Cloud Computing

Kjell Backlund (Finland) - Cloud Single Sign-On: Whose Call is it?

As Cloud applications are becoming more and more common, it is getting increasingly obvious that managing access to them is a very critical success factor. End user experience suffers severely if users are required to input different passwords for every application. Additionally, separate user administration for each application is both costly and error prone. The bigger the Cloud customer is, the more critical these challenges become.

As a result, efforts are being made to let Cloud customers control access to the applications with their internal user directories. Such efforts are being made both by Cloud customers and Cloud application vendors, and there are also companies offering man-in-the-middle solutions like authentication, identity management or provisioning as a service.

Comparing these approaches from different perspectives helps us understand the implications of each and decide which one to bet on. Let's have a look at three of the most important perspectives: value proposition, technology and cost.


Value proposition

The value proposition for Cloud applications is very simple: the Cloud application provider makes life easier for its customers by taking care of everything related to running and supporting the application and the infrastructure below it. The only requirement on customers is that they have basic infrastructure like computers, internet browsers and an internet connection.

Single sign-on and centralized user management are key factors in the usability and the user experience of any application in an enterprise. From the Cloud vendors' point of view, it is essential that their Cloud applications are as easy to use and manage as any on-premise application the customer uses. This is the easiest way to make sure the customer really uses the application, and that the manual administration required is kept to a minimum.

As single sign-on is a key feature of Cloud applications, it would be logical to adhere to the Cloud value proposition. This would mean customers only need basic infrastructure like a directory and a place to log on, and the Cloud Application provider takes care of the rest. If customers are required to invest in new technology or new expertise to get a key feature of the Cloud application to work, it will surely slow down adoption and rollout speed, in other words time to revenue. On the other hand, if customers are required to sign contracts with third parties to get the same feature, it certainly will not make life any easier for them. But, if the Cloud application provider could offer a solution that easily connects with the basic infrastructure customers already have in place, this is a true Cloud value proposition.


Technology

Letting customers control access to a Cloud Application with their existing infrastructure requires solving two technical challenges: automating user management and providing single sign-on.

Providing single sign-on is the easier of the two. On the customer side, it only requires figuring out who the authenticated user is by reading the necessary information from their user directory. On the Cloud application provider side, it requires finding the right user account and signing on. Finding the right user can be a little tricky: it requires either a manual mapping between the account in the customer's directory and the right account in the application, or a dynamic mapping based on some piece of information that can be found both in the customer's directory and in the application.

Automating user management is more difficult. On the customer side, it still is only a matter of reading the required information from their user directory, either for one user at logon time, or in larger chunks every day or whatever period suits the situation. On the Cloud application side, there are more issues to solve. Every application has different user profile information, and creating and maintaining user profiles automatically requires significant knowledge of, and support from, the application.
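The two steps described above, resolving the authenticated user to an application account (by an explicit link or by a shared attribute) and then creating or refreshing the profile at logon time, can be illustrated in code. This is an added example, not code from the article or from Emillion; the issuer name, the directory attributes, the group-to-role mapping and the account store are all assumptions constructed in-line, and the duplicate e-mail address is included on purpose to show why a dynamic mapping must refuse to guess.

```python
"""Resolving a federated sign-on to a Cloud application account and
provisioning the profile just in time.  Added example, not the article's or
Emillion's code; issuer names, directory attributes and the application's
account model are assumptions, and all sample data is constructed in-line."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    """What the customer side reads from its directory for the signed-on user."""
    issuer: str            # identifies the customer's directory (assumed URN)
    subject: str           # stable directory identifier, never reused
    email: str
    display_name: str
    groups: tuple = ()


@dataclass
class AppAccount:
    """The Cloud application's own user profile."""
    account_id: str
    email: str
    display_name: str
    role: str
    external_ids: dict = field(default_factory=dict)   # issuer -> subject


class AccountResolutionError(Exception):
    pass


class CloudApp:
    """Application-provider side: the part that carries most of the work."""

    TRUSTED_ISSUERS = {"urn:example:customer-a"}                    # assumption
    GROUP_TO_ROLE = {"app-admins": "admin", "app-users": "user"}    # first match wins

    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}
        self._next_id = len(accounts) + 1

    def resolve(self, a: Assertion) -> Optional[AppAccount]:
        """Find the application account behind an assertion.

        Tries the explicit link (issuer, subject) first, then a dynamic match
        on the shared e-mail attribute.  Ambiguity is an error, never a guess.
        """
        if a.issuer not in self.TRUSTED_ISSUERS:
            raise AccountResolutionError(f"untrusted issuer {a.issuer!r}")
        linked = [x for x in self.accounts.values()
                  if x.external_ids.get(a.issuer) == a.subject]
        if len(linked) > 1:
            raise AccountResolutionError(f"subject {a.subject!r} is linked to several accounts")
        if linked:
            return linked[0]
        by_email = [x for x in self.accounts.values()
                    if x.email.lower() == a.email.lower()]
        if len(by_email) > 1:
            raise AccountResolutionError(f"e-mail {a.email!r} matches several accounts")
        if by_email:
            by_email[0].external_ids[a.issuer] = a.subject   # pin the link for next time
            return by_email[0]
        return None

    def sign_on(self, a: Assertion) -> AppAccount:
        """Single sign-on only: the account must already exist."""
        acc = self.resolve(a)
        if acc is None:
            raise AccountResolutionError(f"no account for {a.email!r}; provisioning needed")
        return acc

    def provision(self, a: Assertion) -> AppAccount:
        """Just-in-time user management: create or refresh the profile at logon."""
        role = next((r for g, r in self.GROUP_TO_ROLE.items() if g in a.groups), None)
        if role is None:
            raise AccountResolutionError("no directory group grants access to this application")
        acc = self.resolve(a)
        if acc is None:
            acc = AppAccount(f"acct-{self._next_id}", a.email, a.display_name, role,
                             {a.issuer: a.subject})
            self._next_id += 1
            self.accounts[acc.account_id] = acc
        else:
            acc.display_name, acc.role = a.display_name, role
        return acc


def sample_app() -> CloudApp:
    """Constructed application account store; the duplicate e-mail is deliberate."""
    return CloudApp([
        AppAccount("acct-1", "alice@example.com", "Alice", "user"),
        AppAccount("acct-2", "carol@example.com", "Carol (old)", "user"),
        AppAccount("acct-3", "carol@example.com", "Carol", "admin"),
    ])


if __name__ == "__main__":
    app = sample_app()
    alice = Assertion("urn:example:customer-a", "S-1001", "alice@example.com", "Alice A", ("app-users",))
    print(app.sign_on(alice).account_id)      # matched on e-mail, link pinned
    dave = Assertion("urn:example:customer-a", "S-1002", "dave@example.com", "Dave D", ("app-admins",))
    print(app.provision(dave).role)           # created at logon from group membership
```

The design choice worth noting is that the dynamic mapping is only a bootstrap: once an account has been matched on e-mail, the (issuer, subject) pair is stored so later logons survive an e-mail change and never depend on the attribute match again. Carol's two accounts show the failure mode of a purely dynamic mapping, which the code turns into an explicit error for an administrator to resolve rather than a silent choice.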

Based on the above, it is obvious that no matter which approach is chosen, most of the work will be on the Cloud application provider side. It is also obvious that the required functionality on the customer side is quite basic and does not require any advanced technology. Using a third party offering authentication or provisioning as a service might provide a unified interface from the enterprise to a number of applications, but at the same time it creates a major single point of failure, both from a security and a usability point of view. It also adds contractual and support complexity, and there is no guarantee that all the Cloud applications a company is using support the same man-in-the-middle service.


Cost

One significant piece of every equation is cost. When it comes to automating identity and access management in Cloud applications, the key figure is cost per application per customer.

If the customer builds a solution, s/he can spread the costs to all the Cloud applications s/he is using. The direct costs will come from operation, licenses, integration and maintenance. The best known applications and protocols can be supported by commercially available solutions, and others can be built using vendor specific APIs provided by some Cloud application vendors. However, most Cloud vendors do not offer such APIs, and therefore a fully automated solution is not available at any cost.

If the customer decides to work with a man-in-the-middle, s/he can also spread the costs to all the Cloud applications s/he is using. Man-in-the-middle providers typically charge a fixed fee per user per month for all the applications they are supporting. The best known of these companies claim to support over 4000 applications, which is a respectable amount, but still only a fraction of all the applications available today. From the customer's point of view, the situation is similar to building a solution themselves: the best known applications and protocols can be supported with a commercially available solution, some can be handled by integration using vendor specific APIs, and some cannot be handled at any cost.

In both of the cases above, the customer can only spread the costs to the applications supported by the solution. Few organizations use more than 5-10 Cloud applications, and it's likely at least one or two of those applications are not supported by any commercial solution. As a result, the cost per application is relatively high, especially compared with the cost of the actual application.

However, if the Cloud application provider offers a solution, the cost can be spread over their entire customer base. As stated in the Technology section above, most of the complexity will be on the Cloud application provider side no matter which approach is chosen. In fact, much of the functionality required is already built into the Cloud applications, which means much of the cost is already being charged for as part of the monthly fee of the application. The only thing most Cloud application providers would need to add is an easy way to connect to the internal user directories of their customers using technology customers already have in place. Such solutions are also commercially available for Cloud application providers.



Cloud applications are all about making life easier for customers and using shared resources to drive down costs. Cloud single sign-on is a big part of making life easier both for end users and administrators. In summary:


  1. A true Cloud value proposition would give customers single sign-on without requiring investments in new technology or expertise.
  2. Most of the technical complexity in providing single sign-on and automating user management is on the Cloud application side; the functionality that must be on the customer side is quite basic. In fact, it is virtually impossible for customers to create a solution without considerable help from the Cloud application provider.
  3. Cost per customer per application is much lower if the solution is offered by the Cloud application provider because they have done most of the work already anyway, and they typically have many more users to whom they can distribute the costs.


Based on the above, Cloud single sign-on is the Cloud application provider's call. Customers should focus on making sure their Cloud application providers give single sign-on and automated user management the priority they deserve. They should demand a solution which decreases complexity instead of increasing it.


Kjell Backlund is Founder and CEO of Emillion, a company pioneering in Cloud sign-on and user management since 2001.
