MFA for Identity Access Management and Single Sign-On

Why you need MFA for IAM and SSO


Web-facing Single Sign-on (SSO) is with no doubt the users’ preferred IT service. To the point that the first question asked by job applicants has become “do you have an SSO in place?”, so the story goes. With a simple browser, a connection, and a single set of credentials, users can access their applications and work from anywhere and without the headache of remembering, changing, and managing application-specific credentials.

The downside is that anyone finding (i.e guessing, hacking, eavesdropping, phishing…) a valid user password has a complete access to that user’s applications accounts and to all the information stored in these accounts (documents, transactions, customer contacts, emails…). Someone taking over a user account can also impersonate that user, fool his contacts, and make transactions on his behalf.

Authentication is the only real protection for web-facing SSO, like anything else in your IT that can be accessed online. Organizations have long thought that enforcing complex password policies was enough to protect online accounts but it is now widely accepted that users are better left out of the security equation. MFA is therefore the only efficient way to secure user authentication to the SSO and in turn, to protect the application accounts.

How to add MFA to your IAM or SSO solution

There are 3 main ways depending on your SSO or IAM vendor and how you have integrated it.

Most SSO and IAM vendors support a delegation of authentication using protocols such as Radius or SAML 2.0. This way, you can configure your SSO to delegate authentication to an Identity Provider enforcing MFA.

Alternatively, if you can configure your SSO to authenticate users using LDAP, you can add an LDAP proxy enforcing step-up authentication on top of the current authentication.

Finally, most SSO and IAM vendors provide a way – by adding a custom script or a plugin – to customize the authentication workflow and trigger the MFA option provided by the SSO vendor or by an identity provider enforcing MFA.

inWebo MFA for IAM and SSO solutions

inWebo supports all the aforementioned methods. On the user side, this is compatible both with inWebo App-based and browser-based authenticators.

To implement inWebo MFA for your SSO or IAM, you’ll simply need to create an inWebo account for your organization and to configure both this account and your SSO or IAM to trust each other using one of the methods. There’s no server or additional infrastructure to install and configure. Here is the step-by-step documentation. Our pre-sales and support engineers are here to help if you face any difficulty.

Over the years, our partners and our customers have implemented inWebo 2-factor solutions with Identity & Access Management, Single Sign-On, and Federation solutions including Forgerock OpenAM, Microsoft ADFS, Ping Federate, Gluu Server, Memority, WSO2 Identity Server, Simeio Solutions, NetIQ, Gigya, Shibboleth, Ilex International, Auth0, SailPoint, CA SiteMinder (now CA SSO), and probably many more we’re not even aware of since our SAML 2.0, radius, and web services connectors work out-of-the-box.

IAM vendor MFA or inWebo MFA?

The 3 main reasons why you should prefer the latter over the former:

  • Vendor lock: inWebo MFA is not tied to any application or vendor, it is universal and supports a lot more applications. Not only most applications (including Office 365 and G Suite), but also VPN, remote access, SSO, CMS, Windows Logon. Moreover, with inWebo, users only need one authenticator.
  • Convenience: inWebo MFA supports smartphones as authenticators, but also computers, tablets, and browsers, thus making the whole process frictionless including for users who don’t have a smartphone or don’t want to install IT applications on their personal phone.
  • Administration and security: while it seems pretty easy to activate the MFA option provided by the IAM or SSO vendor, a proper and secure administration of MFA for an Enterprise-grade applications is a completely different story. inWebo MFA is a turnkey solution that meets IT organizations’ complex administration requirements, not just a script to verify OTPs.