Geekzone: technology news, blogs, forums


goonernz

24 posts

Geek
Inactive user


#258719 17-Oct-2019 09:25

Hi Everyone,

With more and more applications living in the cloud, users now have to authenticate to lots of different apps with different credentials rather than using domain authentication. I've been looking at some SSO providers to try and streamline the sign-in process as well as allow users to have one robust password rather than have lots of terrible passwords across different apps.

I've been talking with Okta and OneLogin and I'm looking at Azure AD also. Has anyone had any experience with any of these providers or any other useful input that could help me move in the best direction? The ability to enforce MFA is pretty attractive from my point of view.

Thanks in advance


nztim
3812 posts

Uber Geek

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2338632 17-Oct-2019 09:45

+1 for Okta (except it's freakin' expensive)




Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 




MurrayM
2455 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2339613 17-Oct-2019 10:04

Personally I avoid SSO. I'd rather use my password manager and give each website a unique password.


nztim
3812 posts

Uber Geek

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2339617 17-Oct-2019 10:07

MurrayM:

Personally I avoid SSO. I'd rather use my password manager and give each website a unique password.



Okta has a 2FA plugin that deals with that. Who doesn't have a smartphone with Google Authenticator these days?




Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 




mrdrifter
576 posts

Ultimate Geek

ID Verified
Trusted

  #2339625 17-Oct-2019 10:19

I'm assuming, based on the wording of your question, that this is for your corporate users connecting out into the world. I'm assuming you're starting from an Active Directory basis? It can be quick and easy (although, as you've seen, expensive both upfront and ongoing) to just integrate with Okta or OneLogin etc. It's not actually that difficult to build out the native Azure AD capabilities and extend this into your 3rd-party applications. It's normally something I would recommend talking to an identity partner about.

Keep in mind that your user identities really are the new perimeter to your network, data and information; you really don't want to compromise on security at this layer. Most of the data breaches we have seen recently are due to poor practices around identity and security, be it admin or user level.

 

I say this working for a vendor and having personally designed a number of these solutions (and far larger) and managing a team that does this day-to-day, but there are a number of vendors (large and small) that can help.


goonernz

24 posts

Geek
Inactive user


  #2339626 17-Oct-2019 10:20

MurrayM:

Personally I avoid SSO. I'd rather use my password manager and give each website a unique password.

I agree, for myself or other users that are up to this. Unfortunately most users are up to this so I see SSO as a compromise.


zyo
513 posts

Ultimate Geek


  #2339627 17-Oct-2019 10:21

We deploy our own SSO based on IdentityServer. I find this is the most flexible method as you can integrate with other ID providers (Azure AD being one of them, but we also integrate with on-prem ADFS).

openmedia
3324 posts

Uber Geek

Trusted

  #2339630 17-Oct-2019 10:25

goonernz:

Hi Everyone,

With more and more applications living in the cloud, users now have to authenticate to lots of different apps with different credentials rather than using domain authentication. I've been looking at some SSO providers to try and streamline the sign-in process as well as allow users to have one robust password rather than have lots of terrible passwords across different apps.

I've been talking with Okta and OneLogin and I'm looking at Azure AD also. Has anyone had any experience with any of these providers or any other useful input that could help me move in the best direction? The ability to enforce MFA is pretty attractive from my point of view.

Thanks in advance

Are you after an external service, a SaaS offering, or something you can run as part of your business?

Keycloak (we sell as Red Hat Single Sign On) allows you to leverage a broad range of identity sources including Google, Facebook, OAuth, LDAP, AD etc. and provide an SSO service.





Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.


 
 
 

gehenna
8497 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2339631 17-Oct-2019 10:25

Azure AD + MS Authenticator covers most things for us.  Works really well.  


  #2339653 17-Oct-2019 10:35

SAML utilizing Azure AD, synced with On Prem AD accounts for the most part is reliable.  This would be a good starting point.


duckDecoy
896 posts

Ultimate Geek

Subscriber

  #2339654 17-Oct-2019 10:35

goonernz:

Hi Everyone,

With more and more applications living in the cloud, users now have to authenticate to lots of different apps with different credentials rather than using domain authentication. I've been looking at some SSO providers to try and streamline the sign-in process as well as allow users to have one robust password rather than have lots of terrible passwords across different apps.

I've been talking with Okta and OneLogin and I'm looking at Azure AD also. Has anyone had any experience with any of these providers or any other useful input that could help me move in the best direction? The ability to enforce MFA is pretty attractive from my point of view.

Thanks in advance


Maybe this could be of some interest?  https://www.grc.com/sqrl/sqrl.htm

 

Removes usernames and passwords (seriously)


Jogre
182 posts

Master Geek


  #2341373 21-Oct-2019 14:01

MurrayM:

 

Personally I avoid SSO. I'd rather use my password manager and give each website a unique password.

 

 

I've always used or viewed SSO as a mechanism of protecting access to multiple accounts particularly in terms of admin overhead for hires/fires where you either have to disable all the accounts or disable one. 


  #2341384 21-Oct-2019 14:26

Jogre:

 

I've always used or viewed SSO as a mechanism of protecting access to multiple accounts particularly in terms of admin overhead for hires/fires where you either have to disable all the accounts or disable one. 

 

 

 

 

This!


goonernz

24 posts

Geek
Inactive user


  #2341390 21-Oct-2019 14:36

That is what I am thinking.

 


Currently my org does not really have a solid offboarding policy. We have multiple locations and not everything is fed back to HR, let alone IT, at a desirable rate. SSO would give me a bit more control over the applications users access.


ANglEAUT
2320 posts

Uber Geek

Trusted
Lifetime subscriber

#2341479 21-Oct-2019 18:30

goonernz: With more and more applications living in the cloud, users now have to authenticate to lots of different apps with different credentials ...

 

🤪 Why not give everybody a corporate Facebook account? 😜 or Google. <ducks>

 

 





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


insane
3239 posts

Uber Geek

ID Verified
Trusted

  #2341536 21-Oct-2019 23:34

ANglEAUT:

goonernz: With more and more applications living in the cloud, users now have to authenticate to lots of different apps with different credentials ...


🤪 Why not give everybody a corporate Facebook account? 😜 or Google. <ducks>


 



Nothing wrong with using G Suite enterprise for SAML SSO. Works just as you'd expect.

My pick for a generic fits all solution would be Okta; however, a solution should never be chosen without fully understanding the problem/requirements.






goonernz:

That is what I am thinking.



Currently my org does not really have a solid offboarding policy. We have multiple locations and not everything is fed back to HR, let alone IT, at a desirable rate. SSO would give me a bit more control over the applications users access.



Also have a look at JumpCloud; it has some really easy workflows which you can build / trigger to handle user lifecycle management.
