Single Sign On (SSO) provides a quick and secure way to log in to multiple services using a single username and password. Perhaps surprisingly, it can also help you manage your SaaS Subscriptions.
What is SSO?
SSO works by taking your initial login to a system (for example your PC), encrypting it so it is secure (also called tokenisation) and then using that token to access all other systems automatically without further need for username and password submission. There are many benefits to this approach including:
On premises SSO has been around for over 20 years – for most users probably hooking together your PC Login, Outlook account, and intranet with your Active Directory. However, when applications move to the cloud there are suddenly many more authentication requests. And, typically, you don’t want to be giving each SaaS provider access to your corporate directory. Similarly, you don’t want your employees to manage separate identities and passwords for each service – that will lead to weak passwords, password re-use, and potentially harm adoption of new services.
As a result providers such as Okta, OneLogin, SailPoint, and Microsoft offer cloud-based SSO services which integrate with (and usually replace) your on premises directory. Identity and Access is then managed in a single place meaning that you have one place to go to see which systems, both internal and external, a user has access to. The primary benefit of this is that it simplifies both the user login experience and also the process of managing identity. It also streamlines onboarding, often with the use of personas – for example each new staff member in the Contact Centre automatically receives logins to the same systems as their colleagues.
Managing SaaS Spend using SSO
So, how does SSO help manage your SaaS Subscriptions? When user identity is stored in a single place it is vital to get detailed reports on which login has been granted access to which systems. This capability was developed by the SSO providers primarily in response to IT Security & Compliance requirements, particularly around SOX compliance which requires regular User Access Reviews (UARs) and Privileged Access Reviews (PARs). With the implementation of GDPR comes a requirement to maintain a Record of Processing Activity for a subject’s PII. With these stringent regulatory requirements already being met by SSO vendors it is a simple step to extend them to provide data useful for an IT Asset Manager or SaaS Subscription Manager.
For SaaS Subscription Management applications integrating with an SSO solution can provide fine-grained inventory data such as;
Primarily this enables the SaaS Subscription Manager to discover which users are using which SaaS apps and for how long, enabling harvesting and optimisation of subscriptions. When combined with cost data from other sources (e.g. Accounts Payable) along with a corporate hierarchy it enables cross-charges at a departmental level to be calculated. If budgets are held centrally “showbacks” can be reported instead, which can enable budget holders to target departments not making efficient use of their SaaS Subscriptions. Organisations need to do this themselves because as yet there is no common standard for SaaS Providers to make this information available to their customers. Whilst some (e.g. Microsoft, Salesforce) may provide API access to this data as part of the service, others (e.g. Adobe) only make it available to customers paying a premium for their services. And there is a very long tail of SaaS Providers who make no information available other than what’s contained on the monthly invoice.
This piecemeal approach leaves Subscription Managers juggling multiple bills for multiple vendors, making it difficult to generate accurate costs and forecasts for SSO usage. This is a big contributer to the estimated 30% wastage of SaaS Subscriptions – soon to amount to $30bn annually.
SSO Discovery – Benefits and Challenges
SSO as a discovery and inventory method for SaaS has some key differentiators compared to other methods. Of greatest significance is ease of deployment (no agent or plugin is required) and the ability to capture usage on personal devices which may not be managed by the organisation. Furthermore, by only capturing SaaS apps known to an organisation, there are no privacy concerns associated with this method. All usage will be corporate usage only and covered by your existing acceptable use and privacy policies.
My conference session and recent articles highlighted, however, that no single SaaS discovery method is sufficient to discover all SaaS usage. In the case of SSO integration there are two difficulties to overcome. Firstly, this will only discover apps known to the organisation – it won’t find Shadow IT. The app needs to be set up in the SSO vendor’s product in order for it to be SSO-enabled, and this usually can only be done by IT, because they manage the SSO product. Secondly, the app needs to be compatible with the SSO vendor’s product. This is becoming less of an issue as the SSO market grows rapidly and authentication standards get adopted widely. However, it may still be the case that you have SaaS apps that don’t integrate with your chosen SSO provider.
To summarise, SSO integration is one of the best methods for inventorying your SaaS applications and providing detailed and actionable insight into their usage. Most SaaS Subscription optimisation tools provide this integration, either as a primary or secondary source of inventory data. Many further enhance this data by pulling in data from HR & Finance systems to provide a full-width SaaS Subscription Optimisation Service.
If you’re using one of these tools I’m interested in hearing from you, either in the comments below, in the Forum, or ideally via a Product Review on the ITAM Review Marketplace. This is an emerging market and will be a key battleground for tool providers as SaaS spend continues to rise.