
IDAPTIVE.COM

WHITE PAPER

TOP TEN CONSIDERATIONS When Choosing a Modern Single Sign-On Solution

Table of Contents

3 Introduction

4 Versatile Directory Integration Services

6 Self-Service Capabilities
6 Self-Service Password Reset and Self-Service Account Unlock
7 Self-Service Access Requests
7 Self-Service Application Onboarding

7 VPN-less Access and SSO to On-premise Applications

8 Comprehensive Protocol, API and Widget Support

9 Application Catalog and Wizard-driven Application Onboarding

10 Partner Federation and Identity Proxying (Chaining)

12 Application Access Governance

13 Adaptive Single Sign-On

13 Mobile Experience

14 Availability, Scalability, and Performance

©2020 Idaptive. All Rights Reserved. idaptive.com

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of IDaptive, LLC.

Idaptive may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Idaptive, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.


Introduction

The adoption of cloud and hybrid infrastructure, the increasing number and variety of apps, and the proliferation of the remote workforce are forcing companies to abandon traditional, perimeter-based security approaches. Instead, companies now embrace the “Zero Trust” based security strategy with identity at its core.

The concept of Zero Trust is based on the principle of maintaining strict access controls for every person or system, regardless of whether they are within or outside of the network perimeter. The Zero Trust approach to access ensures that every user is verified, their device validated, and their access is intelligently limited using the principle of least privilege. Consequently, Single Sign-On (SSO) and Access Management are foundational to Zero Trust and identity management.

Since identity is the only true perimeter, user credentials are now one of the main targets for cybercriminals. According to the 2019 Verizon Data Breach Investigations Report [1], 80% of hacking-related breaches still involve compromised and weak credentials, and 29% of all breaches, regardless of attack type, involved the use of stolen credentials. Despite these figures and the ever-increasing cost of security breaches, companies continue to leverage passwords to secure user credentials. According to estimates from Microsoft [2], there are over 300,000,000 fraudulent daily sign-in attempts to Microsoft services, and 53% of all users have not changed their passwords in the past 12 months [3]. Poor identity management practices and compromised passwords rapidly erode trust in the organizations’ digital transformation initiatives and expose companies to unnecessary risk.

[1] 2019 Data Breach Investigations Report by Verizon.

[2] “One simple action you can take to prevent 99.9 percent of attacks on your accounts”, blog by Melanie Maynes; Microsoft.

[3] Psychology of Passwords: Neglect is Helping Hackers Win. 2018 report by LastPass by LogMeIn.


Overreliance on passwords negatively impacts end-user productivity as well. The typical employee user loses about 12.6 minutes per week [4] entering or resetting passwords. For an organization with 48 work weeks in a year, this can translate into $284 per employee lost annually on passwords, assuming an average wage of $28.44/hour in the United States [5]. In addition, the average number of helpdesk calls a typical employee makes in an organization is about 21 [6]. About 30% of those calls are related to passwords [7]. At the average cost of $70 per helpdesk call, this could translate into an annual helpdesk cost of $441 per employee.

Single sign-on enables organizations to eliminate password sprawl, implement more robust credential controls, and use a single secure identity for all the organizations’ applications, endpoints, and resources. This not only helps increase user productivity and improve user experience but also helps reduce helpdesk costs and IT burden.

However, not all SSO solutions are created equal, and choosing the right one can be a challenging process. This white paper discusses the top ten considerations that will help you to select the best SSO for your organization.

Versatile Directory Integration Services

One of the most important considerations for a modern single sign-on solution is its versatility in integrating with the organizations’ existing directory service that serves as the authoritative source of all user identities. Many organizations, especially larger, more established enterprises, often require complex user directory structures. For organizations that use Microsoft Active Directory (AD), these can involve multiple domains and forests, with each domain having dozens of, if not more, organizational units (OU) and hundreds of groups. In some cases, these organizations have been formed through mergers and acquisitions, adding further complexity to their environment. In such cases, consolidating all the user identities across the enterprise into a new directory can be a multi-year project by itself.

Any SSO solution that recommends and necessitates this type of consolidation before its implementation not only risks the project itself but can also cause considerable hardship and overhead across the entire IT department. So, choosing an SSO solution that enables organizations to decide where they want to store and manage their authoritative source of identities is advisable. In other words, a good SSO solution will seamlessly integrate with the organization’s Active Directory domains and forests, Lightweight Directory Access Protocol (LDAP) compliant directories, as well as other connected user directories.

[4] 2019 State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute.

[5] US Bureau of Labor Statistics, Jan 2020.

[6] META Group research conducted on behalf of PricewaterhouseCoopers.

[7] META Group research conducted on behalf of PricewaterhouseCoopers.


Additionally, a robust SSO solution should provide its own Directory Service that has customizable schemas for users and other types of identities, such as computers and servers. It is crucial that this service allows an organization to extend its existing AD schema with more attributes without needing to modify the schema in their AD. A stand-alone Directory Service is particularly important for organizations with diverse sets of end-users. For example, an organization may want to separate partner, contractor, and consumer identities from the employee identities and store them in a separate, highly scalable directory independent from the organization’s core employee authoritative directory.

Lastly, another key consideration of an SSO solution is the ability to present a Virtual Directory Interface to any application. Virtual Directories can dynamically link together disparate identities across several authoritative directories and perform User Disambiguation to resolve into a single master identity. User Disambiguation refers to the ability to search through multiple user directories that may have an identical user identifier (e.g., username) and choose the identity from the right directory that matches the credentials supplied by the end-user.
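As an added illustration (not code from the whitepaper or from Idaptive), the following Python sketch shows how user disambiguation can work when the same username exists in more than one directory: every directory holding the username is checked against the supplied credential, and the identity is taken from the one whose stored credential verifies. The directories, user entries, hashing scheme and function names are constructed for the example; a real deployment would bind to AD or LDAP instead of hashing locally.

```python
# Added example, not from the whitepaper: disambiguating a username that
# exists in several directories by matching the supplied credential.
# All directories, entries and helper names below are constructed for
# illustration; a real deployment would bind to AD/LDAP instead.
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the directory's own verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_entry(password: str, **attrs) -> dict:
    """Build a directory entry with a per-entry salt and password hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), **attrs}


# Constructed sample directories: "jsmith" exists in two of them with
# different credentials and different attributes.
DIRECTORIES = {
    "corp-ad": {
        "jsmith": make_entry("Employee-Pass-1", mail="jsmith@corp.example", kind="employee"),
    },
    "partner-ldap": {
        "jsmith": make_entry("Partner-Pass-2", mail="jsmith@partner.example", kind="partner"),
    },
    "consumer-cloud": {
        "alice": make_entry("Consumer-Pass-3", mail="alice@mail.example", kind="consumer"),
    },
}


def disambiguate(username: str, password: str,
                 directories: dict = DIRECTORIES) -> Optional[Tuple[str, dict]]:
    """Return (directory_name, identity attributes) for the one directory whose
    stored credential matches the supplied password, or None.

    Every directory holding the username is checked, with no early return on
    the first match, so that a credential valid in two directories is detected
    and refused instead of silently resolving to whichever was listed first.
    """
    resolved = None
    for name, users in directories.items():
        entry = users.get(username)
        if entry is None:
            continue
        candidate = _hash_password(password, entry["salt"])
        if hmac.compare_digest(candidate, entry["hash"]):
            if resolved is not None:
                return None  # ambiguous: same credential valid in two directories
            identity = {k: v for k, v in entry.items() if k not in ("salt", "hash")}
            resolved = (name, identity)
    return resolved


if __name__ == "__main__":
    print(disambiguate("jsmith", "Employee-Pass-1"))   # resolves to corp-ad
    print(disambiguate("jsmith", "Partner-Pass-2"))    # resolves to partner-ldap
    print(disambiguate("jsmith", "not-the-password"))  # None
```

The refusal on a double match is the edge case worth noting: if a user happens to hold the same password in two directories, picking the first one would silently attach the wrong attributes (and therefore the wrong entitlements) to the session.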

[Figure: directory integration. Sources shown: Active Directory, LDAP Directory, Federated Directory, Cloud Directory, Social Directories, 3rd-party Cloud Directories; consumers shown: Cloud Applications and HR Applications.]


Self-Service Capabilities

Self-Service Password Reset and Self-Service Account Unlock

Helpdesk requests for password resets and account unlocks not only negatively impact end-user productivity but also increase the overall helpdesk costs substantially. Consequently, a leading SSO solution must include capabilities that enable end-users to reset their passwords and unlock their accounts without the need to make helpdesk calls.

The critical thing to be on the lookout for when evaluating self-service capabilities is the ability for end-users to reset passwords or unlock accounts without the need to first log in to a computer to get access to the self-service tools. In other words, it is not reasonable to expect your users to log in to their work computer with their forgotten AD password or into a locked AD account to use self-service tools. Instead, the self-service tools need to be available at the login screen or through a cloud interface that can be accessed from anywhere. When selecting an SSO solution, choose one that acts as a credential provider for Windows (or includes a pluggable authentication module for Mac) and enables end-users to perform self-service actions on desktops as well as mobile devices.

The other key aspect of self-service password reset and account unlock is related to adding an appropriate level of authentication assurance. Meaning, the SSO solution should have the ability to verify the user identity using authentication factors other than the user’s password prior to allowing self-service action. To that end, choose an SSO solution that has built-in Multi-Factor Authentication (MFA) capabilities for self-service password reset and account unlock, or one that seamlessly integrates with your existing MFA vendor for the same.

[Figure: self-service password reset and account unlock. An Employee User performs Password Reset or Account Unlock through Self Service against Active Directory or an LDAP Directory, instead of going through a Help Desk User.]

Self-Service Access Requests

Employees within an organization are often on the move, changing departments, expanding on their roles and responsibilities, and getting promoted. Events like these often result in employees needing access to new applications and resources. Traditionally, this meant that employees had to submit helpdesk requests to get access. The helpdesk would then provision access to new applications upon the IT administrator’s or the employee manager’s approval.

Leading SSO solutions should incorporate this access request workflow and enable end-users to gain access to apps without helpdesk support. Therefore, when selecting your SSO solution, spend some time evaluating the application access request capability. The solution should include a searchable application catalog, the ability for end-users to easily request access, and a flexible back-end approval workflow. This workflow may, for instance, notify the employee’s management chain, an application administrator, or a group of users to review the request and, if legitimate, approve it directly in the SSO portal or a mobile app.

Self-Service Application Onboarding

In times when the IT teams are overwhelmed, finding resources to enable SSO for new applications can be challenging, so apps with a smaller user base get de-prioritized. To save time, power users of these apps often reuse other application credentials, thereby exposing companies to additional risk. The more applications remain outside SSO, the higher the risk. Modern SSO solutions should, therefore, provide the capability to auto-capture the passwords entered into applications and auto-fill them at a later time. In this way, end-users can create a complex and unique password for each of the non-integrated apps and leverage the SSO solution for the seamless login experience.

VPN-less Access and SSO to On-premise Applications

As organizations migrate their workloads to the cloud, some of the key applications remain hosted in local, on-premises data centers. Concerns over security, application availability, and compliance are some of the main reasons why CIOs choose to keep applications in-house. Employees need to access these on-premises applications in the same way they access cloud-based apps – seamlessly, from any device, and at any time – to stay productive. Traditionally, IT leveraged Virtual Private Networks (VPNs) to provide employees the remote access to resources hosted on-premises. However, providing users access to the VPN, when all the user needs is to access an application running within the on-premise data center, amounts to giving the user keys to the kingdom. Once users are authenticated and connected to a VPN, they can theoretically access any resource on the entire network, limited only by policies already in place at the authentication and authorization step. In other words, VPN enables “all-or-nothing” access. A better way to control access to on-prem apps is through an application or a reverse proxy capability. With reverse proxies, you can provide users app-specific access based on their roles and further secure on-prem resources with multi-factor authentication.

The other aspect of this requirement is related to the ability to proxy the user’s identity to the application, which allows you to integrate the on-premises apps with SSO solutions. Many on-prem and legacy applications do not support modern SSO protocols like SAML, OpenID Connect, WS-Trust, and others. Instead, they support basic authentication methods, such as form-based authentication, HTTP header-based authentication (e.g., remote_user, X-Forwarded-For headers), username and password replay, and the like. Consequently, leading SSO solutions should be able to support a variety of the authentication methods mentioned above to ensure that you can set up SSO with your on-prem applications.

Comprehensive Protocol, API and Widget Support

Most enterprises today have a mix of cloud and on-premises applications. These applications often leverage a range of protocols related to authentication and SSO. For example, modern cloud and on-premises applications can support standards such as Security Assertion Markup Language (SAML v1.0, 1.1, 2.0), OpenID Connect (OIDC), OAuth v2.0, and WS-Federation. Legacy applications, on the other hand, may only support basic or form-based authentication, which allows an identity provider to supply the username and (protected) password to the app via a form. Header-based authentication is yet another way for applications to receive information about a user from trusted identity providers and enable SSO. A leading SSO solution, therefore, needs to support all the protocols and methods mentioned above.
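Header-based authentication, mentioned in the two paragraphs above, only works if the application can be sure the identity header came from the proxy and not from the client. The following Python example, added here and not taken from the whitepaper or any vendor's product, shows the two checks such a deployment needs: the proxy discards any identity headers the client sent before adding its own, and the application verifies a proxy-set signature before trusting Remote-User. The header names, the HMAC signature scheme (a stand-in for the mTLS or network isolation a real deployment would use between proxy and application) and the sample requests are constructed for the example.

```python
# Added example, not from the whitepaper: hardening header-based SSO
# (Remote-User / X-Forwarded-For style) behind an identity-aware reverse proxy.
# Header names, the HMAC "proxy signature" and the sample requests are
# constructed; a real deployment would rely on mTLS or network isolation
# between proxy and application for the same purpose.
import hashlib
import hmac
from typing import Dict, Optional

# Headers that carry identity or client-origin information and therefore must
# never be accepted from the client side of the proxy.
IDENTITY_HEADERS = {"remote-user", "x-remote-user", "x-forwarded-user",
                    "x-forwarded-for", "x-proxy-signature"}


def _signature(user: str, secret: bytes) -> str:
    return hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()


def proxy_forward(client_headers: Dict[str, str], client_ip: str,
                  session_user: Optional[str], secret: bytes) -> Dict[str, str]:
    """Headers the proxy sends upstream for one request.

    1. Strip every identity-bearing header the client supplied, whether it was
       deliberate or accidental.
    2. Only after the proxy's own SSO session check succeeded, add Remote-User
       and the real client address.
    3. Sign the identity so the app can tell a proxy-set header from one that
       reached it some other way.
    """
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() not in IDENTITY_HEADERS}
    if session_user is None:
        return upstream  # unauthenticated request: no identity header at all
    upstream["Remote-User"] = session_user
    upstream["X-Forwarded-For"] = client_ip
    upstream["X-Proxy-Signature"] = _signature(session_user, secret)
    return upstream


def app_identity(headers: Dict[str, str], secret: bytes) -> Optional[str]:
    """What the legacy application should do: accept Remote-User only when the
    accompanying proxy signature verifies."""
    user = headers.get("Remote-User")
    if user is None:
        return None
    provided = headers.get("X-Proxy-Signature", "")
    if not hmac.compare_digest(provided, _signature(user, secret)):
        return None
    return user


SECRET = b"constructed-shared-secret"

# Constructed request: a client that presents its own identity headers.
CLIENT_REQUEST = {"Host": "app.internal.example", "Remote-User": "admin",
                  "X-Forwarded-For": "10.0.0.1", "Accept": "text/html"}


def demo_unauthenticated() -> Optional[str]:
    """Client has no proxy session: the app sees no identity."""
    return app_identity(proxy_forward(CLIENT_REQUEST, "198.51.100.7", None, SECRET), SECRET)


def demo_authenticated() -> Optional[str]:
    """Client logged in to the proxy as jsmith: the app sees jsmith, not 'admin'."""
    return app_identity(proxy_forward(CLIENT_REQUEST, "198.51.100.7", "jsmith", SECRET), SECRET)


def demo_direct_to_app() -> Optional[str]:
    """Request that reached the app without passing through the proxy: no valid
    signature, so the identity header is ignored."""
    return app_identity(CLIENT_REQUEST, SECRET)
```

The two checks are independent: stripping alone protects an application that trusts the proxy blindly, and signature verification alone protects against requests that reach the application by a path other than the proxy. Deployments usually need both.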

It could be the case that applications in your environment support none of the modern or traditional authentication methods. Your SSO solution would then need to have a secure, encrypted password vault and a browser extension to support SSO for these types of apps. The browser extension, an add-on that you install in your web browser, captures user credentials, stores them in the vault, and injects them into the username and password fields or forms to log users into applications automatically.

[Figure: VPN-less access. Employees and Contractors reach Internal Web Applications over HTTP/HTTPS through the Idaptive Next-Gen Access Cloud and an Idaptive Connector running on a Windows Server.]

Lastly, custom-built applications can be designed to authenticate against an identity provider by receiving an authenticated user token. These tokens frequently adhere to specifications mentioned in the SAML, OIDC, OAuth, or WS-Trust standards. The SSO solution must provide easily consumable APIs to integrate these custom-built applications. In addition, well-documented APIs greatly simplify and accelerate app development. Therefore, the availability of a dedicated developer portal with published code snippets and widgets that can be easily embedded into applications by developers should be one of the considerations in your vendor selection process. For example, a vendor could provide code for a login widget, which can be embedded in the application and reduce the time developers need to spend working on app authentication. The SSO solution must also provide development toolkits (SDKs) for app development platforms like React, Swift, Python, PHP, Java, and C# to help developers to incorporate security controls into their web and mobile apps.

Application Catalog and Wizard-driven Application Onboarding

Today, enterprises leverage hundreds of applications to support a variety of user populations and use cases. The value derived from the SSO solution is, therefore, directly proportional to the number of applications that can be integrated with the solution, and the ease with which new apps can be added. The process of onboarding applications into an SSO solution can be a challenging task that may take substantial effort, time, and knowledge of the SSO protocols and standards that applications support.


A leading SSO solution addresses this challenge by providing a catalog of pre-built application templates and integrations. These templates remove the need to understand SSO protocols and simplify the configuration down to a few key settings. As part of your evaluation process, ensure that applications that are currently used in your organization or that you plan on deploying are present in the catalog.

It is important to note that no catalog will contain all of the possible enterprise applications. For applications that do not have templates in the app catalog, the SSO solution must provide an intuitive, easy to use onboarding wizard to guide administrators through the onboarding process. These wizards should have clear documentation or embedded how-to videos that further help administrators to learn how to onboard the applications rapidly and reduce the time required to derive value from the SSO solution.


Partner Federation and Identity Proxying (Chaining)

Mergers and acquisitions are one of the most common ways companies grow. As organizations combine systems and employee populations, the management of user identities becomes challenging. For example, each of the merging organizations may leverage different user directories and SSO solutions (Identity Providers) for their employees and contractors. Along similar lines, companies often work closely with partner organizations who, in turn, have their own SSO systems. Regardless of the circumstances, employees of one organization frequently need to access applications of another organization. It may not be feasible or desirable for one organization to duplicate the other organizations’ identities across systems to enable access. This is where the concept of federation comes in. Federation enables an organization to seamlessly allow another organization’s users to access its applications without the need to authenticate, duplicate, and manage the lifecycle of the other organization’s users or set up a separate VPN infrastructure for partner access. In essence, federation enables one identity provider to trust another organization’s identity provider to authenticate and manage users.

[Figure: partner federation. A Partner Employee authenticates to the Partner IDP (backed by the Partner Active Directory); through SAML/OIDC federation the Idaptive IDP (backed by the Org Active Directory via the Idaptive Connector) grants access to Org Applications, alongside Org Employees.]

A leading SSO solution should support partner federations using both SAML and OIDC standards and have the ability to receive trusted authentication tokens. The trusted tokens should be encrypted (Federated Assurance Level 3 [8]) and prove that the user has indeed authenticated with the other identity provider. The SSO solution should also be able to leverage any additional user-related information (SAML attributes, for instance) provided in the token to further authenticate and authorize the user for access to applications and data.

In other cases, organizations may have an existing legacy SSO solution, with hundreds of applications already integrated with it. The legacy solution may come with many challenges and limitations. For example, legacy SSO systems may have a poor end-user experience, require complex scripting or development for application integration, or demand dedicated headcount to manage the infrastructure that the SSO solution runs on. For such organizations, transitioning to a modern, cloud-based SSO solution can be made seamless through the concept of Identity Provider (IdP) proxying or chaining.

In a chained IdP model, the modern SSO solution trusts the SSO token provided by the legacy IdP authenticating the user to an existing app. Both the legacy and the modern IdPs are interconnected and integrated with a single authoritative user directory. All the existing applications remain integrated with the legacy SSO, while all of the new applications are integrated directly with the modern SSO. In other words, if the modern SSO solution supports IdP chaining, an organization does not need to adopt a big bang approach and modify all of the existing application integrations to work with the new SSO. This allows for a gradual migration to the modern SSO solution and makes the transition seamless and easy, especially for the application owners and IT administrators.

With chained IdPs, organizations can also dramatically improve the user experience. In the chained IdP model, employees only interact with the modern SSO solution, which provides a more streamlined login experience regardless of the application users need to access.

1. A user tries to log in to Salesforce.com

2. Salesforce.com redirects the user to Idaptive

3. Idaptive recognizes that the access request is from a federated user and redirects the request to the IDP

4. The IDP prompts the user for login credentials and attempts authentication

5. The IDP authenticates the user against the enterprise directory

6. The IDP passes a SAML response to Idaptive with user attributes

7. Idaptive determines that the user requires secondary authentication. MFA prompt is presented to the user

8. Once successfully authenticated, Idaptive passes an assertion to the Service Provider

9. The user accesses Salesforce.com

• 3rd Party IDP is chained to Idaptive IDP
• Idaptive IDP acts as an SP to the 3rd Party IDP
• 3rd Party IDP does directory credentials authentication
• Idaptive performs the second-factor authentication

[Figure: chained IdP sign-in flow. Relying Party/Service, On-Prem IDP and On-Prem Directory in the Data Center, Idaptive IDP with its Authentication Profile; steps 1 to 9 as listed above.]
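To make steps 6 through 8 of the flow concrete, and the earlier requirement that received tokens prove the user authenticated with the other identity provider and carry attributes usable for authorization, here is an added Python sketch that is not code from Idaptive or the whitepaper. It shows what the chained IdP does with the upstream assertion before issuing its own: verify the upstream token's signature, issuer, audience and validity window, decide from the attributes whether a second factor is required, and only then mint an assertion for the service provider. The compact HMAC-signed token is a stand-in for a SAML response or OIDC ID token, and the issuer URLs, keys and attribute names are constructed; checking that the token is also encrypted, as the Federated Assurance Level 3 point above requires, is outside this sketch.

```python
# Added example, not from the whitepaper: a chained IdP validating the
# upstream (legacy / partner) IdP's assertion before issuing its own.
# The token format is a compact HMAC-signed stand-in for a SAML response or
# OIDC ID token; issuers, audiences, keys and attribute names are constructed.
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

LEGACY_IDP = "https://legacy-idp.example"     # 3rd-party / on-prem IdP (assumed)
CHAINED_IDP = "https://chained-idp.example"   # modern IdP acting as SP to it (assumed)
SERVICE_PROVIDER = "https://sp.example"       # the application (assumed)


def sign_token(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 signature."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 now: int) -> Optional[dict]:
    """Return the claims only if signature, issuer, audience and validity
    window all check out; any failure yields None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


def chained_login(upstream_token: str, upstream_key: bytes, own_key: bytes,
                  requires_mfa: Callable[[dict], bool], mfa_passed: bool,
                  now: int) -> Optional[str]:
    """Steps 6-8 of the flow: accept the upstream assertion, apply the second
    factor where policy demands it, then issue an assertion to the SP."""
    claims = verify_token(upstream_token, upstream_key, LEGACY_IDP, CHAINED_IDP, now)
    if claims is None:
        return None                      # untrusted, mis-addressed or expired assertion
    need_mfa = requires_mfa(claims)
    if need_mfa and not mfa_passed:
        return None                      # step 7: the MFA prompt must succeed first
    return sign_token({
        "iss": CHAINED_IDP,
        "aud": SERVICE_PROVIDER,
        "sub": claims["sub"],
        "groups": claims.get("groups", []),   # attributes forwarded for authorization
        "amr": ["pwd", "mfa"] if need_mfa else ["pwd"],
        "nbf": now,
        "exp": now + 300,
    }, own_key)


# Constructed keys, clock and policy for the demo.
UPSTREAM_KEY = b"legacy-idp-signing-key"
OWN_KEY = b"chained-idp-signing-key"
NOW = 1_600_000_000


def finance_needs_mfa(claims: dict) -> bool:
    """Constructed policy: members of the finance group always get a second factor."""
    return "finance" in claims.get("groups", [])


def upstream_assertion(sub: str, groups: list, now: int = NOW) -> str:
    """What the legacy IdP hands back in step 6 (constructed)."""
    return sign_token({"iss": LEGACY_IDP, "aud": CHAINED_IDP, "sub": sub,
                       "groups": groups, "nbf": now - 5, "exp": now + 60}, UPSTREAM_KEY)
```

Note that the audience check is what makes chaining safe: an assertion the legacy IdP issued for one of its existing applications is not accepted by the chained IdP, and the assertion the chained IdP issues names the service provider rather than itself, so neither token can be replayed at the other party.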

[8] NIST standard 800-63C.


Application Access Governance

Access Governance is one of the key capabilities needed by individuals responsible for application security and compliance. The goal of access governance is to reduce the cost and effort involved in overseeing and enforcing access policies and demonstrating compliance. To this effect, leading SSO solutions should be able to provide reports that track user access and identify non-compliance with role-based access controls. For example, these reports should identify specific users that have access to sensitive applications, what roles have permissions to which applications, and what changes have occurred in the access permissions of a particular user. These reports are essential to continually ensure that users only have access to applications they need to perform their duties.
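The three reports named in the paragraph above, computed over constructed data, as an added Python example that is not code from the whitepaper or from Idaptive. The role model, user assignments, sensitive-app list and change log are all constructed for illustration; the one deliberately planted finding is a grant that no role of the user explains, which is what the role-based non-compliance report exists to surface.

```python
# Added example, not from the whitepaper: access-governance reports over
# constructed RBAC, assignment and change-log data.
from typing import Dict, List, Set, Tuple

# Constructed RBAC model: which apps each role is entitled to.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "everyone": {"email", "hr-portal"},
    "engineer": {"git", "ci"},
    "finance-analyst": {"erp", "expense"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"everyone", "finance-analyst"},
    "bob": {"everyone", "engineer"},
    "carol": {"everyone"},
}
# Constructed assignments actually present in the SSO solution (user, app).
# bob's erp grant is the planted finding: no role of his entitles him to it.
ASSIGNMENTS: Set[Tuple[str, str]] = {
    ("alice", "email"), ("alice", "erp"), ("alice", "expense"),
    ("bob", "email"), ("bob", "git"), ("bob", "ci"), ("bob", "erp"),
    ("carol", "email"), ("carol", "hr-portal"),
}
SENSITIVE_APPS: Set[str] = {"erp"}
# Constructed change log, newest last.
CHANGE_LOG: List[dict] = [
    {"ts": "2020-01-10", "user": "bob", "app": "git", "action": "grant", "by": "role-sync"},
    {"ts": "2020-02-03", "user": "bob", "app": "erp", "action": "grant", "by": "helpdesk"},
    {"ts": "2020-02-20", "user": "alice", "app": "erp", "action": "grant", "by": "role-sync"},
    {"ts": "2020-03-01", "user": "carol", "app": "git", "action": "revoke", "by": "recertification"},
]


def users_with_access(app: str, assignments: Set[Tuple[str, str]] = ASSIGNMENTS) -> Set[str]:
    """Who currently holds an assignment to the given app."""
    return {user for user, a in assignments if a == app}


def sensitive_app_report(sensitive: Set[str] = SENSITIVE_APPS,
                         assignments: Set[Tuple[str, str]] = ASSIGNMENTS) -> Dict[str, Set[str]]:
    """Report 1: specific users with access to each sensitive application."""
    return {app: users_with_access(app, assignments) for app in sorted(sensitive)}


def roles_with_access(app: str, entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> Set[str]:
    """Report 2: which roles carry permission to the given app."""
    return {role for role, apps in entitlements.items() if app in apps}


def rbac_violations(assignments: Set[Tuple[str, str]] = ASSIGNMENTS,
                    user_roles: Dict[str, Set[str]] = USER_ROLES,
                    entitlements: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> Set[Tuple[str, str]]:
    """Non-compliance report: assignments not explained by any of the user's roles."""
    findings = set()
    for user, app in assignments:
        allowed: Set[str] = set()
        for role in user_roles.get(user, set()):
            allowed |= entitlements.get(role, set())
        if app not in allowed:
            findings.add((user, app))
    return findings


def access_changes(user: str, log: List[dict] = CHANGE_LOG) -> List[dict]:
    """Report 3: the permission changes recorded for one user, in time order."""
    return sorted((e for e in log if e["user"] == user), key=lambda e: e["ts"])
```

Cross-referencing the reports is where the value is: the violation ("bob", "erp") shows up in the sensitive-app report, and the change log attributes it to a helpdesk grant rather than to role synchronization, which is exactly the kind of entry a periodic recertification should be asked to confirm or revoke.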

Another capability related to Access Governance is the ability to orchestrate an approval workflow for self-service application access requests. Self-service application access requests, as we mentioned earlier, enable employees to request access to applications without submitting helpdesk support tickets. These workflows can be configured to include multi-level approvals from the employee’s management chain, the security team, the application administrator, or even the IT administration team. The approval workflow is instrumental in ensuring that there is a governance model in place for end-users being granted access to applications, and the organization remains compliant with their regulatory and security obligations.

Lastly, many leading SSO solutions are now starting to implement Access Certification capabilities. Access Certifications allow organizations to operationalize continuous or periodic access reviews to ensure that the users have access to only what they need. During these reviews, management, application owners, or IT administrators have to certify that only approved users have access to the applications. If automated Access Certification capabilities are not available, ensure that the SSO solution is capable of interfacing with the enterprise’s HR system to automatically provision access according to the user’s identity and roles. When a user is terminated or changes positions, the HR system should notify the SSO system to perform the deprovisioning for all the systems in the user’s role that are no longer needed. This will ensure that manual access certifications produce relatively clean results, and organizations remain in compliance with their access policies or government regulations.

[Figure: access request workflow. Employee changes department; Needs access to a new app; Makes an access request in Idaptive; Request approved by manager; Request approved by application admin; Access granted to the user. Access Request Reports & Periodic Recertifications run alongside.]

Adaptive Single Sign-On

One of the principles of the Zero Trust Access Security architecture is to leverage as much contextual information about the user as possible while making access decisions. Most traditional SSO solutions require a user to authenticate once. After that, the SSO solution grants the user access to all the authorized applications for a pre-defined period of time, typically the length of the user session. In other words, once the user has been authenticated to the SSO solution, all of the applications explicitly trust the user and let the user access them as long as the SSO session is valid. This explicit trust violates the concept of Zero Trust.

A modern SSO solution should employ a combination of rules and machine learning to determine whether a user should be granted access to an application, even after the user has successfully authenticated to the SSO solution. These rules incorporate contextual information related to the user, such as the device used for access, the network from which the user is requesting access, the time of the access request, and finally, the user location. Additionally, a leading SSO solution should be able to leverage this contextual information to learn typical user behavior using machine learning. Based on the historical behavior trends, the system should then be able to identify atypical user behavior and assign each user a risk score during the process of accessing applications. If the risk score of the user exceeds a certain threshold, the user should be prevented from getting SSO into an application, regardless of whether he or she possesses the authentication factors required to access it.

When looking for a modern SSO solution, ensure that the solution you’re considering supports both rules-based SSO as well as machine learning-driven, risk-based adaptive SSO.
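The rules-plus-baseline decision described above, as an added Python example that is not code from Idaptive or the whitepaper. A per-user frequency table over device, network, hour and country stands in for the learned behavior model; each atypical dimension adds a constructed weight, a static rule forces step-up authentication off managed networks, and a score above the threshold denies SSO even when the second factor was presented. The weights, threshold, network labels and the sample login history are all constructed.

```python
# Added example, not from the whitepaper: rules plus a learned per-user
# baseline producing a risk score, with a deny above threshold even when the
# second factor was presented. Weights, thresholds, the sample history and
# the network labels are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class LoginContext:
    device_id: str   # enrolled device identifier
    network: str     # label for the source network (e.g. corp-lan, home-isp)
    hour: int        # local hour of the request, 0-23
    country: str     # geolocated country code


def build_baseline(history: Iterable[LoginContext]) -> dict:
    """'Learn' what is typical for this user from past successful logins.
    A frequency table per context dimension is the simplest possible model."""
    history = list(history)
    return {
        "total": len(history),
        "devices": Counter(c.device_id for c in history),
        "networks": Counter(c.network for c in history),
        "hours": Counter(c.hour for c in history),
        "countries": Counter(c.country for c in history),
    }


def risk_score(ctx: LoginContext, baseline: dict) -> int:
    """Add a constructed weight for each dimension that is atypical for the user."""
    total = baseline["total"] or 1
    score = 0
    if baseline["devices"][ctx.device_id] == 0:
        score += 40   # never-seen device
    if baseline["countries"][ctx.country] == 0:
        score += 30   # never-seen country
    if baseline["networks"][ctx.network] == 0:
        score += 20   # never-seen network
    if baseline["hours"][ctx.hour] / total < 0.05:
        score += 10   # an hour at which the user almost never logs in
    return score


MANAGED_NETWORKS = {"corp-lan", "corp-vpn"}   # constructed rule input


def sso_decision(ctx: LoginContext, baseline: dict, mfa_passed: bool,
                 threshold: int = 50) -> str:
    """Combine the learned score with static rules: 'deny' at or above the
    threshold regardless of the factors held, 'step-up' when the unmanaged
    network rule fires without MFA, otherwise 'allow'."""
    if risk_score(ctx, baseline) >= threshold:
        return "deny"
    if ctx.network not in MANAGED_NETWORKS and not mfa_passed:
        return "step-up"
    return "allow"


# Constructed history: 20 office-hours logins from one enrolled laptop in the US.
HISTORY = [LoginContext("laptop-1", "corp-lan", 9 + (i % 8), "US") for i in range(20)]
BASELINE = build_baseline(HISTORY)
```

The ordering inside `sso_decision` is the point the paragraph makes: the score is evaluated before any factor is considered, so a sufficiently anomalous request is refused even though the user could satisfy the MFA prompt.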

Mobile Experience

Today, employees expect anytime, anywhere access to their corporate applications from all types of devices. These devices include not only Windows laptops and MacBooks but also mobile devices such as smartphones and tablets. Accessing web-based applications with SSO from laptops and desktops is simple and only requires a web browser. SSO access to corporate apps on mobile web browsers, however, is a bit more cumbersome.

A modern SSO solution should provide a dedicated mobile app to make accessing applications from mobile devices as seamless as possible. The app should be available for both iOS and Android platforms and include a landing portal page that displays all the applications authorized to users. The app should also enable the user to enroll their mobile device with the SSO solution. The device enrollment process allows SSO solutions to verify that the device meets the minimum security requirements and enables organizations to push specific device management policies and certificates. The ability to deploy certificates on mobile devices is necessary for certificate-based authentication (CBA), which allows end-users to access native apps, such as Salesforce, OneDrive, or Outlook, without additional authentication steps.

Availability, Scalability, and Performance

Since SSO solutions gate access to all applications unified under the SSO, they must be highly available and reliable. Without functional SSO, employees have no means of accessing even the most basic applications such as email, HR systems, or productivity apps. Software-as-a-Service delivered (SaaS-delivered) SSO solutions often run on highly reliable cloud-based platforms and tend to perform far better than on-prem, privately hosted SSO systems. For example, cloud-based SSOs should be able to dynamically scale with demand and automatically fail over across geographic regions in the event of a disaster. Replicating these capabilities in an on-premises data center can be a very challenging and expensive proposition for most enterprises.

When considering a cloud-based SSO solution, pay close attention to the service level agreement (SLA) commitments, especially in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is the maximum amount of time taken by the SSO solution to recover after there has been a disaster that brings the service down. RPO is the maximum amount of time prior to the disaster for which the user data may be lost permanently. A leading SSO solution will provide RPO and RTO of at most 24 hours each, and since both RTO and RPO are SLA commitments, you can hold the SSO solution vendor accountable for not meeting them.

Along similar lines, make sure that you also consider the SSO solution’s uptime history and commitments. Typically, you want to find a solution with an uptime commitment of at least 99.9% (three nines), meaning the service can be down for a maximum of 8.77 hours per year.

Lastly, ensure that the solution can scale up in an efficient and cost-optimal manner to your growing organization’s needs, whether the scaling up involves more employees, more use cases (extending the service to your partners and consumers), or adding more applications.


Idaptive delivers Next-Gen Access, protecting organizations from data breaches through a Zero Trust approach. Idaptive secures access to applications and endpoints by verifying every user, validating their devices, and intelligently limiting their access. Idaptive Next-Gen Access is the only industry-recognized solution that uniquely converges Single Sign-On (SSO), adaptive Multi-Factor Authentication (MFA), Enterprise Mobility Management (EMM) and User Behavior Analytics (UBA). With Idaptive, organizations experience increased security, reduced complexity and have newfound confidence to drive new business models and deliver awesome customer experiences. Over 2,000 organizations worldwide trust Idaptive to proactively secure their businesses.

idaptive.com ©2020 Idaptive. All Rights Reserved.

3300 Tannery Way

Santa Clara, CA 95054

hello@idaptive.com
