As an Identity and Access Management (IAM) Solution Provider, we provide several options when it comes to giving users the ability to log in to applications. The two main options we provide are:
- Forms-based authentication
- Security Access Markup Language (SAML) authentication
Forms-based authentication means we are storing the info a user needs to log in to a particular website, like their username and password, within our database and passing it through to the application when the user needs access to that application. This is basically what a Password Manager does.
SAML authentication means the application is configured to trust that OneLogin will handle the authentication process. There is no username and password combination that needs to be stored and passed through to the application. The user can only log in to the application if they have successfully logged in to OneLogin.
When folks come and talk to us, they often wonder why they should go with OneLogin, an IAM, versus another solution that is just a password manager. One of the main reasons is that we support SAML. SAML is a much more secure way to control user access to applications than simply storing and passing through username and passwords to an application. There are three main reasons why SAML is better than simple password management.
- Log in once
- Less vulnerable to brute force attacks and other types of attacks that take advantage of using passwords for authentication
- Centrally manage and track access to applications
Log in once
When SAML authentication has been enabled between an IAM like OneLogin and the various applications users need access to, then users need only log in once to get access to those applications. All they need to do is log in to OneLogin, then select the application they want to get into. Because the application is configured to trust OneLogin, the application will allow the users in without prompting for additional credentials. (As long as the user has been assigned to the application within OneLogin.) This means administrators can secure how users log in to OneLogin and know that the applications are just as secure. Administrators can enable whichever additional authentication factors they feel are necessary. They can even eliminate the need for passwords all together by enabling a passwordless authentication flow to OneLogin.
Less vulnerable to attacks
By eliminating the need for users to remember a whole bunch of passwords, users are more likely to remember the one password they need to get into OneLogin, and, therefore, are less likely to feel it is necessary to save that information someplace accessible to bad actors. By eliminating the need for passwords all together for either just the applications or even for both the applications and OneLogin, attacks such as brute force attacks that try to figure out which passwords will work to get into a system will no longer work at all.
If all the users have to go through an IAM like OneLogin to access their applications, then IT departments will have more centralized management of who is accessing the applications and a way to centrally track when the applications are being logged in to. With password managers, even with centralized managed password managers, users could still simply go straight to the applications themselves and provide the necessary credentials so there is no way to centrally track their access.
SAML does not fully eliminate the need for password management functionality. There are still going to be applications that don’t support SAML authentication or similar authentication options like OpenID Connect (OIDC). Thus IAMs like OneLogin support the password management type of functionality as well. OneLogin does this through its forms-based authentication option. BUT if you have the choice between using something like forms-based authentication or using SAML, you should always choose SAML.