The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

Single Sign On – why it’s important for SaaS Subscription Management

Single Sign On (SSO) provides a quick and secure way to log in to multiple services using a single username and password. Perhaps surprisingly, it can also help you manage your SaaS Subscriptions.

What is SSO?

SSO works by taking your initial login to a system (for example your PC), encrypting it so it is secure (also called tokenisation) and then using that token to access all other systems automatically without further need for username and password submission. There are many benefits to this approach including:

  1. Passwords are not shared with third-party service providers
  2. Tokens automatically expire, and can be revoked centrally
  3. Central management of authentication, meaning your Join, Move, Leave (JML) process is streamlined
  4. Password standards can be complex, because your users only have to enter the password once per day.
  5. Users are prevented from using the same password for multiple services, reducing the risk of a single site hack enabling access to other sites.
  6. Reduction in cost and improvement in productivity because there will be less forgotten password requests to your Service Desk.

On premises SSO has been around for over 20 years – for most users probably hooking together your PC Login, Outlook account, and intranet with your Active Directory. However, when applications move to the cloud there are suddenly many more authentication requests. And, typically, you don’t want to be giving each SaaS provider access to your corporate directory. Similarly, you don’t want your employees to manage separate identities and passwords for each service – that will lead to weak passwords, password re-use, and potentially harm adoption of new services.

As a result providers such as Okta, OneLogin, SailPoint, and Microsoft offer cloud-based SSO services which integrate with (and usually replace) your on premises directory. Identity and Access is then managed in a single place meaning that you have one place to go to see which systems, both internal and external, a user has access to. The primary benefit of this is that it simplifies both the user login experience and also the process of managing identity. It also streamlines onboarding, often with the use of personas – for example each new staff member in the Contact Centre automatically receives logins to the same systems as their colleagues.

Managing SaaS Spend using SSO

READ ALSO:  Market Guide - Office 365 Optimisation

So, how does SSO help manage your SaaS Subscriptions? When user identity is stored in a single place it is vital to get detailed reports on which login has been granted access to which systems. This capability was developed by the SSO providers primarily in response to IT Security & Compliance requirements, particularly around SOX compliance which requires regular User Access Reviews (UARs) and Privileged Access Reviews (PARs). With the implementation of GDPR comes a requirement to maintain a Record of Processing Activity for a subject’s PII. With these stringent regulatory requirements already being met by SSO vendors it is a simple step to extend them to provide data useful for an IT Asset Manager or SaaS Subscription Manager.

For SaaS Subscription Management applications integrating with an SSO solution can provide fine-grained inventory data such as;

User Name

Device Name

Access Time

Usage

Primarily this enables the SaaS Subscription Manager to discover which users are using which SaaS apps and for how long, enabling harvesting and optimisation of subscriptions. When combined with cost data from other sources (e.g. Accounts Payable) along with a corporate hierarchy it enables cross-charges at a departmental level to be calculated. If budgets are held centrally “showbacks” can be reported instead, which can enable budget holders to target departments not making efficient use of their SaaS Subscriptions. Organisations need to do this themselves because as yet there is no common standard for SaaS Providers to make this information available to their customers. Whilst some (e.g. Microsoft, Salesforce) may provide API access to this data as part of the service, others (e.g. Adobe) only make it available to customers paying a premium for their services. And there is a very long tail of SaaS Providers who make no information available other than what’s contained on the monthly invoice.

This piecemeal approach leaves Subscription Managers juggling multiple bills for multiple vendors, making it difficult to generate accurate costs and forecasts for SSO usage. This is a big contributer to the estimated 30% wastage of SaaS Subscriptions – soon to amount to $30bn annually.

SSO Discovery – Benefits and Challenges

SSO as a discovery and inventory method for SaaS has some key differentiators compared to other methods. Of greatest significance is ease of deployment (no agent or plugin is required) and the ability to capture usage on personal devices which may not be managed by the organisation. Furthermore, by only capturing SaaS apps known to an organisation, there are no privacy concerns associated with this method. All usage will be corporate usage only and covered by your existing acceptable use and privacy policies.

READ ALSO:  How to reduce software maintenance costs in line with reduced consumption

My conference session and recent articles highlighted, however, that no single SaaS discovery method is sufficient to discover all SaaS usage. In the case of SSO integration there are two difficulties to overcome. Firstly, this will only discover apps known to the organisation – it won’t find Shadow IT. The app needs to be set up in the SSO vendor’s product in order for it to be SSO-enabled, and this usually can only be done by IT, because they manage the SSO product. Secondly, the app needs to be compatible with the SSO vendor’s product. This is becoming less of an issue as the SSO market grows rapidly and authentication standards get adopted widely. However, it may still be the case that you have SaaS apps that don’t integrate with your chosen SSO provider.

Summary

 To summarise, SSO integration is one of the best methods for inventorying your SaaS applications and providing detailed and actionable insight into their usage. Most SaaS Subscription optimisation tools provide this integration, either as a primary or secondary source of inventory data. Many further enhance this data by pulling in data from HR & Finance systems to provide a full-width SaaS Subscription Optimisation Service.

If you’re using one of these tools I’m interested in hearing from you, either in the comments below, in the Forum, or ideally via a Product Review on the ITAM Review Marketplace. This is an emerging market and will be a key battleground for tool providers as SaaS spend continues to rise.

 

email

About AJ Witt

A former IT Asset Manager, AJ is Industry Analyst for The ITAM Review. He's interested in hearing from end users of ITAM tools and also vendors. He enjoys writing about the SaaS Management market, practical aspects of ITAM operations, and the strategy of major software publishers. You can connect via email (aj.witt@itassetmanagement.net) or LinkedIn. AJ enjoys cycling, music, and spending time with his family.

4 Comments

  1. Kylie says:

    Nice article, AJ. Very useful!

  2. @piarasmacdonnel says:

    SSO when implemented across the board is excellent but as you point out in your article not all vendor integrate with your chosen SSO solution. For Iaas and Paas you’ll need other solutions.

    From a SAM perspective I really like it because someone else will maintain it and we just need to collect the data.

  3. AJ Witt says:

    @piarasmacdonnel Agreed – there is a lot of fragmentation of capabilities, which I’d imagine will reduce as the market and technology matures. Looking at the really big picture I’d love to see some standards work as part of 19770, defining the inventory information a XaaS product should report, and a data format/API standard for that.

  4. srinivas says:

    AJ,

    May be i am picking this thread late . I am using OKTA for SSO , we have a bunch of Sass applications like JIRA, ZOOM , Tanium , Crowdstrike Etc . To add to the list , we are buying another tool ‘Produciv’ for Sass application analysis , how can we stop this dupe investment’s, when OKTA could done analysis part . Can i upload legacy data onto SSO engine like PO’s, contract’s etc for analysis purpose .

Leave a Comment