What is the best single authentication method?

mwauki used Ask the Experts™
Trying to find out what the best single authentication method is.

Example: having external users accessing Software as a Service (SaaS)

btan, Exec Consultant
Distinguished Expert 2018
The key is to establish clear user accounts, which means you need to have identity and access management (IAM) systems.
Most suppliers now offer identity and access management as a service (IAMaaS) in addition to on-premise versions. It is the main route to market for some, including Okta, Centrify, Intermedia and OneLogin.
IAMaaS makes sense for many because if the applications to which external access is granted are cloud-based, why not the IAM system as well? In addition, the external users being granted access are likely to do so over the internet, so the IAM systems involved have to be open to the outside world anyway.
Related is the System for Cross-domain Identity Management (SCIM) standard. The SCIM protocol is an application-level REST protocol for provisioning and managing identity data on the web.

With this well understood, to your question, SAML is perceived as one of the better authentication means to incorporate a user’s authorization information, including additional information such as the user’s role and identity within an external application’s data request package.
In keeping with a SaaS model, some vendors have begun to offer “SAML as a Service.” These offerings were created to help companies address the need for a flexible SAML model. To date, there are several SAML Internet application providers, including Ping Identity, Layer 7, SecureAuth, Okta and others.
The business model is simple:

  1. The host company creates a SAML connection to the SaaS provider while in turn establishing connections with many other companies.
  2. When a user needs access to data and applications hosted by other SaaS providers, they log into the SAML provider’s application and a user’s SAML assertions are routed to one or more application providers as information is retrieved.
  3. While this approach is not SSO in its purest sense, as the end user needs to log into an external SAML SaaS application to be able to move freely between the Internet-based applications, it does succeed in eliminating numerous logins.
  4. Furthermore, assuming this authentication can be done as the user initially accesses the data, preferably at the beginning of the work day, based on the company’s security policies the end user will not experience a constant disruption of authentication requests while performing their tasks.
mwauki, Systems Engineer


thank you, btan. i will check it out and let you know...

you may want to provide a bit of context:

external saml providers ( such as google's ) are very convenient when dealing with web based UIs because web users can be easily redirected back and forth.

if you want your own SAML(-like) server, you can use CAS, or Shibboleth which are relatively easy to install and work with.

on windows based lan environment, ntlm is by far the easiest implementation and can be integrated into virtually anything using either existing libs or reimplementing the protocol, but it's not very difficult to break through and exposes users' passwords to brute force hacks. nevertheless, it is still a choice to be considered in small sized lan environment with little exposure to sniffing.

kerberos ( gssapi ) is harder to implement and will require more work and trust relations in a domain environment but the client part will be native to any system and the security is much better than ntlm's. the windows implementation allows to steal tickets through a complex procedure, though.

the 2 latter allow easier integration with a wide range of existing software and protocols ( pop/imap/smtp, ftp, http, ... ). the 2 first are mostly a good fit for web UIs
mwauki, Systems Engineer


thank you very much, skullnobrains!

great options!
