Your next implementation should be a Single Sign On System

What is Single Sign On?

Single Sign On, or SSO, is probably a phrase or acronym that you have seen a lot. To understand what it is in the most basic sense, consider this analogy: the internet is like a shopping mall, and each storefront a domain. Now, each time you enter a different store, you are immediately asked to provide your identity, and again asked to confirm that identity upon checkout. After visiting more than a couple stores, this process would probably get pretty frustrating, right?

SSO is an access mechanism that allows users to securely authenticate with multiple applications and websites by logging in only once. It permits a user to use one set of login credentials (e.g., name and password) to access multiple applications, and furthermore helps to mitigate the management of multiple usernames and passwords.

A well known example online is the “Login with Facebook” button that you see when accessing various websites. Instead of going through the process of creating a new password and filling out personal information, a user can just create and access an account using their existing social media credentials.

Current Landscape

Our experience has been that it is fairly common for associations to use their AMS/CRM as the central hub of all information related to their members. This often includes user logins, making the CRM the SSO solution for the organization.

This is convenient but not desirable in the long term, due to the following reasons:

  • Single Point of Failure: SSO solutions need to be very reliable, because if they are offline even for a few minutes, you have locked out all users on all your IT systems that use this as their SSO. Most AMS solutions are single deployments and are not set up in a High Availability (HA) environment.
  • Not Purpose-Built: CRMs are not designed to be SSO solutions, so simple things like user registration and password resets are not as user friendly as they would be in a purpose-built SSO solution.
  • Vendor Lock-in: Most systems store passwords using one-way hashing. If you save all user passwords in an AMS and then wish to migrate to a different AMS/CRM in the future, you cannot move the passwords and will typically need users to reset their passwords again. Migrating thousands of users is not something for the faint of heart!
  • Security Standards: Most SSO solutions are designed with more robust security features like Multi-Factor Authentication (MFA), group policies, etc., which most AMSs do not support.
  • Open Standards: Most AMSs will allow for SSO only via some sort of custom API, while SSO solutions have built-in support for open and well-established industry standards for authentication and authorization like SAML, OAuth and OpenID Connect. These standards are often supported out of the box by other IT systems that you may have in your organization, which means that integrating systems with SSO is easier with a standards-based system than it is with a custom API.
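To make the vendor lock-in point concrete, here is an added example (written for this post, not code from the original article or from any AMS, CRM or SSO product). It models a constructed in-memory "AMS" that stores one-way PBKDF2 hashes, exports those records to a constructed stand-in for an independent identity provider that uses a different scheme (scrypt), and shows why the export alone cannot produce usable credentials in the new scheme. It goes one step beyond the text by showing the usual mitigation: verify against the legacy hash at the user's next login and rehash with the new scheme at that moment, so only users who never log in again need a forced reset. Usernames, passwords, parameters and class names are all constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example data: an in-memory "AMS" credential store.
# Each record holds only the scheme, salt and hash; the password itself is never stored.
AMS_USERS: Dict[str, Dict[str, str]] = {}


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> Dict[str, str]:
    """One-way store-side hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2_sha256", "iterations": str(iterations), "salt": salt.hex(), "hash": digest.hex()}


def pbkdf2_verify(record: Dict[str, str], password: str) -> bool:
    """Recompute the hash from the candidate password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), int(record["iterations"])
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def ams_register(username: str, password: str) -> None:
    AMS_USERS[username] = pbkdf2_record(password)


def ams_export() -> Dict[str, Dict[str, str]]:
    """All the old AMS can hand over is hash records: there is no plaintext to export."""
    return {user: dict(rec) for user, rec in AMS_USERS.items()}


class NewIdentityProvider:
    """Constructed stand-in for the independent SSO/IdP; it hashes with a different scheme (scrypt)."""

    def __init__(self, imported: Dict[str, Dict[str, str]]) -> None:
        # Imported records keep the old scheme. They can be verified, but a scrypt
        # hash cannot be derived from a PBKDF2 hash without the original password.
        self.users: Dict[str, Dict[str, str]] = {u: dict(r) for u, r in imported.items()}

    @staticmethod
    def scrypt_record(password: str) -> Dict[str, str]:
        salt = os.urandom(16)
        digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
        return {"alg": "scrypt", "salt": salt.hex(), "hash": digest.hex()}

    @staticmethod
    def scrypt_verify(record: Dict[str, str], password: str) -> bool:
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(record["salt"]), n=2**14, r=8, p=1)
        return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

    def needs_reset(self, username: str) -> bool:
        """True while the user still carries a legacy hash; these are the users a reset campaign must target."""
        return self.users[username]["alg"] != "scrypt"

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        if record["alg"] == "pbkdf2_sha256":
            # Legacy path: verify with the old scheme, then rehash with the new one while
            # the plaintext is briefly in hand. This is the only moment the new scheme can
            # be applied without forcing the user through a reset.
            if not pbkdf2_verify(record, password):
                return False
            self.users[username] = self.scrypt_record(password)
            return True
        return self.scrypt_verify(record, password)


def demo() -> Dict[str, bool]:
    """Walk one constructed user through the migration and report each check."""
    ams_register("alice", "correct horse battery staple")
    idp = NewIdentityProvider(ams_export())
    return {
        "needs_reset_before_login": idp.needs_reset("alice"),
        "wrong_password_rejected": not idp.login("alice", "wrong"),
        "first_login_ok": idp.login("alice", "correct horse battery staple"),
        "reset_no_longer_needed": not idp.needs_reset("alice"),
        "second_login_uses_new_scheme": idp.login("alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The design choice worth noting is that `needs_reset` is the honest answer to "can we move the passwords?": before a user logs in again, the answer is no, and the old hash records are only useful because the new provider agrees to keep verifying the legacy scheme for a transition period. If the new system will not do that, every imported user is a forced reset, which is the migration pain the bullet above describes.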

This is often well understood but just generally accepted as a trade-off for simplicity. However, as associations move from monolithic AMS solutions to best-of-breed systems, it’s important to think of an independent SSO solution as a must-have. The level of effort and cost is often less than having all systems talk to the AMS.

Note about Open Standards

Some systems don’t support open authentication and authorization standards like OAuth, OpenID or SAML. While you may have existing systems that don’t support these standards, it should be an important consideration when picking new systems.

Single Sign On Solutions

There are many SSO offerings, some of them completely cloud based. Two of them that I happen to prefer the most are Gluu and Okta.

Gluu (www.gluu.org)

We are big proponents of open source software here at fusionSpan, and Gluu happens to be an Open Source SSO solution which is completely free to use. However, there is an option to upgrade to the premium version that comes with support. Gluu can be deployed very easily on any of the Cloud Service providers like AWS, Google Cloud etc. One trade off is that you will need someone to manage that hosting for you or your organization.

Okta (www.okta.com)

Okta is the leading commercial SSO solution out there, and fusionSpan is even an implementation partner. Okta already has connectors for most web applications and can auto import and sync data from a large number of systems. This allows you to keep all your user details in an external system like Salesforce, and still use Okta as the single sign on.

Okta does a lot more than SSO and can handle things like user provisioning to multiple applications (so if you add a user in your AMS, it automatically gets created in the LMS), and even has features where desktop logins in your organization can be tied to a single login.

Note about Salesforce

While Salesforce does provide implementations for OAuth and SAML and can be used as your Identity Provider, there is a catch. Salesforce logins are not free. Even community logins, while cheaper than regular users, come at a cost. If most of your members are logging into your Community site, then cost is not the major issue.

If your members are simply logging into systems like your website using Salesforce, then implementing an independent Single Sign On solution can be a substantial cost saver. The savings, along with the advantages listed above, make the decision to implement an independent SSO a no brainer.

Manav Kher

The official gear-head of fusionSpan. Manav has over 14 years of enterprise software development experience. Previously he spent 7 years in various lead development and architect roles at the National Cancer Institute (NCI). Notably, he contributed to the architecture and development of some of the core components of the caBIG infrastructure, for which he received the NCI caBIG Outstanding Achievement Award.