Single sign-on solutions: How 9 top tools compare

Single sign-on (SSO) centralizes session and user authentication services, requiring just one set of login credentials for multiple applications. This improves the user experience, but it has IT administration and security benefits, too. SSO reduces the risk of lost or weak passwords as well as overhead associated with managing account access.

If you have yet to implement any SSO or identity management tool, or are looking to upgrade, this roundup of SSO tools will serve as a primer on where you want to take things. Given today’s threat landscape, you need to up your password game by trying to rid your users of the nasty habit of reusing their old standby passwords.

If cost and IT support are both issues, you could start with an enterprise password manager such as 1Password or Lastpass (now owned by LogMeIn). These products are great for keeping a central “vault” of all your passwords and inserting them into the login process. They all work well under various conditions, such as browser and smartphone logins. They typically don’t support multi-factor authentication (MFA) logins, other than for accessing your overall vault. Figure on paying about $8 per user per month. 

If you have more than 100 staffers and have a reasonable level of IT support, you will eventually realize the limitations of password management tools and need a full-blown SSO solution (the focus of this roundup) that can offer more flexible authentication policies, access rules, MFA and mobile authenticator apps. Interestingly, most SSO products also cost about $8 per user per month but will require more IT manpower to implement. (Ping’s solution offers a lot of bang for the $3 per month price point, however.)

Let’s talk a bit about using MFA, because it is an important motivation behind going the SSO route. The idea of using MFA used to be mostly for the ultra-paranoid; now it is the minimum for enterprise security, especially considering the number and increasing sophistication of spear-phishing attacks. Sadly, the deployment of MFA is far from universal: a recent survey from Symantec (Adapting to the New Realities of Cloud Threats) found that two-thirds of the respondents still don’t deploy any MFA tools to protect their cloud infrastructures. Certainly, having SSO can help ease the pain and move toward broader MFA acceptance.

Besides MFA, there is another reason to up your authentication game: the need for adaptive or risk-based authentication. This means changing your perspective from issuing your users an “all-day access pass” when they begin work by logging into their laptops. This idea is now outdated and replaced by finer-grained authentication strategies that account for numerous factors put into play more or less continuously. These strategies use techniques to detect phishing, account takeovers and other threats that try to impersonate or steal a user’s identity.

While most SSO vendors have comprehensive MFA support, their support for adaptive authentication is spotty and far from mature. I look at the following vendors here: Cisco/Duo, Idaptive, ManageEngine, MicroFocus/NetIQ, Okta, OneLogin, PerfectCloud, Ping Identity and RSA.

Another strategy, if you have the skills and staff but no funds, is to go the open-source route and add MFA to your logins. The Authy.com MFA tool seems to be the market leader today.  Authy’s app is available on a wide range of devices, including desktops.

Or you could take whatever SSO features come with your principle cloud provider and try to extend it into other SaaS apps that they support. Salesforce and Microsoft Azure are examples of this route. Each has an SSO service add-on that is more or less capable at delivering basic authentication features. However, they aren’t as useful as a true SSO tool that is vendor-neutral. I recommend that you stick with either the specialized SSO vendors or move to an identity governance solution.

Identity governance solutions include OneSpan, Saviynt, HID, CA and Sailpoint, among more than a dozen other providers. They also have loads of features so you can insert more control over on- and off-boarding management, managing federation of identity and application orchestration, and have closer integration with cloud apps. Of course, you will pay more for these additional features, but these are the tools you’ll eventually want to use if you want the complete identity package. I didn’t review these products here.

Many of the SSO vendors that I cover here have moved into the identity governance space, either by acquiring other companies (RSA, Duo and Ping Identity are notable examples) or by adding new products to their SSO line (Okta, OneLogin and Idaptive).

Top SSO solutions

1. Duo/Cisco SSO
2. Idaptive Single Sign-On
3. ManageEngine/Zoho Identity Manager Plus
4. MicroFocus/NetIQ Access Manager
5. Okta Single Sign-On
6. OneLogin Single Sign-On
7. PerfectCloud SmartSignIn
8. Ping Identity PingOne
9. RSA SecurID Access Suite

Duo/Cisco SSO

Duo is a relative newcomer to the SSO space but has quickly taken a leadership position, as evidenced by being acquired last year by Cisco. It has is fully featured and Is based on a capable mobile authenticator smartphone app that is equivalent to many competitors’ mobile management apps. It supports a rich collection of adaptive authentication methods and even works with its competitors’ SSO tools (including Okta, Ping and OneLogin). Duo’s smartphone authenticator app is also one of the more popular MFA mechanisms for a wide variety of SaaS products.

It has transparent pricing with full feature breakdown and four tiers: free for up to 10 users and then plans start at $3 per user per month and go to $9 per user per month. The top two tiers include adaptive authentication and policy enforcement tools. The top tier secures internal apps as well as SaaS ones. 

Idaptive Single Sign-On

I’m impressed with this product. Early this year, Centrify spun out its identity business unit as Idaptive. Centrify continues to sell its privileged access management tools. Idaptive has two versions: the standard and Adaptive SSO, which adds contextual authentications at an additional cost. MFA support also comes in two packages, at $2 per user per month for the standard and $4 per user per month for the adaptive version that adds device and user context and real-time reporting features. MFA methods include a wide range such as email, FIDO U2F keys, Google Authenticator and its own authenticator apps, and SMS.

The SSO products support thousands of apps and have a feature called Infinite Apps that discovers their SAML configuration. They support a wide array of protocols including SAML, WS-Fed and OAuth. The Idaptive web dashboard has been completely rearranged but mostly offers the same functionality as the old Centrify one. Idaptive also has a full line of identity management and provisioning tools, along with a strong mobile device management offering. The company has a transparent pricing page here and offers a free trial.

ManageEngine/Zoho Identity Manager Plus

ManageEngine has more than a dozen different cloud applications, and its SSO tool is called Identity Manager Plus. If you are a big consumer of their services (including the Zoho suite), then this is a good starting place for your SSO needs. If not, then I would look elsewhere. The tool complements other ManageEngine AD-related tools. It has 400 apps in its catalog and supports custom SAML configurations as well.

If you want MFA or mobile device support, you must use the ADSelfService Plus tool, which includes numerous methods such as authenticator apps from Google, Duo and Microsoft along with support for RSA SecurID tokens. (That will cost another $100 per month for 500-user blocks.) The Identity Manager Plus software supports a wide variety of identity providers, including AD, Okta, OneLogin, Ping Identity and other SAML-based providers. There is an online demo and it has a free trial like many of their other products.

MicroFocus/NetIQ Access Manager

MicroFocus is now the keeper of the NetIQ flame. Its solution covers three separate products: Access Manager, its principle SSO tool; an MFA product; and a mobile device management product called Zenworks Configuration Management. Each has a separate pricing plan, which starts at $.49 per user per month (at the 500-user level) plus a $47 one-time setup charge. MFA starts at $.92 per user per month (also at the 500-user level). Its app catalog contains more than 500 entries, but like Idaptive it also offers a simple integration app on-boarding routine. NetIQ supports a wide variety of connection protocols, including FIDO, SAML, OAuth, Open ID Connect and WS-Fed.

Okta Single Sign-On

Okta has long been a leader in SSO and sells two different versions of their flagship tool: a basic and an adaptive version that can be used to sense location, device and network parameters to prevent spoofing attacks. It now has a full collection of complementary products besides the SSO offerings that move into more of the integration and identity governance space. These include their Lifecycle Management service (which handles Active Directory [AD] sync for Office 365, directory integration with AD or LDAP, and auto provisioning), a cloud directory (which goes for $2 per user per month), a service that supports hybrid cloud/on-premises deployments, and inbound federation (which starts at $8,000 per year).

Okta

Okta has two versions of its MFA app to match its two SSO versions. The first is the basic MFA and the second is the adaptive version. Each product has two separate component fees. The first is the access charge, which is either $8000 per year (or $16,000 per year for the adaptive product). Then there are per user charges of $3 to $5 per month. There is a free 30-day trial of the adaptive MFA software. It has a transparent pricing page for all its products.

OneLogin Single Sign-On

OneLogin has been a long-time SSO provider and now offers a complete identity management suite of products. Their SSO service comes in three different tiers: Starter ($2 per user per month) supports a single AD instance, enterprise ($4 per user per month) adds MFA, multiple identity providers, and integrations with SIEMs and VPNs, and the unlimited version ($8 per user per month), which adds user provisioning and additional integrations. All its products are available for a free 30-day trial. As an example of the product’s depth, OneLogin’s app catalog contains 2,700 apps for simple password completion and over 1,500 SAML apps.

OneLogin

OneLogin also offers an adaptive authentication product that builds on its own Protect mobile software authentication tool and supports a variety of other authenticator apps such as Google Authenticator and Duo. A unified access tool bridges on-premises and cloud apps and a real-time user provisioning tool for both faster on- and off-boarding.

PerfectCloud SmartSignIn

This continues to be a very basic SSO solution. There is a free single-user version for managing up to four apps. PerfectCloud was one of the first to add a second factor passphrase to its logins, but it has fallen behind in not supporting any of the mobile authenticator apps. This passphrase is encrypted on the device and they don’t store it, so that is a distinguishing feature. The product starts at $6 per user per month for the SMB version. That doesn’t include additional features such as AD integration, access and group management and policy rules.  

Ping Identity PingOne

Ping is another long-time SSO player and one of the first to offer federated identity provisioning with its Ping Federate product. You’ll need this to implement other MFA apps besides its own smartphone app.

Ping prices its basic SSO app differently depending on whether it is sold directly or through one of its many channel partners. The basic pricing includes both MFA and SSO for $3 per user per month, which is very competitive considering what features are included. There is a free 30-day trial, too.

Its catalog has 1,650 apps that come pre-configured. PingOne supports a wide variety of MFA apps (from itself and its competitors such as RSA, Symantec, Duo and Gemalto) and methods, including Apple’s FaceID, fingerprint and voice authentication, along with various FIDO authentication methods and other hardware tokens. Ping also works with a number of mobile management tools, including MobileIron, Airwatch and InTune and a number of other identity providers, including AD, Azure AD, Google and Open ID Connect and SAML.

RSA SecurID Access Suite

RSA has been a market leader in authentication since it first minted its SecurID key fob token, and it now offers a variety of tools in the full identity governance market thanks to a combination of acquisitions and integrations over the years. It has a solid SSO offering, but obviously wants you to implement its full-blown identity governance solution. (Note: I do consult for RSA.)

RSA