Looking for a good SSO solution
Posted by DiabolicalDong@reddit | sysadmin | 61 comments
We currently manage over 1,000 computers/users, some remote and some in designated desks. We are looking to deploy an SSO solution to combat password reuse and password resets. We looked into MiniOrange and ManageEngine. They have quite an extensive list of integrations.
Any quirks that I must be aware of before going ahead with the evaluation?
If you are looking to implement an SSO solution, which integrations would you prioritize.
RevealVast7178@reddit
If you already have an identity source that everyone signs into daily, I’d start there instead of bolting on a separate SSO layer that just becomes another thing to babysit when it hiccups or when conditional access needs to match what you already enforce; the real work is picking what you onboard first (email/VPN/HR/finance, then the stuff people touch 20x a day), and accepting that a bunch of vendors will still try to charge you for “SSO” or have half-baked SAML docs. For the long tail of apps that won’t play nice, I’ve had decent results corralling the leftover creds in Psono so you’re not fighting reused passwords while the SSO rollout crawls forward.
Aegon2050@reddit
What could that be?
adityaj07@reddit
Focus on real integrations (VPN, legacy, custom apps) and avoid tools that need heavy manual setup per app. For a simpler rollout, you can check out OneIdP; it offers SSO with centralized access and reduced password fatigue across apps.
Admirable_Gear_5952@reddit
Focus on real integrations (VPN, legacy, custom apps) and avoid tools that need heavy manual setup per app. For a simpler rollout, you can check out Scalefusion OneIdP; it offers SSO with centralized access and reduced password fatigue across apps.
NeckRoFeltYa@reddit
Entra is great, we have a mix of servers so connectise is a great alternative.
delicate_elise@reddit
What manages your identities today? Active Directory? Entra? Google Workspace?
We use Entra. You know what's nice? Every third party integrates with them and provides instructions. It's easy to manage. There are no servers. It's secure. My coworkers can manage it if I'm away. It doesn't go down. It does so much more than SSO and provides greater security.
sofixa11@reddit
https://nvd.nist.gov/vuln/detail/CVE-2025-59218
Yeah, it isn't. Nobody at Azure seems to care about or understand security. They have a ~quarterly critical, usually cross-tenant, usually trivial to exploit, usually "how the fuck did that make it through QA/security", vulnerability. Usually with Microsoft being very slow to respond and fix, with a laughably small bug bounty, and usually with them having no clue if it has been exploited or not (like in this case).
If you think you're secure in Azure, you haven't been paying attention.
demonseed-elite@reddit
Considering that CVE you posted is marked: "This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency."
The only one not paying attention is you.
sofixa11@reddit
So it's okay that anyone could become global admin on any Azure tenant, easily, with no logs, and Microsoft not having any idea if it was exploited?
Yeah, they fixed it. But this kind of vulnerability happens quarterly for them...
Khue@reddit
I'm by no means a Microsoft apologist, but like... what is your real world experience that's leading you to this concept that QA processes will catch all vulnerabilities? You know vulnerabilities can appear at any time during the SDLC, so a vulnerability becoming disclosed after QA sign off is not like a wildly unexpected thing, right? Like in 2025 alone, Tomcat embed criticals were identified multiple times... Honestly your entire opinion here on how SDLC and Vuln Management works leads me to believe that you have little to no experience within this realm.
sofixa11@reddit
Please take a look at the list of vulnerabilities. It's not about catching all of them, it's that the majority from Microsoft are embarrassingly bad and should never have gone anywhere near production.
Khue@reddit
It's also not just about the vulnerabilities themselves man. It's about defense in depth. What other mitigations are in place to offset the vulnerabilities? Are there WAFs that address the CVEs? It's about identifying if the vulnerabilities are reachable. It's about evaluating the EPSS scores. What CVSS framework were these vulnerabilities using 3.1? 4.0? It matters. Regardless of your opinion about how "embarrassingly bad" they are, you're one guy on the internet. Thinking that your opinion matters over security experts working at a company like Microsoft is kind of crazy... and again, I am not being an apologist here for Microsoft, my opinion would be the same for any company their size and with a system as complex as Entra.
sofixa11@reddit
One of their latest exploits was anyone being able to become global admin on any tenant, with no protection/ramification being possible, no logs of them doing so, no logs of their actions after doing so.
Again, look up the vulnerabilities and form your decisions, stop trying to buzzword yourself out of them. WAFs don't protect you from your cloud provider's core infrastructure being made with hopes and dreams as security measures.
https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
It took them between a week and 3 weeks to entirely fix this, which is also not great. The vulnerability was them not verifying access token signatures/tenants, which is just absurdly bad.
Khue@reddit
Again, you don't live in reality.
sofixa11@reddit
Did you read the blog post from the person who found that particular vulnerability?
I work at a company that also sells a few security products, and I work with our engineering and our security teams. We're a fraction of the size of Microsoft and seeing our internal security review processes, I cannot imagine anyone even remotely cares or understands anything at Microsoft. None of their shit would have passed an initial review where I work, let alone gotten to production.
Khue@reddit
Bro... From your post:
What is your expectation? A security researcher identified a vulnerability and Microsoft fixed it within days and then continued to review the vulnerability and began mitigating other platforms and services where the actor token spoof could be exploited.
This seems like a pretty decent response to a newly identified and disclosed exploit.
Look at the time line:
The fix was issued in 3 days. What is your expectation? Help me understand what you think the proper time line should be.
sofixa11@reddit
That this kind of vulnerability never makes it to production in the first place. They weren't validating access tokens belong to the tenant that's inside them, which is a stupid thing to miss.
And yes, their resolution on this one was decently quick, 3 days to a patch, 9 days to confirm it's actually been fixed. But on many others they took much more time, and gave only embarrassing bug bounties to boot.
Khue@reddit
It is unrealistic to have an expectation to catch all vulnerabilities. This is why there are professional security researchers (red teamers specifically) that don't work for Microsoft. Furthermore, this isn't a basic validation of an access token, this is a highly specific multiphased attack leveraging two different platforms, Azure AD Graph API (specifically the legacy version that reached end of access in August of last year) and S2S back end systems. The use case for this exploitation is so highly specific that, unless you've seen this attack before, there's no reasonable way someone would have this in their regression test set.
Your expectation on an internal Microsoft team identifying this specific vulnerability is unrealistic. The skill set required to know both the publicly undocumented Access Control Service and Graph API legacy process by which access token validation occurs is so specific that there are maybe a handful of people in the world that would think to attempt this. Dirk was one of these guys.
Again, you have an expectation that is divorced from reality. I think your "Microsoft is shit" bias is overriding your common sense.
sofixa11@reddit
My expectation is that any endpoint receiving an access token would do appropriate validation of that access token.
Did you look at any of the other vulnerabilities?
Azure is shit in security (and reliability, and speed), yes. The rest of Microsoft is no better or worse than any org of their size with their legacy would be expected to be. But Azure is drastically worse than AWS or GCP. They don't have a cross-tenant exploit roughly once a quarter for which they have no logs, and which is due to basic validation failures.
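The comments above (the actor-token post, "not verifying access token signatures/tenants", and "any endpoint receiving an access token would do appropriate validation") describe the checks a resource server must make before trusting a token. As an added example, not code from this thread, from Microsoft, or from the linked blog post, the block below shows those checks in order: pin the algorithm, verify the signature, then verify issuer, audience, expiry and finally that the tenant claim matches the tenant the endpoint serves. It stands in an HS256 shared key for the real RS256/JWKS setup, and every key, tenant id, issuer and audience value is constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demonstration; none of these are real Entra identifiers.
SIGNING_KEY = b"demo-shared-secret-do-not-use-in-production"
EXPECTED_TENANT = "tenant-a-0000"
EXPECTED_AUDIENCE = "api://resource-server"
EXPECTED_ISSUER = "https://idp.example.test/"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the IdP: issue an HS256 token over the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, now=None) -> dict:
    """Resource-server side: signature first, then issuer, audience, expiry, tenant.
    Raises ValueError with the failing check; returns the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own 'alg' must never select how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    # Tenant binding: a validly signed token for some other tenant is still not ours.
    if claims.get("tid") != EXPECTED_TENANT:
        raise ValueError("wrong tenant")
    return claims


def check(token: str, now=None) -> str:
    try:
        validate_token(token, now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the validator over constructed tokens covering the failure modes discussed above."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "tid": EXPECTED_TENANT,
            "sub": "user-123", "exp": now + 600}
    good = mint_token(base)
    # Correctly signed by the IdP, but issued for a different tenant.
    cross_tenant = mint_token({**base, "tid": "tenant-b-1111", "sub": "user-999"})
    expired = mint_token({**base, "exp": now - 1})
    # Payload edited after issuance while keeping the original signature: must fail signature check.
    header_b64, _, sig_b64 = good.split(".")
    edited_payload = _b64url_encode(json.dumps({**base, "roles": ["GlobalAdmin"]}, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{edited_payload}.{sig_b64}"
    return {
        "good": check(good, now),
        "cross_tenant": check(cross_tenant, now),
        "expired": check(expired, now),
        "tampered": check(tampered, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

The ordering matters: the signature is checked before any claim is read, so an edited payload is rejected before its contents can influence anything, and the tenant check sits alongside issuer and audience rather than being left to the calling code.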
Khue@reddit
Again, you don't live within reality and your whole comparison to AWS is based on the fact that no cross tenant vulnerability has been found yet. Your premise is just straight irrational and unrealistic.
sofixa11@reddit
AWS predates Azure by a few years, and is much more widely used. There have been cross-tenant vulnerabilities for it found, just nowhere near the frequency, criticality and absurdity.
Apologies for expecting Azure to not have a critical cross-tenant vulnerability every quarter.
There's an article from 4 years ago about why it's so bad they suck so hard in security: https://www.lastweekinaws.com/blog/azures-terrible-security-posture-comes-home-to-roost/
And nothing has changed, seemingly.
Keep ignoring it, that will surely make Azure take security more seriously
DoogleAss@reddit
This entire conversation can be chalked up to a single statement:
“That’s just like.. your opinion. man!” /s
I think both of you are stuck in your own perspectives. Yes, all companies and products have vulnerabilities and one can’t expect them to all be found in house. Hence why security research exists in the first damn place lmao
Having said that, as the other poster pointed out, this isn’t an exploit some noob researcher is going to find because they started poking around. As stated, this was a complex multiphase vulnerability to exploit.
By your logic every AV company should have fixes for viruses before they even exist ya know because someone should have seen that vulnerability and come up with every possible scenario there in
That logic is flawed.. having said that I don’t disagree that MS can do better but we could say that about every Tech Company on planet earth so
Morkoth-Toronto-CA@reddit
Why haven't I heard of this before? Where is this list of dozens of cve's?
Less exaggeration, more facts please.
sofixa11@reddit
Apparently because you haven't been paying attention.
https://www.lastweekinaws.com/blog/azures_vulnerabilities_are_quack/
From a few years ago, but nothing has changed.
Two recent vulns: https://www.token.security/blog/azures-role-roulette-how-over-privileged-roles-and-api-vulnerabilities-expose-enterprise-networks
https://research.eye.security/consent-and-compromise/
A couple of older ones from Wiz:
https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution
https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases
https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr
Morkoth-Toronto-CA@reddit
Rude much?
demonseed-elite@reddit
If any one of these had any serious exploitability, every ransomware group in the world would be crawling all over Fortune 500 Enterprise systems. Learn some real Cybersec rather than repost junk "sky is falling" sensation garbage.
Spagman_Aus@reddit
“nobody at Azure understands security” ok pal
sofixa11@reddit
How else do you explain the rate of critical cross-tenant CVEs?
jordansrowles@reddit
Apart from you know, twice in October and once in February last year, and at least once every year to keep us on our toes.
turbokid@reddit
It goes down so rarely you can point out specific outages.
Forsythe36@reddit
Also if you’re down so is everyone else lol.
jordansrowles@reddit
It doesn't go down means 100% uptime, almost impossible with any architecture unless you have properly built failovers
Khue@reddit
To be fair, I don't think that was Entra going down but rather Azure Front Door... but your point is still valid.
gihutgishuiruv@reddit
It's been great this year, though! 😁
Khue@reddit
It's wild that there's even documentation for specific SSO integrations that MICROSOFT maintains and keeps up to date. Like there's step by step instructions for integrating SSO for Sendgrid... from Microsoft.
disclosure5@reddit
Nothing is more ridiculous than having Entra already and then going off to spend money on a third party SSO solution, which it itself implemented using a janky sync from the Entra that's already your primary logon. Then you take all the conditional access policies providing your security and make a best effort at reimplementing them in your third party tool. I've seen it in so many places it's absurd.
SR1180@reddit
Ah, the SSO project. It's one of those things that promises to make your life so much better, but the implementation can be a special kind of hell if you don't plan it right. You're smart to ask about the quirks before you dive in.
I've wrestled with both ManageEngine and MiniOrange in the past, and they fit a specific niche, but you need to know what you're getting into.
The Quirks: With ManageEngine, the big one is that it's part of a massive suite. It works great with other ManageEngine products, but it can feel a bit clunky and 'enterprise-legacy' when you're trying to make it play nice with modern, cloud-native apps. Be prepared for a lot of Java-based interfaces and configuration screens that feel like they're from 2010. It works, but it's not slick.
With MiniOrange, the quirk is that it feels like a Swiss Army knife. It has a connector for everything, which is amazing on paper. In practice, some of those connectors are rock-solid, and others feel like they were built by an intern over a weekend. You'll find that for your 10 main apps, it's perfect, but for that one weird app your finance team uses, you'll spend a day in a forum trying to figure out why the SAML assertion is failing.
What to Prioritize (The Real Answer): Don't start with the apps. Start with the directory. Your first and most important integration is with Active Directory / Azure AD. If that sync isn't rock-solid, your entire SSO house is built on sand.
After that, prioritize in this order:
The Pain Points: What are the 5 apps that generate the most password reset tickets for you? Start there. A win on those is an immediate win for your sanity.
The Crown Jewels: Your ERP, your CRM, your financial system. These need to be locked down tight.
The High-Volume Apps: Microsoft 365, Google Workspace, Slack. Get your daily driver apps onboarded.
My advice is to run a proof-of-concept with your top 3 'pain point' apps and your top 2 'crown jewel' apps. If the SSO solution can handle that weird mix smoothly, you're probably good to go.
Ihaveasmallwang@reddit
Entra. Set it up to do pass through authentication from on prem AD where you have the password policies set to prevent reuse. Can also set it up to check leaked credentials lists if you sync password hashes. Works great for password reset too if you enable password write back. Works just as well for on prem users as it does for remote users. Probably has the largest number of integrations out of any of the SSO solutions. Almost every vendor has documentation for setting up SSO with Entra. We are heavily in the Microsoft ecosystem though so that's included with what we already pay for. Your mileage may vary.
The only other real decent choice is Okta but it's not cheap.
I've been managing SSO for years and can count on one hand the amount of times I've seen vendors with actual support for the products you mentioned.
Out of curiosity, were you looking at those because they are cheaper?
orion3311@reddit
Don't use passthru!
Ihaveasmallwang@reddit
Microsoft recommends it to enforce on-premise user account states, password policies, and sign in hours.
This solution fits exactly with OP’s requirements.
greenstarthree@reddit
Picking an SSO solution is the easy part. It’s paying extra for almost every service you want to use it with that’s hard to swallow.
https://sso.tax
cjchico@reddit
Updated list: https://ssotax.org/
DragonsBane80@reddit
They need a layover where it shows those vendors and if they signed the CISA secure by design. Guaranteed non-zero.
WorkLurkerThrowaway@reddit
We need more details on your environment but Entra and Okta are the two big answers depending on what you have going on.
heapsp@reddit
If you are a heavy microsoft shop, entra ID with enterprise applications.
If you are a wide range shop and not everyone uses entra or it's inconsistent, Okta.
Frothyleet@reddit
Yup, you nailed it. Okta is a great platform. Especially a few years back, it was way more feature rich than Entra ID (AAD at the time).
Nowadays, it's still a good product, it just makes little sense if you already have Entra P1/2 licensing.
If you are not a M365 heavy shop, it's an obvious choice for SSO.
progenyofeniac@reddit
This right here. I’ve managed both Entra and Okta. I feel like Okta is flashier and offers more options, but Entra is my 100% recommendation if you’re already a Microsoft shop and in the M365 space.
idle19@reddit
Okta
justmirsk@reddit
If you are looking to combat password resets and account lockouts, etc., I would look at a passwordless authentication solution.
I am an integrator and partner of Secret Double Octopus, we do a lot of passwordless MFA and SSO deployments for them.
There are other options in the passwordless space as well, I believe Secret Double Octopus is the best.
Additional options:
- Microsoft Native (Entra Joined Devices)
- Hypr
- Duo (I really see them as MFA, not passwordless to the desktop)
I don't really run into other competitors other than Hypr and Microsoft, but there are others. My list focuses on vendors that provide passwordless to the desktop AND applications, that is a key distinction. Duo, Okta, and others can all provide passwordless options to SAML/OIDC based web applications, but the legacy apps and desktops are not handled by them as well.
If you are interested in learning more about Secret Double Octopus or passwordless authentication, I am happy to answer any questions you might have. I am not posting our website here as I do not want to violate any rules. This is not meant to be an advertisement.
Somnuszoth@reddit
Okta is definitely a good option for SaaS based a federating to Entra makes things easier to adopt. It can be a stand alone identity provider too. Duo used to be more limited on capabilities and more of an authentication mechanism, but has been greatly improved to become more of an IdP. What is the rest of your IAM stack and what does it look like? Duo feeds into a lot of Cisco and other telemetry but you should really be identifying what your end goal looks like and how to get there before picking the tool.
RichardAtRTS@reddit
You say “SSO” but by the two things you listed, are you actually talking about Desktop MFA?
malikto44@reddit
Like others have said, if you have a Microsoft presence, go Entra. It has its issues; it has its outages, but in general, you can't get fired for going M365.
However I use two SSO systems. One is the one all the users use... i.e. Entra. The other is FreeIPA, which is configured to replicate via multiple on-site machines and a couple offsite, using a different (but linked) cloud tenant. This provides LDAP to all the network devices and iDRAC consoles, and because FreeIPA allows for Google Authenticator to be used as an add-on to the password field, every network device now has 2FA on it, with lockouts for password hammering, and excellent logging. The Linux systems can use both Entra and FreeIPA, but sudo is only configured to work with some FreeIPA users. This is useful, especially if something takes out Entra, or there is a network issue that blocks connectivity.
dustojnikhummer@reddit
You are probably already using Entra or Google Workspace, so why not that?
kaiserh808@reddit
You’re most likely already a Google or Microsoft customer, so look into their SSO offerings to see which of your other services will tie in with what you’ve already got. If your preferred first-party solution is lacking, then have a look at Okta.
SystemGardener@reddit
If you have Entra why not just use the built in offering. It’s incredibly easy to set up and manage.
ReputationNo8889@reddit
As others have said, it depends on your exact requirements. If you have Microsoft Licenses, use Entra. If you want something "Simple" and open source, check out Authentik. If you don't want to self host and want Multi Tenant support then Zitadel can be an option. As to "Integration", what are you looking for exactly? Any IDP that provides OIDC/SAML auth should be able to integrate with any platform that supports it.
Please tell us what you need exactly, then one can try to recommend something.
hitman133295@reddit
Okta is a really good choice if you need to leverage API and lots of automation in the future.
uvblue@reddit
Get your requirements in order and be specific about it. Start with your resource mapping (budget, personnel, dev/integration/support capacity, and time frame). Some solutions will be security focused (e.g. keycloak), others will be integrability-at-any-cost (authentik is good), some are compliance focused, and many (if not all) commercial ones are support / SLA / ROI driven (at a premium). The range goes all the way from building-your-own (usually a bad idea) to complete outsourcing of your identity management operations (also, usually a bad idea).
iNteg@reddit
OnPrem? SaaS tooling? All depends on your use case outside of the 1000 computers/users.
If you're Windows, and local devices, Active Directory, or Entra. If you're a mix and SaaS heavy, Okta potentially. I haven't worked with ManageEngine for many things outside of some AD stuff a few years ago, but I use Okta currently in a mostly cloud environment for SSO, and it works really well.
But if you're mostly worried about Password reuse/resets then whatever you need to do for SSO and having good password reset policies AND a self-service option would help a lot.
brownhotdogwater@reddit
What? You want an idp? Federation of on prem?