Selecting the Right SSO Product
I got to see the AccessIQ single sign-on (SSO) product this week at SailPoint’s Navigate conference. When I did my review for Network World last fall, it wasn’t available yet. Too bad, because it would have scored highly given the criteria that I used for the review.
The notion of SSO is a good one: As the number of Web-based applications and SaaS services proliferates, keeping track of your collection of logins and passwords is painful and one of the biggest problems for enterprise security. Many users cope by re-using their passwords, so that a single compromised password exposes every account that shares it. The answer is to use an SSO product that automates the sign-on and allows the enterprise to ensure that users are practicing good password hygiene.
The SSO market is a crowded one with more than a dozen vendors, including products from most of the major enterprise software companies. Let’s look at the features and issues when you are shopping around for one of these products.
First is the user experience and how it plays out across the desktop, mobile and tablet versions. Some of the other SSO products have a different user interface for each platform, so the native mobile app doesn’t look anything like the desktop app. SailPoint’s AccessIQ looks exactly the same no matter where it runs.
Next is two-factor support. Some SSO products aren’t very flexible when it comes to using things such as software tokens or one-time passwords that are transmitted to your cell phone via text or voice messages. A better approach is the ability to require a second factor only for particular apps, either because they need the extra protection or because corporate policy dictates it. SailPoint has this kind of flexibility, what they call “step-up authentication,” which can be applied to specific apps. And, importantly, this capability is part of the governance model, so the extra factor is enforced by policy rather than left to the user.
Next is how the SSO product sets up relationships with various cloud-based apps. Many products make use of the open standard Security Assertion Markup Language (SAML), which automates sign-on by exchanging XML assertions between the identity provider and the target website. There are other methods for establishing the automated magic behind the scenes of an SSO tool, such as scripted Web forms, but a SAML connection is the best way to deploy a large number of authenticated users into a cloud-based app. Plus, if you want to automate the provisioning of an entire collection of users so they don’t even need to know the passwords for their corporate Google accounts, SAML is the way to go. Not every SSO vendor supports automated provisioning, but SailPoint does.
Finally, you want to be able to make use of roles and policies to make your governance life easier as you deploy your SSO product across your user collection. One of the more distinctive things that I saw with AccessIQ is that it can present a user with a customized usage agreement prior to the first sign-on for particular services. Why is this important? Say you use Salesforce or a financial system and want to remind users that these systems hold sensitive data. SailPoint can present users of these apps with a specific dialog box to remind them of this fact, and to make sure that they store the right kind of data in these cloud-based apps.
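The per-app policies discussed in the last few paragraphs (step-up authentication for sensitive apps, role-based access, and a usage agreement shown before the first sign-on) fit together as a small decision function. The following is an added example written for this post, not AccessIQ's or any vendor's code: it models an app policy and a user's session and returns one of four outcomes. The app names, roles and agreement text are invented, and the factor names "password" and "otp" are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class AppPolicy:
    """Governance settings for one application (all values assumed for the example)."""
    name: str
    allowed_roles: FrozenSet[str] = frozenset()  # empty means any authenticated user
    step_up: bool = False                        # require a second factor for this app
    agreement: Optional[str] = None              # usage agreement shown before first sign-on


@dataclass
class Session:
    """What the SSO portal knows about the signed-in user."""
    user: str
    roles: FrozenSet[str]
    factors: FrozenSet[str]                      # e.g. {"password"} or {"password", "otp"}
    accepted_agreements: Set[str] = field(default_factory=set)  # app names already acknowledged


def authorize(policy: AppPolicy, session: Session) -> Tuple[str, str]:
    """Decide what happens when the user clicks the app tile.

    Returns (decision, detail) where decision is one of
    "deny", "step_up", "agreement" or "allow". The order matters: a user
    who is not permitted at all is refused before any second-factor
    prompt, and the agreement is only shown to a user who has already
    satisfied the stronger authentication the app demands.
    """
    if policy.allowed_roles and not (policy.allowed_roles & session.roles):
        return "deny", "user %s has no permitted role for %s" % (session.user, policy.name)
    if policy.step_up and "otp" not in session.factors:
        return "step_up", "second factor required for %s" % policy.name
    if policy.agreement and policy.name not in session.accepted_agreements:
        return "agreement", policy.agreement
    return "allow", "sign-on to %s permitted" % policy.name


def accept_agreement(session: Session, policy: AppPolicy) -> None:
    """Record that the user acknowledged the app's usage agreement."""
    session.accepted_agreements.add(policy.name)


# Constructed sample policies for the example.
SALESFORCE = AppPolicy(
    name="salesforce",
    allowed_roles=frozenset({"sales", "finance"}),
    step_up=True,
    agreement="This system holds customer and financial data. Store only approved data here.",
)
WIKI = AppPolicy(name="wiki")  # any user, password only, no agreement


if __name__ == "__main__":
    alice = Session(user="alice", roles=frozenset({"finance"}), factors=frozenset({"password"}))
    print(authorize(SALESFORCE, alice))          # step_up
    alice.factors = frozenset({"password", "otp"})
    print(authorize(SALESFORCE, alice))          # agreement
    accept_agreement(alice, SALESFORCE)
    print(authorize(SALESFORCE, alice))          # allow
    print(authorize(WIKI, alice))                # allow without any prompt
```

Keeping the three checks in a single function makes the policy auditable: the order of evaluation is fixed in one place, and a test can confirm that a user outside the permitted roles never reaches the second-factor or agreement prompt.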
If you haven’t had an opportunity to take a look at AccessIQ, you might want to do so. I think you will be as impressed with it as I was.