For years, the “Holy Grail” of identity and access management (IAM) has been single sign-on (SSO). After all, what’s not to like about users only having to remember one password to get to all their stuff? It’s a win-win for all parties. IT doesn’t waste its valuable cycles helping users get connected after they forgot one of their 15 passwords, and users don’t have to live in fear of upsetting the all-powerful IT team because they forgot. And they don’t have to feel guilty for writing all the passwords down and hiding them where no one would ever look (under the keyboard).

As cool as SSO is, it’s an elusive goal that’s often difficult to attain. The IAM landscape is littered with failed or incomplete SSO projects: users still write down passwords, IT still resets them, and all the pitfalls of non-unified IAM remain. Only now users have four passwords to forget instead of 15.

And the landscape is constantly changing. It has evolved from password synchronization, to the Kerberos-based SSO of Microsoft Active Directory, to the password replay technologies of the past decade, to the more modern federation technologies and standards of today (SAML, WS-Federation, etc.). Then we have the emerging technologies of OAuth and its sister, OpenID Connect. It’s unavoidable that an SSO approach adopted five years ago will not provide the optimum access control and streamlined authentication for newer standards that the “cutting edge” SSO solutions nail completely. What’s more, the new solutions typically ignore the “legacy” needs of years gone by.

But SSO is still a noble aspiration, and one that, if approached pragmatically, can deliver real business value. The key is picking your battles and focusing on those you not only can win, but win decisively.
Rather than settle for the lowest common denominator in an effort to cover the widest range of applications, the right SSO strategy should focus on the most important applications and user populations, and expand from there into as many adjacent people and systems as possible. Here are a few pointers from my years of SSO experience (believe me, I’ve seen it all):

- Don’t settle for the lowest common denominator. If you have an application that supports SAML, doing old-school password synchronization misses out on the many advantages of federation. With federation the application never receives the user’s password at all, only a signed assertion from the identity provider, so there is no second copy of the credential to synchronize, store, or breach.

- Don’t ignore the old stuff. Does your federation solution also provide SSO for non-federated applications in the way that is best for them? If it doesn’t, look for one that does.

- Don’t be afraid to use a blended approach. If you are like 99 percent of the world, you already enjoy incredible SSO for one important aspect of your environment (Microsoft and all that Active Directory’s Kerberos brings). Extend that as far as you can, and then augment it with solutions to fill the gaps: most likely a federation solution (preferably one that also addresses legacy web applications), and possibly a password replay solution for critical thick-client apps. Keep in mind that a password replay solution still stores real credentials and types them on the user’s behalf, so the vault that holds them needs the same protection you would give any other password store.

So go on that quest, it’s worth it. Your users will thank you. Your IT department will thank you. Your auditor may get out of your hair quicker. And you will be able to adapt to new and emerging needs (can you say BYOD, mobile, and social login?) quicker without disrupting what you already have going.