10 Things You Must Know Before Implementing a Single Sign On (SSO) Solution
Great news, you are about to implement a Single Sign On (SSO) solution into your organization. This means that you are on the right track. SSO solutions like Okta, Onelogin, Bitium, and others are more than just password managers. They bring you tight security and granular control of SaaS application access, minimizing even further the attack surface. With the growing number of SaaS applications being used, implementing an SSO is no longer a question of why, but rather when.
Here are the 10 things you must know before you start implementing an SSO solution into your organization. Knowing these in advance will save you a lot of time and annoyance.
1. Know What SaaS Apps You Have
The first thing you must do is to map out all applications currently in use in your organization. This task may seem simple on the surface, but covering the unknown takes time. You may discover many surprises at this point: unused applications, orphaned ones, and some you may not have been aware of.
Talking to our customers has revealed time after time that the number of SaaS applications in use is usually 60% more than what IT managers have estimated.
If you are not using a SaaS management tool already, you should start considering one. SaaS management tools give you immediate and full visibility into all SaaS applications used by your organization.
2. Know Your Users. External Users Included
After you’ve mapped your SaaS applications, you should map the users of those applications, including your external users. External users are the contractors and temporary employees whom we tend to forget when thinking about who needs access to our systems. Nevertheless, they need to be able to log in to certain systems.
Do they need any special configuration? Does the SSO provider allow you to set different settings for external users? Can you specify expiration dates for temporary employees?
3. Know Which SaaS Apps Can be Connected
Not all SaaS applications support Single Sign-On. There are several SSO protocols available, and you should check for SAML 2.0 support in your SaaS apps.
As part of your SaaS mapping, you should identify which SaaS apps support SAML and whether your SSO platform provides a fallback, such as alternative protocols or support for form-based login.
Security Assertion Markup Language 2.0 (SAML 2.0) is a standard for exchanging authentication and authorization data between security domains. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which reduces the administrative overhead of distributing separate credentials for each application to the user.
4. Connecting to your Azure AD or G Suite
Many organizations rely on G Suite or Azure AD as their identity provider. Some may use a different Directory as a Service (DaaS) solution.
Your SSO of choice should be able to delegate your authentication requests to the relevant service, allowing you to keep a single master record for your users’ identities.
5. Automatic Provisioning Strategy
Some SaaS applications may offer you automatic provisioning. Should you enable that or not?
Automatic provisioning allows you to simply add your users to your SSO provider and the relevant group; from that point on, each user is provisioned automatically on their first login to the SaaS app.
While this method may save you time, without a SaaS management tool it may cause your license management to get out of control, as each provisioned user may automatically consume an additional paid license.
6. Understand the Hidden Cost of SSO
Many IT departments are not prepared for the cost of implementing SSO that arises from upgrading the SaaS application in use. It may come as a surprise to you, but many SaaS vendors do not offer SAML support in their basic offering and upgrading to higher tiers is required in many cases. The cost is not marginal, and in many cases, may surpass the payment to the SSO provider itself.
Take Dropbox, for example. SSO support is enabled only on their Advanced plans, at $20/user/month as opposed to $12.50/user/month on their Standard plan.
Using Zoom for meetings? Get ready to pay an extra $5 per user/month.
And if you want your user to login to Slack using SSO, the price doubles from $6.67/user/month to $12.50/user/month.
These are just 3 examples. You should check your current plans with your SaaS vendors and plan your SSO project budget accordingly.
7. Multi-Factor Authentication Side Effects
It is highly advised to add Multi-Factor Authentication (MFA) along with your SSO solution, or at least to your critical business applications, as it serves two purposes. First and foremost, it adds a crucial layer of security. Second, it raises the security awareness of your employees.
Yet pay attention, as some SaaS accounts may have been used as shared accounts, where more than one employee can access them. Enabling MFA on certain business applications may block access to those shared accounts. Make sure to validate those aspects with your users before rolling out MFA on those business applications.
8. Time to Configure and Connect SaaS apps
No matter what the SSO vendors promise you when they are selling you a solution, be aware that migrating your SaaS applications to Single Sign-On takes time. This goes far beyond clicking a few buttons, as several factors contribute to the overall complexity here:
- Upgrading SaaS applications to the right plan, as discussed in section 6.
- You need to configure SAML for each SaaS application you want to connect. This is a manual, error-prone process, and the configuration of each SaaS application is different.
- For some SaaS applications, moving from email/password login to SAML login may force all your users to reconnect. Some users may find themselves locked out of crucial business applications if they don’t follow all the guidelines. This may be a significant interruption to their workflow. Make sure you communicate the change well upfront and coordinate it with the relevant stakeholders well in advance.
9. SSO is Not a Silver Bullet
As with other great technological promises, SSO is no different; it is not your silver bullet. SSO doesn’t replace your employees’ common sense and best practices for keeping access to SaaS apps secure. Now access to all of an employee’s apps depends on the security of their password. Keep educating your employees about password best practices. Repeat the basics: not writing passwords down on sticky notes, and not sending them over Slack or email. This is more important now than ever before.
Make sure your employees make the best out of the SSO solution you’ve provided and not blindly rely on it.
The IT workplace is changing, and so is the role of the IT department. Providing your organization with the right set of tools is your role. Implementing an SSO solution is no longer just a nice-to-have tool, it is the right tool to implement today. Without it, your organization will either be less secure, or will just keep lagging behind the competition. Keeping up with all the SaaS apps out there is just impossible without the right tools.
Give Torii a try! It’s a simple and quick setup, and it gives you instant visibility and control to all your SaaS apps.
Uri Nativ has over 19 years of software engineering experience as both an engineer and a hands-on manager. He founded the Klarna Engineering center in Tel-Aviv, holding the position of VP Engineering & Site Manager. Uri has broad experience building B2B enterprise products from his days at VMware, EMC, nLayers, and Sanctum.