For years, the “Holy Grail” of identity and access management (IAM) has been single sign-on (SSO). After all, what’s not to like about users only having to remember one password to get to all their stuff? It’s a win-win for all parties. IT doesn’t waste its valuable cycles helping users get connected after they forgot one of their 15 passwords, and users don’t have to live in fear of upsetting the all-powerful IT team because they forgot. And they don’t have to feel guilty for writing all the passwords down and hiding them where no one would ever look (under the keyboard).
As cool as SSO is, it’s an elusive goal that’s often difficult to attain. The IAM landscape is littered with failed or incomplete SSO projects: users still write down passwords, IT still resets passwords, and all the pitfalls of non-unified IAM remain – only now users have four passwords to forget instead of 15. And the landscape is constantly changing – it has evolved from password synchronization, to the Kerberos-based SSO of Microsoft Active Directory, to the password replay technologies of the past decade, and on to the more modern federation technologies and standards of today (SAML, WS-Fed, etc.). Then we have the emerging technologies of OAuth and its sister, OpenID Connect.
It’s unavoidable that an SSO approach adopted five years ago will not provide optimum access control and streamlined authentication for newer standards that the “cutting edge” SSO solutions nail completely. What’s more, the new solutions typically ignore the “legacy” needs of years gone by.
But SSO is still a noble aspiration, and one that, if approached pragmatically, can deliver real business value. The key is picking your battles and focusing on those you not only can win, but win decisively. Rather than settle for the lowest common denominator in an effort to cover the widest range of applications, the right SSO strategy should focus on the most important applications and user populations, and expand from there into as many adjacent people and systems as possible.
Here are a few pointers from my years of SSO experience (believe me, I’ve seen it all):
- Don’t settle for the lowest common denominator — if you have an application that supports SAML, falling back to old-school password synchronization misses out on the many advantages of federation.
- Don’t ignore the old stuff — does your federation solution also provide SSO for non-federated applications in the way that is best for them? If it doesn’t, you should look for one that does.
- Don’t be afraid to use a blended approach — if you are like 99 percent of the world, you already enjoy incredible SSO for one important aspect of your world (Microsoft and all that AD brings). Extend that as far as you can, and then augment it with solutions to fill the gaps — most likely a federation solution (preferably one that also addresses legacy web applications), and possibly a password replay solution for critical thick-client apps.
So go on that quest; it’s worth it. Your users will thank you. Your IT department will thank you. Your auditor may get out of your hair quicker. And you will be able to adapt more quickly to new and emerging needs (can you say BYOD, mobile, and social login?) without disrupting what you already have going.