There are a few points I thought it would be useful to expand on.

1. myOneLogin supports apps that dont provide federation. We manage ids and passwords for these sites. Many of our customers give their users a myOneLogin account configured to never let them see the user ID and password that is being supplied to their apps. Among the many benefits of this approach is that it eliminates account/pw sharing. Of course this approach isnt necessary if the web app supports SAML.

2. As you point out, we provide three factors, a confidence image, a browser cookie or certificate that provide 'clientless' mutual strong authentication , and the VIP mobile token. Customers can rely on our clientless methods on machines they work from regularly, while using the VIP mobile factor when roaming e.g. from public machines.

3. Internal apps that are already accessible through an SSL VPN are easy to include in a users myOneLogin portal. Juniper's SSL VPN support for SAML makes it easy for myOneLogin to provide secure access to external and internal apps.

4. myOneLogin can validate users against internal user stores (e.g. AD, LDAP) with our Directory Services Proxy (DSP) module. This module can also be used by an enterprise to generate and consume SAML – which relieves the enterprise or (service provider) from the effort necessary to implement their own SAML support..

Jon