Every development decision you make incurs a cost.
No, not just the cost of paying your developers (though Glassdoor reports the average salary of a software developer in the United States is an eye-popping $92,046).
There’s an opportunity cost with every decision.
Adding Single Sign-On (better known as SSO) is one of those times where you really have to weigh opportunity costs. Sure, your developers can probably develop an in-house authentication solution but — why? Why divert development resources to solving a problem that’s already been solved?
SSO, as we wrote in The Developer’s Guide to SSO, is outsourced authentication in the same way Stripe is outsourced payments infrastructure. Instead of building a service that manages authentication with an Identity Provider (like Okta or OneLogin) you can pay an outside vendor to do it. SSO is easier and lets your development team focus on other features.
That’s why we put together this list of the top SSO providers for 2020: to help you find the SSO provider that meets your needs now and can grow with you as your company scales.
Cognito is an Identity-as-a-Service product run by Amazon AWS. It supports SSO via SAML, OAuth 2.0, and OpenID Connect.
AWS Cognito provides two sign-in methods: what it calls user pools, where users of your app can sign in directly; and sign-in via third party, so you can federate with an IdP. Either way, the user pool takes care of the details for you. It handles the tokens that social logins return (think Google, Facebook, and Apple), as well as tokens from OpenID Connect and SAML-based IdPs.
With the Amazon Cognito User Pools API, you can manage directories and users. Here’s what a sample implementation might look like if you were to initiate an authentication flow:
You can see more examples in their API reference documentation.
The pricing for AWS Cognito is a little more complex than others in our list (it’s AWS, so no surprise there). Pricing depends on whether you’re using Cognito User Pools or federation via SAML or OIDC.
Cognito has a free tier for both lines. For users who sign in directly through Cognito User Pools, the free tier covers 50,000 monthly active users (MAUs); for users federated through identity providers based on SAML 2.0, it covers 50 MAUs.
From there, pricing varies by region and number of MAUs:
So maybe we’re a little biased.
With WorkOS, you can add SSO to your app with a couple of lines of code. One integration means you can support SAML with IDPs like Okta, G Suite, OneLogin, and more. Our goal is to make your app enterprise-ready, and SSO is foundational to that goal.
We also offer directory sync and audit trails (SIEM).
Here’s what an implementation might look like for an authorization workflow:
See more examples in our documentation.
We offer three plans: a free plan, a starter plan and an enterprise plan:
Enabling SSO is only the first step if you’re onboarding new customers. Your customers will still need to configure your application and integrate it with the Identity Provider they use. With WorkOS, that configuration is made simple. We provide an Admin Portal so that you can offer your customers a seamless SSO onboarding experience.
It’s built for IT admins, making it easy for them to use independently. This is especially useful if you’re following a land-and-expand strategy (think Dropbox, Slack, Atlassian). Users, enamored with your app, can upgrade to SSO and configure it easily.
WorkOS lets you add SSO to your app with only a few lines of code, making it appealing for developers who want a solution that’s both simple and powerful.
Auth0 provides Identity-as-a-Service, meaning you buy access to an API that acts as a middleman between the application and the end user.
Auth0 also offers multifactor authentication (MFA), biometrics, SSO, and user management (as do most other identity-as-a-service providers). The company supports a huge range of IDPs and social identity providers, including AWS, Apple, OAuth 2.0, Yammer, and more.
Here's what a sample implementation might look like with Angular:
Auth0 provides similar code samples for developers using Android Login, React, and Apache.
Auth0 is free up to 7,000 active users, including unlimited logins. From there, they have Developer, Developer Pro, and Enterprise plans:
Many companies worry that bringing in a mediator like an identity-as-a-service provider means they have less control over the user experience. To combat this, Auth0 developed custom domains.
Auth0 users can build custom domains that match their companies’ branding and otherwise consolidate their authentication flows. Atlassian, for instance, one of Auth0’s customers, consolidated all of their products (Jira, Confluence, and Stride) under id.atlassian.com.
Important to note for devs: all this is self-serve.
Auth0 is an Identity-as-a-Service product that also provides MFA, biometrics, and SSO. It’ll appeal if you’re looking for self-service products.
The GCP Identity Platform is what we call a customer identity and access management (CIAM) tool. CIAM allows companies to manage the data behind customer identities and profiles and dictate what level of access each customer has to various apps.
The GCP Identity Platform, like other CIAMs, includes SSO but also includes authentication via MFA, SAML, OIDC, traditional email and password, social login, and phone.
Key to Google’s offering, as its marketing won’t hesitate to tell you, is Google’s scale. Google promises an uptime of 99.95% in its SLA.
Here’s what a sample implementation might look like for calling the Identity Platform REST API in order to do things like sign in users and work with tokens.
The endpoint will be:
A sample request would look like:
And a sample response would look like:
You can see more in their APIs and reference guide.
GCP is another of the more complex pricing schemes. How complex? Well, Google built a Google Cloud Platform Pricing Calculator to help you figure it out. But in broad strokes, pricing varies depending on which authentication methods you want to use and how often you use them.
GCP Identity Platform provides a neat feature called Cross-Account Protection. This service pings admins with security event notifications that warn you when there’s been some sort of big change to an end user’s Google Account. In other words, if an end user gets their credentials hijacked by phishing, hacking, or data breach, you’ll know about it. This enables you to protect the data that user (or in this case, whoever is pretending to be them) has access to.
Google does this in a minimally invasive way. Cross-Account Protection sends objects, which Google calls security event tokens, that reveal only the event, when the event happened, and who the event happened to.
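To make the receiving side of that flow concrete, here is an added example (not code from Google or from this post) of what a relying application must do with a security event token before it acts on one: verify the signature, check issuer, audience and freshness, then map each event to a defensive action such as revoking the affected user's sessions. The token layout follows the generic Security Event Token shape (a signed JWT carrying an `events` claim); the issuer, audience, event-type URIs, signing key and session store are all constructed for the demo. A real receiver would verify the provider's RS256 signature against its published JWKS rather than an HMAC shared key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the offline demo. A production receiver
# would verify an RS256 signature against the provider's JWKS instead.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://issuer.example"   # assumption: configured per provider
EXPECTED_AUDIENCE = "my-app-client-id"       # assumption: your app's client id
MAX_AGE_SECONDS = 600                        # assumption: reject events older than this

# Assumed event-type URIs; take the real strings from the provider's docs.
SESSIONS_REVOKED = "https://example.test/secevent/sessions-revoked"
CREDENTIAL_CHANGE_REQUIRED = "https://example.test/secevent/credential-change-required"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_set(payload: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256-signed security event token (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_set(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Verify signature, issuer, audience and freshness; return the claims.

    Raises ValueError on any failure so the caller never acts on an
    unverified or stale event.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("unexpected audience")
    now = time.time() if now is None else now
    # Security event tokens carry iat (when the event was issued), not exp.
    if now - float(claims.get("iat", 0)) > MAX_AGE_SECONDS:
        raise ValueError("stale event")
    if not isinstance(claims.get("events"), dict):
        raise ValueError("missing events claim")
    return claims


def is_valid_set(token: str, now=None) -> bool:
    """Convenience wrapper: True only if verify_set accepts the token."""
    try:
        verify_set(token, now=now)
        return True
    except ValueError:
        return False


def handle_set(token: str, sessions: dict, now=None) -> list:
    """Apply the minimal defensive response to each verified event.

    `sessions` maps a provider subject id to the list of active session ids
    for that user in our app (constructed store). Returns the actions taken
    so the caller can write them to its audit log.
    """
    claims = verify_set(token, now=now)
    actions = []
    for event_type, event in claims["events"].items():
        subject = event.get("subject", {})
        sub = subject.get("sub")
        if subject.get("subject_type") != "iss-sub" or not sub:
            actions.append(("ignored", event_type, "no iss-sub subject"))
            continue
        if event_type == SESSIONS_REVOKED:
            revoked = sessions.pop(sub, [])
            actions.append(("revoke_sessions", sub, len(revoked)))
        elif event_type == CREDENTIAL_CHANGE_REQUIRED:
            # Drop cached sessions so the user must re-authenticate upstream.
            sessions.pop(sub, None)
            actions.append(("force_reauth", sub, None))
        else:
            # Unknown types are logged, never acted on blindly.
            actions.append(("ignored", event_type, "unknown event type"))
    return actions
```

The important design point is that every rejection path is a hard failure: a token with a bad signature, wrong audience or an `iat` outside the accepted window produces no session changes at all, and an event type the receiver does not recognise is recorded but not acted on.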
The GCP Identity Platform is a CIAM tool that packages SSO with MFA, SAML, and OIDC authentication. It will appeal to developers looking to use the scale and security of a Google product.
No list (of any technologies, perhaps) would be complete without mentioning Microsoft.
Azure AD includes Active Directory Federation Services (AD FS), which supports SSO, and Azure AD Connect, which supports directory integration and synchronization for on-premises setups.
Azure boasts 2,800 pre-integrated SaaS applications that come with automatic user provisioning.
Here’s what a sample implementation might look like for an authentication redirect using MSAL.js, Microsoft’s authentication library for JavaScript.
Microsoft provides many more examples, all showing how to write a single-page application.
Azure AD has four editions: two are different flavors of free, and two are paid.
Azure AD is free as part of a subscription to what Microsoft calls a “commercial online service.” So, in other words, if you’re already subscribed to Azure, Dynamics 365, Intune, or Power Platform, then you can use AD for free.
Azure AD is also free if you’re an Office 365 subscriber. But if you use Office 365 E1, E3, E5, F1, or F3, then you get even more features than the regular free users:
Azure AD is a product that succeeds just like many other Microsoft products (like Teams) do.
Are you already part of the Microsoft ecosystem? Does your company use Microsoft 365? If you answered yes to the two previous questions, then Azure AD is going to be a compelling offer.
Azure AD isn’t just sheer convenience for developers and admins, though. It also comes with a host of developer tools, such as the Microsoft Graph REST APIs, which let you manage and access data programmatically.
Azure AD supports SSO via AD FS, as well as directory integration via Azure AD Connect. It will appeal to developers looking for pre-integrated SaaS applications and developers that are already immersed in the Microsoft ecosystem.
Okta is a SaaS identity platform that promises independence and neutrality. The Okta platform offers a whole range of features, such as MFA, life cycle management, API access management, and, of course, SSO.
In 2019, Okta earned recognition from the likes of Forrester and Gartner (including a place on the esteemed “Magic Quadrant”). Okta further differentiates itself by developing niche expertise in verticals like health care, education, energy, and financial services.
Here’s what an implementation of Okta might look like in React if you were setting up the default behavior for an expired session:
You can see more examples, including implementations with Angular, Go, and Java in their documentation.
Okta offers two pricing plans for SSO. One is more streamlined, and the other includes context-aware features:
Okta extends the usefulness of its SSO functionality via a browser plugin. This is a compelling feature because many apps (mainly, according to Okta, those that don’t support SAML or a direct form POST to a URL) still ask users to laboriously enter their credentials.
Instead, end users go to a sign-in page of an app that works with Okta, and the plugin adds the user’s credentials for them. Note: The plugin works only with sites Okta has verified, and the plugin doesn’t store credentials once the authentication is done.
Okta is a SaaS identity platform that offers MFA, life cycle management, API access management, and SSO. It will appeal to developers who want to give their end-users an especially easy login experience.
The pitch for OneLogin can be summed up in one word: unity. The OneLogin Unified Access Management is targeted squarely at the problem of sprawl. When companies have tons of apps, SaaS and otherwise, splintered across on-premises and cloud environments, things get messy.
OneLogin instead promises simplicity via a portal that lets users access any application from any device.
OneLogin is especially tantalizing for large office environments. When admins hand out laptops or desktops, they can pre-install OneLogin Cloud Directory so that logging in to the OS grants users access to all of their other corporate apps.
Here’s what an implementation of OneLogin might look like if you were using the API that retrieves the apps to embed for a user, with ASP.NET and C#:
You can see more examples in their API reference documentation.
OneLogin offers bundle prices and per-user price plans:
OneLogin also offers two bundle options:
OneLogin enables users to add credentials for personal apps, and shared credentials for shared apps. Why is that useful? Take Twitter, for example.
Employees have plenty of reason to log on to Twitter during business hours (as I keep telling my boss). Personal accounts are essential for sharing content, networking, and hiring. But logging in to your own account can be a pain (and a security risk) when every other account is part of your company’s SSO package. OneLogin allows users to add those accounts.
Twitter is also a good example for shared apps. Twitter doesn’t support multiple users logging in at the same time, so OneLogin lets users share access without having to hand out credentials to numerous people. That way, numerous people can post from the company Twitter account without any of them actually having the password. This kind of thing comes in really handy when the recently fired social media manager wants to log back in to Twitter for one last hurrah.
OneLogin provides access management functions that will be especially appealing to developers who are providing solutions for large office environments that already have lots of SaaS applications in use.