EmpowerID Inserts Intelligence into 2013 SharePoint People Picker

Posted by Chris Hayes on Wed, Jun 24, 2015


The SharePoint 2013 People Picker is the control you use to find and select the users, groups and claims to which you grant permission on a SharePoint site.  Its behaviour depends heavily on how authentication is configured for the web application, so if you use SAML claims authentication you need to make sure the claim provider behind it actually validates what is typed.

Don't let this happen to you

Not all claim providers are created equal!

The most common complaint SharePoint administrators have about SAML claims authentication is that the People Picker accepts whatever you type.  The default claim provider for a trusted identity provider has no directory to query, so it cannot validate input: it simply turns the typed text into a claim for each claim type mapped on the trusted provider.  Type nonsense and you get one result per mapping, typically two, none of them corresponding to a real user.  Any permission granted that way is bound to a claim value that the directory never checked, so a misspelled name is silently granted to whatever identity the identity provider may one day assert that value for.


Credit: Kirk Evans, Microsoft blog

This is not because the People Picker needs to be fixed; it is working as designed.  The behaviour comes from the claim provider.  Before granting permissions in a SAML-authenticated web application, check which claim provider is attached to the trusted identity token issuer: if it is the default one, nothing you type is checked against a directory.

EmpowerID SharePoint Manager addresses this with what we consider the most intelligent claim provider on the market today.  In building it we set out to do four things, each of which has a real impact on the day-to-day operation of a SharePoint site.


1. Create the most intelligent claim provider in the world.  We didn't stop at returning only valid results for a query; we also segregate the data so that delegated administrators only see results for the people and groups they are allowed to see.  This matters: when a business partner administrator grants someone rights to a site, EmpowerID's data filtering and masking still apply, so the picker never reveals, or grants to, identities outside that administrator's scope.


2. Provide SharePoint web parts.  These let users find new sites and request access to them, and let site administrators approve those requests, all directly within SharePoint.

3. Fully support federated or claims-based authentication into SharePoint.  Users can authenticate with EmpowerID, bring their own social identity, or use another identity provider.



4. Answer the "why" question: why does someone have access, and when was it granted?  The other half of a SharePoint claim provider's job is tracking these finer details.  EmpowerID includes full certification and attestation for SharePoint access, which gives your enterprise a set of risk controls it did not previously have.

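To make the difference from the first point concrete, here is a small Python model of the two behaviours, added for this page and not SharePoint or EmpowerID code: default_resolve mimics a trusted identity provider with no directory behind it, and validating_resolve shows what a provider that resolves against a directory and honours a delegated administrator's scope returns instead.  The two claim type mappings, the directory entries and the administrator scopes are constructed assumptions.

```python
"""Model of the People Picker claim-resolution gap (constructed example,
not SharePoint or EmpowerID code).

default_resolve    - a trusted identity provider with no directory behind it:
                     the typed text becomes a claim for every mapped claim type.
validating_resolve - a provider that resolves against a directory and applies
                     the requesting administrator's visibility scope.
"""
from dataclasses import dataclass

# Assumed claim type mappings on the trusted identity provider: an e-mail
# mapping and a role mapping, the usual pair that produces "two results".
MAPPED_CLAIM_TYPES = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
)


@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str
    validated: bool   # True only if the value was found in a directory


def default_resolve(typed: str):
    """Nothing is checked: any input, including a typo or nonsense, is echoed
    back as a grantable claim once per mapped claim type."""
    return [Claim(ct, typed.strip(), validated=False) for ct in MAPPED_CLAIM_TYPES]


# Constructed directory: login -> e-mail, roles and owning organisation.
DIRECTORY = {
    "alice": {"email": "alice@corp.example", "roles": ["Finance"], "org": "corp"},
    "bob":   {"email": "bob@corp.example", "roles": ["IT"], "org": "corp"},
    "carol": {"email": "carol@partner.example", "roles": ["PartnerSales"], "org": "partner"},
}

# Constructed delegation scopes: which organisations each administrator may see.
ADMIN_SCOPE = {
    "corp-admin": {"corp", "partner"},
    "partner-admin": {"partner"},
}


def validating_resolve(typed: str, requester: str):
    """Return only principals that exist in the directory AND are visible to the
    requester. Nonsense resolves to nothing; a partner administrator cannot see
    (and therefore cannot grant to) corp identities."""
    needle = typed.strip().lower()
    visible = ADMIN_SCOPE.get(requester, set())
    results = []
    for login, rec in DIRECTORY.items():
        if rec["org"] not in visible:
            continue                      # masked for this requester
        if needle in (login, rec["email"].lower()):
            results.append(Claim(MAPPED_CLAIM_TYPES[0], rec["email"], validated=True))
        for role in rec["roles"]:
            if needle == role.lower():
                results.append(Claim(MAPPED_CLAIM_TYPES[1], role, validated=True))
    # several people share a role, so return each role claim once
    unique = []
    for claim in results:
        if claim not in unique:
            unique.append(claim)
    return unique
```

Run default_resolve("xyzzy nonsense") and you get two unvalidated claims, exactly the picture in the screenshot above; the same input through validating_resolve returns nothing, and "alice" typed by the partner administrator returns nothing either, because the scope filter runs before the match.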

Want to know more?

Watch the previously recorded webinar that discusses these points, or request a demo for more information.


Tags: Single Sign-on (SSO), authentication, Governance and Regulatory Compliance, Federation, User provisioning, Data Governance, Attestation, consumers, SAML, SharePoint, Access Governance, SSO

EmpowerID Named Overall Leader in IAM / IAG Suites

Posted by Patrick Parker on Thu, Feb 05, 2015


EmpowerID has been recognized as a three-time leader in a recent KuppingerCole report evaluating Identity and Access Management (IAM) / Identity Access Governance (IAG) product suites.

The IAM/IAG Leadership Compass “focuses on complete IAM/IAG (Identity Access Management/Governance) suites that ideally cover all major areas of IAM/IAG as a fully integrated offering,” Martin Kuppinger wrote in the report.

KuppingerCole, a respected global analyst focused on Information Security, examined Identity and Access Management / Governance Suites for this report. They specifically evaluated products that are integrated solutions with a broader scope than single-purpose products. Martin Kuppinger concluded in the report, “With their Windows-based product they [EmpowerID] offer one of the best integrated IAM Suites. All components have been built by EmpowerID, allowing for tight integration into a well thought-out architecture. This integrated approach is a clear strength of EmpowerID."

To request an unabridged copy of the KuppingerCole report on IAM/IAG Suites, please visit http://info.empowerid.com/download-the-free-kuppingercole-iam-suites-leadership-compass.

Tags: Role Based Access Control (RBAC), GRC, authentication, IAG, IAM, Group Management, Governance and Regulatory Compliance, Identity Management, Federation, User provisioning, Attestation, Separation of Duties, Identity and Access Management (IAM), Access Governance

SSO and Delegated Management Module for Office 365 Released

Posted by Patrick Parker on Fri, Sep 12, 2014


Yesterday we announced the release of Office 365 Manager, a new module that enables organizations to extend their existing on-premise security and audit control model to the Microsoft Office 365 and Azure Active Directory Cloud. We have also released a new web site dedicated to information on Office 365 Manager. The new site is located at http://office365.empowerID.com.

We are seeing rapid adoption of Office 365 to reduce the cost of IT operations. Office 365, however, is presenting our customers with some security and management challenges because it offers only basic audit controls and a limited ability to delegate administrative tasks. Our new Office 365 Manager provides organizations with the first and only Identity and Access Management solution that applies existing security practices for on-premise Active Directory and Exchange to the management of Office 365 in the Cloud.

Office 365 Manager allows organizations to use the same secure delegation and flexible administration model that they use for their behind-the-firewall systems.  It addresses a key shortcoming of Office 365, which runs on Azure Active Directory and lacks a hierarchical (OU-style) structure, so all users, groups, mailboxes and contacts sit in a single flat location.  By extending the existing structure of a customer’s on-premise Active Directory, LDAP, or HR system to Office 365, Office 365 Manager can securely delegate responsibilities by role, department, business unit and location.

With Office 365 Manager's Single Sign-On capabilities, your internal users can continue to use their existing Active Directory username and password when logging in to Outlook, OWA, Lync, and SharePoint after they have been migrated to the Office 365 cloud. External partners or customers can leverage Social Media logins, your own branded EmpowerID login, or even their remote corporate AD credentials.

Top 10 features and benefits of the new Office 365 Manager:

1. Role-Based Delegated Administration to Reduce IT Staff Workload
2. Automated Provisioning and Sync for Better Productivity and Security
3. Dynamic Group Management for Improved Group Security
4. Single Sign-On for Ease of Use
5. Multi-Factor Authentication for Improved Access Security
6. Mobile Device Security (BYOD) To Properly Secure Mobile Device Access
7. Self-Service Password Management to Reduce Help Desk Workload
8. Shopping Cart Style Self-Service to Automate Request Fulfillment and Audit Tracking
9. Access Recertification and Audit Reporting For Better Access Governance
10. Mailbox and Folder Permission Audit, Management, and Self-Service for Improved Productivity and Governance

Tags: Single Sign-on (SSO), Role Based Access Control (RBAC), User provisioning, Office 365

Innovation and Productivity Gains From Identity and Access Management

Posted by Bradford Mandell on Tue, Jul 15, 2014


 

Security for identities.  Managing user access to applications.  Auditing user access.

“Ugh”, you might think, “That sounds like more cost, more time, and more responsibility for IT”.

But a platform approach to Identity and Access Management (IAM) that is rich in innovation can result in lower costs, better productivity, and reduced demands for IT resources, while providing managers with better and more timely information.

Take for example a home healthcare provider with $2 billion in revenue and 40,000 employees in 40 states facing constant pressure to reduce costs as a result of declining government reimbursements for their services.  This organization had already used their considerable size advantage to create efficiencies and reduce costs wherever possible.  Then their Chief Security Officer (CSO) conducted a review of IAM technology and presented his management with a plan that would improve the productivity of their employees, reduce the workload on IT, improve the security for patient data and assist their organization in continuing to be a leader in the quality of patient services.

Built from a series of acquisitions in an industry that experiences high turnover, this organization lacked an efficient process for provisioning home healthcare workers into the many web applications they need to perform their work.  The process began with HR creating a manual request for IT to provision a new user into the apps they require, and once this was completed, the new user had to register themselves and create a password in each application. This process was complex and required too much effort for the home healthcare employees to learn and to maintain.

The CSO’s experience with several of the oldest and most widely installed IAM platforms made him wary of starting a new project with one of them because of their high licensing costs and the difficulty of customizing them to meet an enterprise’s specific needs.  He wanted a solution that would be easier to implement and easier to maintain.

After evaluating multiple products, he chose the EmpowerID platform for its different and innovative approach to Identity and Access Management.  The CSO was impressed with EmpowerID's broad functionality: it is built on a single codebase with a workflow core, ships with hundreds of ready-to-deploy workflows, and lets you design and automate complex IAM processes with its visual Workflow Designer.

The CSO determined during a software trial that EmpowerID’s powerful Role-Based Access Control (RBAC) engine could create effective roles based on both an employee’s place in the organizational hierarchy and their location, and it could scale easily for the size of their staff. EmpowerID proved itself to be flexible in also offering Attribute-Based Access Control (ABAC) for their scenarios where the use of contextual policies to govern access is more appropriate. 

He also discovered that EmpowerID’s integrated Single Sign-On (SSO) module federates not only with more recent web applications that natively support SAML authentication, but also with legacy applications that lack SAML capabilities.  Thus he could accommodate all of his user scenarios end to end, from provisioning to access, using EmpowerID, rather than having to integrate two or more applications. 

The CSO concluded that EmpowerID’s “all in one” approach could create the solution they needed in a shorter timeframe with fewer professional services and less risk to their project timeline and budget. The ability to show his management faster ROI helped him to obtain funding for the project. 

EmpowerID’s User, Group and SSO Manager modules were then deployed to provision and to manage federated identity for the application portal, allowing new users to be added within hours, instead of days, and enabling the use of one login by a healthcare provider to access all of their applications. 

New user onboarding was further simplified by creating a feed from the organization’s PeopleSoft HR application to EmpowerID, which in turn creates all the user accounts and access privileges in the applications they need, based on their business role. New users require less training and are ready to go to work as soon as they claim their identity upon first logging into the application portal.

The home healthcare staff appreciate EmpowerID's friendly HTML5 user interfaces that adapt to the screen size of any device they use, whether a tablet or a smartphone, and the reduction in effort to get to their clinical applications, while patients are pleased that less time is consumed by administrative tasks during their scheduled visits. 

EmpowerID’s multi-factor authentication capability (using an OATH token and SMS one time password) was implemented to strengthen system access security and to better protect the privacy of patient data, which is important in meeting regulatory and audit requirements.

EmpowerID also assists the organization’s auditors with data governance, the discipline of ensuring that access to corporate and patient data is secure and subject to the proper controls.  EmpowerID not only improves the quality of data, it also supports configurable Separation of Duties (SOD) policies, attestation procedures and system dashboards for quick visibility of pending tasks and system statistics.  EmpowerID provides dozens of reports out of the box and supports Microsoft’s SQL Reporting Services to quickly provide the information that different users need.

As a result of successfully automating their new user provisioning process and providing a seamless single-sign on experience for its home healthcare staff, this organization is realizing substantial productivity savings that will pay for EmpowerID in a period of just eighteen to twenty-four months. 

The CSO’s vision for a single, flexible platform that could be implemented on-time and within budget to automate and to securely manage multiple aspects of the enterprise, creating new efficiencies and cost-savings, has been fully realized with EmpowerID's deployment.

Ranked by KuppingerCole as a Product Leader, Innovation Leader and Overall Leader in their recent Leadership Compass for Identity Provisioning, EmpowerID helps diverse organizations across the globe improve identity security and access governance, increase productivity, lower costs, and improve service delivery through its innovative and cost-effective approach to IAM. 

 


Tags: Single Sign-on (SSO), Active Directory, GRC, Group Management, Governance and Regulatory Compliance, Identity Management, User provisioning, Data Governance, Attestation, Separation of Duties, Password management, Identity and Access Management (IAM), Access Governance

Delegated User Provisioning Best Practices

Posted by Edward Killeen on Wed, Nov 27, 2013

Sometimes there is no authoritative source.  Sometimes you just have to say, "Bob, provision me a user."  These are the cases where you will need a very flexible user interface to control user provisioning workflows.

See, that's the cool part: the UI is just what initiates the workflows in EmpowerID, the exact same workflows that are used when it detects a new employee in the HR system.  The same series of events is kicked off: assignment of roles, membership in groups, new accounts in the cloud, notification to the party planning committee, a single sign-on dashboard.  It's all there; you are just starting it differently.

Of course, authoritative sources are called that because they have authority.  You can trust them.  With delegated user provisioning, you need some additional controls.  The simplest and most efficient is an approval workflow shape where somebody in authority has to approve the new user, or approve any role with a security level over XYZ.  These approvals can be serial or parallel; they can go to someone in IT or HR or anywhere in between, and they can be routed based on who the new user is.  The important part is that one rogue employee won't be creating any domain admins named Joe Derp.

Another consideration is the complexity of the user interface.  EmpowerID ships with over 400 usable out of the box identity management workflow templates.  About ten of these include user provisioning forms, ranging from what we call "super simple user provisioning" to "user provisioning". 

The difference is which fields are required.  In super simple, the requester enters the name, department, title, and location of the user and EmpowerID dynamically assigns roles.  In simple, there is a dropdown of available roles that depends on the attributes already defined and on who the requester is (the help desk can create X roles and HR can create Y roles, for example).  There is also an IT-oriented form where a sysadmin who understands things like OU structures can granularly define any attribute.

My own opinion is that delegated user provisioning should always have an initial lifecycle.  This is easily accomplished by adding an expiration date dropdown to the form, or by creating a business rule in the workflow that the account must be certified and renewed within that period to continue to exist.  This is basically adding attestation to any user provisioning that happens outside of automated processes.

The reason I believe this attestation and lifecycle are important is the use cases for delegated user provisioning.  The most obvious ones are:

  • temporary employees or contractors
  • task based highly privileged accounts
  • additional accounts for an existing user
  • partners and suppliers accounts

None of these types of accounts should be subject to having perpetual access and permissions within your network.  With a strong IAM platform like EmpowerID, these security concerns can be alleviated even on users provisioned outside of normal channels.
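Here, as an added example rather than EmpowerID's workflow engine, is how those controls fit together in Python: an approval gate keyed to the role's security level, approver routing that depends on the role, the rule that a delegated request must carry an expiry, and a certification pass that disables whatever nobody re-attested.  The role catalogue, the levels, the approver names, the 90-day cap and the rule that a requester may not provision their own account are assumptions made for the example.

```python
"""Controls around user provisioning that a delegated administrator, not an
authoritative source, has requested (constructed example, not EmpowerID's
workflow engine): an approval gate keyed to the role's security level,
approver routing, a mandatory expiry, and a certification pass that disables
accounts nobody re-attested."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

# Assumed role catalogue: security level and which kinds of requester may ask for it.
ROLES = {
    "Contractor":   {"level": 1, "requestable_by": {"helpdesk", "hr", "it"}},
    "HR Analyst":   {"level": 2, "requestable_by": {"hr", "it"}},
    "Domain Admin": {"level": 5, "requestable_by": {"it"}},
}
APPROVAL_LEVEL = 3                           # roles at or above this need human approval
MAX_DELEGATED_LIFETIME = timedelta(days=90)  # assumed cap on a delegated account's life


@dataclass
class Request:
    requester: str
    requester_type: str
    new_user: str
    role: str
    expires: Optional[date]               # delegated accounts must carry an expiry
    approvals: Set[str] = field(default_factory=set)


@dataclass
class Account:
    user: str
    role: str
    expires: date
    last_certified: date
    enabled: bool = True


def required_approvers(req: Request) -> Set[str]:
    """Approval routing decided by the role's level: nothing below the
    threshold, IT security for sensitive roles, IT security plus an HR
    manager in parallel for the most privileged ones."""
    level = ROLES[req.role]["level"]
    if level < APPROVAL_LEVEL:
        return set()
    return {"it-security", "hr-manager"} if level >= 5 else {"it-security"}


def provision(req: Request, today: date) -> Account:
    """Run every control; raise instead of creating the account if one fails."""
    if req.role not in ROLES:
        raise PermissionError(f"unknown role {req.role!r}")
    if req.requester_type not in ROLES[req.role]["requestable_by"]:
        raise PermissionError(f"{req.requester_type} may not request {req.role}")
    if req.requester == req.new_user:
        raise PermissionError("a requester may not provision their own account")
    missing = required_approvers(req) - req.approvals
    if missing:
        raise PermissionError(f"awaiting approval from {sorted(missing)}")
    if req.expires is None or req.expires > today + MAX_DELEGATED_LIFETIME:
        raise ValueError("delegated accounts need an expiry within the allowed lifetime")
    return Account(req.new_user, req.role, req.expires, last_certified=today)


def certify(accounts, today: date, period: timedelta = timedelta(days=30)):
    """Lifecycle pass: disable anything past its expiry or not re-attested
    within `period`. Returns the user names that were disabled."""
    disabled = []
    for acct in accounts:
        stale = today - acct.last_certified > period
        if acct.enabled and (today > acct.expires or stale):
            acct.enabled = False
            disabled.append(acct.user)
    return disabled
```

The point of raising rather than returning a flag is that the account never comes into existence unless every control passes; a help desk request for "Domain Admin" fails on the requester check before approvals are even consulted, and a request with no expiry is refused even when fully approved.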

Take a look at this video demonstrating EmpowerID's role-based user provisioning; you can see some examples of the delegated user provisioning forms (because showing automated user provisioning makes for a boring demo :) ).  Then schedule a personalized demonstration where we can help you start designing your own user provisioning processes.


Tags: User provisioning, Identity and Access Management (IAM)

User provisioning software needs roles

Posted by Edward Killeen on Thu, Oct 17, 2013

I like to think that I am unique.  However, to my IT, security and identity teams, I am just a mix of sales, marketing, management and location roles.  Knowing those four things about me can generally define what system access I will need.

A properly built Identity & Access Management (IAM) infrastructure can determine which of these roles I am in dynamically based on attributes in my HRIS, Active Directory, and other identity stores.  For external users, the source of truth might be CRM or your supply chain identity store.  These attributes are everywhere and can easily be synchronized into a metadirectory like EmpowerID's that utilizes a hub and spoke model, giving you a full 360 degree view of all of your users' information.

Once you know everything about your users and the role(s) that they have, what are you going to do about it?  Provision user accounts!  Remember those four roles that define me?  Those also define what user accounts that I should have. 

My "person object" or "identity" in the metadirectory includes the role definitions and role-based provisioning rules to provision these accounts.  It sees "sales manager in California" and knows that I need Salesforce, GoToMeeting, a soft phone and Dynamics AX accounts.  EmpowerID will provision these accounts and then link them to my "person object".  Once I no longer satisfy the conditions for having a role, the user accounts that role entitled me to (not my identity) are de-provisioned.

Having a connector to each application allows the metadirectory to also inventory that application and detect changes made natively.  If it finds a new GoToMeeting account that is not linked to a person object, it evaluates "join rules" to join this account to the right person (or de-activates it if you want to discourage or deny native access).  If there is no person object to join it to, it becomes an orphaned account and the appropriate admin is notified.
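The evaluate, provision, inventory and join loop described above, written out as an added Python example (not EmpowerID's metadirectory code): roles are derived from attributes, roles map to entitled accounts, and each reconciliation pass provisions what is missing, de-provisions what the person is no longer entitled to, joins natively created accounts by a join rule on e-mail, and flags the rest as orphans.  The role rules, application names and people are constructed for the example; the same logic applies whether the connector targets an on-premise or a cloud application.

```python
"""Role-based provisioning plus reconciliation against what the application
connectors actually find (constructed example, not EmpowerID's metadirectory)."""
import copy

# Assumed role rules: role name -> predicate over a person's attributes.
ROLE_RULES = {
    "sales":      lambda p: p["department"] == "Sales",
    "manager":    lambda p: p["title"].lower().endswith("manager"),
    "california": lambda p: p["location"] == "CA",
}

# Assumed entitlements: role -> application accounts the role entitles.
ROLE_ACCOUNTS = {
    "sales":      {"salesforce", "gotomeeting"},
    "manager":    {"dynamics-ax"},
    "california": {"softphone"},
}


def derive_roles(person):
    """Roles are computed from attributes, never assigned by hand."""
    return {role for role, rule in ROLE_RULES.items() if rule(person)}


def entitled_accounts(person):
    wanted = set()
    for role in derive_roles(person):
        wanted |= ROLE_ACCOUNTS[role]
    return wanted


def reconcile(persons, inventory, join_attr="email"):
    """persons:   person id -> attributes, including 'accounts': {app: account id}
    inventory: (app, account id, e-mail) tuples the connectors discovered natively
    Returns the actions one pass would take. The input is not modified."""
    persons = copy.deepcopy(persons)
    actions = {"provision": [], "deprovision": [], "join": [], "orphan": []}

    # Pass 1: native accounts nobody is linked to. Join them to a person by the
    # join rule (e-mail match) or flag them as orphans for an administrator.
    linked = {(app, acct) for p in persons.values() for app, acct in p["accounts"].items()}
    by_join_attr = {p[join_attr].lower(): pid for pid, p in persons.items()}
    for app, acct, email in inventory:
        if (app, acct) in linked:
            continue
        owner = by_join_attr.get(email.lower())
        if owner is None:
            actions["orphan"].append((app, acct))
        else:
            persons[owner]["accounts"][app] = acct
            actions["join"].append((owner, app, acct))

    # Pass 2: compare entitlements with linked accounts. A joined account the
    # person is not entitled to ends up here as a de-provision, which is how
    # native back-door access gets denied.
    for pid, p in sorted(persons.items()):
        have, want = set(p["accounts"]), entitled_accounts(p)
        actions["provision"] += [(pid, app) for app in sorted(want - have)]
        actions["deprovision"] += [(pid, app) for app in sorted(have - want)]
    return actions


# Constructed sample data.
PEOPLE = {
    "ed":  {"email": "ed@corp.example", "department": "Sales", "title": "Sales Manager",
            "location": "CA", "accounts": {"salesforce": "sf-100"}},
    "ann": {"email": "ann@corp.example", "department": "Engineering", "title": "Engineer",
            "location": "NY", "accounts": {"gotomeeting": "g2m-7"}},
}
INVENTORY = [
    ("salesforce", "sf-100", "ed@corp.example"),    # already linked
    ("softphone", "sp-31", "ed@corp.example"),      # created natively, joinable to ed
    ("gotomeeting", "g2m-7", "ann@corp.example"),   # linked, but ann has no sales role
    ("dynamics-ax", "ax-9", "ghost@corp.example"),  # matches nobody: orphan
]

if __name__ == "__main__":
    for action, items in reconcile(PEOPLE, INVENTORY).items():
        print(action, items)
```

Joins run before the entitlement comparison on purpose: the natively created softphone account is linked to ed and therefore not provisioned a second time, while ann's GoToMeeting account, which no role of hers entitles, comes out as a de-provision rather than surviving because it already exists.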

This role-based provisioning is exceptionally important for external users such as contractors, suppliers or customers.  All of these users are more temporal, coming and going more frequently.  If a supplier needs access to your Ariba procurement network, you want to give that account a lifecycle, ensuring that somebody certifies or attests to it.  Let's say, for example, that the procurement role needs to attest; perhaps you want a runtime check to see who the supplier's account manager is and make only that person responsible.  This Attribute Based Access Control (ABAC) method keeps you from having too many roles while still giving fine-grained control over either the initial approval or the attestation of a new account.

As you are designing these role-based user provisioning rules, you are probably mapping them on a whiteboard.  EmpowerID's visual workflow platform lets you drag and drop shapes (identity actions such as provision account, go for approval, etc.) exactly as you are drawing them.  Though it is most likely more colorful and exciting in EmpowerID!

Don't get stuck with user provisioning that doesn't take into account who your users are.  And certainly don't get stuck with a limited level of roles and identity sources.  Because even though every user can be defined by their roles, they are still most likely a unique blend of multiple roles.  Your user provisioning process should reflect that.

Read how EmpowerID's unique RBAC and ABAC hybrid model gives you more finely grained control over all things roles: from authorization to authentication to provisioning.


Tags: Role Based Access Control (RBAC), User provisioning

Automated provisioning of cloud identities

Posted by Edward Killeen on Mon, Oct 14, 2013

 

Gartner says that while only 38% of businesses use cloud applications today, 80% plan to deploy cloud services in the coming 12 months.

That is astounding.  If you are one of the 55% of businesses planning on deploying cloud services for the first time in the next 12 months, you have some planning to do for your users and Identity Management (IdM).

The first two Identity Management hurdles you have to overcome are provisioning and Single Sign-on.  Without proper IdM planning you could very easily end up back in the dark ages of manual provisioning for your cloud applications.

Say, for example, you are a personal fitness firm deploying Office 365 to your personal trainers.  These trainers don't necessarily have Active Directory accounts, so you cannot rely on DirSync (even setting aside other limiting factors such as multiple forests).  The same applies to Google Apps and Google Apps Directory Sync (GADS).

You can either manually add all of these accounts and commit a metric ton of resources to updating their accounts on an ongoing basis, write a script, or invest in an IdM platform that combines on-premise and cloud provisioning.

Very few cloud applications get deployed to everybody, so you need to offer role based provisioning.  In our example, if role=trainer, it should kick off the workflow to provision an O365 account.  If role no longer equals trainer, de-provision the account.

EmpowerID manages these automated provisioning workflows with its metadirectory.  It populates "person" accounts in the metadirectory based on the authoritative source or sources, determines the user's role based on identity information we know about them (department, title, et cetera), and then uses a connector to natively speak to the cloud application, provisioning an account and giving the proper permissions within the cloud application.

The exact same platform and workflows and roles are used for both on-premise AND cloud applications.  Just a different connector and different role based provisioning rules.

I used an easy example, but any cloud application works this way.  Even when the authoritative source is a cloud application (for example, Workday or NetSuite).

So, there is half the battle, you have user accounts but how do your users get there?  Nothing like having half a dozen URLs, half a dozen passwords, and a deluge of help desk calls!  You need single sign-on, most likely federated single sign-on!

Most of these cloud applications support Federation using one of the standard protocols: SAML, OAuth, OpenID, WS-Trust, or WS-Fed.  For those that don't, you still need a method for secure password vaulting.

EmpowerID offers a single unified SSO dashboard for both on-premise and cloud applications.  It includes applications that are federated, using Web Access Management (WAM), password vaulting, or even authenticating with EmpowerID's virtual directory.

Given the increased need for security around cloud applications, EmpowerID provides an OATH server for two factor authentication (TFA), device registration and a full auditing capability.  TFA can be employed based on the role of the user, the security level of the application or a combination of these two.  If you are giving users access to your business applications when outside the network, make sure you know who they are.

Having the integrated metadirectory and automated cloud provisioning, you do away with the messy Active Directory requirements of some SSO providers.  Being a complete integrated single codebase IdM platform adds more functionality to the cloud equation than you can possibly get with piecemeal solutions.

Schedule a demonstration of automated provisioning or just read our whitepaper on Federated Single Sign-on and see how EmpowerID can solve the identity problems you will encounter as you move to the cloud.


Tags: Single Sign-on (SSO), User provisioning

Provisioning users and identities from SAP HCM

Posted by Edward Killeen on Wed, Oct 02, 2013

I had an interesting customer call last night discussing using SAP HCM as the source of truth for provisioning users and updating attributes.  He made a great distinction between provisioning users and provisioning identities, especially as it pertains to his current IAM solution which "daisy chains" provisioning and updates.  An update happens in SAP which updates AD which updates app number 1 which updates app number 2 and so on.  This can take forever and often prompts a help desk call before the daisy chain is complete.

This problem is exacerbated by SAP HCM's e-recruitment capabilities and the need to create accounts and identities for job applicants.  They can't be expected to wait that long for access to the systems they need for their job application.

This is where the distinction between user accounts and identities comes in.  If you go to a hub and spoke model with a metadirectory in the middle, you can create an identity, what EmpowerID calls a "person object".  This identity has a role and can determine which user accounts the identity needs in the appropriate systems.  Role-based provisioning creates the user accounts at the same time, reducing the lag between the identity being created and the user accounts being active.

A few benefits from this approach are that you have an identity repository outside of Active Directory for applicants, external users, contractors, etc.  You don't need to create AD accounts and can still give access to important systems, specific to that identity's role and needs.  You also can update user accounts more quickly, applying provisioning and update rules directly to the affected system from the metadirectory without running through a gauntlet of systems to get to the one you want.

The customer in question had an issue with the length of time it takes to affect all of these changes with their current mix of scripts and legacy IAM solutions.  EmpowerID's metadirectory is often set at a default inventorying interval of 5-10 minutes even for the largest organizations due to the unique way in which it polls changes.  This makes the changes happen well before a user can get frustrated and call the help desk.

EmpowerID has a very feature rich SAP connector that can read and write directly to SAP, giving extensive control over this process.  However, this particular customer only wanted to read from SAP and cost is an issue.  EmpowerID gives you options outside of the connector if you can have a flat file dump from SAP, allowing the metadirectory to inventory that file and still affect the changes on whatever schedule is worked out with the SAP dump.

EmpowerID uses its flexible visual workflow platform to make your identity processes match your business process, creating situations like the one described where the customer can achieve their identity goals and reduce costs in IT.  Take a look at the user provisioning video or schedule a personalized demonstration and get your identities AND users provisioned.


Tags: User provisioning, Identity and Access Management (IAM)

How to choose your IAM platform: Think Big Start Smart

Posted by Edward Killeen on Fri, Sep 13, 2013

Identity & Access Management (IAM) is a big undertaking.  I always joke that the successor to the CIO who purchases a legacy IAM platform is the one that gets all of the credit for the project.  But it doesn't have to be that way; an IAM platform that is easy to install, customize and configure AND that is modular can give ROI along the way.

A partner of ours calls that Think Big, Start Smart.

Take a look at the way EmpowerID segments an IAM project:

IAM Platform

Some of these functions can be done standalone, some have a faster ROI than others, some have business owners that can fund the project.  But you have to choose a platform that first off can accomplish all of them and second off doesn't force you to buy all of it if you want to "start smart".

A great example of this is a customer who started by managing users and their access within SharePoint using EmpowerID's built-in claims functionality.  We were able to define a whole slew of dynamic roles and assign those to different SharePoint sites.  Once they had this functionality done, the roles and HR inventorying processes were already defined so a VERY easy next step was role based provisioning into all of the applicable systems.  Once accounts are defined, why not add single sign-on into those applications. 

This project was broken into three phases, all of the platform functionality was installed during the first phase (metadirectory, GRC functions, RBAC engine, visual workflow studio) and the customer just needed to purchase the appropriate module to unlock the functionality for each phase.  They were able to accomplish their main initial goal and future proof for the rest of their IAM needs.

EmpowerID's single code-base platform is what makes this work; we ship with over 400 out of the box workflow templates and all of the capabilities of the metadirectory, RBAC engine, audit/SOD capabilities and visual workflow studio.  This is out of the box regardless of the module.

The sections in green below are the functions that come with the platform:

EmpowerID IAM platform

When you are choosing a platform for IAM, think of these factors.  Can you start smart, get an initial positive ROI, and future proof for future needs?  IAM is big, never forget to think big.  And that means thinking EmpowerID.  Schedule a demo today!



Tags: User provisioning, Identity and Access Management (IAM)

Managing external identity: Provisioning, RBAC and SSO

Posted by Edward Killeen on Mon, May 13, 2013

Life would be a lot easier if we only had to manage our employees' identities.  But we have customers, partners, and contractors.  These external identities have the same needs for identity management as our internal identities.  In fact, they might have more needs as we know a lot less about them.

The most common scenario that we see is when a customer (the external user) registers for services with our client.  The needs are very simple: self-registration, role-based access control, approval workflows, and federated single sign-on (SSO).  I'm kidding, that's not simple.

Let's start with the self-registration.  When your external user first finds your site, you will want their registration to be simple, giving them immediate access to the most public facing resources.  EmpowerID's built in forms designer allows you to have them fill out the important information and create an account in the metadirectory. 

The RBAC engine will give them the most basic of permissions at the same time that it either kicks off an approval workflow to grant more permissions or inventories another identity store (CRM for example) to determine their role and give higher privileges.

So, now you know who they are and can design some provisioning rules for other applications.  With the roles in place, you know that customers that meet certain criteria get access to different applications and resources.  Role based provisioning will automatically create accounts in these applications.

Permissions are managed with these roles too.  Polyarchical roles allow you to protect resources at a very granular level without having to create a role for every single type of external user.

Now we get to the heart of the matter, you know who your external users are, what their roles are and what access you give each role.  Now your users need to access these resources and applications.

Enter single sign-on (SSO).  You have provisioned a user account in the EmpowerID metadirectory.  This metadirectory can act as an identity provider or service provider, meaning that you can authenticate with EmpowerID and federate out to other applications or you can authenticate with other credentials, federate with EmpowerID and then with your other applications.

EmpowerID as an identity provider is incredibly powerful, it is also a Secure Token Service, allowing it to send tokens to the federated applications and giving users immediate access based on their role.  EmpowerID supports federation with SAML, OpenID, OAuth, WS-Trust and WS-Federation.

For applications that aren't federated, EmpowerID can also perform Web Access Management (WAM), sending user credentials securely and giving the same end user experience.

On the flip side, you can also federate with other identity providers such as Facebook or Twitter, giving users the ability to authenticate with credentials they use every day.  EmpowerID is still in the middle and provides role based access to the connected applications.

EmpowerID is one of the only IAM solutions on the market that manages external users' provisioning, authentication and authorization.  EmpowerID supports anonymous provisioning, allowing users to register for services and be given a baseline of permissions.  EmpowerID can federate with Facebook, Twitter, etc. to authenticate, claim accounts in other applications and manage any attributes.

EmpowerID can then perform two-factor authentication, device registration or identity proofing to further confirm the user's identity.  Its HTML5 interface works on any device, allowing mobile usage and a better overall user experience.

Schedule a demonstration and see how you can manage your external identities, giving them more secure and easy access to your resources.

 


Tags: Single Sign-on (SSO), Role Based Access Control (RBAC), User provisioning, Identity and Access Management (IAM)