The fusionSpan Blog

Your next implementation should be a Single Sign On System

By Jason Cookman |February 13, 2020
Integrations

What is Single Sign On?

Single Sign On, or SSO, is probably a phrase or acronym that you have seen a lot. To understand what it is in the most basic sense, consider this analogy: the internet is like a shopping mall, and each storefront a domain. Now, each time you enter a different store, you are immediately asked to provide your identity, and again asked to confirm that identity upon checkout. After visiting more than a couple stores, this process would probably get pretty frustrating, right?

SSO is an access mechanism that allows users to securely authenticate with multiple applications and websites by logging in only once. It permits a user to use one set of login credentials (e.g., name and password) to access multiple applications, and it reduces the burden of managing multiple usernames and passwords.

A well known example online is the “Login with Facebook” button that you see when accessing various websites. Instead of going through the process of creating a new password and filling out personal information, a user can just create and access an account using their existing social media credentials.

Current Landscape

Our experience has been that it is fairly common for associations to use their AMS/CRM as the central hub of all information related to their members. This often includes user logins, making the CRM the SSO solution for the organization.

This is convenient but not desirable in the long term, due to the following reasons:

  • Single Point of Failure: SSO solutions need to be very reliable, because if they are offline even for a few minutes, you have locked out users on all your IT systems. Most AMS solutions are not set up in a High Availability (HA) environment.
  • Not Designed for the Job: CRMs are not designed to be SSO solutions, so simple things like user registration and password resets are not as user friendly as an SSO solution should be.
  • Vendor Lock-in: Most systems store passwords as one-way hashes. If you keep all user passwords in an AMS and then wish to migrate to a different AMS/CRM in the future, you cannot move the passwords and will typically need users to reset their passwords again. Migrating thousands of users is not something for the faint of heart!
  • Security Standards: Most SSO solutions are designed with more robust security features like Multi Factor Authentication (MFA), group policies etc., which most AMSs do not support.
  • Open Standards: SSO solutions have built-in support for open and well established industry standards for authentication and authorization like SAML, OAuth and OpenID Connect, which means that integrating other systems with a standards-based SSO is easier.

This is often well understood but just generally accepted as a trade-off for simplicity. However, as associations move from monolithic AMS solutions to best-of-breed systems, it's important to think of an independent SSO solution as a must-have. The level of effort and cost is often less than having all systems talk to the AMS.

Note about Open Standards

Some systems don't support open authentication and authorization standards like OAuth, OpenID Connect or SAML. While you may have existing systems that don't support these standards, support for them should be an important consideration when picking new systems.

Also, when a vendor says "we support SSO", it's important to ask whether they support SSO where users' passwords are not stored in their system. Often the SSO that vendors support is the ability for other systems to use their authentication API, and not the other way around.

Single Sign On Solutions

There are many SSO offerings, some of them completely cloud based. We like:

Auth0 (www.auth0.com)

We like Auth0 because it is a very feature-rich identity platform and surprisingly affordable (the base version is free to use). It provides a lot of flexibility in integrating backend systems and customizing the user experience.

One great feature for associations is its migration capability: users can keep signing in with their existing credentials and are migrated over time to Auth0 from the current AMS/CRM sign-on process.
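The gradual migration described above is usually implemented as a lazy re-hash at login time. The following is an added illustration of that pattern, not Auth0's or fusionSpan's code; the legacy AMS store (unsalted SHA-256, a constructed weak scheme) and the new PBKDF2 store are both assumed in-memory stand-ins.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed legacy store: assume the old AMS kept unsalted SHA-256 hex digests.
LEGACY_USERS: Dict[str, str] = {
    "alice@example.org": hashlib.sha256(b"correct horse").hexdigest(),
}

# New identity store: salted PBKDF2-HMAC-SHA256, one record per migrated user.
NEW_USERS: Dict[str, Tuple[bytes, bytes]] = {}
PBKDF2_ROUNDS = 600_000  # example work factor; tune to your hardware


def new_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash under the new scheme, generating a fresh random salt if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def legacy_verify(username: str, password: str) -> bool:
    """Check against the old AMS scheme, comparing digests in constant time."""
    stored = LEGACY_USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)


def login(username: str, password: str) -> str:
    """Return 'new', 'migrated' or 'denied' so the caller can see which path ran."""
    record = NEW_USERS.get(username)
    if record is not None:
        salt, digest = record
        _, candidate = new_hash(password, salt)
        return "new" if hmac.compare_digest(candidate, digest) else "denied"
    # Not yet migrated: the plaintext is available only now, at login, so this
    # is the one chance to re-hash it under the new scheme without a reset.
    if legacy_verify(username, password):
        NEW_USERS[username] = new_hash(password)
        del LEGACY_USERS[username]  # the legacy record is no longer authoritative
        return "migrated"
    return "denied"
```

Users who never log in during the migration window are the ones who end up needing a password reset, which is why this approach is usually paired with a cut-off date.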

Gluu (https://gluu.org/)

We are big proponents of open source software here at fusionSpan, and Gluu happens to be an open source SSO solution which is completely free to use. However, there is an option to upgrade to the premium version that comes with support. Gluu can be deployed very easily on any of the cloud service providers like AWS, Google Cloud etc. One trade-off is that you will need someone to manage that hosting for you or your organization.

Okta (www.okta.com)

Okta is the leading commercial SSO solution out there, and fusionSpan is even an implementation partner. Okta already has connectors for most web applications and can auto-import and sync data from a large number of systems. This allows you to keep all your user details in an external system like Salesforce, and still use Okta as the single sign-on.

Okta does a lot more than SSO and can handle things like user provisioning to multiple applications (so if you add a user in your AMS, it automatically gets created in the LMS), and it even has features where desktop logins in your organization can be tied to a single login.

Note about Salesforce

While Salesforce does provide implementations for OAuth and SAML and can be used as your Identity Provider, there is a catch. Salesforce logins are not free. Even community logins, while cheaper than regular users, come at a cost. If most of your members are logging into your Community site, then cost is not the major issue.

If your members are simply logging into systems like your website using Salesforce, then implementing an independent Single Sign On solution can be a substantial cost saver. The savings, along with the advantages listed above, make the decision to implement an independent SSO a no-brainer.

Jason Cookman

Jason is a Senior Salesforce Architect and has been with fusionSpan since June 2014. He has multiple Salesforce Certifications and has led the solution architecture on dozens of Salesforce implementations. In addition he has created apps on a variety of platforms and frameworks including MuleSoft, Spring Boot, AngularJS and Drupal. He has been coding in Java, PHP and JavaScript for more than eight years and has over six years of experience developing on the Salesforce Platform in Apex, Visualforce and Lightning. He is a graduate of the University of Maryland with a double bachelor's degree in Computer Science and Accounting. Jason's favorite foods are ramen, ramen and more ramen.