Today, each person carries an average of three devices, and each one has access to multiple applications containing sensitive corporate data. Gone are the days of managing a monolithic file server attached to each employee’s workstation. Instead, IT finds itself tasked with securely managing a burgeoning number of users, devices, and applications spread across both on-premises and cloud-based infrastructure. What’s worse, IT is expected to provision new services at a pace that meets the “now” mentality of business while providing an end-user experience on par with popular B2C websites.
Cloud applications can be made available instantly, without the traditional burdens of IT infrastructure, and they are typically accessible from anywhere. However, a company with 2,000 employees, each with 10 cloud apps, is now managing - or forcing their employees to manage - 20,000 usernames and passwords. That’s 20,000 points of entry for a hacker or disgruntled former employee, not to mention a flood of password-related help desk tickets. Clearly, managing all those individual usernames and passwords is the wrong approach.
Instead, organisations need to address identity management and single sign-on in the cloud, and they need to do so in a cost-effective, efficient, and sustainable manner, while meeting the ever-rising end-user expectations around ease of use. There are standards that can help.
SAML for SaaS Apps Accessed from Your Web Browser
As an industry, it is in our best interest to promote standards that help IT make their organisations more secure and productive across all their devices and applications. SAML (Security Assertion Markup Language) is considered the “gold standard” for single sign-on and completely eliminates all passwords. Instead, it uses digital signatures to establish trust between the identity provider and the application. It provides a massive security boost by enabling enterprises to more easily control access to their sensitive data.
According to a recent study conducted by the Cloud Security Alliance and OneLogin, 67% of the SaaS vendors surveyed use SAML for single sign-on (SSO) identity management, while 19% plan to implement the standard within the next 12 months. According to the study, customer demand, improved security and compliance, and speed of integration are key drivers of SAML adoption.
Here are some reasons that SaaS vendors and enterprises alike favour SAML:
- Usability — One-click access from portals or intranets, deep linking, password elimination, and automatically renewing sessions make life easier for the user.
- Security — Based on strong digital signatures for authentication and integrity, SAML is a secure single sign-on protocol that the largest and most security-conscious enterprises in the world rely on.
- Speed — SAML is fast. One browser redirect is all it takes to securely sign a user into an application.
- Phishing Prevention — If you don’t have a password for an app, you can’t be tricked into entering it on a fake login page.
- IT Friendly — SAML simplifies life for IT because it centralises authentication, provides greater visibility and makes directory integration easier.
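To make the signature-based trust described above concrete, here is an added example (not OneLogin's or the page's own code) of both halves of the exchange: the identity provider signs an assertion, and the service provider verifies that signature with the IdP key it already trusts before it enforces issuer, audience and expiry. It simplifies real SAML by signing the raw assertion bytes instead of carrying an enveloped XML-DSig over canonicalised XML; the struct fields, function names and URLs are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"time"
)

// Conditions is the subset of <saml:Conditions> that the SP checks here.
type Conditions struct {
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}
// Assertion is a deliberately minimal model of a SAML 2.0 Assertion (assumed shape).
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}

// SignAssertion is the IdP side; simplification: real SAML uses enveloped XML-DSig.
func SignAssertion(doc []byte, idpKey *rsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, h[:])
}

// VerifyAssertion is the SP side: signature first (that is the trust), then the rest.
func VerifyAssertion(doc, sig []byte, idpKey *rsa.PublicKey, issuer, spID string, now time.Time) (string, error) {
	h := sha256.Sum256(doc)
	if rsa.VerifyPKCS1v15(idpKey, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("signature does not verify with the trusted IdP key")
	}
	var a Assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return "", err
	}
	if a.Issuer != issuer || a.Conditions.Audience != spID {
		return "", errors.New("assertion is from an untrusted issuer or not addressed to this SP")
	}
	exp, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil || !now.Before(exp) {
		return "", errors.New("assertion has expired or NotOnOrAfter is malformed")
	}
	return a.NameID, nil // the user is signed in without ever holding an app password
}
```

A tampered NameID, an assertion minted for another SP, or an expired one all fail before any session is created, which is the control the bullets above rely on.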
Native applications (NAPPS) for SaaS Apps Installed on Mobile Devices
SAML is great for accessing web-architected apps from a web browser, but what about SaaS apps installed on smartphones and tablets? The SAML sign-in process would work, but it's woefully inefficient; users must authenticate their identity for each app they open. Professionals who rely on devices such as tablets and smartphones find this frustrating. Imagine having to sign in on a small touch screen with a username and password every time you open a new app. With the growth in the number of applications mobile professionals use in their day-to-day work, the problem is certain to get worse. We must find a better solution for the mobile environment.
A new standard is being developed to solve this problem. Called NAPPS (Native Applications), this standard is being driven by the OpenID Foundation and will provide SSO to apps that are installed on mobile devices. The standard is currently being developed by the NAPPS Working Group, and is due to be formalised later this year.
NAPPS will formalise the approach to SSO on mobile devices, creating identity provider services that will be responsible for managing access. While these will work in a different way than SAML, the end result will be the same: convenient, secure access to enterprise IT assets with IT back in control.
For the user, one click will open an application and he or she will have access to the full capabilities that the mobile version of the app allows. This is a true SSO experience for a mobile environment and because it’s a standards-based approach, a Token Agent built by one vendor should work with an identity server built or run by another, so customers are not locked into a specific vendor.
Things are moving fast; we expect to have the standard ratified by Q3, with the first application of NAPPS appearing in production environments by the end of the year. It will be a major step forward in linking identity, mobile and enterprise applications together to provide an easy and secure end-user experience. Isn’t that what mobile and cloud computing is all about?
About the Author
Daniel Power is Sales Director EMEA at OneLogin. He is a veteran in developing and managing operations for technology start-up companies entering the UK. At OneLogin, Daniel’s role encompasses managing the company’s business development activities, recruiting reseller partners, and working with strategic ISVs to SAML-enable their offerings. He is an expert in identity management and single sign-on within the government and enterprise space.