Single sign-on does not exist in a vacuum. Especially in an extranet environment, you need to know who those users are, what access they should have, and give them a way to manage their identity. Essentially, identity management cannot be separated from SSO.
When SSO projects come our way, the initial conversations are always around SAML federation, Web Access Management (WAM), or password vaulting. We talk about identity providers, service providers, SharePoint claims, and multi-factor authentication. Customers talk about their applications and user experience in SSO. What they don't bring up is how to manage those external users because other SSO vendors avoid that conversation like the plague.
If all applications were federated (they aren't), this might not be as big of a deal, but in truth most of our customers have a mix of SSO technologies, and you still need to know who those users are. You will need self-registration for external users, automated provisioning for internal users, self-service password reset for IdP credentials, attestation and certification of user accounts and access, and step-up authentication for secure access.
EmpowerID's platform comes with base functionality for all of its modules. The base platform contains the metadirectory, RBAC engine, and visual workflow studio. All identity management workflows (create user, change password, etc.) are part of the platform and can be used to manage external users. Your users will have all of the abilities for SSO, and you will know who they are and have extensive identity management capabilities.
But remember, the customer is coming to us for SSO, so the platform still needs to offer single sign-on in the most comprehensive way. Many applications are federated (SAML, OAuth, OpenID, WS-Trust, and WS-Federation), but for those that aren't, the SSO platform needs multiple ways to handle the application.
SSO Manager offers a few options:
- Web Access Management (WAM): using either a reverse proxy or an agent, SSO Manager can intercept access attempts to an application, send the user to EmpowerID for authentication, and return them to the application already authenticated, without any interaction on their part
- Federated SSO: EmpowerID can act as either the identity provider or the service provider using any federated protocol (SAML, OAuth, OpenID, WS-Trust, WS-Federation)
- Password vaulting: as a last resort, users can claim accounts and provide the username and password, which are vaulted securely on the EmpowerID server and replayed to provide the same seamless SSO experience for the user
- Shared accounts: for many applications, such as Twitter or Facebook, corporate accounts need to be shared without giving out the password; the account owner can share the account and revoke access when needed
- Virtual Directory: the EmpowerID metadirectory is exposed as a virtual LDAP directory that can be used as the back-end identity store for any application
By offering this comprehensive solution, your users authenticate once and are presented with a dashboard of SSO applications; they don't need to know how you got them the SSO access, it is seamless. You can manage their access and user accounts from one platform, on a single code base, with the easiest and most efficient management in the industry.
Let us demonstrate these capabilities and you will see why the comprehensive platform is your best method of providing single sign-on.
Tags: Single Sign-on (SSO), Identity and Access Management (IAM)