All-In-One Identity Management and Cloud Security

Microsoft makes Office 365 pretty easy when you are already managing Active Directory with its DirSync utility.  However, this doesn't always work if your users are not in AD or if you have multiple forests.  So, how do you manage provisioning, group management and SSO to Office 365 without AD?

EmpowerID.

Let's take the first use case, users that are not in AD but that need an O365 account.  This happens often in franchises, education, manufacturing or when offering accounts to non-employees.  EmpowerID's metadirectory stores a "person" object that is completely independent of AD, this user account can then be provisioned to O365 and updated through EmpowerID's HTML5 user interface.

Users have the ability to manage group membership, passwords (including self service password reset) and single sign-on to O365 with the EmpowerID credentials.  All of these changes are made in the metadirectory which is synchronized directly to Office 365 without AD in between as well as direct Identity Administration where the workflows make live changes directly to Office 365 like we do to AD. Not all has to go through sync like FIM.

You can automate all of the provisioning/deprovisioning to the metadirectory based on a connector to any other system (student database for example).  The EmpowerID Office 365 connector does all of the heavy lifting that DirSync does but adds the complete workflow and RBAC capability of EmpowerID.  Without AD in the mix.

The other use case is one that a few customers have brought to us: Office 365 does not work with multiple AD forests unless you want to deal with FIM and the army of consultants / developers necessary to manage that.  Again, the EmpowerID metadirectory solves this, easily connecting and synchronizing each AD forest into the metadirectory, creating a person object that joins user accounts in each forest.

The EmpowerID Office 365 connector then does all of the heavy lifting, provisioning accounts, offering password management, single sign-on and group management.  Any changes you make can flow out to each AD forest as well.

The customers that have come to us for this scenario always point out the obvious, if they used FIM they are not future proofed, not only do they pay more for the initial deployment, but if there is another acquisition and another forest added, they have to start the whole process again with FIM.  With EmpowerID, it is a matter of connecting another AD forest with the connector already in place.  Easy peasy.

Office 365 is a great product (we use it internally) but there are limitations to deploying it with DirSync and some very specific use cases where it doesn't work.  EmpowerID fixes those use cases while giving a huge number of other IAM platform advantages.  Take the time for a demo of how we can manage O365 without AD and see how much more you can do with a robust single codebase IAM platform.

Single sign-on does not exist in a vacuum.  Especially in an extranet environment, you need to know who those users are, what access they should have, and give them a way to manage their identity.  Essentially, identity management cannot be separated from SSO.

When SSO projects come our way, the initial conversations are always around SAML federation, Web Access Management (WAM), or password vaulting.  We talk about identity providers, service providers, SharePoint claims, and multi-factor authentication.  Customers talk about their applications and user experience in SSO.  What they don't bring up is how to manage those external users because other SSO vendors avoid that conversation like the plague.

If all applications were federated (they aren't), then this might not be as big of a deal but in truth, most of our customers have a mix of SSO technologies and you need to know who those users are.  You will need to have self-registration for external users, automated provisioning for internal users, self service password reset for IdP credentials, attestation and certification of user accounts and access, and step up authentication for secure access.

EmpowerID's platform comes with base functionality for all of its modules.  The base platform contains the metadirectory, RBAC engine, and visual workflow studio.  All identity management workflows (create user, change password, etc) are part of the platform to manage the external user.  Your users will have all of the abilities for SSO and you will know who they are and have extensive identity management capabilities.

But, remember, the customer is coming to us for SSO so the platform still needs to be able to offer single sign-on in the most comprehensive way.  Many applications are federated (SAML, OAuth, OpenID, WS-Trust and WS-Federation) but for those that aren't the SSO platform needs to have multiple ways to handle that application.

SSO Manager offers a few options:

• Web Access Management (WAM): either using reverse proxy or an agent, SSO Manager can intercept access attempts to an application, send them over to EmpowerID for authentication and return them authenticated to the application without any interaction on their part
• Federated SSO: EmpowerID can act as either the identity provider or service provider using any federated protocol (SAML, OAuth, OpenID, WS-Trust, WS-Federation)
• Password vaulting: as a last resort, users can claim accounts, provide the username and password which will be vaulted securely on the EmpowerID server and provide the same seamless SSO experience for the user
• Shared accounts: for many applications such as Twitter or Facebook, corporate accounts need to be shared without giving out the password, the owner can share the account and revoke access when needed
• Virtual Directory: the EmpowerID metadirectory is exposed as a virtual LDAP directory that can be used as the back end identity store for any application

By offering this comprehensive solution, your users will authenticate and be presented with a dashboard of SSO applications; they don't need to know how you got them the SSO access, it is seamless.  You can manage their access and user accounts all from one platform, on a single code base with the easiest and most efficient management in the industry. 

Let us demonstrate these capabilities and you will see why the comprehensive platform is your best method to providing single sign-on.

Whether you are building a new application or trying to retire the old legacy directory for an old application, having a virtual directory directly tied to your identity directory gives you great flexibility.

EmpowerID maintains a metadirectory that inventories and updates all of your various identity stores on a continuous basis, keeping a single unified "person view" of each user, whether they be internal or external.  This metadirectory can be used for a lot more than Identity and Access Management (IAM), however.

But rather than synchronize all of this identity information to yet another directory, EmpowerID's Virtual Directory allows you to present this metadirectory identity information as LDAP.  EmpowerID roles are presented as LDAP groups and you can maintain the exact schema required for the application without having to manage another directory.

This virtual directory is especially useful for applications that require internal and external users to both have access, replacing the need to have external users inside of your corporate directory.  As LDAP, users on any OS can access, authenticate and authorize against the directory.

By using this virtual directory as your application directory, you no longer have to worry about separate provisioning and de-provisioning as all of the workflows around user management are included in your IAM, you simply create a role based provisioning workflow to create accounts in the virtual directory based on user attributes.  You can offer self registration, password management, single sign-on, and RBAC policies to apply to what your user can and cannot do in the application.

Since all of EmpowerID is workflow based and can be managed with APIs and web services, you can even build the management of these users into your application, lessening the learning curve for administration of the application

Virtual directories that are separate from your IAM have many of the same challenges as legacy directories, take a look at what you would need to integrate the two and take advantage of all of the IAM capabilities for your application.

Imagine having your users empty their pockets at a big security checkpoint as they enter your building.  What kinds of devices would you find?  Tons of tablets, scads of smartphones, the rare Google Glass, and probably one guy who still has a pager.  Make a stack of all of these and it's most likely taller than your building.

This BYOD trend can obviously be a security risk but it is also an identity management opportunity.  The reason is that mobile devices are an integral part of a user's identity; users are very rarely separated from their phone so you can use the device to help identify them.

The best and most immediate use is two factor authentication (TFA).  Software based tokens are free, the OATH server comes with EmpowerID and the client apps (such as Google Authenticator) are free.  The uses for two factor authentication are many and can help balance the security risk that you're facing just allowing these devices.  We recommend three main uses for two factor authentication:

1. Two factor authentication with ALL password resets.  If a user is resetting their passwords, force TFA to ensure they are who they say they are.
2. Step up authentication.  When a user is attempting to access a highly secure resource (folder with 10Q financial documents, the SharePoint site with Coca Cola's secret recipe, etc.) step up their authentication to include two factor authentiation.
3. Role based authentication.  If a user wants to be highly privileged, make them prove who they are when they authenticate.  Often the users with the most privilege have the most clout in the organization and get away with the least security (CxO, domain admins, etc).  That is bad security.

On top of TFA, use your identity management platform for device registration.  If a user is authenticating and accessing resources from a mobile device, know who that user is and what device they are using.  Link the device to the user and have the tools to audit how and when the user is accessing company resources.

And, finally, have a self service portal that users can use from their mobile device.  EmpowerID has an HTML5 interface that works natively on all devices, allowing users to authenticate, reset their passwords, access SharePoint, request access to resources and all other identity actions.

These devices are not going away, take advantage of them in your identity management plans.  We can demo how EmpowerID can make that stack of phones work to your advantage, contact us today to see how!

Today, The Dot Net Factory releases EmpowerID 2013 for general availability. Building on its industry leading visual workflow platform, EmpowerID expands Identity & Access Management (IAM) to manage the two hottest trends in the market: mobility and single sign-on.

EmpowerID is innovating with the changes in today’s business climate. More users are using mobile devices, requiring more flexible and secure authentication, and demanding a single username and password. Users no longer means just your employees, you need a way to manage the identities and login experience for customers, partners and other external users. EmpowerID 2013 provides new exciting features to match these changing needs.

New in EmpowerID 2013

• Web Access Management (WAM) to complement Federated SSO
• Virtual directory LDAP server built on Node.js
• HTML5 interface for a complete mobile experience
• Forced device registration for strong authentication
• OATH compliant server for software and hardware Time Based One Time Passwords (for web login, RADIUS login, LDAP and others)
• Full smart card login support
• FIPS compliance

The balance between security and productivity is a challenge for all businesses, EmpowerID provides a critical fulcrum by getting your users the correct access exactly when they need it. From authentication to authorization to actually getting work done, your users need to have the correct permissions, have access to the correct systems, and know how to manage this access. EmpowerID is the only Identity Management platform that maps these needs to your business processes.

These new features give more flexibility in how to manage users identities and how the users can access resources. Coupled with EmpowerID’s already existing extensive collection of identity workflows, full rights based access control, and metadirectory, these new features will allow companies to keep up with the needs of their employees.

Life would be a lot easier if we only had to manage our employees' identities.  But we have customers, partners, and contractors.  These external identities have the same needs for identity management as our internal identities.  In fact, they might have more needs as we know a lot less about them.

The most common scenario that we see is when a customer (the external user) registers for services with our client.  The needs are very simple: self-registration, role based access control, approval workflows, and federated single sign-on (SSO).  I'm kidding, that's not simple.

Let's start with the self-registration.  When your external user first finds your site, you will want their registration to be simple, giving them immediate access to the most public facing resources.  EmpowerID's built in forms designer allows you to have them fill out the important information and create an account in the metadirectory. 

The RBAC engine will give them the most basic of permissions at the same time that it either kicks off an approval workflow to grant more permissions or inventories another identity store (CRM for example) to determine their role and give higher privileges.

So, now you know who they are and can design some provisioning rules for other applications.  With the roles in place, you know that customers that meet certain criteria get access to different applications and resources.  Role based provisioning will automatically create accounts in these applications.

Permissions are managed with these roles too.  Polyarchical roles allow you to protect resources at a very granular level without having to create a role for every single type of external user.

Now we get to the heart of the matter, you know who your external users are, what their roles are and what access you give each role.  Now your users need to access these resources and applications.

Enter single sign-on (SSO).  You have provisioned a user account in the EmpowerID metadirectory.  This metadirectory can act as an identity provider or service provider, meaning that you can authenticate with EmpowerID and federate out to other applications or you can authenticate with other credentials, federate with EmpowerID and then with your other applications.

EmpowerID as an identity provider is incredibly powerful, it is also a Secure Token Service, allowing it to send tokens to the federated applications and giving users immediate access based on their role.  EmpowerID supports federation with SAML, OpenID, OAuth, WS-Trust and WS-Federation.

For applications that aren't federated, EmpowerID can also perform Web Access Management (WAM), sending user credentials securely and giving the same end user experience.

On the flip side, you can also federate with other identity providers such as Facebook or Twitter, giving users the ability to authenticate with credentials they use every day.  EmpowerID is still in the middle and provides role based access to the connected applications.

EmpowerID is one of the only IAM solutions on the market that manages external users' provisioning, authentication and authorization.  EmpowerID supports anonymous provisioning, allowing users to register for the services and be given a baseline of permissions.  EmpowerID can federate with Facebook, Twitter, etc. to authenticat, claim accounts in other applications and manage any attributes.

EmpowerID can then perfrom two factor authentication, device registration or identity proffing to further confirm the user's identity.  This seamless HTML5 interface works on any device allowing mobile usage and a better overall user experience.

Schedule a demonstration and see how you can manage your external identities, giving them more secure and easy access to your resources.

EmpowerID is a comprehensive Identity and Access Management (IAM) platform.  It authenticates, authorizes, provisions, federates, resets passwords, audits, attests, and separates duties.  Pretty much soup to nuts Identity Management.

It does all of this for on premise or cloud applications.  Likewise for internal or external identities.  It mixes the two or separates the two.  And it does all of it well, as shown by our over 400 customers using the platform.

But that might not even be the most standout aspect to the platform.  Which is odd because all of the above is what is needed for you to get your job done and keep your identities accurate and secure.

Within the EmpowerID platform is a visual workflow designer.  This designer displays your identity workflows with traditional workflow shapes, decision trees and mimics how you would design it on a whiteboard or on a drafting table.  It allows you to match your identity processes to your business processes, not the other way around.  You simply drag and drop the shapes and the workflow does the work for you.  Each "shape" has an identity action that you can easily configure.  It is simple and easy and immensely powerful.

This is where the title of this blog post comes into play.  Each workflow can be exposed as a web service.  So, from within your application, you can provision a user, set an attribute, reset a password, set a role, authorize a user, or even federate.

This comes into play when you use EmpowerID's metadirectory as your backend identity store for authentication.  You get that full list of functionality with which I opened the blog post (authentication, authorization, RBAC, provisioning, federation, password managemnt, auditing, attestion, separation of duties, soups to nuts).  Without having to build it into your application.

This came up very recently with a customer who was looking for single sign-on into their newly built applications.  As they were talking to several of our SSO competitors, they realized that nobody else had provisioning with SSO.  And they needed this.

This customer had already built the user interface and was planning on using our OAuth server for authentication.  What was missing was that they needed a way to enforce RBAC, to have admins create new users, and to have end users reset their passwords.  Since all EmpowerID workflows are exposed as either a web service or through APIs, this becomes a fairly simple endeavor to build this into their application.

They now have a very robust IAM capability from within their application.  They can manage users, passwords, authentication, and roles from either within their application, the EmpowerID web UI, or the EmpowerID hard client.

Simple attribute sync is not difficult.  Take a key (user's alias or email address or employee ID) and decide which identity store is authoritative and synchronize the attribute(s).  What is difficult is when you have dozens or scores of identity stores.

If you tried to synchronize all of these attributes without a central identity store like a metadirectory, you would end up with a confusing lattice of synchronization scripts that could easily conflict with each other.  I'm not saying it's impossible, it's just impractical.

Having a hub and spoke solution allows you to easily flow attributes from the authoritative source to the metadirectory and back out to the appropriate identity stores.  An example would be that HR is authoritative for a user's title, then empowerID metadirectory would inventory HR, see the change and update the user's "person" account in the metadirectory.  With that change, it will need to be flowed out to the LDAP identity store and Active Directory.

If some rogue admin changes the title in Active Directory using ADUC, empowerID would inventory that change, see that HR is authoritative and roll back the change in AD.  Having the central metadirectory is incredibly powerful for keeping attributes in all identity stores accurate.

But metadirectories are complicated, right?  I saw my first metadirectory in 1999/2000 when Critical Path bought Isocor.  If you asked me that question then, I would have said, "yes, very complicated."  Ask me today and I'll say that even I can manage connectors and attribute flow. 

Consider this:

It is as simple as configuring the arrow to indicate the authoritative source.  It can be authoritative from either identity store (arrow facing one way), last change wins (arrows facing both ways), or don't sync (big red dot).  "Big red dot" is a technical term in the world of UI, trust me.

You have these attribute flow rules for every connected system in the identity ecosystem.  From the example of the hub and spoke diagram above, you would have four attribute flow rules to fill out, with empowerID doing the heavy lifting of schema detection from its connectors.  You just decide what maps and what wins.

This is just for simple attribute flow, sometimes it does get more complicated.  You may need advanced attribute transformations, more than 1 to 1 attribute flow, 1 to many, calculated values.  You may need to extend the attribute flow for complex transformations.  EmpowerID's UI allows you to easily extend the flow with these transformation, some right out of the box (for example first name & last name from HR transforming to an alias like first initial last name {Edward Killeen becoming ekilleen}) and some with custom code.  It is all built into the empowerID platform.

Having a metadirectory in place also extends attribute sync to the cloud.  Many of our customers have 20%+ of their applications in the cloud now.  You need to be able to synchronize these attributes out to the cloud identity stores.  You rarely have access to the backend database or directory, rendering scripts and simple synchronization tools obsolete and ineffective.

EmpowerID's connector framework can map synchronization actions to its API layer, allowing synchronization from the metadirectory to the cloud applications.  With this capability, you now have all of your identity stores synchronized and accurate.  Contact us for a personalized demonstration of empowerID and we can show you how to synchronize attributes and all of the other capabilities of the most complete and flexible IAM platform on the market.

Users and their access are inextricably linked.  The National Institute of Standards & Technology (NIST) estimates that users are only 58% productive without their proper access.  So, why are provisioning processes often separate from access governance processes?

It should be an identity ecosystem.  When a user is initially provisioned from HR (or a contractor database or a customer self-registration), you apply an initial role to that user dynamically based on what you know about them.  That role (or roles) determine in which systems the user needs to be provisioned.  An example is: sales rep in Toledo will need an Active Directory account, an Exchange mailbox, an ERP account and a salesforce.com account.

Once that user has these accounts, the user will need to have roles within these applications.  The ability to modify groups, access SharePoint sites, place customer orders, modify CRM records and anything else that is role based.  This is the idea that you are provisioning access and accounts.

Some systems, like your VPN or shared folders or Business Intelligence app, may use AD groups to grant these roles.  And this is why provisioning access goes beyond just the application role based access control listed above to group based access control.  No organization can manually keep up with all of the group membership requirements that is required; you need to provision group membership dynamically based on rules and roles. 

Groups are intertwined in your everyday corporate life, from distribution lists to printer access.  However, role based access control is arguably the more modern approach to access governance, reaching outside of the Microsoft ecosystem better and being generally more flexible.  Having group membership controlled by your role makes this easy.

This can all happen dynamically in the first minutes of a user's employment, but users don't sit still for much longer than that.  Estimate vary, but on average, there is a 20% internal turnover per year.  These are employees that are still with the company, but have some sort of job change whether it be a redeployment, promotion, move, or restructuring.  Then the whole identity and access provisioning scenario starts again.

Having a metadirectory sitting in the middle of this identity ecosystem gives you flexibility to inventory HR or AD or any other authoritative source or sources to detect these changes.  Once the change to a user happens, all of the application provisioning can be re-evaluated, de-provisioning accounts they no longer need, provisioning new accounts and changing roles within the applications.

Group memberships get re-evaluated, removing access to old and granting access to new.  EmpowerID can generate reports to show new resultant access for the new roles for auditors or new managers to review.

Then if an offboarding event does happen, all accounts and access are linked to an EmpowerID person object and can be removed in one fell swoop, with accounts de-activated and an audit trail to show access has been removed from everything except their 401K account.

Too often, provisioning is looked at as a way to create an account without considering that access is as important as the user accounts.  Then the lifecycle of the user needs to be considered, again not just as an account but the role and access level required.

EmpowerID's unique visual workflow component, metadirectory and RBAC engine work together as part of the IAM platform to keep privisioning, evaluating and re-provisioning user accounts and access throughout a user's lifecycle.

Identity and Access Management is all about the authoritative system.  The identity source of truth.  Most often it is the HR system, but for some very important information it is your users.

What you can't automate, you delegate.  And this is especially true for user identity information such as mobile phone, home address, or other personal identity information.  Your end users know this information, you and HR probably don't.

The solution is to give them Active Directory self service.  Delegate the ability to update pertinent identity information in AD but only the pertinent information.  You will need role based access control to determine what the end user can and cannot update.  Let them view title but not edit it.  Allow them to update their office phone but put an approval workflow in place for their manager or the help desk to confirm it. 

But this information belongs in more places than Active Directory.  If your user updates her home address, that information should flow to your payroll application.  If mobile phone is updated, that should flow to your emergency contact list.  Identity is a lot more far reaching than Active Directory, but AD is the place that your users understand; it's the global address list, they see it all the time.

Some information goes the other way.  Your user gets a promotion and the new title is put into the HR system, that information needs to flow to Active Directory.  That same promotion prompts the user to need access to the customer portal and that information flows directly to that portal, provisioning an account if necessary.

Having a metadirectory functioning in a hub and spoke model allows you to configure these attribute flows easily and efficiently.  The EmpowerID metadirectory gives a visual attribute flow to determine which identity store is authoritative and which is a recipient.  You can also have a "first wins" scenario, taking the last change regardless of which system is the originator.

The metadirectory "hub" keeps a record of all changes, allowing you to audit which system recorded the change, when where and how.  You can roll back changes, apply additional workflow actions to any change, and audit these changes periodically.

The idea of adding a workflow to an automated change might seem counterintuitive but the idea is to have identity controls in place for applications that don't necessarily have controls.  Active Directory is a great example.  If you have ADUC access, you have ADUC access.  You want to have role based access where users can manage some attributes, managers can manage more, the help desk even more, and the admins to have more access.

Having a check and balance on each of those powers is important.  Think about this, the users with the most privilege (domain admins and senior executives) also have the most ability to bypass your security.  If you ran an audit on users with passwords set to never expire, the list would most likely be littered with names from those two sets.  And, they are the users you need the most secure.

So if a change comes from ADUC into the metadirectory on a particularly important attribute (say, relating to password policy), put a control in place.  Have another domain admin approve it even though it was an automated feed.  Same thing for title, kick off a workflow when someone's title change from HR contains VP or "Chief".  This is simple checks and balances just like we all learned in the 5th grade.

The metadirectory gives you an easily managed model to flow identity information to the correct identity stores.  It allows you to automate AND delegate.  And, it enables auditing to a level that native application access won't.