Why your cloud app should be SAML-enabled

April 2016 Information Security

For many companies, SSO (Single Sign-On) and MFA (Multifactor Authentication) have gone from being ‘nice extras’ to ‘must-haves’. If you haven’t already lost business because your application doesn’t support these features, chances are good that you soon will.

David Meyer, VP of product at OneLogin.
David Meyer, VP of product at OneLogin.

In many regulated industries such as healthcare and legal, identity management and SSO are mandated and other industries, such as high tech, that place a high value on efficiency and business integrity, simply won’t use a product that doesn’t support SAML (Security Assertion Markup Language).

Doug Meier, the director of security and compliance at Pandora says, “Identity management SSO is so crucial to Pandora that if a prospective cloud app vendor doesn’t have a SAML-connector for its SSO system – which happens about 30 percent of the time – the company will walk away.”

Other companies may not require SAML, but without a doubt, they sure would love to have the features SAML provides. One of the top feature requests for HipChat, with 2768 votes is SAML. Commenters are begging for SSO because the ease would increase app usage by employees, while others reveal they have given up the app after three years of unmet requests and have turned to a competitor.

Implementing SSO and MFA is time consuming

Getting it wrong can be disastrous: just like with any other crucial technology decision, choosing a solution that turns out to be difficult to maintain or doesn’t hold up over time can be a major setback in time and money.

Therefore, your focus should be on finding a solution that is hassle-free and long lasting. Managing federation with a slew of different providers or rolling your own MFA adds a significant amount of technical debt.

For early to mid-stage startups, simply rolling out SAML enables organisations using an identity management system such as OneLogin, to layer MFA before authentication happens via SAML, effectively increasing the security of your application, with no work on your part. Add a line like this to your FAQs: “We support multi-factor authentication through our cloud IAM partners,” and call it a day.

SAML is hassle-free and long lasting

SAML is easy because it doesn’t take a lot of time and money to implement. SAML is an XML-based, open-standard data format for exchanging authentication and authorisation data between parties, in particular, between an identity provider and a cloud application. It’s true that SAML used to be a huge and complex investment to enable. However, now you can enable SAML in as little as two hours. Learn how to enable SAML at www.onelogin.com/resources/saml-toolkits.

And SAML is safe because it is an industry standard that has been around since 2002 and is used by thousands of applications and all the leading IAM vendors. It isn’t going to disappear any time soon or be replaced by some new flavour-of-the-day that comes along.

Add value (that you can charge for)

By enabling SAML, you’re increasing the value of your app through all the benefits SAML provides: SSO, better usability, speed, and phishing prevention. You can enable SAML on your higher cost plans, such as an enterprise plan, and be reimbursed for the value you added.

Improve your application’s security profile

By using SAML to authenticate an identity instead of passing a username and password, it can decrease your vulnerability to several attacks:

• Completely eliminates the phishing attack vector. The user doesn’t even have a password that they could enter and they won’t ever see a login screen.

• Users often reuse passwords between sites. If another site is compromised and the passwords leaked, they won’t be able to be used on your application.

• Password resets can be used to compromise an application if a user’s email account has been hacked. With SSO there is no password to reset (and no users sending frustrated e-mails that they can’t login).

If your application is easy to use and automatically provisioned for employees, the likelihood that they will use it increases significantly. For many applications, the hassle of trying to remember the password or ask a co-worker to ‘add you to the account’ slows adoption.

Being an industry-standard not only makes SAML safe, but also improves your credibility – because when you follow the industry standard, you prove to potential customers that you know what you’re doing.

OneLogin offers free open-source SAML toolkits ( www.samltool.com) in five different web development platforms: .Net, Java, PHP, Python, and Ruby.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

NEC XON shares lessons learned from ransomware attacks
NEC XON Editor's Choice Information Security
NEC XON has handled many ransomware attacks. We've distilled key insights and listed them in this article to better equip companies and individuals for scenarios like this, which many will say are an inevitable reality in today’s environment.

Read more...
iOCO collaboration protection secures Office 365
Information Security Infrastructure
The cloud, in general, and Office 365, in particular, have played a significant role in enabling collaboration, but it has also created a security headache as organisations store valuable information on the platform.

Read more...
Cybercriminals embracing AI
Information Security Security Services & Risk Management
Organisations of all sizes are exploring how artificial intelligence (AI) and generative AI, in particular, can benefit their businesses. While they are still figuring out how best to use AI, cybercriminals have fully embraced it.

Read more...
A strong cybersecurity foundation
Milestone Systems Information Security
The data collected by cameras, connected sensors, and video management software can make a VMS an attractive target for malicious actors; therefore, being aware of the risks of an insecure video surveillance system and how to mitigate these are critical skills.

Read more...
Surveillance and cybersecurity
Cathexis Technologies Information Security
Whether your business runs a security system with a handful of cameras or it is an enterprise company with thousands of cameras monitoring sites across a multinational organisation, you must pay attention to cybersecurity.

Read more...
Cyber-armour for a healthcare industry under attack
NEC XON Information Security Healthcare (Industry)
Malicious actors have exploited compromised credentials, a clear and present danger when healthcare providers' reliance on remote access software allows adversaries to disguise themselves as legitimate users and gain unauthorised access to critical environments.

Read more...
Cybersecurity and AI
AI & Data Analytics Information Security
Cybersecurity is one of the primary reasons that detecting the commonalities and threats of what is otherwise completely unknown is possible with tools such as SIEM and endpoint protection platforms.

Read more...
What are MFA fatigue attacks, and how can they be prevented?
Information Security
Multifactor authentication is a security measure that requires users to provide a second form of verification before they can log into a corporate network. It has long been considered essential for keeping fraudsters out. However, cybercriminals have been discovering clever ways to bypass it.

Read more...
SA's cybersecurity risks to watch
Information Security
The persistent myth is that cybercrime only targets the biggest companies and economies, but cybercriminals are not bound by geography, and rapidly digitising economies lure them in large numbers.

Read more...
Cyber insurance a key component in cyber defence strategies
Information Security
[Sponsored] Cyber insurance has become a key part of South African organisations’ risk reduction strategies, driven by the need for additional financial protection and contingency plans in the event of a cyber incident.

Read more...