For years, the "Holy Grail" of identity and access management (IAM) has been single sign-on (SSO). After all, what's not to like about users only having to remember one password to get to all their stuff? It's a win for every party. IT doesn't waste valuable cycles reconnecting users who forgot one of their 15 passwords, and users don't have to live in fear of upsetting the all-powerful IT team because they forgot. Nor do they have to feel guilty about writing all the passwords down and hiding them where no one would ever look (under the keyboard).

As appealing as SSO is, it's an elusive goal that's often difficult to reach. The IAM landscape is littered with failed or incomplete SSO projects: users still write down passwords, IT still resets them, and all the pitfalls of non-unified IAM remain, except that now users have four passwords to forget instead of 15. And the landscape keeps changing. It has evolved from password synchronization, to the Kerberos-based SSO of Microsoft Active Directory, to the password replay technologies of the past decade, and on to the federation technologies and standards of today (SAML, WS-Federation, etc.). Then there are the emerging technologies of OAuth and its sister, OpenID Connect, which builds an identity layer on top of OAuth 2.0.

It's unavoidable that an SSO approach adopted five years ago will not provide optimum access control and streamlined authentication for newer standards that the "cutting edge" SSO solutions handle completely. What's more, the new solutions typically ignore the "legacy" needs of years gone by.

But SSO is still a noble aspiration, and one that, if approached pragmatically, can deliver real business value. The key is picking your battles and focusing on those you not only can win, but can win decisively.
Rather than settle for the lowest common denominator in an effort to cover the widest range of applications, the right SSO strategy should focus on the most important applications and user populations, and expand from there into as many adjacent people and systems as possible.

Here are a few pointers from my years of SSO experience (believe me, I've seen it all):

Don't settle for the lowest common denominator — if you have an application that supports SAML, doing old-school password synchronization means giving up the many advantages of federation: the application never holds a copy of the user's credential, and each assertion is signed, scoped to one application and short-lived.

Don't ignore the old stuff — does your federation solution also provide SSO for non-federated applications in the way that is best for them? If it doesn't, you should look for one that does.

Don't be afraid to use a blended approach — if you are like most organizations, you already enjoy excellent SSO for one important part of your world (Microsoft and everything Active Directory brings). Extend that as far as you can, and then augment it with solutions to fill the gaps: most likely a federation solution (preferably one that also addresses legacy web applications), and possibly a password replay solution for critical thick-client apps.

So go on that quest; it's worth it. Your users will thank you. Your IT department will thank you. Your auditor may get out of your hair quicker. And you will be able to adapt to new and emerging needs (can you say BYOD, mobile and social login?) faster, without disrupting what you already have going.
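To make the first pointer concrete, here is an added example (not code from the original post, nor from any product it mentions) contrasting the two approaches side by side. The "directory", the user "alice", the audience URLs and the keys are all constructed for illustration, and an HMAC-SHA256 over a JSON payload stands in for SAML's XML signature; the point is what each application has to store and what it has to check, not the wire format.

```python
"""Password synchronization vs. federation: a toy comparison.

Added example, not from the original post. HMAC-SHA256 over JSON is used as
a stand-in for a SAML XML signature; the directory, user, audiences and keys
are constructed sample data.
"""
import hashlib
import hmac
import json
import os

SALT = b"constructed-salt"  # a real directory uses a per-user random salt


def hash_password(pw: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000).hex()


# The central directory (constructed sample data).
DIRECTORY = {"alice": hash_password("correct horse battery staple")}


class PasswordSyncApp:
    """Option 1: the app keeps its own copy of every user's credential."""

    def __init__(self):
        self.local_hashes = {}

    def sync_from_directory(self, directory):
        # Each sync copies credential material into the app's own store, so a
        # breach of this app is a breach of the directory password, and every
        # password change has to be propagated here before it takes effect.
        self.local_hashes = dict(directory)

    def login(self, user: str, password: str) -> bool:
        stored = self.local_hashes.get(user)
        return stored is not None and hmac.compare_digest(stored, hash_password(password))

    def holds_credentials(self) -> bool:
        return bool(self.local_hashes)


IDP_KEY = os.urandom(32)  # shared only between the IdP and the service provider


def issue_assertion(key: bytes, subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """IdP side: after authenticating the user itself, sign a short-lived,
    audience-restricted assertion. The password never leaves the IdP."""
    payload = {"sub": subject, "aud": audience, "nbf": now, "exp": now + ttl}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


class FederatedApp:
    """Option 2: the app never sees a password; it verifies the IdP's assertion."""

    def __init__(self, key: bytes, audience: str):
        self.key = key
        self.audience = audience

    def login(self, assertion: str, now: int):
        """Return the authenticated subject, or None if the assertion is rejected."""
        try:
            body_hex, sig = assertion.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None                       # malformed
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                       # tampered, or signed by the wrong issuer
        claims = json.loads(body)
        if claims.get("aud") != self.audience:
            return None                       # issued for a different application
        if not (claims["nbf"] <= now < claims["exp"]):
            return None                       # expired or not yet valid
        return claims["sub"]

    def holds_credentials(self) -> bool:
        return False


if __name__ == "__main__":
    legacy = PasswordSyncApp()
    legacy.sync_from_directory(DIRECTORY)
    print("password sync: login ok =", legacy.login("alice", "correct horse battery staple"),
          "| app stores credentials =", legacy.holds_credentials())

    sp = FederatedApp(IDP_KEY, "https://app.example")
    token = issue_assertion(IDP_KEY, "alice", "https://app.example", now=1_000_000)
    print("federation: subject =", sp.login(token, now=1_000_100),
          "| expired =", sp.login(token, now=1_000_600),
          "| app stores credentials =", sp.holds_credentials())
```

The three checks in `FederatedApp.login` (signature, audience, validity window) are exactly what a password-synchronized application cannot offer: an assertion captured from one application is useless at another, it stops working minutes later, and nothing in the application's database helps an attacker guess a directory password.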