Single sign-on (SSO) centralizes session and user authentication services, requiring just one set of login credentials for multiple applications. This improves the user experience, but it has IT administration and security benefits, too. SSO reduces the risk of lost or weak passwords as well as overhead associated with managing account access.

If you have yet to implement any SSO or identity management tool, or are looking to upgrade, this roundup of SSO tools will serve as a primer on where you want to take things. Given today’s threat landscape, you need to up your password game by trying to rid your users of the nasty habit of reusing their old standby passwords.

If cost and IT support are both issues, you could start with an enterprise password manager such as 1Password or LastPass (now owned by LogMeIn). These products are great for keeping a central “vault” of all your passwords and inserting them into the login process. They all work well under various conditions, such as browser and smartphone logins. They typically don’t support multi-factor authentication (MFA) logins, other than for accessing your overall vault. Figure on paying about $8 per user per month.

If you have more than 100 staffers and have a reasonable level of IT support, you will eventually realize the limitations of password management tools and need a full-blown SSO solution (the focus of this roundup) that can offer more flexible authentication policies, access rules, MFA and mobile authenticator apps. Interestingly, most SSO products also cost about $8 per user per month but will require more IT manpower to implement. (Ping’s solution offers a lot of bang for the $3 per month price point, however.)

Let’s talk a bit about using MFA, because it is an important motivation behind going the SSO route.
MFA used to be mostly for the ultra-paranoid; now it is the minimum for enterprise security, especially considering the number and increasing sophistication of spear-phishing attacks. Sadly, the deployment of MFA is far from universal: a recent survey from Symantec (Adapting to the New Realities of Cloud Threats) found that two-thirds of the respondents still don’t deploy any MFA tools to protect their cloud infrastructures. Certainly, having SSO can help ease the pain and move toward broader MFA acceptance.

Besides MFA, there is another reason to up your authentication game: the need for adaptive or risk-based authentication. This means changing your perspective from issuing your users an “all-day access pass” when they begin work by logging into their laptops. This idea is now outdated and replaced by finer-grained authentication strategies that account for numerous factors put into play more or less continuously. These strategies use techniques to detect phishing, account takeovers and other threats that try to impersonate or steal a user’s identity.

While most SSO vendors have comprehensive MFA support, their support for adaptive authentication is spotty and far from mature. I look at the following vendors here: Cisco/Duo, Idaptive, ManageEngine, MicroFocus/NetIQ, Okta, OneLogin, PerfectCloud, Ping Identity and RSA.

Another strategy, if you have the skills and staff but no funds, is to go the open-source route and add MFA to your logins. The Authy.com MFA tool seems to be the market leader today. Authy’s app is available on a wide range of devices, including desktops.

Or you could take whatever SSO features come with your principal cloud provider and try to extend them into other SaaS apps that they support. Salesforce and Microsoft Azure are examples of this route. Each has an SSO service add-on that is more or less capable at delivering basic authentication features.
However, they aren’t as useful as a true SSO tool that is vendor-neutral. I recommend that you stick with either the specialized SSO vendors or move to an identity governance solution.

Identity governance solutions include OneSpan, Saviynt, HID, CA and SailPoint, among more than a dozen other providers. They also have loads of features so you can insert more control over on- and off-boarding management, managing federation of identity and application orchestration, and have closer integration with cloud apps. Of course, you will pay more for these additional features, but these are the tools you’ll eventually want to use if you want the complete identity package. I didn’t review these products here.

Many of the SSO vendors that I cover here have moved into the identity governance space, either by acquiring other companies (RSA, Duo and Ping Identity are notable examples) or by adding new products to their SSO line (Okta, OneLogin and Idaptive).

Top SSO solutions

Duo/Cisco SSO
Idaptive Single Sign-On
ManageEngine/Zoho Identity Manager Plus
MicroFocus/NetIQ Access Manager
Okta Single Sign-On
OneLogin Single Sign-On
PerfectCloud SmartSignIn
Ping Identity PingOne
RSA SecurID Access Suite

Duo/Cisco SSO

Duo is a relative newcomer to the SSO space but has quickly taken a leadership position, as evidenced by being acquired last year by Cisco. It is fully featured and is based on a capable mobile authenticator smartphone app that is equivalent to many competitors’ mobile management apps. It supports a rich collection of adaptive authentication methods and even works with its competitors’ SSO tools (including Okta, Ping and OneLogin). Duo’s smartphone authenticator app is also one of the more popular MFA mechanisms for a wide variety of SaaS products.

It has transparent pricing with full feature breakdown and four tiers: free for up to 10 users and then plans start at $3 per user per month and go to $9 per user per month.
The top two tiers include adaptive authentication and policy enforcement tools. The top tier secures internal apps as well as SaaS ones.

Idaptive Single Sign-On

I’m impressed with this product. Early this year, Centrify spun out its identity business unit as Idaptive. Centrify continues to sell its privileged access management tools. Idaptive has two versions: the standard and Adaptive SSO, which adds contextual authentications at an additional cost. MFA support also comes in two packages, at $2 per user per month for the standard and $4 per user per month for the adaptive version that adds device and user context and real-time reporting features. MFA methods include a wide range such as email, FIDO U2F keys, Google Authenticator and its own authenticator apps, and SMS.

The SSO products support thousands of apps and have a feature called Infinite Apps that discovers their SAML configuration. They support a wide array of protocols including SAML, WS-Fed and OAuth. The Idaptive web dashboard has been completely rearranged but mostly offers the same functionality as the old Centrify one. Idaptive also has a full line of identity management and provisioning tools, along with a strong mobile device management offering. The company has a transparent pricing page and offers a free trial.

ManageEngine/Zoho Identity Manager Plus

ManageEngine has more than a dozen different cloud applications, and its SSO tool is called Identity Manager Plus. If you are a big consumer of their services (including the Zoho suite), then this is a good starting place for your SSO needs. If not, then I would look elsewhere. The tool complements other ManageEngine AD-related tools. It has 400 apps in its catalog and supports custom SAML configurations as well.

If you want MFA or mobile device support, you must use the ADSelfService Plus tool, which includes numerous methods such as authenticator apps from Google, Duo and Microsoft along with support for RSA SecurID tokens.
(That will cost another $100 per month for 500-user blocks.) The Identity Manager Plus software supports a wide variety of identity providers, including AD, Okta, OneLogin, Ping Identity and other SAML-based providers. There is an online demo and it has a free trial like many of their other products.

MicroFocus/NetIQ Access Manager

MicroFocus is now the keeper of the NetIQ flame. Its solution covers three separate products: Access Manager, its principal SSO tool; an MFA product; and a mobile device management product called ZENworks Configuration Management. Each has a separate pricing plan, which starts at $.49 per user per month (at the 500-user level) plus a $47 one-time setup charge. MFA starts at $.92 per user per month (also at the 500-user level). Its app catalog contains more than 500 entries, but like Idaptive it also offers a simple integration app on-boarding routine. NetIQ supports a wide variety of connection protocols, including FIDO, SAML, OAuth, OpenID Connect and WS-Fed.

Okta Single Sign-On

Okta has long been a leader in SSO and sells two different versions of its flagship tool: a basic and an adaptive version that can be used to sense location, device and network parameters to prevent spoofing attacks. It now has a full collection of complementary products besides the SSO offerings that move into more of the integration and identity governance space. These include its Lifecycle Management service (which handles Active Directory [AD] sync for Office 365, directory integration with AD or LDAP, and auto provisioning), a cloud directory (which goes for $2 per user per month), a service that supports hybrid cloud/on-premises deployments, and inbound federation (which starts at $8,000 per year).

Figure: Okta’s main system status dashboard, where you can see details about overall services uptime and history from the past month. (Image: Okta)

Okta has two versions of its MFA app to match its two SSO versions.
The first is the basic MFA and the second is the adaptive version. Each product has two separate component fees. The first is the access charge, which is $8,000 per year (or $16,000 per year for the adaptive product). Then there are per user charges of $3 to $5 per month. There is a free 30-day trial of the adaptive MFA software. It has a transparent pricing page for all its products.

OneLogin Single Sign-On

OneLogin has been a long-time SSO provider and now offers a complete identity management suite of products. Its SSO service comes in three different tiers: Starter ($2 per user per month) supports a single AD instance; enterprise ($4 per user per month) adds MFA, multiple identity providers, and integrations with SIEMs and VPNs; and the unlimited version ($8 per user per month) adds user provisioning and additional integrations. All its products are available for a free 30-day trial. As an example of the product’s depth, OneLogin’s app catalog contains 2,700 apps for simple password completion and over 1,500 SAML apps.

Figure: OneLogin’s SAML configuration parameters, where you specify for an app the authentication protocol used and the URL paths to connect to resources. (Image: OneLogin)

OneLogin also offers an adaptive authentication product that builds on its own Protect mobile software authentication tool and supports a variety of other authenticator apps such as Google Authenticator and Duo. It also has a unified access tool that bridges on-premises and cloud apps, and a real-time user provisioning tool for faster on- and off-boarding.

PerfectCloud SmartSignIn

This continues to be a very basic SSO solution. There is a free single-user version for managing up to four apps. PerfectCloud was one of the first to add a second factor passphrase to its logins, but it has fallen behind in not supporting any of the mobile authenticator apps. This passphrase is encrypted on the device and they don’t store it, so that is a distinguishing feature.
The product starts at $6 per user per month for the SMB version. That doesn’t include additional features such as AD integration, access and group management and policy rules.

Ping Identity PingOne

Ping is another long-time SSO player and one of the first to offer federated identity provisioning with its PingFederate product. You’ll need this to implement other MFA apps besides its own smartphone app.

Ping prices its basic SSO app differently depending on whether it is sold directly or through one of its many channel partners. The basic pricing includes both MFA and SSO for $3 per user per month, which is very competitive considering what features are included. There is a free 30-day trial, too.

Its catalog has 1,650 apps that come pre-configured. PingOne supports a wide variety of MFA apps (from itself and its competitors such as RSA, Symantec, Duo and Gemalto) and methods, including Apple’s FaceID, fingerprint and voice authentication, along with various FIDO authentication methods and other hardware tokens. Ping also works with a number of mobile management tools, including MobileIron, AirWatch and Intune, and a number of other identity providers, including AD, Azure AD, Google, OpenID Connect and SAML.

RSA SecurID Access Suite

RSA has been a market leader in authentication since it first minted its SecurID key fob token, and it now offers a variety of tools in the full identity governance market thanks to a combination of acquisitions and integrations over the years. It has a solid SSO offering, but obviously wants you to implement its full-blown identity governance solution. (Note: I do consult for RSA.)

Figure: RSA’s access details, where you set up risk profiles that determine how often to authenticate to particular behaviors. (Image: RSA)

RSA also has two different mobile MFA apps: RSA SecurID Access Authenticate, which supports push to approve, biometric face and voice authentications.
This app will also provide MFA logins for a variety of SaaS apps. It also has RSA SecurID Mobile OTP, which is its software token solution. RSA SecurID Access supports a wide variety of identity providers. In addition to SAML, OpenID Connect, RADIUS, AD and Azure AD, it also integrates with Ping, Okta, OneLogin and others.

The SecurID Access product is sold both through resellers and directly; pricing varies. RSA quoted me $1,830 a month for a 500-user package that includes user licenses, MFA authentication, biometric and FIDO support. The product has three different overall pricing tiers: basic is the SSO-only version, enterprise adds bulk provisioning and self-enrollment, and premium adds advanced risk analytics. Each plan starts at $1 per user per month and the premium plan can cost up to $5 per user per month.

SSO trends

It’s all about the apps. What makes SSO work is the ability to automatically sign into as many apps as possible. While this seems obvious, the SSO vendors have drastically increased their app support in the past several years. Okta and OneLogin now support thousands in their catalog. Idaptive and NetIQ have a feature to make configuring apps that aren’t in their catalogs a lot easier, too.

Smartphone authentication apps have proliferated. Because of weaknesses in SMS MFA, a more secure authentication method is to use one of these apps that generate a one-time password on your phone. The number of these apps continues to grow, with Google Authenticator and Duo having the largest support among cloud and SaaS providers. There are also apps from Authy, OneSpan, HID Approve, Microsoft, SafeNet MobilePass and Sophos, along with the apps from the password manager and SSO vendors themselves.

The table below shows a few typical SaaS and IaaS providers and which MFA methods and smartphone apps they support.
If you are planning on supporting more than a single app, you might want to check out this review of the most popular MFA apps on Google Play.

Table: typical SaaS and IaaS providers and the MFA methods and smartphone apps they support. (Image: CSO / IDG)

Adaptive MFA is implemented in different ways. Most SSO tools support MFA. The question is how good this support is, especially for using specific MFA smartphone apps. Most tools start with an authentication app on your smartphone that you need to configure with the main SSO web portal management pages. All the SSO vendors support this with the exceptions of ManageEngine and PerfectCloud.

FIDO is still a maturing market. With Google and Microsoft now supporting FIDO authentication hardware keys for their G Suite and Windows logins, you would think FIDO would be more prevalent than it actually is. A few vendors support some version of these keys for authentication and are noted in the reviews, but it is far from universal.

Mobile device management tools are in remission. A few years ago, it seemed as if SSO vendors were moving toward mobile device management features, with Centrify (now Idaptive) leading the way. Now it seems as if fewer customers care about this issue, and instead are using the mobile smartphone authenticator apps as their main bulwark against account compromises. Idaptive and Duo are the two leaders here.