Cloud-Based Single Sign-On Tools
One solution is to use a cloud-based single sign-on service. What services like OneLogin and Okta do is become the authentication provider for a cloud application like Salesforce.com. The cloud single sign-on service then links to Active Directory. From that point on, users can log in to the cloud application using their Active Directory username and password – the security of which is governed by whatever password policies are imposed on Active Directory passwords.
These services also allow companies to subscribe to a cloud service and enable multiple users to access it. This is done by tying each user’s Active Directory logon to the corporate username and password for the service. This offers the added benefit of keeping individual users from knowing the underlying username and password. That means they can never divulge it to a third party, and if they leave the company their access to the cloud service is terminated as soon as their Active Directory account is deleted.
Source: eSecurityPlanet