SaaS brings a lot of advantages to businesses - no need to invest in purchasing and maintaining licenses and infrastructure, and no need to worry about upgrades and bug fixes. Larger companies, however, face a major challenge related to user authentication and management. Larger companies have invested a lot of time and effort in improving user productivity, compliance and security, and in cutting user management costs.

They have done so using technologies like single sign-on and centralized user management. SaaS applications are now challenging those efforts and threatening to bring them back to the situation where every user has several different usernames and passwords and the customers have several different user directories to maintain.

In order to be part of the solution, instead of being the actual problem, SaaS providers have to find fast and easy ways to make user experience and administration of their applications just as easy as for any on-premise application. They need to offer users single sign-on, and they have to make it possible for customers to use their centralized user management to manage access to SaaS applications as well. If this could be done in a way that is fast and easy to deploy by the customers, one of the worst barriers to wide-spread use of SaaS in large organizations would be eliminated.

Current ways to integrate SaaS applications with customer user management

Currently there are a few common ways for SaaS providers to give users single sign-on and/or to let customers use their internal user management solutions to manage access to the SaaS application:

1. Identity federation
2. Delegated authentication
3. Encrypted links
4. User directory synchronization

Identity federation, as a concept, is exactly what is needed – SaaS providers can offer customers single sign-on and automated user management based on current information in their internal user directory. Identity federation based on SAML, WS-Federation or ADFS, however, requires each customer to invest in and roll out software compliant with those technologies. Currently very few organizations have adopted such solutions, so there is not really an existing user base. Even if the software would be given away for free, it still requires lots of time and technical resources from the customer to setup and maintain it.

Delegated authentication provides users single sign-on by using an existing logon, for instance on a corporate intranet, to generate tokens that can be used to grant access to a SaaS application. However, delegated authentication does not bring any help to maintenance of user profiles and access rights, which still have to be maintained manually in the application. It also requires time and technical resources by the customer.

Encrypted links are probably the most common way to provide single sign-on from intranets to external applications. The challenge is of course that some encryption mechanism is needed by each customer, and that links can be copied and misused if there is no timestamp element in the link. Using timestamps, on the other hand, creates synchronization problems, which are hard enough to tackle within one organization but impossible with hundreds or thousands of customer organizations.

Synchronization of user directories does not enable single sign-on, but it makes it possible for users to use familiar accounts and passwords when logging on to the SaaS application. From a security point of view, copying such information to one or more external user directories is definitely a major risk. Then there are challenges related to conversions from one user directory to another, as well as challenges related to timing, frequency and automation of those conversions.

None of the methods described above really meets the value proposition of SaaS. Instead of starting to use the applications immediately, customers run into integration and rollout projects requiring time and technical resources. As a result the rollout of the SaaS application is significantly prolonged.

A lighter approach

Google Analytics, the SaaS application for monitoring web site usage, offers a different and interesting view to the problem. Each Analytics customer needs to integrate Analytics with its web site in order to be able to collect and monitor usage statistics. By choosing a scripting integration model requiring only a few lines of JavaScript on the web pages, Google managed to lower the requirements on the customers’ web sites and the technical skills required to do the integration. As a result, they managed to get hundreds of thousands of customers in 18 months. Achieving the same with an integration model based on a protocol or a web services interface would have been mission impossible.

A similar approach can be used to make identity federation easier and faster to roll out. With server side scripting in the existing intranets of SaaS customers, the need for separate identity provider software can be eliminated. Each intranet platform supports some kind of server side scripting, like Active Server Pages, Lotusscript or JavaServer Pages. These technologies are well known to customers, and the functionality required to provide customers single sign-on and identity federation requires a script of only about 50 lines. The need for training and support is similar to that of Google Analytics, which means that most customers can roll out the solution in their organization without the help of the SaaS provider.

We at Emillion developed Distal, which enables identity federation with the existing intranets of customers using server side scripting. Distal supports most common intranet platforms, such as Microsoft, Domino, Java and Apache, out of the box, and it integrates with most of the major access management suites and technologies. We believe that Distal is the easiest way for SaaS providers to offer their customers single sign-on, especially from their customers’ point of view.

Aditro, the Nordic leader in human resources solutions and services, deployed Distal into their Nordic HRM ASP service platform. Tero Ansio, Head of Aditro Human Resources explained the reasons exactly as described above: it is very easy for our customers to start using it immediately. Users can access the ASP applications directly via their intranet connection, and still we get reliable sign-on.”

A scripting identity federation solution is exactly what a SaaS application needs, as it adds little to the time and effort required to roll out a SaaS application in an organization. Any SaaS provider aiming at growth figures even close to those of Google Analytics should at least try it out.