IDAPTIVE.COM WHITE PAPER TOP TEN CONSIDERATIONS When Choosing a Modern Single Sign-On Solution


Table of Contents

©2020 Idaptive. All Rights Reserved. idaptive.com

3 Introduction

4 Versatile Directory Integration Services

6 Self-Service Capabilities
6 Self-Service Password Reset and Self-Service Account Unlock
7 Self-Service Access Requests
7 Self-Service Application Onboarding

7 VPN-less Access and SSO to On-premise Applications

8 Comprehensive Protocol, API and Widget Support

9 Application Catalog and Wizard-driven Application Onboarding

10 Partner Federation and Identity Proxying (Chaining)

12 Application Access Governance

13 Adaptive Single Sign-On

13 Mobile Experience

14 Availability, Scalability, and Performance

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of IDaptive, LLC.

Idaptive may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Idaptive, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.


Introduction

The adoption of cloud and hybrid infrastructure, the increasing number and variety of apps, and the proliferation of the remote workforce are forcing companies to abandon traditional, perimeter-based security approaches. Instead, companies now embrace the "Zero Trust" based security strategy with identity at its core.

The concept of Zero Trust is based on the principle of maintaining strict access controls for every person or system, regardless of whether they are within or outside of the network perimeter. The Zero Trust approach to access ensures that every user is verified, their device validated, and their access is intelligently limited using the principle of least privilege. Consequently, Single Sign-On (SSO) and Access Management are foundational to Zero Trust and identity management.

Since identity is the only true perimeter, user credentials are now one of the main targets for cybercriminals. According to the 2019 Verizon Data Breach Investigations Report [1], 80% of hacking-related breaches still involve compromised and weak credentials, with 29% of all breaches, regardless of attack type, involving the use of stolen credentials. Despite these figures and the ever-increasing cost of security breaches, companies continue to leverage passwords to secure user credentials. According to estimates from Microsoft [2], there are over 300,000,000 fraudulent daily sign-in attempts to Microsoft services, and 53% of all users have not changed their passwords in the past 12 months [3]. Poor identity management practices and compromised passwords rapidly erode trust in the organizations' digital transformation initiatives and expose companies to unnecessary risk.

[1] 2019 Data Breach Investigations Report by Verizon.

[2] "One simple action you can take to prevent 99.9 percent of attacks on your accounts" blog by Melanie Maynes; Microsoft.

[3] Psychology of Passwords: Neglect is Helping Hackers Win. 2018 report by LastPass by LogMeIn.


Overreliance on passwords negatively impacts end-user productivity as well. The typical employee user loses about 12.6 minutes per week [4] entering or resetting passwords. For an organization with 48 work weeks in a year, this can translate into $284 per employee lost annually on passwords, assuming an average wage of $28.44/hour in the United States [5]. In addition, the average number of helpdesk calls a typical employee makes in an organization is about 21 [6]. About 30% of those calls are related to passwords [7]. At the average cost of $70 per helpdesk call, this could translate into an annual helpdesk cost of $441 per employee.

Single sign-on enables organizations to eliminate password sprawl, implement more robust credential controls, and use a single secure identity for all the organization's applications, endpoints, and resources. This not only helps increase user productivity and improve user experience but also helps reduce helpdesk costs and IT burden.

However, not all SSO solutions are created equal, and choosing the right one can be a challenging process. This white paper discusses the top ten considerations that will help you to select the best SSO for your organization.

Versatile Directory Integration Services

One of the most important considerations for a modern single sign-on solution is its versatility in integrating with the organization's existing directory service that serves as the authoritative source of all user identities. Many organizations, especially larger, more established enterprises, often require complex user directory structures. For organizations that use Microsoft Active Directory (AD), these can involve multiple domains and forests, with each domain having dozens of, if not more, organizational units (OU) and hundreds of groups. In some cases, these organizations have been formed through mergers and acquisitions, adding further complexity to their environment. In such cases, consolidating all the user identities across the enterprise into a new directory can be a multi-year project by itself.

Any SSO solution that recommends and necessitates this type of consolidation before its implementation not only risks the project itself but can also cause considerable hardship and overhead across the entire IT department. So, choosing an SSO solution that enables organizations to decide where they want to store and manage their authoritative source of identities is advisable. In other words, a good SSO solution will seamlessly integrate with the organization's Active Directory domains and forests, Lightweight Directory Access Protocol (LDAP) compliant directories, as well as other connected user directories.

[4] 2019 State of Password and Authentication Security Behaviors Report, conducted by the Ponemon Institute.

[5] US Bureau of Labor Statistics, Jan 2020.

[6] META Group research conducted on behalf of PricewaterhouseCoopers.

[7] META Group research conducted on behalf of PricewaterhouseCoopers.


Additionally, a robust SSO solution should provide its own Directory Service that has customizable schemas for users and other types of identities, such as computers and servers. It is crucial that this service allows an organization to extend its existing AD schema with more attributes without needing to modify the schema in their AD. A stand-alone Directory Service is particularly important for organizations with diverse sets of end-users. For example, an organization may want to separate partner, contractor, and consumer identities from the employee identities and store them in a separate, highly scalable directory independent from the organization's core employee authoritative directory.

Lastly, another key consideration of an SSO solution is the ability to present a Virtual Directory Interface to any application. Virtual Directories can dynamically link together disparate identities across several authoritative directories and perform User Disambiguation to resolve them into a single master identity. User Disambiguation refers to the ability to search through multiple user directories that may have an identical user identifier (e.g., username) and choose the identity from the right directory that matches the credentials supplied by the end-user.
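As an added illustration of the User Disambiguation step described above (example code written for this page, not Idaptive's implementation), the following Python searches every connected directory for the supplied username and accepts the identity only from the one directory whose stored credential verifies. DIRECTORIES, the record layout and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for several authoritative directories (AD, partner LDAP,
# ...). Each maps username -> record holding a salted PBKDF2 password hash.
# Iteration count kept low so the example runs quickly; production uses more.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password: str, **attrs) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), **attrs}


DIRECTORIES: Dict[str, Dict[str, dict]] = {
    "corp-ad": {
        "jsmith": make_record("Employee-pw-1", display="Jane Smith", dept="Finance"),
        "rlee": make_record("Employee-pw-2", display="Robert Lee", dept="Eng"),
    },
    # Same username, different person, different credential.
    "partner-ldap": {
        "jsmith": make_record("Partner-pw-1", display="John Smith", org="AcmePartner"),
    },
}


def verify_record(record: dict, password: str) -> bool:
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(record["pw_hash"], candidate)


def disambiguate(username: str, password: str,
                 directories: Dict[str, Dict[str, dict]] = DIRECTORIES
                 ) -> Optional[Tuple[str, dict]]:
    """Search every directory for `username`, verify the supplied password
    against each candidate, and return (directory_name, record) only when
    exactly one directory's entry matches. Returns None when nothing matches
    or when the match is ambiguous (two directories accept the credential).
    All directories are checked even after a hit, so the result does not
    depend on search order."""
    matches = []
    for dir_name, entries in directories.items():
        record = entries.get(username)
        if record is not None and verify_record(record, password):
            matches.append((dir_name, record))
    if len(matches) != 1:
        return None
    return matches[0]


def resolve_master_identity(username: str, password: str,
                            directories: Dict[str, Dict[str, dict]] = DIRECTORIES
                            ) -> Optional[dict]:
    """Virtual-directory style view: the resolved attributes plus the source
    directory, with credential material stripped."""
    match = disambiguate(username, password, directories)
    if match is None:
        return None
    dir_name, record = match
    attrs = {k: v for k, v in record.items() if k not in ("salt", "pw_hash")}
    return {"username": username, "source": dir_name, **attrs}
```

The two design points that matter in a real implementation are visible here: every candidate directory is checked even after a hit, so an identical username whose password happens to verify in two directories is reported as ambiguous rather than silently resolved to whichever directory was searched first, and the hash comparison is constant-time.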

[Figure: directory integration. Sources linked by the SSO service: Active Directory, LDAP Directory, Federated Directory, Cloud Directory, Social Directories, 3rd Party Cloud Directories, Cloud Applications, HR Applications]


Self-Service Capabilities

Self-Service Password Reset and Self-Service Account Unlock

Helpdesk requests for password resets and account unlocks not only negatively impact end-user productivity but also increase the overall helpdesk costs substantially. Consequently, a leading SSO solution must include capabilities that enable end-users to reset their passwords and unlock their accounts without the need to make helpdesk calls.

The critical thing to be on the lookout for when evaluating self-service capabilities is the ability for end-users to reset passwords or unlock accounts without the need to first log in to a computer to get access to the self-service tools. In other words, it is not reasonable to expect your users to log in to their work computer with their forgotten AD password or into a locked AD account to use self-service tools. Instead, the self-service tools need to be available at the login screen or through a cloud interface that can be accessed from anywhere. When selecting an SSO solution, choose one that acts as a credential provider for Windows (or includes a pluggable authentication module for Mac) and enables end-users to perform self-service actions on desktops as well as mobile devices.

The other key aspect of self-service password reset and account unlock is related to adding an appropriate level of authentication assurance. Meaning, the SSO solution should have the ability to verify the user identity using authentication factors other than the user's password prior to allowing the self-service action. To that end, choose an SSO solution that has built-in Multi-Factor Authentication (MFA) capabilities for self-service password reset and account unlock, or one that seamlessly integrates with your existing MFA vendor for the same.


[Figure: self-service flow. An Employee User performs Account Unlock or Password Reset through Self Service against Active Directory or an LDAP Directory; the Help Desk User is shown as the traditional alternative path]


Self-Service Access Requests

Employees within an organization are often on the move, changing departments, expanding on their roles and responsibilities, and getting promoted. Events like these often result in employees needing access to new applications and resources. Traditionally, this meant that employees had to submit helpdesk requests to get access. The helpdesk would then provision access to new applications upon the IT administrator's or the employee manager's approval.

Leading SSO solutions should incorporate this access request workflow and enable end-users to gain access to apps without helpdesk support. Therefore, when selecting your SSO solution, spend some time evaluating the application access request capability. The solution should include a searchable application catalog, the ability for end-users to easily request access, and a flexible back-end approval workflow. This workflow may, for instance, notify the employee's management chain, an application administrator, or a group of users to review the request and, if legitimate, approve it directly in the SSO portal or a mobile app.

Self-Service Application Onboarding

In times when the IT teams are overwhelmed, finding resources to enable SSO for new applications can be challenging, so apps with a smaller user base get de-prioritized. To save time, power users of these apps often reuse other application credentials, thereby exposing companies to additional risk. The more applications that are not integrated with SSO, the higher the risk. Modern SSO solutions should, therefore, provide the capability to auto-capture the passwords entered into applications and auto-fill them at a later time. In this way, end-users can create a complex and unique password for each of the non-integrated apps and leverage the SSO solution for the seamless login experience.

VPN-less Access and SSO to On-premise Applications

As organizations migrate their workloads to the cloud, some of the key applications remain hosted in local, on-premises data centers. Concerns over security, application availability, and compliance are some of the main reasons why CIOs choose to keep applications in-house. Employees need to access these on-premises applications in the same way they access cloud-based apps – seamlessly, from any device, and at any time – to stay productive. Traditionally, IT leveraged Virtual Private Networks (VPNs) to provide employees remote access to resources hosted on-premises. However, providing users access to the VPN, when all the user needs is to access an application running within the on-premise data center, amounts to giving the user the keys to the kingdom. Once users are authenticated and connected to a VPN, they can theoretically access any resource on the entire network, limited only by policies already in place at the authentication and authorization step. In other words, VPN enables "all-or-nothing" access. A better way to control access to on-prem apps is through an application or a reverse proxy capability. With reverse proxies, you can provide users app-specific access based on their roles and further secure on-prem resources with multi-factor authentication.

The other aspect of this requirement is related to the ability to proxy the user's identity to the application, which allows you to integrate the on-premises apps with SSO solutions. Many on-prem and legacy applications do not support modern SSO protocols like SAML, OpenID Connect, WS-Trust, and others. Instead, they support basic authentication methods, such as form-based authentication, HTTP header-based authentication (e.g., remote_user, X-Forwarded-For headers), username and password replay, and the like. Consequently, leading SSO solutions should be able to support the variety of authentication methods mentioned above to ensure that you can set up SSO with your on-prem applications.
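To make the reverse-proxy and header-based pattern from the two paragraphs above concrete from the defender's side, here is an added example (written for this page, not Idaptive's connector code) of the decision logic such a proxy runs before forwarding a request to a legacy app that trusts a remote_user-style header. SESSION_STORE, APP_POLICY and the sso_session cookie are constructed assumptions. The property it demonstrates is that identity headers arriving from the client are discarded and set only from the proxy's own authenticated session, after an app-specific role and MFA check.

```python
from typing import Optional, Tuple

# Header names the legacy application treats as authoritative identity.
# Whatever a client sends under these names is dropped before the proxy
# sets its own values (compared case-insensitively).
IDENTITY_HEADERS = {"remote_user", "x-forwarded-user", "x-forwarded-groups"}

# Constructed: sessions the proxy established after primary authentication,
# recording whether a second factor was completed.
SESSION_STORE = {
    "sess-7f3a": {"user": "jsmith", "roles": {"finance", "staff"}, "mfa": True},
    "sess-91c0": {"user": "rlee", "roles": {"staff"}, "mfa": False},
    "sess-2b44": {"user": "mchen", "roles": {"finance"}, "mfa": False},
}

# Constructed per-application policy: required roles (empty set = any
# authenticated user) and whether MFA must have been completed.
APP_POLICY = {
    "/payroll": {"roles": {"finance"}, "mfa": True},
    "/wiki": {"roles": set(), "mfa": False},
}


def app_for_path(path: str) -> Optional[str]:
    """Map a request path to the application prefix it belongs to."""
    for prefix in APP_POLICY:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None


def build_upstream_request(path: str, headers: dict, cookies: dict
                           ) -> Tuple[int, Optional[dict]]:
    """Return (status, headers_to_send_upstream). Any status other than 200
    means the proxy answers the client itself and never forwards the request
    to the on-prem application."""
    # 1. Strip client-supplied identity headers regardless of letter case.
    clean = {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}

    # 2. Resolve the proxy's own session; no session means not authenticated.
    session = SESSION_STORE.get(cookies.get("sso_session", ""))
    if session is None:
        return 401, None

    # 3. App-specific access: unknown app, role check, then MFA requirement.
    app = app_for_path(path)
    if app is None:
        return 404, None
    policy = APP_POLICY[app]
    if policy["roles"] and not policy["roles"] & session["roles"]:
        return 403, None
    if policy["mfa"] and not session["mfa"]:
        return 401, None  # caller would trigger step-up MFA at this point

    # 4. Inject identity derived only from the trusted session.
    clean["REMOTE_USER"] = session["user"]
    clean["X-Forwarded-User"] = session["user"]
    clean["X-Forwarded-Groups"] = ",".join(sorted(session["roles"]))
    return 200, clean
```

The ordering is deliberate: stripping happens before any branch that could return early, so no code path can forward a client-chosen identity, and the role and MFA checks happen per application rather than once at VPN connect time, which is the "app-specific access" the paper contrasts with all-or-nothing VPN access.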

Comprehensive Protocol, API and Widget Support

Most enterprises today have a mix of cloud and on-premises applications. These applications often leverage a range of protocols related to authentication and SSO. For example, modern cloud and on-premises applications can support standards such as Security Assertion Markup Language (SAML v1.0, 1.1, 2.0), OpenID Connect (OIDC), OAuth v2.0, and WS-Federation. Legacy applications, on the other hand, may only support basic or form-based authentication, which allows an identity provider to supply the username and (protected) password to the app via a form. Header-based authentication is yet another way for applications to receive information about a user from trusted identity providers and enable SSO. A leading SSO solution, therefore, needs to support all the protocols and methods mentioned above.

It could be the case that applications in your environment support none of the modern or traditional authentication methods. Your SSO solution would then need to have a secure, encrypted password vault and a browser extension to support SSO for these types of apps. The browser extension, an add-on that you install in your web browser, captures user credentials, stores them in the vault, and injects them into the username and password fields or forms to log users into applications automatically.


[Figure: an Idaptive Connector on a Windows Server brokers HTTP/HTTPS access from Employees and Contractors, through the Idaptive Next-Gen Access Cloud, to Internal Web Applications]


Lastly, custom-built applications can be designed to authenticate against an identity provider by receiving an authenticated user token. These tokens frequently adhere to specifications mentioned in the SAML, OIDC, OAuth, or WS-Trust standards. The SSO solution must provide easily consumable APIs to integrate these custom-built applications. In addition, well-documented APIs greatly simplify and accelerate app development. Therefore, the availability of a dedicated developer portal with published code snippets and widgets that can be easily embedded into applications by developers should be one of the considerations in your vendor selection process. For example, a vendor could provide code for a login widget, which can be embedded in the application and reduce the time developers need to spend working on app authentication. The SSO solution must also provide development toolkits (SDKs) for app development platforms like React, Swift, Python, PHP, Java, and C# to help developers incorporate security controls into their web and mobile apps.

Application Catalog and Wizard-driven Application Onboarding

Today, enterprises leverage hundreds of applications to support a variety of user populations and use cases. The value derived from the SSO solution is, therefore, directly proportional to the number of applications that can be integrated with the solution, and the ease with which new apps can be added. The process of onboarding applications into an SSO solution can be a challenging task that may take substantial effort, time, and knowledge of the SSO protocols and standards that applications support.


A leading SSO solution addresses this challenge by providing a catalog of pre-built application templates and integrations. These templates remove the need to understand SSO protocols and simplify the configuration down to a few key settings. As part of your evaluation process, ensure that applications that are currently used in your organization or that you plan on deploying are present in the catalog.

It is important to note that no catalog will contain all of the possible enterprise applications. For applications that do not have templates in the app catalog, the SSO solution must provide an intuitive, easy-to-use onboarding wizard to guide administrators through the onboarding process. These wizards should have clear documentation or embedded how-to videos that further help administrators to learn how to onboard the applications rapidly and reduce the time required to derive value from the SSO solution.


Partner Federation and Identity Proxying (Chaining)

Mergers and acquisitions are one of the most common ways companies grow. As organizations combine systems and employee populations, the management of user identities becomes challenging. For example, each of the merging organizations may leverage different user directories and SSO solutions (Identity Providers) for their employees and contractors. Along similar lines, companies often work closely with partner organizations who, in turn, have their own SSO systems. Regardless of the circumstances, employees of one organization frequently need to access applications of another organization. It may not be feasible or desirable for one organization to duplicate the other organization's identities across systems to enable access. This is where the concept of federation comes in. Federation enables an organization to seamlessly allow another organization's users to access its applications without the need to authenticate, duplicate, and manage the lifecycle of the other organization's users or set up a separate VPN infrastructure for partner access. In essence, federation enables one identity provider to trust another organization's identity provider to authenticate and manage users.


[Figure: partner federation. Partner Organization side: Partner Employee, Partner Active Directory, Partner IDP. Organization side: Org Employee, Org Active Directory, Idaptive Connector, Idaptive IDP, Org Applications. The Partner IDP and the Idaptive IDP are linked by SAML/OIDC federation]


A leading SSO solution should support partner federations using both SAML and OIDC standards and have the ability to receive trusted authentication tokens. The trusted tokens should be encrypted (Federated Assurance Level 3 [8]) and prove that the user has indeed authenticated with the other identity provider. The SSO solution should also be able to leverage any additional user-related information (SAML attributes, for instance) provided in the token to further authenticate and authorize the user for access to applications and data.

In other cases, organizations may have an existing legacy SSO solution, with hundreds of applications already integrated with it. The legacy solution may come with many challenges and limitations. For example, legacy SSO systems may have a poor end-user experience, require complex scripting or development for application integration, or demand dedicated headcount to manage the infrastructure that the SSO solution runs on. For such organizations, transitioning to a modern, cloud-based SSO solution can be made seamless through the concept of Identity Provider (IdP) proxying or chaining.

In a chained IdP model, the modern SSO solution trusts the SSO token provided by the legacy IdP authenticating the user to an existing app. Both the legacy and the modern IdPs are interconnected and integrated with a single authoritative user directory. All the existing applications remain integrated with the legacy SSO, while all of the new applications are integrated directly with the modern SSO. In other words, if the modern SSO solution supports IdP chaining, an organization does not need to adopt a big-bang approach and modify all of the existing application integrations to work with the new SSO. This allows for a gradual migration to the modern SSO solution and makes the transition seamless and easy, especially for the application owners and IT administrators.

With chained IdPs, organizations can also dramatically improve the user experience. In the chained IdP model, employees only interact with the modern SSO solution, which provides a more streamlined login experience regardless of the application users need to access.

[Figure: chained IdP sign-in flow between the Relying Party/Service, the Idaptive IDP, the On-Prem IDP and the On-Prem Directory, numbered as below]

1. A user tries to log in to Salesforce.com

2. Salesforce.com redirects the user to Idaptive

3. Idaptive recognizes that the access request is from a federated user and redirects the request to the IDP

4. The IDP prompts the user for login credentials and attempts authentication

5. The IDP authenticates the user against the enterprise directory

6. The IDP passes a SAML response to Idaptive with user attributes

7. Idaptive determines that the user requires secondary authentication. An MFA prompt is presented to the user

8. Once successfully authenticated, Idaptive passes an assertion to the Service Provider

9. The user accesses Salesforce.com

• 3rd Party IDP is chained to Idaptive IDP
• Idaptive IDP acts as an SP to the 3rd Party IDP
• 3rd Party IDP does directory credentials authentication
• Idaptive performs the second-factor authentication
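The nine-step chained flow above, and the earlier requirement that a received token must prove the user actually authenticated with the other IdP, are easier to reason about with both sides' messages in code. The following is an added simulation written for this page (not Idaptive's or any vendor's code): HMAC-signed JSON tokens stand in for SAML responses and assertions, and the keys, the directory contents, the MFA code and the 300-second lifetime are constructed assumptions. Each hop checks signature, issuer, audience and expiry, so a legacy-IdP token cannot be presented straight to the application and the modern IdP will not accept its own assertion back as an upstream login.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed keys: real deployments use X.509-signed SAML/OIDC tokens.
LEGACY_IDP_KEY = b"legacy-idp-signing-key"   # shared by legacy IdP and modern IdP
MODERN_IDP_KEY = b"modern-idp-signing-key"   # shared by modern IdP and the SP
TOKEN_TTL = 300                              # seconds a token stays valid


def password_hash(password: str, salt: bytes = b"constructed-salt") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed enterprise directory and registered second factor.
DIRECTORY = {"jsmith": {"pw_hash": password_hash("Correct-Horse-Battery"),
                        "email": "jsmith@example.test", "groups": ["sales"]}}
MFA_CODES = {"jsmith": "123456"}


def sign_token(payload: dict, key: bytes) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 now: float) -> Optional[dict]:
    """Accept a token only if the signature, issuer, audience and expiry all check out."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        return None
    if payload.get("exp", 0) < now:
        return None
    return payload


# Steps 4-6: the on-prem (legacy) IdP checks directory credentials and returns
# a SAML-style response addressed to the modern IdP, carrying user attributes.
def legacy_idp_authenticate(username: str, password: str,
                            now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    user = DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], password_hash(password)):
        return None
    return sign_token({"iss": "legacy-idp", "aud": "modern-idp", "sub": username,
                       "attrs": {"email": user["email"], "groups": user["groups"]},
                       "exp": now + TOKEN_TTL}, LEGACY_IDP_KEY)


# Steps 7-8: the modern IdP acts as SP toward the legacy IdP, requires the
# second factor, then issues its own assertion to the relying party.
def modern_idp_chain(legacy_token: str, mfa_code: str, app: str = "salesforce",
                     now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    upstream = verify_token(legacy_token, LEGACY_IDP_KEY, "legacy-idp", "modern-idp", now)
    if upstream is None:
        return None
    sub = upstream["sub"]
    if not hmac.compare_digest(MFA_CODES.get(sub, ""), mfa_code):
        return None
    return sign_token({"iss": "modern-idp", "aud": app, "sub": sub,
                       "attrs": upstream["attrs"], "amr": ["pwd", "otp"],
                       "exp": now + TOKEN_TTL}, MODERN_IDP_KEY)


# Step 9: the application trusts only assertions from the modern IdP addressed to it.
def service_provider_login(assertion: str, app: str = "salesforce",
                           now: Optional[float] = None) -> Optional[dict]:
    now = time.time() if now is None else now
    payload = verify_token(assertion, MODERN_IDP_KEY, "modern-idp", app, now)
    if payload is None:
        return None
    return {"user": payload["sub"], "amr": payload["amr"], **payload["attrs"]}
```

The `amr` list the modern IdP writes into its assertion records which factors were used, which is what lets the application (or an auditor) distinguish a password-only login from the password-plus-MFA path the chained model is meant to enforce.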

[8] NIST standard 800-63c


Application Access Governance

Access Governance is one of the key capabilities needed by individuals responsible for application security and compliance. The goal of access governance is to reduce the cost and effort involved in overseeing and enforcing access policies and demonstrating compliance. To this effect, leading SSO solutions should be able to provide reports that track user access and identify non-compliance with role-based access controls. For example, these reports should identify specific users that have access to sensitive applications, what roles have permissions to which applications, and what changes have occurred in the access permissions of a particular user. These reports are essential to continually ensure that users only have access to applications they need to perform their duties.

Another capability related to Access Governance is the ability to orchestrate an approval workflow for self-service application access requests. Self-service application access requests, as we mentioned earlier, enable employees to request access to applications without submitting helpdesk support tickets. These workflows can be configured to include multi-level approvals from the employee's management chain, the security team, the application administrator, or even the IT administration team. The approval workflow is instrumental in ensuring that there is a governance model in place for end-users being granted access to applications, and the organization remains compliant with their regulatory and security obligations.

Lastly, many leading SSO solutions are now starting to implement Access Certification capabilities. Access Certifications allow organizations to operationalize continuous or periodic access reviews to ensure that the users have access to only what they need. During these reviews, management, application owners, or IT administrators have to certify that only approved users have access to the applications. If automated Access Certification capabilities are not available, ensure that the SSO solution is capable of interfacing with the enterprise's HR system to automatically provision access according to the user's identity and roles. When a user is terminated or changes positions, the HR system should notify the SSO system to perform the deprovisioning for all the systems in the user's role that are no longer needed. This will ensure that manual access certifications produce relatively clean results, and organizations remain in compliance with their access policies or government regulations.

[Figure: access request lifecycle. Employee changes department; needs access to a new app; makes an access request in Idaptive; request approved by manager; request approved by application admin; access granted to the user. Access Request Reports & Periodic Recertifications cover the whole cycle]

Adaptive Single Sign-On

One of the principles of the Zero Trust Access Security architecture is to leverage as much contextual information about the user as possible while making access decisions. Most traditional SSO solutions require a user to authenticate once. After that, the SSO solution grants the user access to all the authorized applications for a pre-defined period of time, typically the length of the user session. In other words, once the user has been authenticated to the SSO solution, all of the applications explicitly trust the user and let the user access them as long as the SSO session is valid. This explicit trust violates the concept of Zero Trust.

A modern SSO solution should employ a combination of rules and machine learning to determine whether a user should be granted access to an application, even after the user has successfully authenticated to the SSO solution. These rules incorporate contextual information related to the user, such as the device used for access, the network from which the user is requesting access, the time of the access request, and finally, the user location. Additionally, a leading SSO solution should be able to leverage this contextual information to learn typical user behavior using machine learning. Based on the historical behavior trends, the system should then be able to identify atypical user behavior and assign each user a risk score during the process of accessing applications. If the risk score of the user exceeds a certain threshold, the user should be prevented from getting SSO into an application, regardless of whether he or she possesses the authentication factors required to access it.

When looking for a modern SSO solution, ensure that the solution you're considering supports both rules-based SSO and machine-learning-driven, risk-based adaptive SSO.
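As an added worked example of the rules-plus-behaviour decision described above (written for this page; not Idaptive's scoring model, whose weights and features are not published here), the Python below learns a per-user baseline of devices, networks, countries and sign-in hours from past logins, scores a new request by how far it deviates, and applies a static rule ahead of the score. HISTORY, the weights and both thresholds are constructed assumptions; a production system would learn the weights rather than fix them.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AccessContext:
    user: str
    device_id: str
    network: str          # e.g. "corp-lan", "home-isp", "cafe-wifi"
    country: str          # derived from the request's source address
    hour: int             # local hour of the request, 0-23
    device_managed: bool  # as reported by device enrollment / MDM


# Constructed sign-in history standing in for what a real system learns.
HISTORY: List[AccessContext] = [
    AccessContext("jsmith", "laptop-01", "corp-lan", "US", h, True)
    for h in (8, 9, 9, 10, 14, 17)
] + [AccessContext("jsmith", "laptop-01", "home-isp", "US", 20, True)]

# Constructed risk weights per deviation and decision thresholds.
WEIGHTS = {"new_device": 30, "new_network": 20, "new_country": 40, "unusual_hour": 15}
STEP_UP_THRESHOLD = 30   # score >= this: demand a fresh second factor
DENY_THRESHOLD = 60      # score >= this: no SSO even with valid factors


def build_baseline(history: List[AccessContext]) -> Dict[str, dict]:
    """Summarise each user's past contexts (the 'learned' behaviour)."""
    baseline: Dict[str, dict] = {}
    for ctx in history:
        b = baseline.setdefault(ctx.user, {"devices": set(), "networks": set(),
                                           "countries": set(), "hours": Counter()})
        b["devices"].add(ctx.device_id)
        b["networks"].add(ctx.network)
        b["countries"].add(ctx.country)
        b["hours"][ctx.hour] += 1
    return baseline


def risk_score(ctx: AccessContext, baseline: Dict[str, dict]) -> int:
    """Sum the weights of every attribute that deviates from the user's history.
    A user with no history at all is treated as at least step-up worthy."""
    b = baseline.get(ctx.user)
    if b is None:
        return STEP_UP_THRESHOLD
    score = 0
    if ctx.device_id not in b["devices"]:
        score += WEIGHTS["new_device"]
    if ctx.network not in b["networks"]:
        score += WEIGHTS["new_network"]
    if ctx.country not in b["countries"]:
        score += WEIGHTS["new_country"]
    # The hour is unusual only if neither it nor an adjacent hour was ever seen.
    if not any(b["hours"][(ctx.hour + d) % 24] for d in (-1, 0, 1)):
        score += WEIGHTS["unusual_hour"]
    return score


def decide(ctx: AccessContext, baseline: Dict[str, dict]) -> str:
    """Static rule first, then the behavioural score.
    Returns 'allow', 'step-up-mfa' or 'deny'."""
    if not ctx.device_managed:
        return "deny"        # rule: unmanaged devices are refused outright
    score = risk_score(ctx, baseline)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step-up-mfa"
    return "allow"
```

Note that `decide` is evaluated per application request, not once at session start, which is the difference the paper draws between a traditional session-long trust and adaptive SSO: a valid session on a known laptop still yields "deny" when the same session suddenly appears from a new device, network and country at 3 a.m.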

Mobile Experience

Today, employees expect anytime, anywhere access to their corporate applications from all types of devices. These devices include not only Windows laptops and MacBooks but also mobile devices such as smartphones and tablets. Accessing web-based applications with SSO from laptops and desktops is simple and only requires a web browser. SSO access to corporate apps on mobile web browsers, however, is a bit more cumbersome.

A modern SSO solution should provide a dedicated mobile app to make accessing applications from mobile devices as seamless as possible. The app should be available for both iOS and Android platforms and include a landing portal page that displays all the applications authorized to users. The app should also enable the user to enroll their mobile device with the SSO solution. The device enrollment process allows SSO solutions to verify that the device meets the minimum security requirements and enables organizations to push specific device management policies and certificates. The ability to deploy certificates on mobile devices is necessary for certificate-based authentication (CBA), which allows end-users to access native apps, such as Salesforce, OneDrive, or Outlook, without additional authentication steps.

Availability, Scalability, and Performance

Since SSO solutions gate access to all applications unified under the SSO, they must be highly available and reliable. Without functional SSO, employees have no means of accessing even the most basic applications such as email, HR systems, or productivity apps. Software-as-a-Service delivered (SaaS-delivered) SSO solutions often run on highly reliable cloud-based platforms and tend to perform far better than on-prem, privately hosted SSO systems. For example, cloud-based SSOs should be able to dynamically scale with demand and automatically fail over across geographic regions in the event of a disaster. Replicating these capabilities in an on-premises data center can be a very challenging and expensive proposition for most enterprises.

When considering a cloud-based SSO solution, pay close attention to the service level agreement (SLA) commitments, especially in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is the maximum amount of time taken by the SSO solution to recover after there has been a disaster that brings the service down. RPO is the maximum amount of time prior to the disaster for which the user data may be lost permanently. A leading SSO solution will provide RPO and RTO of at most 24 hours each, and since both RTO and RPO are SLA commitments, you can hold the SSO solution vendor accountable for not meeting them.

Along similar lines, make sure that you also consider the SSO solution's uptime history and commitments. Typically, you want to find a solution with an uptime commitment of at least 99.9% (three nines), meaning the service can be down for a maximum of 8.77 hours per year.

Lastly, ensure that the solution can scale up in an efficient and cost-optimal manner to your growing organization's needs, whether the scaling up involves more employees, more use cases (extending the service to your partners and consumers), or adding more applications.


Idaptive delivers Next-Gen Access, protecting organizations from data breaches through a Zero Trust approach. Idaptive secures access to applications and endpoints by verifying every user, validating their devices, and intelligently limiting their access. Idaptive Next-Gen Access is the only industry-recognized solution that uniquely converges Single Sign-On (SSO), adaptive Multi-Factor Authentication (MFA), Enterprise Mobility Management (EMM) and User Behavior Analytics (UBA). With Idaptive, organizations experience increased security, reduced complexity and have newfound confidence to drive new business models and deliver awesome customer experiences. Over 2,000 organizations worldwide trust Idaptive to proactively secure their businesses.

idaptive.com ©2020 Idaptive. All Rights Reserved.


3300 Tannery Way

Santa Clara, CA 95054

[email protected]