Why mobile devices need single-sign-on technologies

1. Summary

As the iPad’s popularity continues to grow and security concerns increase, providers of cloud-based single-sign-on (SSO) solutions face a prime business opportunity: to make their tools the weapons of choice for next-generation mobile identity management and authentication.

By replacing multiple user names and passwords with one-click access to cloud-based apps like Google Apps and Microsoft’s Active Directory, cloud-based SSO solutions have earned a reputation for enhancing end-user convenience, easing the pressure on IT administration, and cutting help-desk costs.Even Salesforce.com is getting in on the action, having announced plans to roll out an identity-management system that will provide a single sign-on for cloud applications.

Not all cloud SSO technologies, however, come with the same platforms, standards, and feature sets. To provide companies with an idea of what’s available, the following is a breakdown of some of the key players and what each is doing to raise the bar on authentication, mobile, and otherwise.

OneLogin: an app of its own

In mid-July, this San Francisco–based startup unveiled an iPad app that grants mobile employees one-click access to a whole slew of web applications. Users simply type in a four-digit PIN and tap an icon to sign into any number of Software-as-a-Service (SaaS) applications. Because OneLogin was designed with native iPad browser functionality, users can toggle back and forth among mobile apps. This is ideal for sales reps, who to need to switch quickly among programs while on the go.

Users also have the option of increased mobile security with OneLogin’s free mobile onetime password app and its partnerships with RSA SecurID, Symantec VIP Access, and Yubico, which provide a second layer of authentication.

Although relatively new to the identity-management market, OneLogin includes customers such as Steelcase, KnowledgeTree, and Netflix. Netflix’s IT department, for example, is currently beta testing the startup’s new iPad app to manage mobile user access. In addition to quickly onboarding Netflix’s growing legion of iPad users, the tool acts as a central kill switch so that IT execs can immediately cut off an employee’s access to SaaS applications.

Here is another draw for OneLogin: open-source security assertion markup language (SAML) toolkits that help customers extend the same degree of authentication and authorization to their private-cloud applications. Clients include Zendesk, KnowledgeTree, and SugarCRM. Users may choose from a selection of developer platforms ranging from Ruby on Rails to Python in order to deploy SAML-enabled apps in record time.

OneLogin also features a freemium model that lets users add up to three single-sign-on SAML apps. Subscribers to the no-cost service include Canadian airline carrier WestJet, which recently rolled out the talent management app SuccessFactors to 9,000 users in just a couple of weeks.

Okta: sequencing on demand

Like key competitor OneLogin, Okta provides SSO capabilities for the cloud. Although monthly fees for its SSO service run as low as $10 per user, Okta clearly has its eye on the enterprise market and relies on separate data centers, a dedicated CSO, and third-party testing as proof of its commitment to delivering enterprise-grade services.

Where the San Francisco–based company differs from traditional vendors serving the enterprise space is that the product can roll out in days instead of weeks. It also comes pre-integrated with 1,500 apps (OneLogin claims its iPad app is pre-integrated with over 2,200 apps). What’s more, iPad users access Okta from a web browser — Internet Explorer, Firefox, Chrome, and Safari are options — without having to install an iPad cloud SSO app.

Okta takes a two-pronged approach to supporting applications with its SSO capabilities: For apps that support SAML, Okta acts as a SAML identity provider that immediately responds to and facilitates user authentication. For SaaS apps that do not support SAML, however, Okta’s Secure Web Authentication (SWA) technology stores and encrypts an app’s web credentials and then plays them back as part of a secure log-in sequence. The thinking is that end users achieve a higher level of SSO integration across SaaS applications, thereby eliminating the need for multiple passwords and tightening IT’s control over app authentication.

Ping Identity: plenty of options

Unlike Okta, Ping Identity’s PingFederate is a unique on-premise appliance that, when coupled with PingOne, offers secure authentication to all users without having to capture, store, or replay a user’s password. Instead, data travels from a company’s enterprise identity store, such as Microsoft’s Active Directory, to Ping’s cloud identity service without plug-ins or the need to store passwords in the cloud or in a directory.

In turn, users rely on a password to log into a portal or Ping’s CloudDesktop application, and they are presented with a set of secure apps to choose from. By eliminating the need to replay, screen scrape, and store passwords, Denver-based Ping Identity takes a step toward democratizing cloud SSO, granting all apps the same level of security, regardless of type or function.

One key driver of growth for Ping Identity is the sheer number of options it provides for end users. Those with an iPad can access mobile applications via a mobile browser or through a single point of access via Ping’s CloudDesktop. In the case of enterprise apps that have been designed for a particular platform or device and converted to mobile apps, Ping Identity relies on OAuth, a protocol for securing authorization to mobile and desktop apps. With OAuth, users are provided with a token to gain authorized access to cloud resources. Other standards Ping Identity supports include SAML and OpenID for secure access to third-party mobile apps.

By providing federation support for a variety of native and web applications from both obscure and well-known vendors, Ping Identity is positioning itself to keep pace with today’s steady stream of new SaaS providers, as well as the continued iPad usage growth.

Symplified: a new breed of hybrid

Another hybrid provider of cloud SSO is Symplified. Able to be deployed both on-premise and in the cloud, Symplified’s hybrid architecture accommodates enterprises large and small with varying levels of comfort regarding cloud security.

At the core of the Boulder, Colo.–based company’s architecture is Symplified’s Identity Router, an identity portal and proxy server that establishes and enforces the policies around how employees can access and interact with particular cloud applications. With this technology, provisioning and deprovisioning by IT administrators can be performed and delivered to the cloud through existing tools such as Active Directory for swift, hassle-free modifications.

There is another boon for IT administrators as well: Symplified can easily be extended to mobile users through a single URL without the need for hardware or software installation. And in February, the company partnered with Symantec Validation and ID Protection (VIP) Service to support apps that demand a stronger type of identity verification, especially when accessed through mobile devices like an iPad.

Key trends for the future

Technology once known for alleviating IT headaches and enhancing end-user convenience is now finding new life in today’s demand for mobile security. But SSO technology has been around for some time, and many vendors have well-established competitive approaches to providing identity management and authentication. These differences are slowly surfacing in vendors’ disparate strategies for delivering enterprise single-sign-on capabilities for mobile devices like the iPad. What tactic will win out, or prove to be the most secure, remains to be seen.

There are, however, key trends that promise to raise the bar on mobile single-sign-on technology. These include:

• An increased demand for the hybrid cloud SSO model, which lets end users integrate their on-premise systems with cloud services for greater flexibility

• Cloud SSO solutions that come pre-integrated with thousands of apps, including mission-critical business applications, for fast deployment

• Until there’s standardization among SSO platforms, expect a premium to be placed on solutions capable of integrating SaaS apps that do not support SAML

• Forget about apps. OpenID Connect is fast becoming the new standard for federated SSO: a full-of-promise protocol that lets everything from desktops to iPads send and receive identity information directly to APIs for easy communication across multiple cloud providers