Technology Decision Makers

A group for those in nonprofit IT decision-making roles to connect with peers and share best practices. This Technology Decision Makers group is for nonprofit IT or MIS Directors/Managers as well as CIOs and CTOs to connect with their peers and share best practices. Topics for discussion include, but are not limited to: hardware and software management, product reviews, emerging technology, best practices, collaborating effectively with other departments, and management conundrums. Membership is restricted to IT staff at nonprofit organizations.

SSO providers

  • 1.  SSO providers

    Posted Nov 21, 2018 08:53
    We are looking to combat password fatigue and increase security by implementing Single Sign On, using our Intranet (by Interact) as the portal. The first product we looked at was Manage Engine's, since we already use a couple of their products and it would be the most economical. But frankly, the interface is so clunky I can't imagine great adoption with our users.

    So back to the drawing board. Of the front runners, which seem to be Citrix, Okta and OneLogin, does anyone have any experience with these? I'm really a babe in the woods on this one, having never dealt with SSO before, but senior management is very anxious to have this implemented.

    Some particulars:
    • We use Active Directory in its most plain vanilla version you can get. Our Windows security is rock solid in design and execution.
    • Besides applications that are licensed or owned by us but are operated in the cloud, such as our EHR, Sage Acct., ADP, we have web apps that are run by external, 3rd party providers, mostly the government.
    • Everything has to be 100% HIPAA compliant
    • We have ~750 users, soon to go to 800+. One third are per-diem on-call, or part-time, but they still get full access to systems
    • We are a Microsoft shop, going to Office 365 in 2019.

    Any help would be very much appreciated.

    ------------------------------
    Grace Barry
    Director of Information Technology
    Family Service League
    Huntington, NY
    ------------------------------


  • 2.  RE: SSO providers

    Posted Nov 26, 2018 08:09

    We use OKTA and seriously considered Onelogin.  The difference was that OKTA gave us a bigger nonprofit discount.

    With OKTA we have AD integration so that AD is the final authority for security/logins.

    I know that it works with ADP, and probably 95% of other websites. We have about 20 programs we deal with and most work with OKTA. We have, for example, one app that is dependent upon Silverlight. That thing is just never going to work with OKTA. If you have a site, like many banks, where the username is on one page and the password is on the next, I find those rarely work.

    Our biggest issues are:

    1. training users to understand that if it's not a SAML or AD app like Gmail or O365, they need to change the password in OKTA when they change their password in the APP.  ADP is an example of one app with a rigorous password change schedule that causes lots of helpdesk calls.  When I've talked to folks at OKTA, the response has been "Yeah, ADP does not go out of its way to work with us.  We use ADP for our payroll so we feel your pain".

    2. You're going to be tied to Chrome.  We don't mind because I want us to be a Chrome shop, but Chrome is the only browser that easily, invisibly, and reliably updates the OKTA agents.  Firefox isn't bad, but hardly invisible.  IE and Edge are disasters.



    ------------------------------
    Colin Boyle
    Step Up Suncoast
    Sarasota, FL
    cboyle@manateecaa.org
    ------------------------------



  • 3.  RE: SSO providers

    Posted Nov 27, 2018 08:37
    Colin, thank you for this valuable input.
    We are an IE shop because of legacy apps that pretty much won't work with anything else. And I have a philosophical problem with Chrome -- but without getting into that can of worms, all the good feedback on OKTA leads me to believe it would be worth trying to reconcile these issues in order to proceed with testing it.
    Also good news about the bigger discount -- definitely appreciated.
    Best,
    Grace

    ------------------------------
    Grace Barry
    Director of Information Technology
    Family Service League
    Huntington, NY
    ------------------------------



  • 4.  RE: SSO providers

    Posted Nov 26, 2018 10:10
    We got closest to adopting Okta, but since we're on Office 365, we never made the final push. We squeak by with Azure Active Directory, which integrates with Salesforce, Zoom, Dropbox and other services.

    ------------------------------
    Emilio Arocho
    Director, Technology and Digital Strategy
    Food and Drug Law Institute

    Community Organizer, NTEN Nonprofits and Data group.
    ------------------------------



  • 5.  RE: SSO providers

    Posted Nov 27, 2018 08:39
    Emilio, we are moving to Office 365 within the next 12-18 months. Do you mean that you use Azure AD in place of an SSO third party app? I'm very new to this SSO world other than understanding SAML and LDAP.

    Thanks,
    Grace

    ------------------------------
    Grace Barry
    Director of Information Technology
    Family Service League
    Huntington, NY
    ------------------------------



  • 6.  RE: SSO providers

    Posted Nov 27, 2018 16:34
    Hi Emilio; does that require a Premium AD license and, if so, which one: P1 or P2?

    thx

    ------------------------------
    Dan Dwyer
    Director IT
    CFHI
    Ottawa, ON
    ------------------------------



  • 7.  RE: SSO providers

    Posted Nov 28, 2018 11:15
    Implementing SSO with Azure (called Enterprise Applications) does require Azure AD Premium P1. The good news is that it is available for free as part of the EM+S E3 bundle. Implementing the solution is straightforward, although it does require planning and an understanding of all of the applications you are trying to integrate.

    Microsoft does also provide a solution for integrating SSO for on premise applications through the App Proxy https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

    Please feel free to contact me directly if you have more questions.

    Matt

    ------------------------------
    Matthew Eshleman
    Chief Technology Officer
    Community IT Innovators
    Washington, DC
    ------------------------------



  • 8.  RE: SSO providers

    Posted Nov 28, 2018 13:44
    Edited by Emilio Arocho Nov 28, 2018 18:03
    @Grace Barry That's correct, we use Azure AD in place of an SSO third party app.

    @Dan Dwyer Matthew answered that question faster than I could!

    Just a tip to others that are interested in doing this: Microsoft is usually your best source for documentation on how to set up SSO using Azure Active Directory. For example, here's the link that walked us through setting up SSO with Salesforce.

    ------------------------------
    Emilio Arocho
    Director, Technology and Digital Strategy
    Food and Drug Law Institute

    Community Organizer, NTEN Nonprofits and Data group.
    ------------------------------



  • 9.  RE: SSO providers

    Posted Nov 28, 2018 11:24

    Grace,

    Here was the problem we had with IE/Edge: Whenever there was an update to the OKTA agent (which was frequently) it required the user to run an MSI or EXE.

    Chrome updated the agent automagically and Firefox was somewhere in the middle.

    You could probably get around this with a good deployment tool like PDQ Deploy.

    I also want to be clear that I haven't tried to run OKTA on IE in about 2 years, so they may have a way around this now.



    ------------------------------
    Colin Boyle
    Step Up Suncoast
    Sarasota, FL
    cboyle@manateecaa.org
    ------------------------------