How to Get to Single Sign-On
Gregg Kreizman
Neil Wynne (Twitter: @neilwynne)

Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
SSO Is Often About Treating the Symptoms, Not the Disease

Key Issues
1. What are the forces driving enterprises to require SSO?
2. How should organizations plan for and choose SSO approaches and tools?
3. What are the market solutions, and which vendors and open source solutions can support different SSO needs?
How Did We Get Here?
(Figure: internal systems and the user interfaces and devices that reach them.) Internal systems: mainframe, application servers, portals, Lotus Notes, ERP, SaaS. User interfaces and devices: Windows "thick" client, Java, Web, terminal emulators, Mac, SAP GUI, Notes client. Users here, users there; users, users, everywhere!

The Other Projects Are Hard
(Figure: IAM project type plotted against project complexity and cost, from simple to complex.) Business/strategic projects: Identity & Access Governance, Identity Analytics. Tactical/IT projects: User Authentication, Limited-Scope SSO, ESSO, Password Management, Federation, Web Access Management, Directory Services, PAM, Externalized Authorization, User Administration/Provisioning.
Emerging Trends
Trends:
- SaaS application needs are reinvigorating the IAM market and are disrupting legacy IAM programs.
- Mobile resident apps and BYOD are adding to the disruption.
- Social network identity-based authentication is a first step in a trend toward the use of external identities.
Implications:
- Enterprise IAM managers must implement a cohesive strategy that accounts for enterprise and cloud apps with access from traditional and mobile endpoints.
- Social login and registration reduce friction and provide convenience, but will often require stepped-up controls.
Identify Use Cases and Relevant Target Systems
Examples:
- Employees inside the (logical) enterprise accessing Web-architected applications, or a mix of Web and legacy-architected systems.
- Employees accessing SaaS applications.
- Consumers accessing your external-facing Web applications.
- Partners accessing your external-facing Web applications.
- Access from smartphones and tablets; native app clients.

Inventory and Assess Application Architectures and Lifetimes
Columns: application name; application server architecture; application client user interface architecture; identity repository; current and other supported authentication methods; user population and use cases; estimated application lifetime.
- Finance: WebSphere/Java; thick client; DB2; one-time password tokens; employees on-premises and remote; replace in 2 years.
- Employee intranet: IIS; Web browser on desktops and mobile devices; Active Directory; password, X.509, one-time password tokens; employees and contractors on-premises and remote; greater than 5 years.
- CRM: SaaS; Web browser on desktops and mobile applications; SaaS vendor's repository; password; employees; greater than 3 years.

Can You Reduce the Problems Without Buying Anything New?
(Figure: integration options between apps, Active Directory, an LDAP directory and a virtual directory.)
- Retire or replace applications soon?
- Integrate apps with Active Directory via Kerberos.
- Integrate apps with an LDAP-accessible directory (RSO).
- Synchronize identities and passwords (RSO).
- Point apps at a virtual directory (RSO/SSO).
When Is Active Directory a Part of the Cure?
Type of integration, and whether it yields SSO or RSO:
- App integrated directly with Windows/Active Directory: Kerberos SSO.
- AD resource forest and one-way trust for integrated apps; users in multiple AD forests: Kerberos SSO.
- Unix/Linux integration with an AD bridge: Kerberos SSO/LDAP.
- App uses LDAP: RSO.
- Apps in the cloud via ADFS: SSO/RSO.

Internal Web-Based Applications, Internal and/or External Users (Software Wanted)
Best solution: Web access management (WAM)
Mobile support: browser access good; native apps variable
Example vendors: CA Technologies, RSA (EMC), Entrust, Evidian, IBM, NetIQ, Oracle, Ping Identity, SecureAuth. Open source: ForgeRock, CAS, OpenIAM.

Web Access Management MarketScope (as of 13 November 2013)
(Figure: each vendor rated on the scale Strong Negative, Caution, Promising, Positive, Strong Positive.) Vendors rated: CA Technologies, Entrust, Evidian, ForgeRock, IBM, Ilex, i-Sprint Innovations, NetIQ, Oracle, Ping Identity, RSA (The Security Division of EMC), SecureAuth.

Web Access Among Partners, Internal IAM Islands, to SaaS/BPO (Product Wanted)
(Figure: identity provider federating to a service provider and to SaaS.)
Best solution: Federation
Mobile support: browser access good; native apps variable
Example vendors: WAM vendors, Microsoft. Open source: Shibboleth, OpenIAM, ForgeRock.
Options: virtual directories and networking products extended with federation.

Internal Access to Windows, Web, Java, Mainframe, Notes and SAP GUI Applications
(Figure: employees on Windows "thick" clients, Java, Web, terminal emulators, Mac, SAP GUI and Notes clients reaching mainframe, application servers, portals, Lotus Notes, ERP and SaaS.)
Best solution: ESSO
Mobile support: poor; limited to Windows clients, with the exception of Web apps for some products
Example vendors: ActivIdentity, Avencis, CA Technologies, Citrix, Evidian, IBM, Ilex Computing, Imprivata, i-Sprint Innovations, NetIQ, Oracle, Caradigm (formerly Microsoft/GE Healthcare)

ESSO Rarely Needed
- Inexorable shift to Web-architected apps.
- SSO or RSO for legacy apps by integrating with AD or LDAP, or through password synchronization.
- Gartner client demand is for SSO to support employee-to-SaaS use cases and login to consumer-facing enterprise applications.
- Few ESSO vendors are making gains.
- Healthcare is the only bright spot in the market.
(Figure: client demand for ESSO, 2008 to 2014.)

Web Access, Internal-to-SaaS/BPO, or SaaS/BPO Provider-to-Many-Customers (Outsourced Solution Wanted)
(Figure: an identity bridge between the enterprise and SaaS.)
Best solution: IDaaS
Mobile support: browser access good; native apps variable
Example vendors: CA Technologies, McAfee (Intel), Okta, OneLogin, Ping Identity, RSA (EMC), Symplified, Symantec and many others
Cross-Platform Enterprise Mobile App Access Options
(Figure: ways to connect your mobile apps to the application server: a VPN client over a VPN; a Web Kit or SDK using OAuth or OIDC through a Web access manager or API gateway; apps in a container/wrapper under MDM/MAM behind an access gateway.)

Mobile Apps From Third Parties: The West Gets Wilder
(Figure: your organization administers and authenticates users and holds the authentication methods, administration and access management; your mobile users reach SaaS application resources from a browser or a native app. Open questions: what must the SaaS vendor provide, and what goes between the two sides?)

Mobile Apps From Third Parties: The West Gets Wilder, Part 2
(Figure: the same picture with the gaps filled. The SaaS side provides SP-initiated federation and a provisioning API; your organization adds a federation IdP and a provisioning connector to its authentication methods, administration and access management; the native app connects through an SDK, Webkit or SSO app.)

"We Want to Accept Social Login for Access to Our Applications"
(Figure: a portal and access manager apply policies in front of protected resources and databases. The resources range from nonsensitive information, marketing and initial registration, through minor profile updates and initiating a benefits change, to viewing healthcare data and transferring funds; the matching controls range from using on-hand data, through using available authentication data and context, to identity proofing.)
Action Plan for CISOs and Data Center Managers
Monday Morning:
- Identify the most used target systems, and those generating the most help desk calls for authentication-related events.
- Align these target systems with the common use cases discussed in this presentation, and prioritize these first for simplification.
Your Next 90 Days:
- Calculate the number and cost of calls related to password management and authentication failures.
- Determine whether any targets will be out of scope within one to two years, and would thus reduce the problem space.
- Evaluate the need for solutions to apply to these use cases, and potentially identify them (most were highlighted in this presentation).
- If the outcome is positive, present the business case for moving forward, and establish the project.
Your Next 12 Months:
- Evaluate, select, and implement solutions; include communication and training.
- Identify and highlight post-implementation benefits relative to costs.

Recommended Gartner Research
- How to Get to Single Sign-On, Gregg Kreizman (G00247863)
- Choosing Among Federated Identity Management Options, Gregg Kreizman (G00239178)
- Are You and the IDaaS Market Ready for Each Other?, Gregg Kreizman (G00247865)
- Resolving Mobile Device Challenges to Single Sign-On, Gregg Kreizman, Dionisio Zumerle, and John Girard (G00247868)
For more information, stop by Gartner Research Zone.