While I was talking to a client the other day about enterprise-to-cloud access, it became apparent that cloud provisioning needed to be taken care of before considering cloud SSO. More than that: role-based cloud provisioning.
And this is where it gets tricky in the IAM marketplace. There are a few companies offering cloud single sign-on and doing it well. They just don't have the platform in place to integrate with the on-premises world and do role-based provisioning to the cloud as part of that solution.
And think about your business goal here for a second. You want to make sure that the right users have the right access to the right applications. So, first you need to do role-based provisioning: anyone in sales and support needs access to Salesforce. Only those users should be provisioned, and after moving to another department they should be deprovisioned. Data security is one thing to consider, but so is license consumption: you pay monthly for these licenses.
Once you've provisioned the correct users to the cloud application (in this case Salesforce), you need some role mapping. The sales rep should have different access than the sales manager, and both should differ from the support rep. Map your corporate roles to the cloud app roles, and not only do the right folks get user accounts, they also get the right access. As they move jobs, the dynamic role in your enterprise directory maps to the cloud role and presto boomo, accurate access to cloud applications!
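The provisioning and role-mapping steps above amount to reconciling the enterprise directory against the cloud application's account list. The sketch below is an added example, not EmpowerID code or part of the original post; the role names, user records and the `reconcile` helper are hypothetical, and it assumes that a user with no mapped role, or one disabled in the directory, gets no account.

```python
# Added example: constructed data and hypothetical names throughout.
# Assumed mapping of corporate (department, title) to a cloud app role.
ROLE_MAP = {
    ("Sales", "Sales Rep"): "sales_user",
    ("Sales", "Sales Manager"): "sales_manager",
    ("Support", "Support Rep"): "support_user",
}

# Constructed enterprise directory records.
DIRECTORY = [
    {"id": "alice", "department": "Sales", "title": "Sales Rep", "active": True},
    {"id": "bob", "department": "Sales", "title": "Sales Manager", "active": True},
    {"id": "carol", "department": "Finance", "title": "Analyst", "active": True},
    {"id": "dave", "department": "Support", "title": "Support Rep", "active": True},
    {"id": "frank", "department": "Sales", "title": "Sales Rep", "active": False},
]

# Constructed current state of the cloud app: account id -> assigned role.
CLOUD_ACCOUNTS = {
    "bob": "sales_user",      # promoted since the account was created
    "carol": "support_user",  # moved from Support to Finance
    "dave": "support_user",   # already correct
    "erin": "sales_user",     # no directory record at all (orphan)
    "frank": "sales_user",    # disabled in the directory
}

def desired_role(user):
    """Cloud role a directory user is entitled to, or None (default deny)."""
    if not user.get("active", False):
        return None
    return ROLE_MAP.get((user["department"], user["title"]))

def reconcile(directory, cloud_accounts):
    """Return sorted (action, user_id, role) tuples that bring the cloud
    app in line with the directory: provision, update_role, deprovision."""
    wanted = {u["id"]: r for u in directory if (r := desired_role(u))}
    actions = []
    for uid, role in wanted.items():
        if uid not in cloud_accounts:
            actions.append(("provision", uid, role))
        elif cloud_accounts[uid] != role:
            actions.append(("update_role", uid, role))
    # Any account without a current entitlement still consumes a license.
    actions += [("deprovision", uid, None) for uid in cloud_accounts if uid not in wanted]
    return sorted(actions, key=lambda a: (a[0], a[1]))

if __name__ == "__main__":
    for action in reconcile(DIRECTORY, CLOUD_ACCOUNTS):
        print(action)
```

Running the comparison in both directions matters: accounts that exist only on the cloud side never show up when you iterate over the directory alone.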
And now for the thing that people worry about: cloud single sign-on, federating with the cloud application. This is arguably the least important step but the one that gets the most attention. Who cares if you only need one password if you have the wrong users getting access? Luckily, it's possible to do all three and leverage the same directory if you can do SAML federation from the directory that is handling the cloud provisioning and access.
There must be others doing all three aspects of this cloud provisioning, but if any of this rings true to you, schedule a demonstration of EmpowerID and see how to get the right users the right access to the right cloud resources, and SSO them while you're at it!