At Okta, we are highly invested in sharing the latest ideas and practices around authentication and security—and that requires some myth busting. This blog is the fourth in a series of posts meant to tackle common misunderstandings and myths around single sign-on (SSO). See below for our full list of the myths we've seen (and busted!) around SSO.
SSO has a reputation for being difficult and time consuming to deploy. This might have been true with legacy solutions such as ADFS, but modern, cloud-based SSO is different.
It’s 11:15 a.m. on a Tuesday and Laura has an important presentation at 11:30 a.m. But she’s having trouble signing into her Box account to get an important file. Which username and password was it? She got into her Gmail account without a problem. She finally got into Salesforce, but only after a few password guesses. No such luck with Box, however, and she’s just sent a ticket to IT support. Can she download that slide deck in time for her meeting?
Laura’s story is, unfortunately, all too common. As the number of apps your employees use grows, so does their frustration in trying to manage all their credentials. IT teams know how SSO helps to avoid these login challenges, but they often have other reservations, particularly around spending intensive time and effort supporting a difficult deployment.
What’s difficult about deploying legacy SSO?
Legacy SSO solutions such as ADFS have traditionally been complex to deploy. Much of the difficulty comes from integrating the components an organization already has (directories, federation servers, proxies) with each new application, and from the configuration changes every integration requires. At Okta, we’ve talked with customers who have spent upwards of $5,000 in the space of a week just to integrate a single modern application with a traditional SSO product. Our internal data shows that the average organization uses 60 apps. Multiply those costs across that many apps and traditional SSO quickly becomes expensive.
Another challenge with deploying a legacy SSO product is populating a new user store, which isn’t easy. Profiles usually already exist in a directory such as Microsoft’s Active Directory (AD). If an organization has multiple untrusted AD forests, moving to a solution like ADFS often requires IT to manually establish trust relationships between those forests before users in each of them can sign in.
Finally, adopting a legacy SSO solution often also means deploying new hardware. A highly available ADFS deployment needs multiple federation servers, Web Application Proxy servers in the perimeter network, and a load balancer, and that footprint repeats for each AD forest. Then there are firewall changes to consider. IT spends a lot of time and energy ensuring that the firewall is properly configured, and a traditional SSO solution typically requires inbound rules so that users and cloud applications can reach the federation endpoints. Each of those inbound exceptions means more work for IT and another exposed surface to defend.
Connecting users to apps through legacy SSO solutions is difficult, requiring updated user stores, firewall changes, and additional hardware.
Given the above, it’s understandable that IT teams see SSO as difficult to deploy. However, this model has evolved, and a much better alternative exists. Cloud-based SSO solutions let organizations reap the benefits of SSO without the hassles of legacy deployments.
What makes cloud-based SSO easier?
1. Pre-built connectors for popular apps
Modern SSO ships with pre-built connectors to popular apps, so IT is freed from building app integrations from scratch. For example, the Okta Integration Network has over 6,000 integrations with widely used cloud-based and on-prem technologies, which lets you quickly connect users, provision and manage accounts, and sync data across systems and apps. Without such connectors, IT can spend months creating and maintaining integrations between applications and a legacy SSO solution. Pre-existing integrations are a massive boost to speed and efficiency.
2. Compatibility with existing directories
Modern SSO connects easily to your existing directories. If users already exist in an AD or LDAP directory, SSO can import accounts, attributes, and groups automatically, eliminating the need to manually populate a new user store. For instance, Okta offers delegated authentication to AD (the user’s password is verified against AD rather than stored in Okta), provisioning and deprovisioning, directory sync, and AD password management, so changes made in Active Directory are reflected in Okta.
3. No hardware or firewall changes needed
With cloud-based SSO, you don’t need to procure, install, configure, or support hardware of your own, and with a good SSO product no inbound firewall changes are required. Okta manages your connection to AD with a lightweight agent that connects to multiple AD domains and forests (even untrusted ones) without additional servers or changes to your firewall. The agent initiates every connection itself, reaching out to Okta over standard HTTPS (TCP port 443), so nothing on your network has to listen for inbound connections from the internet; the only requirement is that the agent host is permitted outbound HTTPS egress.
A modern cloud-based SSO solution is not only easier to deploy, it is also far more cost effective: Okta’s total cost of ownership can be half that of ADFS or of other solutions such as Oracle, IBM, CA, and Ping.
4. The ability to support on-prem web apps
Another common myth is that cloud SSO cannot support on-premises web apps such as WebLogic, E-Business Suite, or PeopleSoft that rely on header-based authentication, Kerberos, IWA, or other proprietary protocols. That was once a real limitation, but cloud-based SSO can now secure on-prem web apps without the deployment burden that came with legacy SSO. Analysts accordingly expect cloud-based SSO (also known as Identity as a Service, or IDaaS) to displace legacy SSO: "By 2022, IDaaS will be the chosen delivery model for more than 80% of access management deployments globally" (Gartner, Magic Quadrant for Access Management, 2018).
Fact: Modern SSO is not difficult to deploy
Modern, cloud-based single sign-on deployments are neither difficult nor complex. Prebuilt integrations and automatic directory connectors make it easy to onboard new users and add new apps without additional hardware or maintenance. The service is also easy to scale, highly available, and keeps costs down. Most importantly, the platform is operated and secured by experts who are completely focused on providing users with the simplest secure access possible, which leaves your own team free to concentrate on the decisions that remain yours, such as who should have access to which apps.