In the last few months, it’s become clearer than ever that single sign-on (SSO) has come of age — something we predicted with our 2013 State of Cloud Adoption Access Study, which showed that 78% of companies intended to increase their use of cloud-based apps in 2013.
This kind of SSO is built on Security Assertion Markup Language (SAML), an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). When SAML is adopted, life gets easier for end users, and it also lets IT keep complete control over employee access to applications.
Hightail was working in the cloud before the term was even coined. At first the service was a simple way to send the large attachments that email couldn’t handle, but it has since grown into a robust suite of online file storage and management capabilities. Today, the company serves 43 million registered users across 193 countries and 98 percent of the Fortune 500. Beyond offering professionals an easy-to-use collaboration solution, Hightail’s reputation for reliability, data security and steady innovation makes it the go-to choice for professionals.
Already a leader in its industry, Hightail is now also one of the leading SaaS companies using SAML-powered SSO via OneLogin’s SAML Toolkits.
Several major business drivers led them there:
- Hightail wanted to replace an existing in-house Active Directory integration, which left customers on Lotus Notes and other directory platforms out in the cold
- Hightail needed to provide support for multi-factor authentication
- Hightail knew they needed SAML given increased customer interest in the standard
The company first learned of OneLogin’s SAML toolkit during a Hightail launch event, where Thomas Pedersen, OneLogin’s founder and CEO, spoke about the benefits of SAML. OneLogin has developed open-source toolkits for five web development platforms: ASP/.NET, Java, PHP, Python and Ruby. Coincidentally, Hightail was beginning to look at how best to SAML-enable its app.
After evaluating other options, including the open-source Shibboleth project, Hightail found OneLogin to be the easiest to integrate, with the widest support options of any available vendor. The company was new to SAML integration, so Pedersen traveled to Hightail to present to a room full of engineers on how best to integrate SAML. OneLogin’s SAML Toolkit would guide the engineers through, in their words, “the easiest integration [they] had ever done.”
Hightail had the added challenge of working across multiple environments and device types: web, desktop, iOS and Android. Thyaga Vasudevan, Hightail’s director of product management for enterprise, says:
“As a professional user in the enterprise, I want the flexibility of getting my content at any time from any of my devices — laptop, mobile, desktop or web — so I need to make sure I can do this via SSO from any of these locations. If we only implemented on the web app, then anyone on other apps wouldn’t be SAML enabled. So we decided to roll it out across all devices. Within mobile apps specifically, a user enters and is redirected to an IdP page within the mobile experience instead of being taken to HTML. The user enters credentials, is authenticated, then redirected back into HTML - which provides a generic architecture that applies across all of our device-resident apps and results in a great experience for the end user. As it turned out, the SAML portion of integrating across devices was very straightforward. The important pieces were to figure out the design and workflow.”
Vasudevan feels the benefits of SSO are:
- Many of Hightail’s customers are large enterprises that are not on Active Directory but on Lotus Notes or other platforms, so Hightail needed a strong solution for user provisioning and the other benefits of SSO, which it now provides via OneLogin.
- From a business perspective, IT admins are increasingly bringing up SAML and requiring it for SaaS apps they are adopting. They want the absolute minimum of user headaches that different logins and passwords bring, and SAML integration is providing this.
Vasudevan recommends that SaaS companies looking to move to SAML do the following:
- Understand the business value of implementing SAML. Communicate this clearly to your engineering team and show them the increased efficiencies and decreased expenditures resulting from SAML.
- Identify use cases SAML will solve. For instance, Hightail knew they needed to support multi-factor authentication, and SAML provided the quickest and most effective path.
- Start small. Once you’ve decided to implement, it helps to start small and simple. More complex integrations can wait until the team has the new system in place and understands the potential challenges.
- Focus on the user experience from the beginning. The flow of information after sign-on is very important. After the login screen, where do they go from there? Can that same flow work on the desktop and the web app?
- Don’t assume SAML will work the same way across all IdPs. Be prepared to work closely with your SSO vendor’s support team to make sure everything is supported and behaving correctly.
- Set up a log data infrastructure from the beginning. Logging every field of the incoming assertions (issuer, subject, conditions, timestamps) before moving into production lets you detect and resolve problems over time. If a SAML assertion arrives as expired, is it because the client misconfigured their IdP? Is it a problem on the server? Log files will be critical to troubleshooting through rollout and beyond.
- Don’t try to figure out Active Directory Federation Services (ADFS) on your own. There are some nuances that are very complicated and take a lot of time for internal teams to figure out. Understand from the beginning where your strengths are and arrange for consultants as needed to keep the project on track.
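As an added example, not code from the original post or from Hightail’s or OneLogin’s toolkits, the following Python shows the logging-first approach recommended above together with the check that decides whether an assertion is “expired”: it parses a constructed sample assertion (the idp.example.com and sp.example.com URLs are hypothetical), logs every field before making any decision, applies a clock-skew allowance to NotBefore/NotOnOrAfter, and flags when the IdP’s IssueInstant is far from the SP’s own clock, which is the signal that separates an IdP clock misconfiguration from a server-side problem. Signature verification (XML-DSig), which must come first in a real service provider, is assumed to have already passed and is out of scope here.

```python
"""Added example (not Hightail's or OneLogin's code): log every field of an
incoming SAML assertion and check its validity window with clock skew.
Signature verification (XML-DSig) is assumed to have already passed; it is
out of scope here and must run before these checks in a real SP."""
import logging
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# For assertions received from a real IdP, parse with defusedxml instead of
# the stdlib parser to block entity-expansion and external-entity attacks.
# The stdlib parser is used here only because the sample is built inline.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the IdP and SP URLs are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2014-03-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-03-01T11:59:30Z" NotOnOrAfter="2014-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("saml.sp")


def parse_saml_time(value):
    """Parse a SAML xs:dateTime, which must be UTC with a trailing Z."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def extract_fields(xml_text):
    """Pull every troubleshooting-relevant field out of a saml:Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("expected saml:Assertion, got %s" % root.tag)
    cond = root.find("saml:Conditions", NS)
    return {
        "assertion_id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": None if cond is None else cond.get("NotBefore"),
        "not_on_or_after": None if cond is None else cond.get("NotOnOrAfter"),
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
    }


def validate_assertion(xml_text, expected_audience, now=None,
                       skew=timedelta(seconds=60)):
    """Return (verdict, fields); verdict is one of ok, not_yet_valid,
    expired, audience_mismatch. Every field is logged before any decision."""
    now = now or datetime.now(timezone.utc)
    fields = extract_fields(xml_text)
    log.info("assertion received: %s", fields)

    # IssueInstant should be close to the SP's clock on arrival. A large
    # offset points at the IdP's clock rather than at our server.
    if fields["issue_instant"]:
        offset = parse_saml_time(fields["issue_instant"]) - now
        if abs(offset) > skew:
            log.warning("IdP %s clock differs from ours by %s",
                        fields["issuer"], offset)

    if fields["not_before"]:
        nb = parse_saml_time(fields["not_before"])
        if now + skew < nb:  # NotBefore is inclusive
            log.warning("assertion %s not yet valid, starts in %s",
                        fields["assertion_id"], nb - now)
            return "not_yet_valid", fields
    if fields["not_on_or_after"]:
        noa = parse_saml_time(fields["not_on_or_after"])
        if now - skew >= noa:  # NotOnOrAfter is exclusive
            log.warning("assertion %s expired %s ago",
                        fields["assertion_id"], now - noa)
            return "expired", fields
    # Require an explicit AudienceRestriction naming this SP.
    if expected_audience not in fields["audiences"]:
        log.warning("assertion %s audiences %s do not include %s",
                    fields["assertion_id"], fields["audiences"], expected_audience)
        return "audience_mismatch", fields
    return "ok", fields


if __name__ == "__main__":
    verdict, _ = validate_assertion(SAMPLE_ASSERTION,
                                    "https://sp.example.com/saml/metadata",
                                    now=parse_saml_time("2014-03-01T12:06:00Z"))
    print(verdict)
```

Passing `now` explicitly makes the window checks reproducible in tests; in production you would leave it unset. The skew allowance is what lets an assertion issued a few seconds “in the future” by a slightly fast IdP still be accepted, while the IssueInstant warning leaves a trail in the logs that shows which side’s clock is drifting.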
Adds Vasudevan: “All SaaS providers should make the move to SAML. As companies increasingly look for their vendors to be SAML-enabled, it’s more important than ever that you integrate this standard — and we wholeheartedly recommend doing so with OneLogin’s SAML Toolkit for the most effortless route to that end.”