usability drives security

Microsoft’s Study on Social Single Sign-On Protocols

Thomas Pedersen on March 27, 2012

Several of our customers have asked whether Microsoft's recent report on single sign-on flaws should make them worry about single sign-on in general.

Microsoft’s research paper focuses on the single sign-on protocols Facebook Connect, OpenID and Google ID. These are all social single sign-on systems whose primary objective is to provide convenience to the user rather than very strong security. As an example, when Facebook Connect was first announced, it was positioned as an easy way for third party sites to tap into Facebook’s social graph. Once you are signed into Facebook, sites like Yelp can use your active Facebook session to extract your name and photo as well as make it easy to post your own reviews on your Facebook wall.

Social single sign-on solves a different problem than enterprise single sign-on, which is designed with security as the number one priority. Security Assertion Markup Language (SAML) is the standards-based enterprise single sign-on protocol used by leading SaaS applications like Google Apps, Salesforce and WebEx. SAML’s security uses digital signatures to ensure message integrity and authentication. OneLogin’s SAML implementation uses 2,048-bit keys, which are considered to be impossible to break with the processing power available today and well into the future.

It can be hard for most people to grasp just how strong a 2,048-bit key is, so here is a video that visualizes how long it would take to crack a 2,048-bit key using a modern desktop computer.

    http://www.digicert.com/TimeTravel

If you want to understand the math behind the video, check out the details here.

    http://www.digicert.com/TimeTravel/math.htm

The cryptography behind SAML is very strong; when vulnerabilities in enterprise single sign-on are found, they relate to a vendor's implementation of the protocol and how it is integrated with the rest of their service. For example, a vendor may allow users to sign in with a password even when SAML is turned on, which can be viewed as a way of circumventing the multi-factor authentication enforced by the identity provider.
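The bypass described above is a policy problem rather than a protocol problem, so the fix is an enforcement check at the service provider. The following is an added example, not OneLogin's code: a minimal login policy that refuses password authentication for organisations with SAML enforced (so the identity provider's multi-factor authentication cannot be side-stepped), plus an audit-log check that flags any such logins that slipped through. The OrgPolicy fields, the break-glass exemption, the event tuple format and the sample events are all constructed assumptions for illustration.

```python
"""Added example (not OneLogin's code): refuse password logins where an
organisation enforces SAML, and detect successful password logins that
bypassed the identity provider in an audit log.

All names, fields and sample events below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OrgPolicy:
    name: str
    saml_enforced: bool                   # only IdP assertions may authenticate users
    break_glass: frozenset = frozenset()  # recovery admins allowed a password login


def authenticate(policy: OrgPolicy, username: str, method: str) -> tuple:
    """Return (allowed, reason) for one login attempt.

    method is "saml" for an assertion from the organisation's IdP (its
    signature is assumed to have been verified by the SAML layer already)
    or "password" for a local credential check.
    """
    if method == "saml":
        return True, "saml assertion accepted"
    if method == "password":
        if not policy.saml_enforced:
            return True, "password accepted (SAML not enforced)"
        if username in policy.break_glass:
            return True, "break-glass password login accepted"
        # A password login here would skip whatever MFA the IdP requires.
        return False, "password login refused: organisation enforces SAML"
    return False, "unknown authentication method: %r" % method


# Constructed audit events: (org, user, method, result) as a service might record them.
AUTH_EVENTS = [
    ("acme", "alice@acme.example", "saml", "success"),
    ("acme", "bob@acme.example", "password", "success"),        # bypassed the IdP
    ("acme", "root-admin@acme.example", "password", "success"),  # break-glass account
    ("globex", "carol@globex.example", "password", "success"),  # org does not enforce SAML
    ("acme", "dave@acme.example", "password", "failure"),
]

POLICIES = {
    "acme": OrgPolicy("acme", saml_enforced=True,
                      break_glass=frozenset({"root-admin@acme.example"})),
    "globex": OrgPolicy("globex", saml_enforced=False),
}


def find_sso_bypasses(policies: dict, events) -> list:
    """Flag successful password logins in organisations that enforce SAML,
    ignoring break-glass accounts. Worth running as a detection rule even
    with the enforcement above in place, since it catches misconfiguration."""
    hits = []
    for org, user, method, result in events:
        policy = policies[org]
        if (method == "password" and result == "success"
                and policy.saml_enforced and user not in policy.break_glass):
            hits.append((org, user))
    return hits


if __name__ == "__main__":
    print(authenticate(POLICIES["acme"], "bob@acme.example", "password"))
    print(find_sso_bypasses(POLICIES, AUTH_EVENTS))
```

The break-glass list is deliberately explicit and small: a recovery path for administrators locked out by an identity provider outage is reasonable, but every account on it is exactly the kind of account the detection rule should keep watching.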



Password Pain is Systemic

Thomas Pedersen on April 12, 2011

You’re not alone – everyone suffers from password fatigue. Your pain is likely different, however, based on your role within the organization. With the increased adoption of cloud applications in enterprise, employees tire from having to create and remember several secure passwords, IT bears the administrative burden of disparate systems, and senior management owns the risks of a security breach.

Let’s first explore the responsibilities of senior management. A password-related security breach, seen all too often from leading organizations, generates unflattering media attention that both the CEO and CIO must respond to. Being in a position to publicly admit faulty security measures is never pleasant nor desirable for organizations that aspire to longevity.

Although upper management faces the public when a breach occurs, it’s the IT staff who must provide the answers as to why it took place and, more importantly, how to avoid being in that situation again. But with so many web applications to manage and no centralized administrative tool, cloud computing for IT means continually resetting passwords, integrating several applications with the company’s existing directory, manually giving new employees access to all their web applications, or trying – often in vain – to prevent ex-employees from accessing enterprise data hosted online.

So how can an organization – that wants to leverage all the benefit of cloud computing – avoid enterprise-wide password pain? Enter identity management in the cloud.

In a nutshell, OneLogin offers a secure gateway to an organization’s web-based applications, both in the cloud and behind the firewall. Instead of accessing and managing applications individually, OneLogin provides employees with a secure portal where all the applications are just one click away. As for IT, they gain access to a centralized administrative dashboard where security policies can be set and enforced, users can easily be denied or granted access, and where all applications can be integrated with the existing directory.

The move to the cloud doesn’t have to be problematic. By adopting OneLogin as the organization’s identity and access management solution, employees at every level can enjoy the benefits of cloud computing, pain-free.



Leading Google Apps Integrator Offers SSO

Thomas Pedersen on April 11, 2011

OneLogin and Sheepdoginc.ca have partnered to give customers an easy-to-use identity management solution that provides security-enhancing functionality, such as single sign-on, user provisioning and directory integration. (press release)

“Google Apps is one of many cloud solutions used by our customers,” explains Julia Rivard, Sheepdoginc.ca’s CEO. “By partnering with OneLogin, we enable our customers to take their siloed cloud applications and bring them under one roof to better manage access as well as remove the security issues inherent to user-managed passwords.”

Identity management offers a number of security and productivity-enhancing benefits to Sheepdoginc.ca customers:

  • Secure, one-click access to Google Apps and other web-based applications drives up adoption.
  • One directory integration point eliminates the need to integrate with every application's proprietary interface.
  • Support for multi-factor authentication provides customers with the option to easily add another level of security.
  • User provisioning for key applications such as Google Apps, Salesforce, Yammer, Box.net and Zendesk means administrators can save significant time and ensures that former employees are effectively prevented access.



Phishing Test Helps Measure Security Risk

Thomas Pedersen on February 14, 2011

Even tech-savvy employees can fall prey to an email phishing scam. To help organizations gauge the risk of employees entering their login credentials on a fake landing page, OneLogin launched an online test that emulates a typical phishing attack.

Here's how it works: At OneLogin Phishing Test, the test admin enters the email addresses of employees who should receive the emulated phishing scam – the email message will ask employees to confirm access to the company's Google Apps account. If employees enter their credentials on the fake landing page, they will not be aware that they have fallen prey to an emulated phishing test. They will simply be redirected to the real Google Apps page where they can enter their credentials as they normally would.

Although employees don't know that they have been phished, the Test Admin receives an email alert and is provided with a dedicated results page where they can monitor results.

Why use the test? The test does not capture or record any of the login information provided by employees who fall prey – it only records that action was taken. It's an easy and safe way to measure an organization's level of risk and helps determine what changes need to be made internally to prevent suffering the embarrassment of a real security breach.

How do your employees fare? Start your emulated phishing test to find out.



New Active Directory Connector Simplifies User Authentication

Thomas Pedersen on December 13, 2010

OneLogin announces its Active Directory Connector that enables the authentication of cloud application users against an organization's Active Directory.

While IT benefits from having a single directory integration point, employees can use their Windows credentials to access web applications, hosted in the cloud and behind the firewall. By eliminating the need for employees to remember several usernames, passwords and login URLs, OneLogin increases the adoption of cloud applications and reduces the security risks inherent with the repeated use of weak login credentials.

“Enterprises are keen to reap the benefits of cloud computing, but do not want to abandon their existing IT infrastructure,” explains Thomas Pedersen, CEO at OneLogin. “Our new Active Directory Connector allows them to extend their directories deep into the cloud with no custom development required.”

As enterprises continue to adopt cloud computing, integrating their existing directory with various applications’ proprietary authentication APIs poses both security risks and maintenance headaches. OneLogin’s Active Directory Connector provides a single integration point that enables enterprises to centralize authentication, eliminate passwords and make it easier for employees to access web applications.

OneLogin enables any enterprise to get single sign-on within minutes via Security Assertion Markup Language (SAML). Users can easily and securely connect to SAML-enabled applications, such as Salesforce, WebEx, Google Apps, Workday, Yammer, Central Desktop, SugarCRM, KnowledgeTree, SAManage and many others.

View Press Release here



System Uptime and @OneLoginOps

Thomas Pedersen on December 9, 2010

As part of our ongoing commitment to providing excellent customer service, we are introducing uptime statistics on our website (www.onelogin.com/uptime) as well as a Twitter operations account (twitter.com/oneloginops).

Monthly statistics will be updated at the beginning of each month. In the event of downtime, updates will be published at @oneloginops and once the issue has been resolved, details about the issue can be found on our availability page.

We use Pingdom to monitor our service every minute from multiple locations around the world. In the event of a downtime alert, we will investigate and post any relevant details. We occasionally get reports that OneLogin is unreachable from certain locations in the world, but since these are isolated network problems unrelated to OneLogin and our hosting provider Rackspace, they will not be included in the statistics. Real downtime where the system is actually unavailable for all our customers will be included in the statistics.

We are going to report two numbers. Total uptime is the total uptime for the month and counts both planned and unplanned downtime against it. SLA uptime is the uptime we commit to in our Service Level Agreements and does not count planned downtime.
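To make the two definitions concrete, here is an added example (not OneLogin's reporting code) that computes both numbers from a list of incidents. Incidents carry two constructed flags: `planned`, which decides whether the minutes count against SLA uptime, and `isolated`, marking regional network problems that are excluded from both figures as the post describes. Incident times are clipped to the reporting month so an outage spanning a month boundary is not over-counted. The December 2010 incidents are constructed sample data, not real outages.

```python
"""Added example (not OneLogin's code): total uptime vs. SLA uptime for a month.

Incident flags and sample incidents are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    start: datetime
    end: datetime
    planned: bool     # scheduled maintenance: counts against total uptime only
    isolated: bool    # regional network issue, not a OneLogin outage: excluded entirely


def uptime_report(incidents, month_start: datetime) -> dict:
    """Return downtime minutes by class and the two uptime percentages for
    the calendar month beginning at month_start."""
    # First day of the following month, so the window covers the whole month.
    month_end = (month_start.replace(day=28) + timedelta(days=4)).replace(day=1)
    total_minutes = (month_end - month_start).total_seconds() / 60

    planned = unplanned = 0.0
    for inc in incidents:
        if inc.isolated:
            continue                                   # not counted in either figure
        start, end = max(inc.start, month_start), min(inc.end, month_end)
        if end <= start:
            continue                                   # outside this month
        minutes = (end - start).total_seconds() / 60
        if inc.planned:
            planned += minutes
        else:
            unplanned += minutes

    return {
        "planned_minutes": planned,
        "unplanned_minutes": unplanned,
        # Total uptime: every real outage, planned or not, counts as downtime.
        "total_uptime_pct": round(100 * (1 - (planned + unplanned) / total_minutes), 3),
        # SLA uptime: only unplanned outages count.
        "sla_uptime_pct": round(100 * (1 - unplanned / total_minutes), 3),
    }


# Constructed sample incidents for December 2010 (31 days = 44,640 minutes).
SAMPLE_INCIDENTS = [
    Incident(datetime(2010, 12, 4, 2, 0), datetime(2010, 12, 4, 4, 0), planned=True, isolated=False),
    Incident(datetime(2010, 12, 15, 9, 10), datetime(2010, 12, 15, 9, 40), planned=False, isolated=False),
    Incident(datetime(2010, 12, 20, 13, 0), datetime(2010, 12, 20, 13, 45), planned=False, isolated=True),
]

if __name__ == "__main__":
    print(uptime_report(SAMPLE_INCIDENTS, datetime(2010, 12, 1)))
```

With these inputs the 45-minute regional problem is ignored, the 120 minutes of maintenance lower total uptime to 99.664% but leave SLA uptime at 99.933%, since only the 30 unplanned minutes count against the SLA figure.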



KnowledgeTree+OneLogin Webinar

Thomas Pedersen on November 2, 2010

OneLogin and KnowledgeTree, a cloud-based document management solution, are hosting a joint webinar on Wednesday, November 17 at 2 p.m. EST, 11 a.m. PST. Register today to learn how to "Protect Documents in the Cloud with Secure Single Sign-On".

    https://www2.gotomeeting.com/register/328605570

Our presenters, Thomas Pedersen, CEO of OneLogin, and Evan Person, director of Product for KnowledgeTree, will cover the following:

  • Protect your KnowledgeTree documents and other cloud data – by preventing phishing, enforcing password policies, and adding additional authentication factors.
  • Increase productivity – by making all users' apps accessible with one click from OneLogin’s dashboard or your own intranet. 
  • Drive adoption of your organization's cloud apps – because when it’s easier for users to access their applications, usage automatically goes up. 
  • Manage and control credentials – synchronize users with your existing directory, and allow instant provisioning or de-provisioning of multiple passwords. 

KnowledgeTree recently announced its implementation of OneLogin's free, open-source SAML Toolkit to provide web-based single sign-on. (press release)



Angels, kobe burgers and bayonets

Thomas Pedersen on May 19, 2010

Last night OneLogin had the opportunity to present at Open Angel Forum in Los Angeles alongside some other start-ups. I can say without blushing that OneLogin won hands down in the B2B category.

I can't give Jason Calacanis enough credit for putting together the Open Angel Forum. This is the perfect venue for start-ups who want to get in front of angel investors. Jason and team (Tyler Crowley & Jason Krute) deserve kudos for a well arranged event.

Also, the kobe burgers served were delicious. And the bayonet? I am sure Jason will blog about that story himself at some point.



The agile business devours cloud apps

Thomas Pedersen on March 22, 2010

Most people think of single sign-on as something large enterprises need for security. And it certainly has been so in the past, but with offerings like OneLogin, single sign-on is accessible to anyone. I recently heard someone at a small software start-up say:

   "we don't have a large enough team to make a single sign-on program worthwhile"

That has been the conventional thinking in the past. But the cloud changes everything. People work remotely, teams are more autonomous and it's easy and risk-free to sign up for new apps that help you get your work done. Our customers often use in the range of 15-25 different apps and software development shops even more. 

For the smaller business the incentive for using single sign-on is not the size of the organization, but the complexity of their software landscape. At the last count, we used 24 different apps and we know already that we'll be adding 3 or 4 more soon. The ability for us to quickly access applications saves us valuable time. 



OneLogin API

Thomas Pedersen on February 22, 2010

Application Programming Interfaces (APIs) make it possible to integrate existing applications in new and interesting ways. Today we are releasing the first iteration of OneLogin's RESTful API, which enables customers and integrators to programmatically manage users in OneLogin.

The API is very straightforward and is fully documented in our support forums.

    http://support.onelogin.com/forums/123045-api/entries

The documentation contains examples of how you can experiment with the API from the command line. API access is available on all paid plans.



