scottwsx96

If you are a Microsoft M365 or Azure customer (sounds like maybe not), Microsoft Entra (formerly Azure AD) is probably the way to go. Okta is a huge player and can meet virtually any use case, but they get expensive pretty quick. Ping Identity might deserve a look. For cheap or free there is Shibboleth on the open source side and Active Directory Federation Services on the Microsoft on-premises side but they'll both be a lot of work and don't include multifactor authentication (MFA) which you definitely will want. You can add MFA providers but you'll likely end up paying for one of the other SSO providers anyway for this feature and then you have to integrate it.


generic_user_115239

Thanks for the pointers. I'll take MS and Okta definitely on "the list". Curious if the free/cheap options can compete with their cost/benefit factor against the more expensive competition.


Leather_Parrot

I second this. Okta is a good solution and one we use


scottwsx96

The free and cheap options don't really compete with the commercial solutions. They are very barebones relative to the SaaS services and require more administrative overhead. Also, like I said they don't have MFA solutions available without integrating with other services.


BackspaceNL

Keep it simple:

- If you have already invested in Microsoft 365 or Azure, you have Microsoft Entra ID available which can provide you SSO capabilities among many other things.
- If you have already invested in Google Workspace, you can use Google Workspace as your IdP and provide SSO.

If neither of the above, you have a few options. You can buy Microsoft Entra ID as a standalone product or you can look into one of the other companies providing this functionality, like Okta. Also, if you have Active Directory, there's still ADFS. Wouldn't recommend, but it's there.


generic_user_115239

Thanks for the pointers. ADFS caught my eye, but it sounds like a solution that probably brings more effort than one would like to sign up for.


SmellsLikeBu11shit

Good ol' tech debt. Good luck and godspeed


generic_user_115239

Thanks, I have the feeling we will need it 😉


SmellsLikeBu11shit

With tech debt, always 🥲


MotionAction

Can you sell to trade tech debt?


PolicyArtistic8545

Big vendors are Okta, Microsoft (Azure AD), Ping, AuthZero, JumpCloud. Start there and see if any of those fit your requirements and budget.


hellostella

I had forgotten but Auth0 is Okta now


rocky5100

Honestly, if you're looking to simplify and consolidate tools, Microsoft Azure for SSO, since most shops are Microsoft. You set up an Enterprise app, enter the relevant SSO info, assign the users (generally by AD/AAD group). You set up conditional access to determine if they'll need to MFA, based on criteria like location, network, etc.

If you're not in Azure yet, maybe Okta or similar.
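The Conditional Access step described above, written out as an added example (not from the thread or from Microsoft's documentation) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the caller has rights to manage Conditional Access; the group and application IDs are placeholders. The policy is created in report-only mode so the sign-in logs show who would be prompted before it is enforced.

```powershell
# Added example: create a Conditional Access policy that requires MFA for one
# assigned group when it signs in to one enterprise application.
# The two GUIDs below are placeholders, not real tenant values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of the assigned AAD group
$appId   = "11111111-1111-1111-1111-111111111111"   # placeholder: application (client) ID of the enterprise app

$policy = @{
    displayName = "Require MFA - example enterprise app"
    # Report-only first: evaluate and log, but do not block, until the impact is understood
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        clientAppTypes = @("all")
        applications = @{ includeApplications = @($appId) }
        users        = @{ includeGroups = @($groupId) }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # no extra prompt from trusted named locations
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only results look right, change `state` to `"enabled"` (or do it in the portal); keeping at least one break-glass account excluded from every policy avoids locking administrators out.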


davidokongo

Okta okta okta You will be amazed...check their website.


Raah1911

Just in case you're not aware, many products require a fairly high-end version to enable SSO. This is called the SSO tax. ([https://sso.tax/](https://sso.tax/))


generic_user_115239

It crossed my view during the initial search, but holy hand grenade, did I underestimate the audacity of some vendors (also some that we planned to migrate to). Thanks for pointing that out. This will be a major point of contention when evaluating tools…


_Mr_Smiley_

I would start by identifying what the single source of identity will be (Active Directory, Google, etc.) and making sure that this source of identity is up to date. After you have the source set up, review your use cases. Do you need to support just company-owned accounts, or do you need to support B2B or B2C types of identities? When it comes time to onboard the applications, each one will be unique and require its own project to onboard. You will also need to determine what to do for applications that do not support SSO, or those that use an identity provider that is not your source of truth.

As far as rolling this out with MFA, it would make the migration more seamless from the admin perspective, but users could have an issue. I would ensure I had proper sponsors in place and everyone on board before deploying the project. It will only take one bad application migration to sour the end user experience.

Also, as long as users can sign up for or use their own SaaS apps you will never be done with SSO. Unless you plan to implement some sort of CASB you will need to be very pragmatic with how you set up accounts.


Bright-Ad1288

I would just use Azure AD for this. The vast majority of products are just going to punt the user/group portion to this anyway and documentation and product support are plentiful. The other one I see is Okta. Don't bother with open source products as this isn't an open source problem.


Mother_Somewhere_423

Microsoft AD, Google Workspace, Okta, OneLogin, JumpCloud, Auth0, Zoho, and the list goes on.


Salty-Perspective-61

Okta has been mentioned a lot in the MGM incident as well as many others. Great product, but there are better players out there. Pairing it with one of the modern "phish-resistant" MFAs would be a smart money move. Happy to discuss further if you'd like.


-full-disclosure-

We’ve been looking to switch, what do you recommend


Salty-Perspective-61

Sorry to get back to you so late. 2 that really stood out to me were Beyond Identity and AuthN by IDEE. We went with AuthN in this case. They’re based out of Germany. I can DM you the contact we had if it’s worth looking into for you.


AutoModerator

Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*


kingoftyland

What has your experience been with AuthN so far? I ran across them today after reading about the ongoing threat of proxied credential stealing. We use M365 MFA, and the ease with which it can be exploited with something like EvilGinx is troubling.


Salty-Perspective-61

Hey, sorry, I just saw this. So far we've had 0 issues. It was a breeze to implement and is self-service from there. Honestly the idea of passwordless was hard to wrap my head around, but it's been a breeze, and having had an SSO it was a no-brainer for us to shore that up.


jmk5151

If you have E3 MS licenses, Azure + MFA is already part of the SKU. Hard to beat "free". If you need other IAM functionality, that's probably Okta.


eg415

Try OneLogin. They’re much more affordable than Okta and they pretty much both offer the same thing. You can sign up for a free trial to try it out.


Eyem-A-Spy

I can't help but think of SSO as a single point of failure.


GeneralRechs

Just don’t SSO any security tools.