusted providers (Intel, McAfee, and Salesforce), you gain assurance that your users' cloud identity is enterprise class secure. Gone are the days of insecure password based log-ins, expensive help desk password resets, and IT managed cloud provider integrations for SSO.
Intel Cloud SSO is designed for fast, simple deployment by Salesforce or IT administrators that are not security or identity experts. By partnering with Salesforce to deploy on, we take advantage of native platform capabilities that make configuration a breeze and deliver ready connectivity to hundreds of popular cloud applications.

The Build Your Own Federation Toolsets: (in their own words)

Microsoft ADFS (a tool in the Windows Identity Foundation)
Microsoft Active Directory Federation Services 2.0 (AD FS) helps IT professionals efficiently deploy and manage new applications by
  • Reducing custom implementation work
  • Helping establish a consistent security model
  • Facilitating seamless collaboration between organizations with automated federation tools
AD FS 2.0 includes built-in interoperability via open industry standards and claims, and implements the industry Identity Metasystem vision for open and interoperable identity.

Quest ESSO
Enterprise Single Sign-on is the industry’s leading enterprise single sign-on (SSO) solution, basing application and system user logins on existing Active Directory identities. It requires no hard-to-manage infrastructure and streamlines both end-user management and enterprise-wide administration of single sign-on.

Set Up Unified Single Sign-On (SSO) for Web, Cloud and VPN Resources with SecureAuth Identity Provider™ (IdP)
Now you can minimize the number of passwords your users have to remember by providing a single logon to all on-premise web and cloud-based applications without APIs or application modifications. SecureAuth IdP abstracts user data from your native directory so multiple applications can be securely accessed simultaneously using the same credentials.
When two-factor authentication is required, you can easily add this feature to the SSO experience and the same credentials will be used to support web, cloud and VPN resources. With SSO from SecureAuth IdP, your users don’t have to juggle multiple credential sets and administrators aren’t flooded with calls to reset forgotten passwords.

FreeIPA
FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

  • FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.
  • Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single-Sign-on authentication is provided via the MIT Kerberos KDC.
  • Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally Domain Names can be managed using the integrated ISC Bind server.
  • Security aspects related to access control, delegation of administration tasks and other network administration tasks can be fully centralized and managed via the Web UI or the ipa Command Line tool.

Authentication Protocols (Claims Providers) available "Out-of-the-Box"
SAML 1.1 | SAML 2.0 | LDAP | RDBMS | OAuth | OTP/CERT | OpenID | WS-Fed | PAM | Kerberos | Custom
Okta Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Aveksa Yes Yes Yes Yes Yes Yes Yes
Symantec O3 Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Ping Identity Yes Yes Yes Yes Yes Yes Yes
Symplified Yes Yes Yes Yes Yes Yes Yes
Centrify SSO Yes Yes Yes Yes Yes Yes Yes Yes Yes
Sailpoint AccessIQ Yes Yes Yes Yes Yes Yes Yes
EmpowerID Yes Yes Yes Yes Yes Yes Yes
Intel Cloud SSO Yes Yes Yes Yes Yes Yes Yes
MS ADFS Yes Yes Yes Yes
Quest ESSO Yes Yes Yes Yes Yes Yes Yes Yes
SecureAuth Yes Yes Yes Yes Yes Yes Yes
FreeIPA Yes Yes Yes Yes Yes Yes Yes Yes

Usability Features available "Out-of-the-Box"
User Import | Self Service | Pwd Mgmt | Logical Views | Attestation | Workflow | Audit Trail | Compliance Rpts
Okta Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Aveksa Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Symantec O3 Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Ping Identity Yes Yes Yes Yes Yes Yes Yes
Symplified Yes Yes Yes Yes Yes Yes
Centrify SSO Yes Yes Yes Yes Yes Yes
Sailpoint AccessIQ Yes Yes Yes Yes Yes Yes Yes Yes
EmpowerID Yes Yes Yes Yes Yes Yes Yes
Intel Cloud SSO Yes Yes Yes Yes Yes Yes
MS ADFS Yes Yes
Quest ESSO Yes Yes Yes Yes Yes Yes Yes
SecureAuth Yes Yes Yes Yes Yes Yes
FreeIPA Yes Yes Yes Yes Yes

Security Functionality "Out-of-the-Box"
Provides Secure Gateway | Leverages existing IDM Infrastructure | Can use separate Data Store per Application | Device Aware for Mobile Access Control | Provides "Sandbox" for iOS devices | Cloud Apps
Okta Yes Yes Yes Yes "hundreds" Yes
Aveksa Yes Yes "dozens" Yes
Symantec O3 Yes Yes Yes Yes Yes "hundreds" Yes
Ping Identity Yes 10-12 Yes
Symplified Yes 4-5 Yes
Centrify SSO Yes 4-5 Yes
Sailpoint AccessIQ Yes 4-5 Yes
EmpowerID Yes 4-5 Yes
Intel Cloud SSO Yes 4-5 Yes
MS ADFS Yes 0 Yes
Quest ESSO Yes 0 Yes
SecureAuth Yes 0 Yes
FreeIPA Yes 0 Yes

Reference Material:
SAML 101 (Ping Identity)
Comparing Centrify for SaaS with Centrify Express for SaaS
Cloud single sign-on adds convenience, but does it sacrifice security?
ADFS: A Four-Letter Word to Avoid in the Enterprise.
How to add AD CLAIMS Provider Trust to an ADFS Service (requires free registration)
Microsoft Technet: Setting Up Reverse Proxy Servers
Symantec O3™ A New Control Point for the Cloud
Symantec O3: Mobile Data Container App for iOS devices
Symantec O3: How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications
Okta: Thousands of Apps 100% Pre-Integrated
Okta: Building a Well Managed Cloud Application
Aveksa: Darkreading: Aveksa Adds Authentication And Single Sign-On To Cloud-Based Identity And Access Management Platform
Ping Identity: SSO Solutions for Cloud Applications
Centrify: Single Sign-On for SaaS and Apps
Centrify: Single Sign-On for Mobile Apps
Centrify: Secure, Centralized Active Directory-Based Single Sign-On for Web Applications
Quest: Ideal Single Sign-on for Your Entire Enterprise
Quest: Enterprise Single Sign-On The Holy Grail of Computing
EmpowerID: Group Self-Service, Admin, and Dynamic Membership
EmpowerID: Corporate to Cloud Single Sign-on
IntelCloud: SSO
IntelCloud: How Intel Cloud SSO Works
SecureAuth: SecureAuth Enables a Single Sign-On Solution for Enterprises