What is the best single authentication method?

Trying to find out what the best single authentication method is.

Example: having external users accessing Software as a Service (SaaS).

mwauki (Systems Engineer) asked:

btan (Exec Consultant) commented:
The key is to establish clear user accounts, so it means you need an Identity and Access Management (IAM) system.
Most suppliers now offer identity and access management as a service (IAMaaS) in addition to on-premise versions. It is the main route to market for some, including Okta, Centrify, Intermedia and OneLogin.
IAMaaS makes sense for many because if the applications to which external access is granted are cloud-based, why not the IAM system as well? In addition, the external users being granted access are likely to do so over the internet, so the IAM systems involved have to be open to the outside world anyway.
Related is the System for Cross-domain Identity Management (SCIM) standard. The SCIM protocol is an application-level REST protocol for provisioning and managing identity data on the web.

With this well understood, to your question: SAML is perceived as one of the better authentication means to incorporate a user's authorization information, including additional information such as the user's role and identity, within an external application's data request package.
In keeping with a SaaS model, some vendors have begun to offer "SAML as a Service." These offerings were created to help companies address the need for a flexible SAML model. To date, there are several SAML Internet application providers, including Ping Identity, Layer 7, SecureAuth, Okta and others.
The business model is simple:

  1. The host company creates a SAML connection to the SaaS provider, which in turn establishes connections with many other companies.
  2. When a user needs access to data and applications hosted by other SaaS providers, they log into the SAML provider's application, and the user's SAML assertions are routed to one or more application providers as information is retrieved.
  3. While this approach is not SSO in its purest sense, as the end user needs to log into an external SAML SaaS application to be able to move freely between the Internet-based applications, it does succeed in eliminating numerous logins.
  4. Furthermore, assuming this authentication can be done as the user initially accesses the data, preferably at the beginning of the work day, based on the company's security policies the end user will not experience a constant disruption of authentication requests while performing their tasks.

https://searchsecurity.techtarget.com/answer/SaaS-access-management-Finding-the-best-single-sign-on-technology
mwauki (Systems Engineer, Author) commented:
Thank you, btan. I will check it out and let you know...

skullnobrains commented:
You may want to provide a bit of context:

External SAML providers (such as Google's) are very convenient when dealing with web-based UIs, because web users can be easily redirected back and forth.

If you want your own SAML(-like) server, you can use CAS or Shibboleth, which are relatively easy to install and work with.

In a Windows-based LAN environment, NTLM is by far the easiest implementation and can be integrated into virtually anything using either existing libs or by reimplementing the protocol, but it's not very difficult to break through and exposes users' passwords to brute-force hacks. Nevertheless, it is still a choice to be considered in a small-sized LAN environment with little exposure to sniffing.

Kerberos (GSSAPI) is harder to implement and will require more work and trust relations in a domain environment, but the client part will be native to any system and the security is much better than NTLM's. The Windows implementation allows stealing tickets through a complex procedure, though.

The latter two allow easier integration with a wide range of existing software and protocols (POP/IMAP/SMTP, FTP, HTTP, ...). The first two are mostly a good fit for web UIs.

mwauki (Systems Engineer, Author) commented:
Thank you very much, skullnobrains!

Great options!