EmpowerID Inserts Intelligence into 2013 SharePoint People Picker

Posted by Chris Hayes on Wed, Jun 24, 2015

The SharePoint 2013 People Picker is the tool you use to find and select users, groups and claims when granting someone a permission to a site in SharePoint. The People Picker is heavily dependent on how authentication is configured for your site, so you need to ensure your SAML or claim provider is intelligent.

Don't let this happen to you

All claim providers created equally!

Today the most common issue SharePoint administrators find with an authentication claim provider is that SharePoint will accept any name you type in the People Picker. Even worse, with a typical claims provider you can type nonsense and you will see two results, neither of them valid!

Not Valid

Credit: Kirk Evans Microsoft Blog

This is not because the SharePoint People Picker needs to be fixed; it is working as designed. It is a result of the claim provider.

The EmpowerID SharePoint Manager solves this problem: we have created the most intelligent claim provider in the market today. In doing so we set out to do 4 things which will have a huge impact on the day-to-day operations of your SharePoint site.


1. Create the most intelligent claim provider in the world. We didn't stop at providing intelligent responses to the query; we also segregate the data so that delegated administrators can only view results for data that they can see. This is a very important point: if a business partner administrator wants to grant someone rights to a site, the EmpowerID data filtering and masking is still maintained.

2. Provide SharePoint "web parts". This is technology that allows users to find new sites and request access to them. It also allows site administrators to approve site access, all directly within SharePoint.
3. Fully support federated or claims based authentication into SharePoint.  Users can authenticate with EmpowerID, bring their own social identity or use another.


4. Answer the "Why" question. Why does someone have access and when was it granted? The other side of a SharePoint claim provider is tracking these finer details. EmpowerID includes full certification and attestation for SharePoint access, which provides your enterprise with a host of risk controls not previously available.

Want to know more?

Watch a previously recorded webinar that discusses these points here

Click the button to request more information.

Request a Demo


Tags: Single Sign-on (SSO), authentication, Governance and Regulatory Compliance, Federation, User provisioning, Data Governance, Attestation, consumers, SAML, SharePoint, Access Governance, SSO

SSO and Delegated Management Module for Office 365 Released

Posted by Patrick Parker on Fri, Sep 12, 2014

Yesterday we announced the release of Office 365 Manager, a new module that enables organizations to extend their existing on-premise security and audit control model to the Microsoft Office 365 and Azure Active Directory Cloud. We have also released a new web site dedicated to information on Office 365 Manager. The new site is located at http://office365.empowerID.com.

We are seeing rapid adoption of Office 365 to reduce the cost of IT operations. Office 365, however, is presenting our customers with some security and management challenges because it offers only basic audit controls and a limited ability to delegate administrative tasks. Our new Office 365 Manager provides organizations with the first and only Identity and Access Management solution that applies existing security practices for on-premise Active Directory and Exchange to the management of Office 365 in the Cloud.

Office 365 Manager allows organizations to leverage the same secure delegation and flexible administration model that they use for their behind-the-firewall systems. It addresses a key shortcoming of Office 365, which runs on Azure Active Directory and lacks a hierarchical structure, forcing the placement of all users, groups, mailboxes and contacts in a single location. By extending the existing structure of a customer’s on-premise Active Directory, LDAP, or HR system to Office 365, Office 365 Manager can securely delegate responsibilities by role, department, business unit and location.

With Office 365 Manager's Single Sign-On capabilities, your internal users can continue to use their existing Active Directory username and password when logging in to Outlook, OWA, Lync, and SharePoint after they have been migrated to the Office 365 cloud. External partners or customers can leverage Social Media logins, your own branded EmpowerID login, or even their remote corporate AD credentials.

Top 10 features and benefits of the new Office 365 Manager:

1.    Role-Based Delegated Administration to Reduce IT Staff Workload 
2.    Automated Provisioning and Sync for Better Productivity and Security 
3.    Dynamic Group Management for Improved Group Security 
4.    Single Sign-On for Ease of Use 
5.    Multi-Factor Authentication for Improved Access Security 
6.    Mobile Device Security (BYOD) To Properly Secure Mobile Device Access 
7.    Self-Service Password Management to Reduce Help Desk Workload 
8.    Shopping Cart Style Self-Service to Automate Request Fulfillment and Audit Tracking 
9.    Access Recertification and Audit Reporting For Better Access Governance 
10.     Mailbox and Folder Permission Audit, Management, and Self-Service for Improved Productivity and Governance

 

Secure Office 365 Today!

Tags: Single Sign-on (SSO), Role Based Access Control (RBAC), User provisioning, Office 365

Innovation and Productivity Gains From Identity and Access Management

Posted by Bradford Mandell on Tue, Jul 15, 2014


Security for identities.  Managing user access to applications.  Auditing user access.

“Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

The CSO’s experience with several of the oldest and most installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty in customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to maintain.

After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management.  EmpowerID is built on a single codebase with a workflow core and ships with hundreds of ready-to-deploy workflows, and the CSO was impressed with its broad functionality and its ability to easily design and automate complex IAM processes with its visual Workflow Designer.

The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

EmpowerID also assists the organization’s auditors with data governance – the discipline of ensuring that access to corporate and patient data is secure and is subject to the proper controls. EmpowerID not only improves the quality of data, it also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics. EmpowerID provides dozens of reports out of the box and it supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

As a result of successfully automating their new user provisioning process and providing a seamless single sign-on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months.

The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM. 

 

Learn More about IAM Cost Savings with EmpowerID

Tags: Single Sign-on (SSO), Active Directory, GRC, Group Management, Governance and Regulatory Compliance, Identity Management, User provisioning, Data Governance, Attestation, Separation of Duties, Password management, Identity and Access Management (IAM), Access Governance

Cloud SSO from mobile devices and your desktop

Posted by Edward Killeen on Thu, Oct 31, 2013

We have a very large home healthcare client with a very common problem: most of their employees are on the road needing access to corporate and cloud applications using a tablet.  These users have numerous critical applications they need to access for medical history, prescriptions, scheduling and all of the traditional cloud applications.  If they couldn't authenticate and log on, they certainly could not call the helpdesk while sitting with their patients.

The solution to the problem consisted of three parts:

  1. Single sign-on using a combination of Federation, Web Access Management (WAM), and password vaulting.
  2. Role based access control to give the mobile user the correct access within applications.
  3. Two Factor Authentication using OATH tokens for high security applications.

Single Sign-on to these corporate and cloud applications was the first priority.  Because EmpowerID has a metadirectory that inventories and synchronizes identities with all of the applications, we know who the users are.  We configured EmpowerID to authenticate the user and present a unified dashboard regardless of the method used for single sign-on.  Several of the applications were federated using SAML, Web Access Management (WAM) was used for most, and one lone legacy app was handled with secure password vaulting.

With a mixture of on-premise and cloud applications, this unified interface is essential for the user experience.  EmpowerID's user interface is HTML5 so it configures for the device, giving a modern clean appearance regardless of the screen dimensions (smartphone, tablet, laptop).  Device registration adds another layer of security as IT can keep track of the devices used in the field, even limiting access to corporate issued devices in some divisions.

Of course you need to add RBAC to the mix.  A nurse doesn't have the same access needs as a doctor or technician or delivery manager.  Not only are the SSO dashboards security trimmed based on role(s) but EmpowerID's connectors can project roles into the applications whether they be cloud or on-premise to give the correct access within the application.

These same roles are then used to determine when to demand two factor authentication.  Based on a combination of the user's role and the security level of the application being accessed, EmpowerID will demand a second factor using its OATH server.  Issuing this OATH token gives a layer of security for both the CISO and the auditors.

Accessing today's complex mix of on-premise and cloud applications from a complex mix of mobile and desktop devices is, in a word, complex.  EmpowerID's mix of SSO methods, RBAC workflows and metadirectory simplifies it not only for your users but for IT as well.  Schedule a demo and see how Cloud SSO can be made less complex.

Schedule a cloudy demo!

Tags: Single Sign-on (SSO)

Web and cloud single sign on in the modern world

Posted by Edward Killeen on Fri, Oct 25, 2013

The average corporate user has to access over 16 applications in the course of their job; that can be up to 16 sets of credentials (username and password).  Assuming 30 seconds of extra time per credential, that's about 40 minutes per week wasted on usernames and passwords.  Factor in a forgotten or locked password per week and you are up to almost an hour spent per week dealing with this wholly unnecessary routine of passwords.

Why?  Single sign on.  It is better, it's easier, it's more secure.

Your user has to authenticate at least once, usually with their Windows credentials.  Now you know who they are.  You know what applications they have access to, both on premise and cloud.  So why are they having to continually prove their identities to each application?

Of those 16 web and cloud applications, probably half support federation, usually SAML or OAuth.  Note: EmpowerID supports SAML, OAuth, OpenID, WS-Trust, and WS-Federation.  You can federate with those applications, knowing that each one trusts that you know who your users are.  Your Identity Provider (EmpowerID) will simply send a token to that application verifying who your user is and the access they have.  No username or password typed.

For those web applications that are not federated, Web Access Management (WAM) is the way to go.  For these applications, EmpowerID either uses an agent in the application or a reverse proxy to secure the URL and pass a secure header variable with your user's credentials.  This tried and true method can usually cover a quarter of applications.

For those remaining applications that cannot federate or use WAM, secure password vaulting can keep the exact same SSO experience for your users.  Your user will claim the account, enter their username and password ONCE, and EmpowerID will encrypt and pass these credentials as your user signs in.

Your users will have a single SSO dashboard for all of these applications and never have to type another set of credentials for any web applications, on premise or the cloud.

That being said, making it too easy can be an issue sometimes as well.  Say one of those web applications stores all of the company secrets, like the Colonel's secret recipe or the location of the exhaust vent on the Death Star.  You have to secure that, right? 

That's when you add a second factor authentication to that specific application.  Incorporate an OATH token into the authentication process for that application, send it to a known device for the user and be doubly sure that they are who they say they are.  With EmpowerID, this two factor authentication can be added into any SSO workflow and even be based on the user's role.

Saving your users time while increasing your security seems like a win-win situation with single sign-on.  Schedule a demonstration of EmpowerID's complete SSO capabilities and/or download our whitepaper on the Top 5 Federated Single Sign On Scenarios.

Tags: Single Sign-on (SSO)

Automated provisioning of cloud identities

Posted by Edward Killeen on Mon, Oct 14, 2013

 

Gartner says that while only 38% of businesses use cloud applications today, 80% plan to deploy cloud services in the coming 12 months.

That is astounding.  If you are one of the 55% of businesses planning on deploying cloud services for the first time in the next 12 months, you have some planning to do for your users and Identity Management (IdM).

The first two Identity Management hurdles you have to overcome are provisioning and Single Sign-on.  Without proper IdM planning you could very easily end up back in the dark ages of manual provisioning for your cloud applications.

Say, for example, you are a personal fitness firm deploying Office 365 service to your personal trainers.  These trainers don't necessarily have Active Directory accounts so you cannot rely on Dir Sync (even if there weren't other limiting factors like multiple forests).  Same thing with Google Apps and GADS (Google Active Directory Synch).

You can either manually add all of these accounts and commit a metric ton of resources to updating their accounts on an ongoing basis, write a script, or invest in an IdM platform that combines on-premise and cloud provisioning.

Very few cloud applications get deployed to everybody, so you need to offer role based provisioning.  In our example, if role=trainer, it should kick off the workflow to provision an O365 account.  If role no longer equals trainer, de-provision the account.

EmpowerID manages these automated provisioning workflows with its metadirectory.  It populates "person" accounts in the metadirectory based on the authoritative source or sources, determines the user's role based on identity information we know about them (department, title, et cetera), and then uses a connector to natively speak to the cloud application, provisioning an account and giving the proper permissions within the cloud application.

The exact same platform and workflows and roles are used for both on-premise AND cloud applications.  Just a different connector and different role based provisioning rules.

I used an easy example, but any cloud application works this way.  Even when the authoritative source is a cloud application (for example, Workday or NetSuite).

So, there is half the battle, you have user accounts but how do your users get there?  Nothing like having half a dozen URLs, half a dozen passwords, and a deluge of help desk calls!  You need single sign-on, most likely federated single sign-on!

Most of these cloud applications support Federation using one of the standard protocols: SAML, OAuth, OpenID, WS-Trust, or WS-Fed.  For those that don't, you still need a method for secure password vaulting.

EmpowerID offers a single unified SSO dashboard for both on-premise and cloud applications.  It includes applications that are federated, using Web Access Management (WAM), password vaulting, or even authenticating with EmpowerID's virtual directory.

Given the increased need for security around cloud applications, EmpowerID provides an OATH server for two factor authentication (TFA), device registration and a full auditing capability.  TFA can be employed based on the role of the user, the security level of the application or a combination of these two.  If you are giving users access to your business applications when outside the network, make sure you know who they are.

Having the integrated metadirectory and automated cloud provisioning, you do away with the messy Active Directory requirements of some SSO providers.  Being a complete integrated single codebase IdM platform adds more functionality to the cloud equation than you can possibly get with piecemeal solutions.

Schedule a demonstration of automated provisioning or just read our whitepaper on Federated Single Sign-on and see how EmpowerID can solve the identity problems you will encounter as you move to the cloud.

Schedule a cloudy demo!

Tags: Single Sign-on (SSO), User provisioning

Single Sign-on (SSO) as part of an Identity Management platform

Posted by Edward Killeen on Wed, Aug 07, 2013

Single sign-on does not exist in a vacuum.  Especially in an extranet environment, you need to know who those users are, what access they should have, and give them a way to manage their identity.  Essentially, identity management cannot be separated from SSO.

When SSO projects come our way, the initial conversations are always around SAML federation, Web Access Management (WAM), or password vaulting.  We talk about identity providers, service providers, SharePoint claims, and multi-factor authentication.  Customers talk about their applications and user experience in SSO.  What they don't bring up is how to manage those external users because other SSO vendors avoid that conversation like the plague.

If all applications were federated (they aren't), then this might not be as big of a deal but in truth, most of our customers have a mix of SSO technologies and you need to know who those users are.  You will need to have self-registration for external users, automated provisioning for internal users, self service password reset for IdP credentials, attestation and certification of user accounts and access, and step up authentication for secure access.

EmpowerID's platform comes with base functionality for all of its modules.  The base platform contains the metadirectory, RBAC engine, and visual workflow studio.  All identity management workflows (create user, change password, etc) are part of the platform to manage the external user.  Your users will have all of the abilities for SSO and you will know who they are and have extensive identity management capabilities.

But, remember, the customer is coming to us for SSO, so the platform still needs to be able to offer single sign-on in the most comprehensive way.  Many applications are federated (SAML, OAuth, OpenID, WS-Trust and WS-Federation), but for those that aren't, the SSO platform needs to have multiple ways to handle that application.

SSO Manager offers a few options:

  • Web Access Management (WAM): either using reverse proxy or an agent, SSO Manager can intercept access attempts to an application, send them over to EmpowerID for authentication and return them authenticated to the application without any interaction on their part
  • Federated SSO: EmpowerID can act as either the identity provider or service provider using any federated protocol (SAML, OAuth, OpenID, WS-Trust, WS-Federation)
  • Password vaulting: as a last resort, users can claim accounts, provide the username and password which will be vaulted securely on the EmpowerID server and provide the same seamless SSO experience for the user
  • Shared accounts: for many applications such as Twitter or Facebook, corporate accounts need to be shared without giving out the password, the owner can share the account and revoke access when needed
  • Virtual Directory: the EmpowerID metadirectory is exposed as a virtual LDAP directory that can be used as the back end identity store for any application

By offering this comprehensive solution, your users will authenticate and be presented with a dashboard of SSO applications; they don't need to know how you got them the SSO access, it is seamless.  You can manage their access and user accounts all from one platform, on a single code base with the easiest and most efficient management in the industry. 

Let us demonstrate these capabilities and you will see why the comprehensive platform is your best method to providing single sign-on.

Schedule a demo of a comprehensive SSO platform!

Tags: Single Sign-on (SSO), Identity and Access Management (IAM)

Comparison of ADFS to EmpowerID SSO Manager

Posted by Edward Killeen on Thu, Jul 11, 2013

Single sign-on does not have a magic bullet; instead, it requires a Swiss Army knife, meaning many different ways to get users authenticated into an application using only one set of credentials.  A German partner of ours calls this eierlegende Wollmilchsau based on one of our customers describing everything that EmpowerID can do.

This ability to perform multiple methods of single sign-on, from federation to Web Access Management to password vaulting, gives an extraordinary ability to get users authenticated to almost ANY web application using either corporate or social credentials.  EmpowerID lets you authenticate external or internal users and apply a role to them, giving them appropriate access to any resource (on premise or cloud) and, just as importantly, it does not force you to have AD credentials for the user.

This is where the comparison to Active Directory Federation Services (ADFS) comes in.  Not all of your users should be in AD and they are not always accessing WS* or SAML applications.  In addition, you need to have role based access control (RBAC) determining the level of access for the user.  And you need two factor authentication (TFA) for either highly privileged users or highly secure applications.  ADFS is just too limited.

The list below illustrates some of the advantages that a true SSO/Federation/WAM application like EmpowerID has over ADFS:

  1. Directory neutral federation (AD, LDAP, SQL, CUSTOM, etc. etc.)

  2. Multifactor authentication (including Smartcard, OATH and identity proofing)

  3. Extensive list of out-of-box authentication providers (including AD, Username/Pwd, social credentials like Salesforce, Twitter etc. etc.)

  4. Powerful claims generation, transformation and issuing (leverage full power of C#, Web Services)

  5. Leverage RBAC and powerful Metadirectory to issue advanced claims (Business Role and Location, Management Roles, Set Groups etc. etc.)

  6. Enhanced security for sensitive data with advanced claims level encryption

  7. SSO for non-Microsoft applications

  8. Complete support for OAuth 2.0

  9. Complete support for SAML 2.0 SSO Web Profiles

  10. SSO Application Dashboard + powerful features like Persona etc. etc.

There is really no comparison to having a complete eierlegende Wollmilchsau Swiss Army knife SSO platform that can authenticate any of your users, using any credential, performing full RBAC, and connecting to any application on any network.  ADFS just cannot compare.

Tags: Single Sign-on (SSO)

Managing external identity: Provisioning, RBAC and SSO

Posted by Edward Killeen on Mon, May 13, 2013

Life would be a lot easier if we only had to manage our employees' identities.  But we have customers, partners, and contractors.  These external identities have the same needs for identity management as our internal identities.  In fact, they might have more needs as we know a lot less about them.

The most common scenario that we see is when a customer (the external user) registers for services with our client.  The needs are very simple: self-registration, role based access control, approval workflows, and federated single sign-on (SSO).  I'm kidding, that's not simple.

Let's start with the self-registration.  When your external user first finds your site, you will want their registration to be simple, giving them immediate access to the most public facing resources.  EmpowerID's built in forms designer allows you to have them fill out the important information and create an account in the metadirectory. 

The RBAC engine will give them the most basic of permissions at the same time that it either kicks off an approval workflow to grant more permissions or inventories another identity store (CRM for example) to determine their role and give higher privileges.

So, now you know who they are and can design some provisioning rules for other applications.  With the roles in place, you know that customers that meet certain criteria get access to different applications and resources.  Role based provisioning will automatically create accounts in these applications.

Permissions are managed with these roles too.  Polyarchical roles allow you to protect resources at a very granular level without having to create a role for every single type of external user.

Now we get to the heart of the matter: you know who your external users are, what their roles are and what access you give each role.  Now your users need to access these resources and applications.

Enter single sign-on (SSO).  You have provisioned a user account in the EmpowerID metadirectory.  This metadirectory can act as an identity provider or service provider, meaning that you can authenticate with EmpowerID and federate out to other applications or you can authenticate with other credentials, federate with EmpowerID and then with your other applications.

EmpowerID as an identity provider is incredibly powerful. It is also a Secure Token Service, allowing it to send tokens to the federated applications and giving users immediate access based on their role.  EmpowerID supports federation with SAML, OpenID, OAuth, WS-Trust and WS-Federation.

For applications that aren't federated, EmpowerID can also perform Web Access Management (WAM), sending user credentials securely and giving the same end user experience.

On the flip side, you can also federate with other identity providers such as Facebook or Twitter, giving users the ability to authenticate with credentials they use every day.  EmpowerID is still in the middle and provides role based access to the connected applications.

EmpowerID is one of the only IAM solutions on the market that manages external users' provisioning, authentication and authorization.  EmpowerID supports anonymous provisioning, allowing users to register for the services and be given a baseline of permissions.  EmpowerID can federate with Facebook, Twitter, etc. to authenticate, claim accounts in other applications and manage any attributes.

EmpowerID can then perform two factor authentication, device registration or identity proofing to further confirm the user's identity.  This seamless HTML5 interface works on any device, allowing mobile usage and a better overall user experience.

Schedule a demonstration and see how you can manage your external identities, giving them more secure and easy access to your resources.

 

Tags: Single Sign-on (SSO), Role Based Access Control (RBAC), User provisioning, Identity and Access Management (IAM)

Cloud SSO for Federated and non-Federated applications

Posted by Edward Killeen on Thu, May 02, 2013

Cloud SSO is essential for productivity in your organization.  In fact, it also reduces help desk costs and can improve security.  Users can log into applications faster and with fewer obstacles.  No more lost passwords equals fewer help desk calls.  And, for the first time ever, IT has a better understanding of all of the cloud applications and user accounts in their identity ecosystem.

Here is the rub: you cannot federate with all applications.  It would be wonderful if SAML, OpenID, OAuth, et cetera were ubiquitous and you would have quick and easy federation with all of them.  In fact, we have a whitepaper on the Top 5 Federated SSO scenarios for those applications that do support federation.

So, what do you do if it doesn't support federation?  EmpowerID and its webform SSO.  What this does for you is to allow your users to claim accounts, enter their credentials and then future logins are completely single sign-on.  In fact, the user experience is exactly the same for both types of SSO, giving an even simpler user experience for your users.

Here is a demonstration of that user experience:

Now that you have your users single signing on to ALL of their applications, you get into some of the more exciting aspects of Identity and Access Management.  The same platform (EmpowerID) that is providing SSO also provisions users into these cloud applications.  Even going so far as being role based cloud provisioning.  So, only users in a sales role get a SalesForce account.  Only the developer role gets a JIRA account.  And only those accounts that the user has will appear in their SSO dashboard.

So, download the whitepaper and schedule a demonstration to see how you can offer Cloud SSO and provisioning for all of your applications.

Click for Cloud provisioning and SSO demo

Tags: Single Sign-on (SSO)