The need to provide identity and access management persists in the cloud, but cloud access management is handled differently than in on-premises applications where users sign on to a workstation and are connected to the business apps.
Commercial and government enterprises with growing Software-as-a-Service (SaaS) portfolios face the task of simplifying users' onramp to apps, and that is where SaaS single sign-on (SSO) comes in. As a subset of identity and access management, SSO lets users log in once to gain access to the applications they have been authorized to use.
Channel partners have an opportunity to help customers provide SaaS single sign-on capabilities. There are several roles for solutions providers to play in this field, from advising customers on their options to helping them deploy SSO solutions. The technology ranges from on-premises products to SaaS-based single sign-on offerings.
"We are seeing our customers rapidly moving to SaaS applications," noted Charles Radi, senior vice president and principal cloud architect at Cloud Technology Partners Inc., a Boston-based company that provides cloud strategy and implementation services. "This expected rapid growth in managed identities is driving the need for improved SSO, automation and audit/compliance."
SSO use among cloud adopters isn't widespread, said David Hoff, chief technology officer at Cloud Sherpas, an Atlanta-based cloud service provider. Cloud Sherpas partners with Google Enterprise and Salesforce.com, and Hoff said that the majority of his customers that have transitioned to the cloud aren't currently using SSO infrastructure.
Single sign-on technology drivers
Solutions providers say that the need for SSO will grow as organizations pile on more SaaS applications. Access issues become noticeable once customers adopt three to five cloud-based applications, spurring the SSO conversation, said Hoff.
This expected rapid growth in managed identities is driving the need for improved SSO, automation and audit/compliance.
Charles Radi, senior vice president, Cloud Technology Partners
Dealing with individual passwords for each application causes the quality of the user experience to diminish, particularly if employees are accustomed to ready access to Windows applications through an Active Directory login.
Cloud SSO provides a more seamless user experience, and Ashok Rout, deputy CTO at Social Interest Solutions Inc., a nonprofit IT solutions provider based in Sacramento, Calif. He said SaaS single sign-on is also a productivity booster.
Rout said the time savings of an efficient login process can add up for organizations with thousands of employees accessing multiple applications. "They very soon realize how much time they can save by implementing SSO," he added.
Security and admin savings represent the top two items that drive the business case for adoption of SaaS single sign-on, said Erik Sebesta, chief architect and technology officer at Cloud Technology Partners. From the security perspective, SSO reduces the number of passwords a user has to remember -- and may end the practice of writing it on a Post-it note. Simplified login reduces calls to the help desk when passwords are forgotten, providing administrative time savings.
Coupling SSO with other tools such as automated provisioning and de-provisioning further eases the burden on IT managers. A customer with a bevy of heavily used SaaS applications can expect a lot of legwork when it comes to bringing new employees on board or disabling access.
"The admin has to go into each one of those apps and manually lock you out," Hoff said. "That is when you start to see the power of ... a front-end authentication solution."
Many customers already have some type of identity and access management approach in place for their on-premises applications. An integrator can work with a customer to extend those overarching strategies to the SaaS world.
"The increase in the number of connected SaaS providers is driving the need to extend enterprise security to the cloud," Radi said. "The introduction of SaaS requires our customers to rationalize and gain alignment with the overall identity and access management strategy."
SaaS providers traditionally lack the ability to enforce enterprise security policies such as password management, zero-day start and stop, and audit/event logs, said Radi.
So, cloud adopters may decide to tap the identity and access management solutions they already have in place, such as products from CA, IBM or Oracle.
Sebesta noted that established enterprises typically use their existing traditional identity management solutions to extend SSO to SaaS.
At the other end of the solutions spectrum, customers may opt to deploy a nontraditional, cloud-centric SSO product. Okta, Ping Identity and Simplified provide these tools.
"Companies are ... buying more cloud services and want more of a cloud-based solution," said Frederic Kerrest, chief operating officer and co-founder of Okta.
Okta reports that it has added over a dozen integrators and resellers over the past year and plans to ramp its partner programs as traction accelerates.
"I think the large companies are really pushing the systems integrators to figure it out more quickly," Kerrest said.
But there is a middle ground between pure on-premises and pure SaaS. Some customers may mix and match on-premises SSO infrastructure with SaaS offerings. This scenario casts the channel partner in an integration role, and the link up often occurs through an Active Directory identity store.
Customers may build their own custom integrations between Active Directory and SaaS applications, said Kerrest, noting that the process can prove expensive and complicated from a support perspective. Okta offers Active Directory integration, which "gets customers out of the bridge-building business," said Kerrest.
Hoff, whose company taps Okta as one of its go-to SSO solutions, said a quarter of his Okta customers deploy the Active Directory connector. The majority of customers, he added, use Okta's native repository.
Channel opportunities for single sign-on
A channel company's role in SaaS and SSO varies according to its focus. An integrator, for example, may start out as a referral partner, introducing customers to cloud-based SSO and, eventually, building an implementation business around the technology.
A reseller, on the other hand, may opt to bundle an SSO solution with the SaaS apps it offers to customers. Kerrest said such companies look to resell the solutions alongside something they already provide because it increases the value proposition and boosts the revenue potential of a sale.
"Our customers are usually interested in our core solutions -- Google and Salesforce.com -- as the primary goal, and SSO is an additive solution that is part of their deployment," Hoff explained.
SSO implementation services can also generate revenue. Hoff said deployments aren't hugely complicated, but noted that a fair amount of integration may be involved. He said his company helps customers with such issues as password synchronization, two-factor authentication and Active Directory integration.
In addition to Okta, Cloud Sherpas also works with SecureAuth, which Hoff described as more of an on-premises appliance.
Whether customers have a cloud-only greenfield environment or a mixed setting with both SaaS and on-premises apps, there is opportunity to sell SSO services. Knowing what the alternatives are helps establish a reseller or integrator in a trusted adviser role.