Single sign-on continues to be a growing technology in a world of diverse identity solutions. This particular authentication solution is well known by many IT professionals as a way to achieve the right balance of security and usability for its users. Based on my experiences, I often find many IT decision-makers blinded by the novelty of single sign-on. As with any change in access to a business system, it is imperative that your company thinks carefully about its requirements and has a game plan in place.
The first step to thinking carefully about your requirements is to identify the need. It is important to be very clear about the need prior to delving deep into the checklist. The need here – a single sign-on solution to provide easier, more secure access for end users.
From that starting point, the single sign-on checklist will look very similar to what follows:
What is driving this need? (Is it time for a single sign-on solution?)
Many factors can and will come into play when analyzing what really determines the need for a single sign-on solution. Part of understanding what is driving that need is coming to terms with what a single sign-on solution can provide your particular environment. To truly get at the meat of this understanding, you must look for the problem areas inherent in your environment. Some of these problems may include:
- Multiple password prompts are impeding access.
- Loss in productivity for the end user – time wasted on logging in and/or re-logging in due to sessions being timed-out.
- Applications used infrequently – such as open enrollment apps – are highly prone to forgotten passwords.
- End user password fatigue – most individuals average 19 passwords that need to be managed.
- End user convenience – juggling multiple passwords can be extremely frustrating.
- Reduced password security – the same password for multiple apps and/or written-down passwords (post-it notes).
- Help Desk handles forgotten password calls for multiple applications.
- Loss in productivity of the help desk employees – an average of 30% of all help desk calls are password related.
- An average cost of $25.00 per password-related help desk call.
- The average length of a 1st-level support call is 5 min 12 sec.
- Help desk hours and staffing issues for global companies.
Inventory Your Involved Resources
Okay, so you’ve figured out why you need single sign-on. Now the real question becomes this: what do you have that can be integrated into any given single sign-on solution? There can be a lot of moving parts in the corporate or educational worlds, especially when the environment is on the larger side. By determining specifically what resources are going to be assimilated into the new single sign-on solution, the benefits and potential success of the project can become much easier to envision and handle as a whole. Some typical resources involved in adopting a single sign-on solution are:
- Web Apps – Identify and prioritize the web-based applications that need to be included.
  - Apps used more frequently should be top priority as they are more likely to lead to forgotten password calls.
  - Apps that store sensitive data should be high on the priority list (increase security).
  - Single sign-on will assist you with providing stronger authentication barriers to sensitive data by limiting the access point to one, which can be more readily and easily monitored for threats and suspicious activity.
- Directory – Do you have a central directory, or are user profiles stored in your web apps?
  - Most solution providers require access to a directory for authentication.
- IdP – The Identity Provider
  - Do you already have the capability for federated services? If so, what are the strengths and limitations of the existing capabilities?
Research the Initial Scope of Your Project
Before committing to a purchase, be certain you are aware of which aspects of the project have the most weight. Understanding your current capabilities as well as what the prospective single sign-on solution can offer will allow you to get the most out of your dollar. Some questions that should be asked are:
- What are your user access scenarios?
  - SP initiated vs. IdP initiated
  - Windows login
- Identify the challenges of integration.
  - Will your targeted web applications support Identity Federation?
  - What protocols are supported? (SAML, WS-Federation, CAS, Shibboleth, OAuth)
  - If not, consider the alternatives: Cookie-based SSO, Kerberos-based SSO, Claims-based SSO, Form-filling SSO, NTLM-based SSO, SPNEGO-based SSO, Reduced SSO, and Enrollment-based SSO.
On premises vs. cloud solution
Gone are the days when your only option for data and authentication was to host any solution locally in your environment. The modern age has gradually moved into the cloud, and authentication solutions have easily followed suit. Be sure to understand both the advantages and disadvantages of each solution before committing to a final decision.
- Do you have the resources to maintain your own solution, or the money to pay for a cloud-based solution?
By following these steps when considering a single sign-on solution you are more capable of producing a decision that will have the greatest impact on your environment. There is never a good outcome when searching for a solution provider without having a strong game plan in place. Single sign-on technology has a solid position in the future of the cyber age because of its balance between security and usability. Prepare carefully and determine if Single Sign-on is the right solution for you.