Comparison of ADFS to EmpowerID SSO Manager

Posted by Edward Killeen on Thu, Jul 11, 2013

Single sign-on does not have a magic bullet; instead, it requires a Swiss Army knife, meaning many different ways to get users authenticated into an application using only one set of credentials.  A German partner of ours calls this an eierlegende Wollmilchsau (literally an egg-laying wool-milk-sow, an animal that does everything), based on one of our customers describing everything that EmpowerID can do.

This ability to perform multiple methods of single sign-on from federation to Web Access Management to password vaulting gives an extraordinary ability to get users authenticated to almost ANY web application using either corporate or social credentials.  EmpowerID lets you authenticate external or internal users, apply a role to them, giving them appropriate access to any resource (on premise or cloud) and, just as importantly, not force you to have AD credentials for the user.

This is where the comparison to Active Directory Federation Services (ADFS) comes in.  Not all of your users should be in AD, and they are not always accessing WS-* or SAML applications.  In addition, you need role based access control (RBAC) determining the level of access for the user.  And you need two factor authentication (TFA) for either highly privileged users or highly secure applications.  ADFS is just too limited.

The list below illustrates some of the advantages that a true SSO/Federation/WAM application like EmpowerID has over ADFS:

  1. Directory neutral federation (AD, LDAP, SQL, CUSTOM, etc. etc.)

  2. Multifactor authentication (including Smartcard, OATH and identity proofing)

  3. Extensive list of out-of-box authentication providers (including AD, Username/Pwd, social credentials like Salesforce, Twitter etc. etc.)

  4. Powerful claims generation, transformation and issuing (leverage full power of C#, Web Services)

  5. Leverage RBAC and powerful Metadirectory to issue advanced claims (Business Role and Location, Management Roles, Set Groups etc. etc.)

  6. Enhanced security for sensitive data with advanced claims level encryption

  7. SSO for non-Microsoft applications

  8. Complete support for OAuth 2.0

  9. Complete support for SAML 2.0 SSO Web Profiles

  10. SSO Application Dashboard + powerful features like Persona etc. etc.

There is really no comparison to having a complete eierlegende Wollmilchsau, Swiss Army knife SSO platform that can authenticate any of your users, using any credential, performing full RBAC, and connecting to any application on any network.  ADFS just cannot compare.


Tags: Single Sign-on (SSO)

Take advantage of BYOD in Identity Management

Posted by Edward Killeen on Thu, Jun 06, 2013

Imagine having your users empty their pockets at a big security checkpoint as they enter your building.  What kinds of devices would you find?  Tons of tablets, scads of smartphones, the rare Google Glass, and probably one guy who still has a pager.  Make a stack of all of these and it's most likely taller than your building.

This BYOD trend can obviously be a security risk, but it is also an identity management opportunity.  The reason is that mobile devices are an integral part of a user's identity; users are very rarely separated from their phone, so you can use the device to help identify them.

The best and most immediate use is two factor authentication (TFA).  Software based tokens are free: the OATH server comes with EmpowerID and the client apps (such as Google Authenticator) are free.  The uses for two factor authentication are many and can help balance the security risk that you're facing just by allowing these devices.  We recommend three main uses for two factor authentication:

  1. Two factor authentication with ALL password resets.  If a user is resetting their password, force TFA to ensure they are who they say they are.
  2. Step up authentication.  When a user is attempting to access a highly secure resource (a folder with 10Q financial documents, the SharePoint site with Coca Cola's secret recipe, etc.), step up their authentication to include two factor authentication.
  3. Role based authentication.  If a user wants to be highly privileged, make them prove who they are when they authenticate.  Often the users with the most privilege have the most clout in the organization and get away with the least security (CxO, domain admins, etc.).  That is bad security.
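As an added illustration (not EmpowerID code), here are the three step-up rules above as a policy function, paired with an RFC 6238 TOTP verifier of the kind an OATH server and an app like Google Authenticator agree on; the role and resource names are constructed, and the secret is the shared RFC 4226/6238 test vector.

```python
# Added example, not EmpowerID code: the three step-up rules described above
# as a policy function, plus an RFC 6238 TOTP verifier (the OATH algorithm
# that Google Authenticator and similar soft tokens implement).
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample data standing in for roles and resources in a real directory.
PRIVILEGED_ROLES = {"Domain Admin", "CxO"}
SENSITIVE_RESOURCES = {"/finance/10Q", "/sharepoint/secret-recipe"}


def requires_tfa(action, resource, roles):
    """Step up to a second factor for: any password reset, a sensitive
    resource, or a user who holds a privileged role."""
    if action == "password_reset":
        return True
    if resource in SENSITIVE_RESOURCES:
        return True
    return bool(set(roles) & PRIVILEGED_ROLES)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- window steps to tolerate clock drift.
    Each comparison is constant-time so response timing leaks nothing about the code."""
    t = int(time.time()) if at is None else at
    counter = t // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print(requires_tfa("read", "/finance/10Q", ["Employee"]))  # True
    print(totp(secret, at=59))                                  # 287082
    print(verify_totp(secret, "287082", at=59))                 # True
```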

On top of TFA, use your identity management platform for device registration.  If a user is authenticating and accessing resources from a mobile device, know who that user is and what device they are using.  Link the device to the user and have the tools to audit how and when the user is accessing company resources.

And, finally, have a self service portal that users can use from their mobile device.  EmpowerID has an HTML5 interface that works natively on all devices, allowing users to authenticate, reset their passwords, access SharePoint, request access to resources and all other identity actions.

These devices are not going away; take advantage of them in your identity management plans.  We can demo how EmpowerID can make that stack of phones work to your advantage.  Contact us today to see how!

Schedule a demo of EmpowerID making BYOD work for you

Tags: Identity and Access Management (IAM)

SharePoint permissions dynamically by role

Posted by Edward Killeen on Thu, May 23, 2013

SharePoint permissions do not have to be managed with SharePoint groups, those lonely, unmanaged collections of users completely removed from the rest of the enterprise.  SharePoint has evolved, first to accept Active Directory groups for permissions and now to accept roles via a claims provider.

Claims providers created in SharePoint can be used for adding claims to the security tokens of users when configuring permissions on secure objects like lists, sites, items and documents.  When EmpowerID is the claims provider, it provides its dynamic polyarchical roles as a selection in the SharePoint People Picker.

How is this useful?  Well, it's a lot easier to manage EmpowerID role memberships than SharePoint or even AD groups.  EmpowerID roles can be managed dynamically by any attribute in any connected identity store (Active Directory, HR, CRM, ERP).  Role locations can likewise be mapped from any connected application, so a user in the London OU in Active Directory will be mapped to the London role automatically.

By having management roles (the user's job(s)) and location in separate trees, you can define permissions very granularly.  For example, you may only want IT managers in London to have access to the SharePoint site to review IT tasks in London.  You simply pick from the two trees to get IT Admins in London.

Manage SharePoint permissions with roles

You can even add a runtime decision by incorporating Attribute Based Access Control (ABAC) into the equation if you want to check your timecard system to only allow on-duty IT Admins to have access!

The advantage to all of this is that users' permissions are not static.  Conservative estimates say that internal turnover is about 20% per year, meaning that 1 in 5 users will change jobs.  Think of the last time you updated a SharePoint group... it is certainly not that often.  Roles, however, are dynamic, reading from attributes that flow from within HR or any other authoritative source.  If that IT Admin makes the mistake of starting in sales, she will automatically have her IT admin role revoked and new sales role(s) invoked.  Permissions will change without IT having to lift a finger.
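The following is an added example, not EmpowerID's own engine, showing how the pieces above fit together: roles derived from HR and AD attributes rather than static groups, a job tree and a location tree intersected to scope a permission (IT in London), and an ABAC condition (the hypothetical on-duty timecard check) evaluated at request time. All role names, OUs and policies are constructed sample data.

```python
# Added example, not EmpowerID code: resolve a user's effective SharePoint
# permissions from dynamic roles in two separate trees (job and location),
# with an optional ABAC condition evaluated at request time.
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample hierarchies: child -> parent (None marks a root).
JOB_TREE = {
    "IT Admin": "IT", "IT Manager": "IT", "IT": "Employee",
    "Sales Rep": "Sales", "Sales": "Employee", "Employee": None,
}
LOCATION_TREE = {
    "London": "UK", "Manchester": "UK", "UK": "EMEA", "EMEA": None,
}

# Constructed mappings from connected-store attributes to roles; in the
# scenario described above these come from HR titles and AD OUs.
HR_TITLE_TO_JOB = {
    "Systems Administrator": "IT Admin",
    "IT Manager": "IT Manager",
    "Account Executive": "Sales Rep",
}
AD_OU_TO_LOCATION = {
    "OU=London,DC=corp": "London",
    "OU=Manchester,DC=corp": "Manchester",
}

# Runtime (ABAC) predicates keyed by name; the timecard check is hypothetical.
CONDITIONS: dict = {
    "on_duty": lambda ctx: bool(ctx.get("clocked_in")),
}


@dataclass(frozen=True)
class Policy:
    resource: str
    job: str                      # node in JOB_TREE; covers that node and its descendants
    location: str                 # node in LOCATION_TREE; same rule
    condition: Optional[str] = None


def lineage(node, tree):
    """Return node and every ancestor up to the root, nearest first."""
    out = []
    while node is not None:
        out.append(node)
        node = tree.get(node)
    return out


def derive_roles(user):
    """Compute (job, location) from authoritative attributes; no static groups."""
    return HR_TITLE_TO_JOB[user["hr_title"]], AD_OU_TO_LOCATION[user["ad_ou"]]


def effective_permissions(user, policies, context=None):
    """Resources the user may access right now: the job and location trees are
    intersected first, then any ABAC condition is checked against the context."""
    context = context or {}
    job, location = derive_roles(user)
    job_scope, loc_scope = lineage(job, JOB_TREE), lineage(location, LOCATION_TREE)
    granted = set()
    for p in policies:
        if p.job not in job_scope or p.location not in loc_scope:
            continue              # outside the job x location intersection
        if p.condition and not CONDITIONS[p.condition](context):
            continue              # role matched, but the runtime attribute failed
        granted.add(p.resource)
    return granted


POLICIES = [
    Policy("IT Tasks London", job="IT", location="London", condition="on_duty"),
    Policy("UK Intranet", job="Employee", location="UK"),
    Policy("Sales Pipeline", job="Sales", location="EMEA"),
]

if __name__ == "__main__":
    admin = {"hr_title": "Systems Administrator", "ad_ou": "OU=London,DC=corp"}
    print(effective_permissions(admin, POLICIES, {"clocked_in": True}))
    # -> {'IT Tasks London', 'UK Intranet'}
```

Changing only the HR title to "Account Executive" drops the IT site and grants the sales one on the next evaluation, which is the turnover case the paragraph above describes.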

Check out our whitepaper on dynamic roles or schedule a demonstration of EmpowerID and see how it can increase your security in SharePoint without having to mess around with SharePoint groups!

Schedule demo of SharePoint Permissions Mgmt

Tags: Role Based Access Control (RBAC), SharePoint

Introducing EmpowerID 2013: the future of IAM

Posted by Edward Killeen on Tue, May 14, 2013

Today, The Dot Net Factory releases EmpowerID 2013 for general availability. Building on its industry-leading visual workflow platform, EmpowerID expands Identity & Access Management (IAM) to manage the two hottest trends in the market: mobility and single sign-on.


EmpowerID 2013

EmpowerID is innovating with the changes in today's business climate. More users are using mobile devices, requiring more flexible and secure authentication, and demanding a single username and password. "Users" no longer means just your employees; you need a way to manage the identities and login experience for customers, partners and other external users. EmpowerID 2013 provides exciting new features to match these changing needs.

New in EmpowerID 2013

  • Web Access Management (WAM) to complement Federated SSO
  • Virtual directory LDAP server built on Node.js
  • HTML5 interface for a complete mobile experience
  • Forced device registration for strong authentication
  • OATH compliant server for software and hardware Time Based One Time Passwords (for web login, RADIUS login, LDAP and others)
  • Full smart card login support
  • FIPS compliance

The balance between security and productivity is a challenge for all businesses; EmpowerID provides a critical fulcrum by getting your users the correct access exactly when they need it. From authentication to authorization to actually getting work done, your users need to have the correct permissions, have access to the correct systems, and know how to manage this access. EmpowerID is the only Identity Management platform that maps these needs to your business processes.

These new features give more flexibility in how to manage users' identities and how the users can access resources. Coupled with EmpowerID's existing extensive collection of identity workflows, full rights based access control, and metadirectory, these new features will allow companies to keep up with the needs of their employees.

Schedule a demo of EmpowerID 2013 and see what's new

Tags: Identity and Access Management (IAM)

Managing external identity: Provisioning, RBAC and SSO

Posted by Edward Killeen on Mon, May 13, 2013

Life would be a lot easier if we only had to manage our employees' identities.  But we have customers, partners, and contractors.  These external identities have the same needs for identity management as our internal identities.  In fact, they might have more needs as we know a lot less about them.

The most common scenario that we see is when a customer (the external user) registers for services with our client.  The needs are very simple: self-registration, role based access control, approval workflows, and federated single sign-on (SSO).  I'm kidding, that's not simple.

Let's start with self-registration.  When your external user first finds your site, you will want their registration to be simple, giving them immediate access to the most public facing resources.  EmpowerID's built-in forms designer allows you to have them fill out the important information and create an account in the metadirectory.

The RBAC engine will give them the most basic of permissions at the same time that it either kicks off an approval workflow to grant more permissions or inventories another identity store (CRM for example) to determine their role and give higher privileges.

So, now you know who they are and can design some provisioning rules for other applications.  With the roles in place, you know that customers that meet certain criteria get access to different applications and resources.  Role based provisioning will automatically create accounts in these applications.

Permissions are managed with these roles too.  Polyarchical roles allow you to protect resources at a very granular level without having to create a role for every single type of external user.

Now we get to the heart of the matter: you know who your external users are, what their roles are and what access you give each role.  Now your users need to access these resources and applications.

Enter single sign-on (SSO).  You have provisioned a user account in the EmpowerID metadirectory.  This metadirectory can act as an identity provider or service provider, meaning that you can authenticate with EmpowerID and federate out to other applications or you can authenticate with other credentials, federate with EmpowerID and then with your other applications.

EmpowerID as an identity provider is incredibly powerful; it is also a Secure Token Service, allowing it to send tokens to the federated applications and giving users immediate access based on their role.  EmpowerID supports federation with SAML, OpenID, OAuth, WS-Trust and WS-Federation.

For applications that aren't federated, EmpowerID can also perform Web Access Management (WAM), sending user credentials securely and giving the same end user experience.

On the flip side, you can also federate with other identity providers such as Facebook or Twitter, giving users the ability to authenticate with credentials they use every day.  EmpowerID is still in the middle and provides role based access to the connected applications.

EmpowerID is one of the only IAM solutions on the market that manages external users' provisioning, authentication and authorization.  EmpowerID supports anonymous provisioning, allowing users to register for the services and be given a baseline of permissions.  EmpowerID can federate with Facebook, Twitter, etc. to authenticate, claim accounts in other applications and manage any attributes.

EmpowerID can then perform two factor authentication, device registration or identity proofing to further confirm the user's identity.  This seamless HTML5 interface works on any device, allowing mobile usage and a better overall user experience.

Schedule a demonstration and see how you can manage your external identities, giving them more secure and easy access to your resources.



Tags: Single Sign-on (SSO), Role Based Access Control (RBAC), User provisioning, Identity and Access Management (IAM)

Is XACML the Esperanto of IT Security?

Posted by Edward Killeen on Wed, May 08, 2013

Andras Cser of Forrester writes that XACML is Dead.  The first analyst question I was asked as head of marketing at EmpowerID was, "do you support XACML?"  The easy answer was (and is), "we will when application vendors do."  Andras' first point as the cause of the death of XACML: "Lack of broad adoption."

Andras' second point is the one that really gets to the technical heart of the matter rather than the logistical: XACML's "inability to serve the federated, extended enterprise."  Identity and Access Management (IAM) has moved way beyond the borders of an Active Directory forest.  Organizations are managing their internal users, partners, customers, and contractors and need a flexible authentication and authorization system that can accommodate the unique needs of each constituency.

Additionally, the applications they are accessing are growing more varied and widespread.  You have legacy applications, cloud applications, web applications, and mobile applications.  Organizations demand an IAM platform that can authenticate and authorize not just against the ones that support a specific standard, but against all of them.

So, while some analysts have been trumpeting loudly that XACML is going to make authorization easy and standards based, the market and forward-thinking analysts like Andras have realized that IAM in today's world is too complicated for it.

Unfortunately, this leaves us at the question: how the heck do we manage authorization in this new complicated world?  We believe that EmpowerID has hit on the best way to manage it, by integrating roles into every single aspect of IAM from provisioning to authentication to password reset to SSO.  Making your roles pervasive in all aspects of IAM gives you flexibility on the question of who has access to what, and when.

EmpowerID's role engine was designed as part of a purpose-built single codebase IAM platform; roles fit in as an integral part of each IAM function.  Our polyarchical role structure is flexible and intuitive, allowing organizations a tremendous amount of flexibility in how they apply permissions and authorization.

When roles are too static, we combine ABAC with RBAC to give runtime decisions based on attributes in any connected system, giving even more flexibility.

EmpowerID includes an advanced authorization policy engine that allows organizations to define a user’s access to a diverse set of corporate and cloud-hosted resources via flexible RBAC and ABAC rules. This “resultant access” information is then either consumed or “pulled” by systems that support leveraging an external authorization engine to make access decisions or “pushed” down onto systems that don’t.

Read more about EmpowerID's authorization engine, schedule a demo, or request a whitepaper on Best Practices in Enterprise Authorization.  XACML isn't walking through that door ready to save enterprise authorization; take a look at a solution that will.


Tags: Role Based Access Control (RBAC)

Cloud SSO for Federated and non-Federated applications

Posted by Edward Killeen on Thu, May 02, 2013

Cloud SSO is essential for productivity in your organization.  In fact, it also reduces help desk costs and can improve security.  Users can log into applications faster and with fewer obstacles.  No more lost passwords equals fewer help desk calls.  And, for the first time ever, IT has a better understanding of all of the cloud applications and user accounts in their identity ecosystem.

Here is the rub: you cannot federate with all applications.  It would be wonderful if SAML, OpenID, OAuth, et cetera were ubiquitous and you would have quick and easy federation with all of them.  In fact, we have a whitepaper on the Top 5 Federated SSO scenarios for those applications that do support federation.

So, what do you do if an application doesn't support federation?  EmpowerID and its webform SSO.  What this does for you is allow your users to claim accounts and enter their credentials once; future logins are then completely single sign-on.  In fact, the user experience is exactly the same for both types of SSO, giving an even simpler experience for your users.

Here is a demonstration of that user experience:

Now that you have your users single signing on to ALL of their applications, you get into some of the more exciting aspects of Identity and Access Management.  The same platform (EmpowerID) that is providing SSO also provisions users into these cloud applications, even going so far as role based cloud provisioning.  So, only users in a sales role get a SalesForce account.  Only the developer role gets a JIRA account.  And only those accounts that the user has will appear in their SSO dashboard.

So, download the whitepaper and schedule a demonstration to see how you can offer Cloud SSO and provisioning for all of your applications.

Click for Cloud provisioning and SSO demo

Tags: Single Sign-on (SSO)

Identity Management from within your application

Posted by Edward Killeen on Tue, Apr 30, 2013

EmpowerID is a comprehensive Identity and Access Management (IAM) platform.  It authenticates, authorizes, provisions, federates, resets passwords, audits, attests, and separates duties.  Pretty much soup to nuts Identity Management.

It does all of this for on premise or cloud applications.  Likewise for internal or external identities.  It mixes the two or separates the two.  And it does all of it well, as shown by our over 400 customers using the platform.

But that might not even be the most standout aspect of the platform.  Which is odd, because all of the above is what is needed for you to get your job done and keep your identities accurate and secure.

Within the EmpowerID platform is a visual workflow designer.  This designer displays your identity workflows with traditional workflow shapes and decision trees, and mimics how you would design it on a whiteboard or on a drafting table.  It allows you to match your identity processes to your business processes, not the other way around.  You simply drag and drop the shapes and the workflow does the work for you.  Each "shape" has an identity action that you can easily configure.  It is simple and easy and immensely powerful.


This is where the title of this blog post comes into play.  Each workflow can be exposed as a web service.  So, from within your application, you can provision a user, set an attribute, reset a password, set a role, authorize a user, or even federate.

This comes into play when you use EmpowerID's metadirectory as your backend identity store for authentication.  You get the full list of functionality with which I opened the blog post (authentication, authorization, RBAC, provisioning, federation, password management, auditing, attestation, separation of duties, soup to nuts), without having to build it into your application.

This came up very recently with a customer who was looking for single sign-on into their newly built applications.  As they were talking to several of our SSO competitors, they realized that nobody else had provisioning with SSO.  And they needed this.

This customer had already built the user interface and was planning on using our OAuth server for authentication.  What was missing was a way to enforce RBAC, to have admins create new users, and to have end users reset their passwords.  Since all EmpowerID workflows are exposed as either a web service or through APIs, building this into their application becomes a fairly simple endeavor.

They now have a very robust IAM capability from within their application.  They can manage users, passwords, authentication, and roles from either within their application, the EmpowerID web UI, or the EmpowerID hard client.

Schedule a demo IAM from within your application!

Tags: Identity and Access Management (IAM)

Role based user provisioning demonstration

Posted by Edward Killeen on Thu, Apr 25, 2013

One of the key concepts in user provisioning is that not all users are created equal.  An IT admin may need a user account provisioned to JIRA while a sales manager needs a user account provisioned to Microsoft CRM.  All employees get an AD account and Exchange mailbox.  Partners only get a SharePoint profile.  Role based user provisioning solves this.

With EmpowerID's integrated RBAC engine, you have roles assigned either statically or dynamically to each user, most times more than one role.  With a simple role assignment, EmpowerID assigns user accounts to that user and performs the heavy lifting of provisioning them whether on premise or in the cloud.

This video is a very simple demonstration of this process, showing the end result and how we got there.  User account provisioning does not have to be difficult or messy or, most importantly, manual.

This was, of course, a very simple example, with only a handful of accounts and a handful of roles.  EmpowerID is installed and managing identities in huge enterprise environments with hundreds of thousands of identities and scores of applications.  Conversely, we have clients with identical problems with a thousand users that EmpowerID solves.

Schedule a demonstration and we will tailor it to your specific use case to see how you can solve the role based user provisioning problem.

Schedule a demo Role Based User Provisioning

Tags: User provisioning

Single Sign-on (SSO) end user experience

Posted by Edward Killeen on Fri, Apr 19, 2013

Single sign-on (SSO) makes life easier for end users; extra passwords and user accounts are eliminated and users just log on seamlessly to applications.  The problem is that not all applications are federated, so you need one SSO tool that can provide SSO for federated and non-federated applications.  You also need SSO to cover both cloud and on-premise applications.  In other words, you need SSO to be made easier for your end users.

EmpowerID provides this comprehensive view of single sign-on, giving end users an easy, intuitive way to get to all of their applications, whether they are federated or not, on premise or cloud.  Take a look at this demonstration of EmpowerID's intuitive and simple SSO platform for your end users:


If you need SSO for your users, EmpowerID offers the fullest range of single sign-on, provisioning and authorization capabilities around.


Tags: Single Sign-on (SSO)