Corporate Single Sign-on (SSO)

As companies of all sizes continue rapid adoption of Cloud-based services, they face increased challenges in securing employee access to these externally hosted applications. AssureBridge IDM 360™ is a perfect solution to enable employees to seamlessly and securely access hundreds of popular Cloud services, including Workday, SalesForce, ServiceNow, WebEx, Office 365, Concur, UltiPro, Taleo, DocuSign, WageWorks, Google Apps, Jobvite, Box.net, Dropbox, and many others.

There are a number of critical challenges and hurdles that companies wishing to allow corporate employees access to external services are required to overcome:

  • Credential proliferation presents serious security breach risks. Employees must use their corporate credentials to securely access online services.
  • Companies are required to comply with a variety of access control and employee termination policies and regulations.
  • Ensure that IDM infrastructure is hosted within the corporate network, the company is in full control of the employee data, and credentials never leave the company’s network.
  • Support multiple forms of authentication including Active Directory/LDAP, IWA, Database, OAuth/OpenIDConnect, and enforce multi-factor authentication as required.
  • Deal with disparate employee credentials stored on multiple systems in multiple formats. Aggregate data from different sources to construct employee profiles.
  • Need to recruit and retain experienced staff with specialized Identity Management knowledge including SAML, OAuth, OpenIDConnect, LDAP, PKI, etc.
  • Ensure that SSO and data sync infrastructure is robust to support mission critical requirements.

Corporate SSO

The following describes how the AssureBridge IDM 360™ platform helps address these challenges and delivers solid benefits faster, better, and in a cost-effective fashion.

Security and Compliance

Multiple sets of credentials that corporate employees use to access external services not only make it inconvenient to use the services, but also significantly increase the risk of security breaches. Additionally, it is hard to enforce the same strong corporate password and access policies on each service, often because functionality such as mandatory password expiration and multi-factor authentication is not available. Consistently enforcing the same security policies on external application access is increasingly becoming a compliance requirement for many organizations across a wide variety of industries.

The IDM 360™ Single Sign-On service allows companies to quickly and reliably connect with many externally hosted services using standard protocols such as SAML 2.0, thus easily meeting the compliance requirement of using a single set of corporate credentials for access. Using SAML-based SSO also ensures that companies will comply with strict employee termination requirements. Once users are de-provisioned in the corporate directory, they will no longer be able to access externally hosted corporate services or internal applications, because the login that the SSO transaction requires to complete will fail.

The IDM 360™ IDP Integration platform allows companies to enforce a number of configurable rules and policies to ensure that employee access is secure and compliant with regulations such as SOX, HIPAA, PCI, etc. For example, based on a number of conditions, such as an employee accessing a service dealing with sensitive HR information from outside the corporate network, a second authentication factor can be applied. Other examples of security policies that can be applied include:

  • Maximum invalid logon attempts – the system will not allow login after a given number of invalid login attempts and may lock the account
  • Forced authentication – require users to enter their credentials regardless of previous successful logins
  • Access control – even if a user’s credentials are properly validated, certain groups of users may still be denied access to a particular service

IDM 360™ Identity Provider Integration Nexus (IDP-x) offers powerful and flexible support for adding Multi-Factor Authentication to your users’ login experience. We support integration with all popular MFA/2FA solutions including Duo, Google Authenticator, SafeNet, Entrust, and others. Additionally, IDM 360™ IDP-x provides support for a number of out-of-the-box MFA solutions:

  • One-time Tokens (OTP)
  • Security Questions
  • Custom pluggable MFA service
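The policy rules described above (lockout after too many invalid attempts, forced authentication, group-based denial, and a conditional second factor for sensitive services reached from outside the corporate network) can be illustrated as a single policy decision function. This is an added example, not AssureBridge code; the network range, attempt limit, service names and group names are constructed values for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy values for this example (not product defaults).
CORPORATE_NETWORK = ip_network("10.0.0.0/8")
MAX_INVALID_ATTEMPTS = 5
SENSITIVE_SERVICES = {"workday"}               # services handling HR data
DENIED_GROUPS = {"workday": {"contractors"}}   # service -> groups denied access
FORCED_AUTH_SERVICES = {"docusign"}            # always re-prompt for credentials


@dataclass
class LoginContext:
    user: str
    groups: set
    service: str
    source_ip: str
    invalid_attempts: int = 0        # consecutive failures recorded so far
    credentials_valid: bool = False  # primary factor was presented and verified now
    has_sso_session: bool = False    # an earlier successful login exists


def evaluate_policy(ctx: LoginContext) -> str:
    """Return one of: lockout, reauthenticate, deny, require_mfa, allow."""
    # 1. Maximum invalid logon attempts: checked first so that a locked
    #    account cannot be used to probe the remaining rules.
    if ctx.invalid_attempts >= MAX_INVALID_ATTEMPTS:
        return "lockout"
    # 2. Forced authentication: an existing SSO session is not enough here.
    if ctx.service in FORCED_AUTH_SERVICES and not ctx.credentials_valid:
        return "reauthenticate"
    # Otherwise either fresh credentials or an existing session is required.
    if not ctx.credentials_valid and not ctx.has_sso_session:
        return "reauthenticate"
    # 3. Access control: valid credentials do not imply entitlement to every service.
    if ctx.groups & DENIED_GROUPS.get(ctx.service, set()):
        return "deny"
    # 4. Conditional second factor: sensitive service from outside the network.
    if ctx.service in SENSITIVE_SERVICES and ip_address(ctx.source_ip) not in CORPORATE_NETWORK:
        return "require_mfa"
    return "allow"
```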

User access to external and internal systems is often subject to audit and compliance requirements. Specifically, knowing what service an employee accessed, when, how, and from where is important to track and store for subsequent evidence and audit reporting. The IDM 360™ Identity Provider Integration Nexus tracks and audit-logs every user interaction, recording a detailed profile that includes the target service, type of device, location, number of attempts, result, and many other data points.

Hosting and Costs

Infrastructure hosting and the location of IDM components play a major role in ensuring the overall security and compliance of Identity Management solutions. Although many companies are comfortable with using Cloud-based Identity Management solutions, some prefer, and often mandate, that the IDM infrastructure is hosted on the corporate network and that the company is in full control of the employee data. Additionally, they require that credentials, e.g. usernames and passwords, never leave the company’s premises or are shared with third parties.

IDM 360™ platform offers a dual deployment model to address these challenges:

  • AssureBridge offers a robust mission-critical Cloud-based infrastructure, which is securely hosted and managed by our expert staff
  • AssureBridge offers an option of a fully-managed virtual appliance that is deployed and managed within the customer’s corporate network

The on-premise hosting option is critical to those companies that are looking to enjoy an on-premise solution with all the key benefits of a SaaS-hosted application.

We also offer a flexible hybrid hosting model where certain components, for example the IDM 360™ Identity Provider Integration Nexus, are hosted on-premise, while others, e.g. the IDM 360™ SAMLConnect SSO Service, are hosted in the Cloud. You can learn more about our All-In-One deployment solution here.

IDM costs, both initial deployment costs and the on-going support costs, are an important factor when selecting an IDM solution. Often, especially if your company has many employees and plans to connect to many services over time, per user pricing models make it hard to predict and control costs.

AssureBridge offers a straightforward and easy to understand subscription pricing model. The key highlights of our IDM 360™ pricing:

  • Allows for unlimited users and unlimited transactions
  • Annual subscription, so there is no need for a significant capital investment to get going
  • We price our SSO services per number of external services with which we integrate
  • We offer step pricing models which make it more cost effective and easy to implement additional application connections

To get more information on the pricing and to receive an estimate for your specific implementation please contact us.

Multiple Directories and Authentication Sources

Authenticating employees against a single corporate Active Directory or LDAP and signing them in via SAML to an external application is relatively straightforward. The architecture becomes considerably more intricate when you need to provide employee access to the same corporate service (e.g. Workday or SalesForce), but your employee accounts are not all stored in the same central corporate directory. Here are a few examples of these scenarios:

  • Company has employee accounts scattered across multiple directories, often due to past acquisitions, account type partitioning (employees vs. contractors), or regulatory considerations.
  • Company has multiple geographical locations, each with its own separately managed directory.
  • Company has a number of subsidiaries, each with an independently owned directory or an external authentication service (e.g. Google Apps).

If you are in any of the above situations, our IDM 360™ Identity Provider Integration Nexus™ is a perfect solution! The IDP-x™ platform provides support for validating employee credentials against various authentication sources, e.g. LDAP, AD, Integrated Windows Authentication (IWA), Database, and services, e.g. Web Services, Google Apps, Remote SAML, OAuth, or OpenIDConnect Identity Provider, simultaneously. IDP-x™ supports a number of powerful and flexible rules and policies to determine how to route employee authentication requests.

When dealing with SSO partners, additional challenges usually arise, specifically when the partners demand that the user identity and attributes are presented in a particular format. The issue of identity mapping is complex, especially when employee credentials are stored on multiple systems in a variety of formats, e.g. in an LDAP directory and in a relational database. In addition to the user identity, SSO trust often relies on the Identity Provider supplying a correct set of attributes or claims to the respective Service Provider application. These attributes, as a whole, represent a complete employee profile for a specific target online service. The IDP-x™ platform offers a number of features to address these requirements:

  • User identity mapping is flexible and customizable for each target service
  • User attributes/claims can be aggregated and enriched from disparate sources, including directories, databases, and remote services, to construct a complete employee profile
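As an added illustration of per-service identity mapping and attribute aggregation (not AssureBridge code), the following merges a constructed LDAP entry and a constructed HR database row into one employee profile, then produces the NameID and attribute set that each target Service Provider expects. The service profile table and attribute names are hypothetical, not any vendor's actual SAML metadata.

```python
# Constructed sample records standing in for an LDAP entry and an HR database row.
LDAP_ENTRY = {"uid": "jdoe", "mail": "jdoe@example.com", "cn": "Jane Doe",
              "memberOf": ["cn=finance,ou=groups,dc=example,dc=com"]}
HR_ROW = {"employee_id": "E10042", "department": "Finance",
          "manager_email": "boss@example.com"}

# Per-service mapping (hypothetical): which source field becomes the SAML NameID
# and how each attribute is named in the assertion sent to that Service Provider.
SERVICE_PROFILES = {
    "workday": {"name_id": ("hr", "employee_id"),
                "attributes": {"Email": ("ldap", "mail"), "Dept": ("hr", "department")}},
    "salesforce": {"name_id": ("ldap", "mail"),
                   "attributes": {"FirstName": ("derived", "first_name"),
                                  "LastName": ("derived", "last_name"),
                                  "Groups": ("derived", "group_names")}},
}


def aggregate(ldap_entry, hr_row):
    """Merge the sources into one profile and add a few derived values."""
    first, _, last = ldap_entry["cn"].partition(" ")
    # Reduce group DNs (cn=finance,ou=groups,...) to their short names.
    group_names = [dn.split(",")[0].split("=", 1)[1] for dn in ldap_entry["memberOf"]]
    return {"ldap": ldap_entry, "hr": hr_row,
            "derived": {"first_name": first, "last_name": last, "group_names": group_names}}


def build_claims(profile, service):
    """Produce the NameID and attributes the given Service Provider expects.

    A missing required attribute is an error, not a silent omission: an
    assertion with incomplete claims would be rejected or misrouted by the SP.
    """
    spec = SERVICE_PROFILES[service]
    src, key = spec["name_id"]
    claims = {"NameID": profile[src][key], "Attributes": {}}
    for attr_name, (src, key) in spec["attributes"].items():
        if key not in profile[src]:
            raise KeyError(f"required attribute {attr_name} missing from source {src}")
        claims["Attributes"][attr_name] = profile[src][key]
    return claims
```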

In addition to regular desktop-based access, many online services offer a mobile interface, either via a native mobile application or via a mobile-friendly Web application. This requires companies to provide employees using mobile access with an easy and secure SSO login experience. The IDP-x™ and the MobileConnect™ products enable companies to meet these requirements. The following are key benefits delivered by the solution:

  • Provides uniform user authentication across Web and Mobile applications
  • Leverages AssureBridge SmartToken™ technology to produce highly secure long-lived mobile SSO tokens
  • Leverages leading industry security and SSO standards including OAuth, SAML and OpenIDConnect
  • Serves as a protocol bridge offering single OAuth entry point for mobile apps regardless of back-end SSO protocol
  • Provides adapters and services to shield developers from the complexity of SSO integration
  • Provides operational facilities including secure token management, revocation, and usage reporting

For more information on our Mobility support visit here.

Time-to-market

Single Sign-On and Identity Management integration project efforts, both in terms of the initial investment and the on-going support, are notoriously underestimated and many complexities are easily overlooked. Companies often find themselves under the gun to deliver these solutions quickly to meet hard deadlines. AssureBridge RapidStep™ On-boarding is an innovative program that allows companies to achieve successful SSO integration in just a few days. Whether you choose our Cloud services or our On-Premise virtual appliance option, the rollout is quick and painless. Here are some of the features of our platform that allow us to achieve a record fast time-to-market:

  • Test harnesses and sample applications are available to substitute for partner applications that are not yet ready for integration.
  • Strong Identity Management and SSO integration expertise.
  • Full-service offering for setup and configuration of SSO connections.
  • State-of-the-art configuration management tools.
  • Detailed SSO tracing that helps identify connectivity and protocol issues quickly and efficiently.

As we do numerous integration projects with customers we accumulate highly valuable know-how that you will benefit from. Our extensive experience integrating with popular online services helps us overcome implementation hurdles and complete the SSO integrations rapidly. We are already pre-integrated with numerous popular online services including:

  • Workday
  • SalesForce
  • DocuSign
  • WageWorks
  • Service-Now
  • WebEx
  • Office 365
  • UltiPro
  • Jobvite
  • Concur
  • Google Apps
  • OverDrive
  • Taleo
  • CVent
  • Mzinga
  • Lynda
  • Box.net
  • Dropbox

To successfully deliver IDM projects companies are constantly required to recruit and retain experienced staff with highly specialized skills including SAML 2.0, LDAP, PKI, OAuth, OpenIDConnect, and many others. With our unique full-service offering companies are now able to supplement their development, engineering, and operations staff with AssureBridge experts who are well versed in these complex technologies and will help ensure that the projects are completed and delivered on-time. On-going support of our platform helps ensure continuity of the mission-critical IDM services and knowledge management.

In addition to connecting to externally hosted online services, companies often look to leverage the same Identity Management platform to integrate with internally hosted applications, both vendor and in-house developed ones. These applications are written in a variety of programming languages and are typically limited in their support of standard SSO protocols, like SAML 2.0. The AssureBridge IDM 360™ Single Sign-On platform provides a number of lightweight, easy-to-use SSO adapters that allow developers to quickly incorporate advanced SSO functionality into their applications without needing to know the intricate details of complex SSO standards and protocols. We provide integration adapters for all popular programming languages including:

  • Java
  • .NET/C#
  • Perl
  • Python
  • PHP
  • Ruby

Reliability

Reliability is a very important concern when delivering enterprise Identity Management solutions. The main reason is that IDM components are typically on the critical path of key application interactions, for example:

  • User form-based login to access an application
  • User account lookup in a directory
  • User data synchronization between two sources
  • User mobile application access

The IDM 360™ platform provides a number of features to deliver the highest degree of robustness and high-availability to ensure that your mission-critical applications are protected from faults and errors:

  • All systems are deployed in highly available clustered configurations
  • We deploy our systems in a “share-nothing, n+1” fashion eliminating single points of failure
  • We are able to upgrade and maintain our systems without affecting user services
  • We provide a variety of monitoring for all our components to ensure proactive response and maximum service uptime

Data Synchronization

Adopting online corporate services for employees presents companies with a challenge of how to keep the data synchronized among multiple data sources. The data sources include:

  • Corporate directory (AD or LDAP) that is either considered the system of record for the employee profile data or needs to be synchronized with another system, e.g. an in-house Human Resources (HR) system like PeopleSoft or an external HR system like Workday or UltiPro.
  • Corporate HR system, either hosted internally or accessed via an online service. Often the HR system serves as the system of record for the employee data and events such as on-boarding, termination, personal information changes need to be reflected in other data sources, both internal and external.
  • Other online services, which have their own data stores and need to be kept in sync with the corporate system of record. These may include applications hosted in-house as well as numerous externally hosted online applications, e.g. SalesForce, WebEx, ServiceNow, and many others.

Preventing terminated employees from gaining access to the company’s corporate systems is handled by the IDM 360™ Single Sign-On platform. Meeting a regulatory requirement that all terminated employees’ data is quickly and reliably removed from all services that the employees had access to is often a daunting task. The IDM 360™ SyncFire platform is a perfect solution to automate this important task and make sure that you are always in compliance and your data is consistent across all corporate systems.

IDM 360™ Corporate Single Sign-On and Data Sync

Powerful platform that allows quick and secure implementation of SSO solutions, hosted on-premise or in the cloud.