Adaptive 2-Factor Authentication for Citrix Netscaler

Posted by Chris Hayes on Thu, Apr 30, 2015

2-Factor for Citrix via empowerID

What is Adaptive authentication? By definition something adaptive should have a capacity or tendency toward adaptation when faced with different scenarios. empowerID has taken this concept and applied it to our class leading Radius service for Citrix and other "edge devices" like Cisco, Juniper, Palo Alto, F5 and more.

Having managed many Citrix NetScaler strong authentication projects myself I understand the challenges faced when enabling 2-factor authentication with NetScaler products.

Common questions that you should ask yourself when undertaking a project like this are.
  • What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
  • What kind of logging and reporting is available?
  • How scalable is the solution?
  • How are the configurations stored?
So we know some of the questions you need to be aware of, let's walk through an empowerID workflow for Citrix NetScaler below.

 

Adaptive Auth for Citrix

  1. Multiple users go to login to the NetScaler
  2. The NetScaler takes in a username and password
  3. This information is passed to empowerID's Radius endpoint
  4. empowerID looks at the group membership of the user
  5. One user will go through 2-factor authentication
  6. One user will go through Single Factor authentication
  7. Both users will be presented with the same information after authentication
This truly adaptive model means you can migrate some your users to 2-factor authentication while keeping some at single factor authentication.

So let's get back to a few key points:
  1. What methods does the authentication support?
  • Can I migrate users by groups in the back end rather than cut everyone over at the same time?
    • Fully supported, keep everyone going to the SAML login page and empowerID will determine if the user needs 2-factor or single factor authentication.
  • What kind of logging and reporting is available?
    • empowerID's audit and reporting engine leads the pack when it comes to real time reporting and auditing.  While other products can't push reports up to a central audit point empowerID doesn't have the same limitations.  Built from the ground up to scale you can log into one place and review all audit reports.
  • How scalable is the solution?
  • How are the configurations stored?
    • empowerID configurations are stored in a database, the way it should be done.  Not in flat web.config or .conf files, these aren't methods that scale.

    Ready to learn more?

     Request a Demo

    Tags: Active Directory, IAM, Identity Management, SAML, Citrix, Palo Alto, Identity and Access Management (IAM), Radius, 2-Factor, Cisco

    empowerID to Present at KuppingerCole European Identity & Cloud Conference

    Posted by Chris Hayes on Tue, Apr 28, 2015

     

    empowerID is excited to announce that CEO Patrick Parker will present at the European Identity & Cloud Conference (EIC) hosted by KuppingerCole on May 5-8 at the Dolce BallhausForum Unterschleissheim in Munich, Germany.


    Patrick's session entitled "How to Manage Authorizations in Cloud Services" takes place on Tuesday, May 5


    Topics covered will include:

    • The race to transplant onsite infrastructure and applications to the Cloud
    • How to enable strong yet flexible control over authorization
    • How to approache the challenge of role and attribute-based authorization
    • Patrick will give an overview of the authorization capabilities offered by the Microsoft Azure and Amazon AWS platforms and include best practice suggestions.
    empowerID was identified as an "Overall Leader" in the KuppingerCole Leadership Compass in 2014.  Click here for your copy of the latest KuppingerCole IAM/IAG Leadership Compass

    Tags: Role Based Access Control (RBAC), RBAC, SAML

    EmpowerID - Combining Intelligence with Web and SAML SSO

    Posted by Chris Hayes on Wed, Apr 01, 2015

    RBAC ABAC SSO resized 600

    Everyone's heard of Single Sign On or SSO.  By helping your end users get through their day, it allows them to first validate their enterprise identity and then seamlessly get into all of their enterprise applications.

    The ugly secret of the SSO landscape is the lack of any real access control.  If you need to provide access to an application like Salesforce you have to add them into an Active Directory group.  That is simply not something that scales and will instantly become an administrative burden.  Let's not even get into what happens when that person moves to a new department, are you really going and removing them from the groups they shouldn't have access to anymore?

    EmpowerID has created the world's first integrated Role Based Access Control (RBAC) and SSO mechanism that allows you to assign resources like salesforce.com to a business role not a group.  This gives you unprecedented flexibility to assign resources to things like SharePoint, Salesforce or whatever the application is.

    BusinessRole

    With EmpowerID you can assign resources to specific roles, like the example above where bank tellers in will be part of different active director groups but they can all be assigned the "Teller Business Role" and as such be allowed to access common resources for that role.  We've made it simple for you as an administrator too, manage these rules right through the EmpowerID WebAdmin console like you see below.

    Easily assign a resource to a role

    Reach out and we can walk you through how to add intelligence into your SSO engine today.

    Request a Demo

    Tags: WS-Fed, RBAC, Federation, Access Governance, SSO

    EmpowerID Named Overall Leader in IAM / IAG Suites

    Posted by Patrick Parker on Thu, Feb 05, 2015

    Rating graph

    EmpowerID has been recognized as a three time leader in a recent KuppingerCole report evaluating Identity and Access Management (IAM) / Identity Access Governance (IAG) Product Suites.

    The IAM/IAG Leadership Compass “focuses on complete IAM/IAG (Identity Access Management/Governance) suites that ideally cover all major areas of IAM/IAG as a fully integrated offering,” Martin Kuppinger wrote in the report.

    KuppingerCole, a respected global analyst focused on Information Security, examined Identity and Access Management / Governance Suites for this report. They specifically evaluated products that are integrated solutions with a broader scope than single-purpose products. Martin Kuppinger concluded in the report, “With their Windows-based product they [EmpowerID] offer one of the best integrated IAM Suites. All components have been built by EmpowerID, allowing for tight integration into a well thought-out architecture. This integrated approach is a clear strength of EmpowerID."

    To request an unabridged copy of the the KuppingerCole report on IAM/IAG Suites, please visit http://info.empowerid.com/download-the-free-kuppingercole-iam-suites-leadership-compass.

    Tags: Role Based Access Control (RBAC), GRC, authentication, IAG, IAM, Group Management, Governance and Regulatory Compliance, Identity Management, Federation, User provisioning, Attestation, Separation of Duties, Identity and Access Management (IAM), Access Governance

    Worlds First Virtual Directory Built on Node.js®

    Posted by Chris Hayes on Thu, Feb 05, 2015
    nodejs logo
    EmpowerID has cleaned the dust off of the Virtual Directory market with the world's first Virtual Directory Service written in Node.js and integrated it with our world class IAM Suite.

    Virtual Directory Services (VDS) are supposed to aggregate identity and user information stored across data stores into a single point of access.  The dirty little secret of the market is latency when the VDS is returning indentity information.  This compounds itself again and again when making LDAP calls.  Some have tried to move from a "Proxy" view and use a Cached view, but I/O is still slow.

    EmpowerID looked at the current VDS landscape, identified issues and built our VDS from the ground up on Node.js.  Compared to legacy VDS technology that spawns a new thread for each connection or request and takes up RAM, Node.js operates on a single-thread using a different type of I/O call.  This allows it to support tens of thousands of concurrent connections.
    toptal blog 1 BPicture from toptal.com Why use Node.js
    So, why use EmpowerID's VDS?
    • Highly Scalable, a VDS should be able to handle incoming LDAP connection requests and we do it better than anyone in the industry.
    • Data Transformation allows you to easily support legacy apps that require a fixed schema
    • Persistent Metadirectory Cache that automatically refreshes the source data
    • Ties in with full IAM Suite from EmpowerID.
    • Group-based authorization and provisioning for all of your authentication endpoints
    • Application authorization provides a virtual view of all existing groups
    • Easily onboard new organizations' directory stores into a unified view
    • Create a single unified user profile from your disparate user stores

    Ready to learn more?

    Request a Demo

    Tags: IAM, Federation, Virtual Directory, VDS

    Manage Your Office 365 Environment Without DirSync

    Posted by Chris Hayes on Mon, Jan 05, 2015

    Automate Provisioning Sync resized 600

    All too often the migration to the cloud involves supporting bits and pieces of software that you didn't expect. These road bumps can easily turn into a major headache for your organizations IT team. Migrations to Office 365 require a "user sync tool" out of the box called DirSync or AAD Sync. These extra pieces of software are difficult to manage, configure and maintain with many companies desperately looking for alternatives.

    The EmpowerID Office 365 Manager allows your organization to take control of all aspects during your migration to Office 365.  If you're just starting or have fully cut over to O365 you can now put DirSync out to pasture.

    EmpowerID Office 365 Manager allows for:

    Single Sign-On Enable - Allowing employees to continue to login to Outlook, OWA, Lync, and SharePoint using their same corporate Active Directory username and password with Microsoft ADFS.

    Administration and User Provisioning - Automate provisioning, delegation administration, and de-provisioning all without DirSync or AAD Sync.

    Access Governance - Audit and periodically re-certify access to Office 365 mailboxes and groups based upon your organizations specific attestation requirements.

    Audit Logging - Keep track of what's happening in your enviroment.  Even have reports emailed to you for review.

    Role-Based Delegated Admin - Allow seperate business units to manage their users or even seperate companies.

    Self Service Password Management - Stop the high number of password reset calls to your helpdesk.

    On top of total governance of Office 365 from an on-premise IAG solution you can also manage multiple tenants from a single Active Directory domain or multiple AD domains to a single tenant, something that is available with EmpowerID. Allowing your organization to manage complex Office 365 deployments means you can ensure new domains can be integrated should the need arise.

    Screen Shot 12 29 14 at 11.14 PM

    If you're ready to learn more you can watch this previously recorded Office 365 demo or shoot us an email and we'll walk you though your options.

    Request a Demo

    Tags: IAG, O365, DirSync, Office 365

    B2C Single Sign On & Identity Management That Wins Over Consumers

    Posted by Bradford Mandell on Mon, Oct 20, 2014

                                  describe the image

    Organizations that manage successful brands know what their customers want from a website experience and are able to provide it.

    Consumers want simpler processes.  

    They want a quick, seamless authentication experience. 

    They want to get to a site from any device that is handy at the time, whether it’s a pc, a tablet or a smartphone.

    They have lots of choices and they are bombarded with lots of information. Your branding must be visible and the flow of your customer through your site must be smooth so they will have a positive experience, remember you and want to return.

    And your security for their identity needs to protect them and you without being obtrusive.

    Your prize, if you capture consumers with a well-designed web presence, is a solid foundation for  business growth, faster fulfilment of your clients’ needs, and substantially greater efficiencies that can  reduce costs and drive profitability.

    And of course you are supposed to accommodate all that and keep to a modest IT budget… phew!  

    Here’s what it’s going to take:

    • A highly scalable Single Sign On (SSO) and Identity and Access Management (IAM) platform – one that can take you where your ambition wants to go.  Your IAM infrastructure may need to manage millions of users and tens of thousands of logins an hour.
    • Flexible branding – the login process can’t be generic, it and related Single Sign On (SSO) pages need to be customizable to your themes.
    • Support for social media logins is a must if you want to simplify the user experience and entice the widest number of users possible.
    • Self-service password reset and challenge questions that allows consumers to quickly get back in to your site if they forget their username or their password.
    • 2nd factor authentication capabilities and even identity validation will be needed if you need to provide an extra level of protection for your data or resources.  You may want the ability to step up authorization when a user needs to access more sensitive information.
    • A flexible API is another core need – on that can be embedded into your existing applications to connect to common authentication, provisioning and authorization processes.
    • You will want a licensing model that scales from a modest user base to one that is still affordable if you exceed your best expectations.
    • And while many SSO platforms claim that you can easily entrust provisioning to another platform that they can connect to, that’s going to cost you more money to develop, to implement and to support. So you will want a platform that is capable of integrating all of your essential identity management tasks from the start.
    • There is a lot of other technical stuff that you are going to want, like compatibility with all the major standards (SAML, WS-Fed, OAuth), password vaulting and reverse proxy for those legacy apps that can’t make a standard federated connection, but that still need to talk to your federated environment (because throwing out everything you own to pave way for new standards isn’t always practical).

    There is a solution that provides all of the above: EmpowerID. 

    EmpowerID is an integrated and modular platform, built on a single codebase and driven by workflow with prebuilt one-to-many SSO and Identity Management scenarios with the needs of consumers in mind. 

    EmpowerID’s visual workflow designer and adaptive HTML5 interfaces offer a vastly improved and simplified approach to traditional SSO and IAM challenges.  It can be stood up in just a few days or weeks depending on the customization desired, instead of the months that other applications take. 

    Most importantly, EmpowerID supports a satisfying access experience for consumers and drives strong ROI with its secure, seamless and flexible identity processes.  

                                                       Request a Demo

    Tags: WS-Fed, authentication, Identity Management, Federation, consumers, SAML, Single Sign-on, Password management, SSO, social media

    SSO and Delegated Management Module for Office 365 Released

    Posted by Patrick Parker on Fri, Sep 12, 2014

    365 banner resized 600

    Yesterday we announced the release of Office 365 Manager, a new module that enables organizations to extend their existing on-premise security and audit control model to the Microsoft Office 365 and Azure Active Directory Cloud. We have also released a new web site dedicated to information on Office 365 Manager. The new site is located at http://office365.empowerID.com.

    We are seeing rapid adoption of Office 365 to reduce the cost of IT operations. Office 365, however, is presenting our customers with some security and management challenges because it offers only basic audit controls and a limited ability to delegate administrative tasks. Our new Office 365 Manager provides organizations with the first and only Identity and Access Management solution that applies existing security practices for on-premise Active Directory and Exchange to the management of Office 365 in the Cloud.

    Office 365 Manager allows organizations to leverage the same secure delegation and flexible administration model that they use for their behind the firewall systems. It addresses a key shortcoming of Office 365 which runs on Azure Active Directory and lacks a hierarchical structure that forces the placement of all users, groups, mailboxes and contacts in a single location. By extending the existing structure of a customer’s on-premise Active Directory, LDAP, or HR system to Office 365, Office 365 Manager can securely delegate responsibilities by role, department, business unit and location.

    With Office 365 Manager's Single Sign-On capabilities, your internal users can continue to use their existing Active Directory username and password when logging in to Outlook, OWA, Lync, and SharePoint after they have been migrated to the Office 365 cloud. External partners or customers can leverage Social Media logins, your own branded EmpowerID login, or even their remote corporate AD credentials.

    Top 10 features and benefits of the new Office 365 Manager:

    1.    Role-Based Delegated Administration to Reduce IT Staff Workload 
    2.    Automated Provisioning and Sync for Better Productivity and Security 
    3.    Dynamic Group Management for Improved Group Security 
    4.    Single Sign-On for Ease of Use 
    5.    Multi-Factor Authentication for Improved Access Security 
    6.    Mobile Device Security (BYOD) To Properly Secure Mobile Device Access 
    7.    Self-Service Password Management to Reduce Help Desk Workload 
    8.    Shopping Cart Style Self-Service to Automate Request Fulfillment and Audit Tracking 
    9.    Access Recertification and Audit Reporting For Better Access Governance 
    10.     Mailbox and Folder Permission Audit, Management, and Self-Service for Improved Productivity and Governance

     

                                                   Secure  Office 365  Today!

    Tags: Single Sign-on (SSO), Role Based Access Control (RBAC), User provisioning, Office 365

    Innovation and Productivity Gains From Identity and Access Management

    Posted by Bradford Mandell on Tue, Jul 15, 2014

    IAM Innovation

     

    Security for identities.  Managing user access to applications.  Auditing user access.

    “Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

    But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

    Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

    Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

    The CSO’s experience with several of the oldest and most installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty in customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to mantain.

    After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management.  Built on a single codebase with a workflow core and shipping with hundreds of ready to deploy workflows, the CSO was impressed with EmpowerID's broad functionality and its ability to easily design and to automate complex IAM processes with its visual Workflow Designer. 

    The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

    He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

    The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

    EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

    New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

    The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

    EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

    EmpowerID also assists the organization’s auditors with data governance – the discipline of ensuring that access to corporate and patient data is secure and is subject to the proper controls. EmpowerID not only improves the quality of data, is also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics. EmpowerID provides dozens of reports out of the box and it supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

    As a result of successfully automating their new user provisioning process and providing a seamless single-sign on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months. 

    The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

    Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM. 

     

    Learn More about IAM Cost Savings with EmpowerID

    Tags: Single Sign-on (SSO), Active Directory, GRC, Group Management, Governance and Regulatory Compliance, Identity Management, User provisioning, Data Governance, Attestation, Separation of Duties, Password management, Identity and Access Management (IAM), Access Governance

    Delegated User Provisioning Best Practices

    Posted by Edward Killeen on Wed, Nov 27, 2013

    Sometimes there is no authoritative source.  Sometimes you just have to say, "Bob, provision me a user."  These are the cases where you will need a very flexible user interface to control user provisioning workflows.

    delegated provisioningSee, that's the cool part, the UI is just what initiates the workflows in EmpowerID, the exact same workflows that are used when it detects a new employee in the HR system.  The same series of events are kicked off: assignment of roles, membership in groups, new accounts in the cloud, notification to the party planning committee, a single sign on dashboard.  It's all there, you are just starting it differently.

    Of course, authoritative sources are called that because they have authority.  You can trust them.  With delegated user provisioning, you need to have some additional controls.  The simplest and most efficient is to have an approval workflow shape where somebody in authority has to approve the new user.  Or approve any role with a security level over XYZ.  These approvals can be serial or parallel, they can go to someone in IT or HR or anywhere in between.  They can be decided based on who the new user is.  The important part is that one rogue employee won't be creating any domain admins named Joe Derp.

    Another consideration is the complexity of the user interface.  EmpowerID ships with over 400 usable out of the box identity management workflow templates.  About ten of these include user provisioning forms, ranging from what we call "super simple user provisioning" to "user provisioning". 

    The difference is what fields are required.  In super simple, the user puts in the name, department, title, and location of the user and EmpowerID dynamically assigns roles.  In simple, there is a dropdown of available roles depending on the attributes already defined and who the requester is (help desk can create X roles and HR can create Y roles for example).  There is also an IT based form where a sys admin who understands things like OU structures and the such can granularly define any attribute.

    Just my own personal opinion is that delegated user provisioning should always have an initial lifecycle.  This is easily accomplished by adding an expiration date dropdown on the form or creating a business rule in the workflow that it needs to be certified and renewed within that date period to continue its existence.  This is basically adding attestation to any user provisioning that happens outside of automated processes.

    The reason I believe this attestation and lifecycle are important is the use cases for delegated user provisioning.  The most obvious ones are:

    • temporary employees or contractors
    • task based highly privileged accounts
    • additional accounts for an existing user
    • partners and suppliers accounts

    None of these types of accounts should be subject to having perpetual access and permissions within your network.  With a strong IAM platform like EmpowerID, these security concerns can be alleviated even on users provisioned outside of normal channels.

    Take a look at this video demonstrating EmpowerID's role-based user provisioning; you can see some examples of the delegated user provisioning forms (because showing automated user provisioning makes for a boring demo :) ).  Then schedule a personalized demonstration where we can help you start designing your own user provisioning processes.

    Schedule a demo of Delegated User Provisioning

    Tags: User provisioning, Identity and Access Management (IAM)

    Content not found