MY1LOGIN SOLUTION BRIEF: PROVISIONING. Automated Provisioning of Users Access to Apps

Transcription

1 MY1LOGIN SOLUTION BRIEF: PROVISIONING Automated Provisioning of Users Access to Apps

2 MY1LOGIN SOLUTION BRIEF: PROVISIONING Automated Provisioning of Users Access to Apps The ability to centrally provision and de-provision users for application access has both security and productivity benefits for your organisation. My1Login enables your organisation to: Employ a unified approach to identity governance and administration Centralise control over provisioning and de-provisioning of user access Rapidly onboard new employees Instantly cease ex-employee access to all applications Integrate with existing directory services, e.g. MS Active Directory, Oracle Directory Service Integrate with identity standards, e.g. SAML, SCIM Provision using the My1Login API when Identity Standards are not supported by Service Providers. My1Login s Provisioning Engine ensures the right people have access to the right applications at the right time. my1login.com 1

3 IDENTITY STANDARDS Provisioning (and de-provisioning) utilises a number of protocols and identity standards. A few of the most-relevant standards, protocols and terms you ll come across are below - an explanation of what they do can be found in the Provisioning Glossary. Standards, Protocols & Terms SAML SCIM CRUD IdP SP API LDAP DSML Security Assertion Markup Language System for Cross-domain Identity Management Create, Read, Update, Delete Identity Provider Service Provider Application Program Interface Lightweight Directory Access Protocol Directory Services Markup Language DIRECTORY SERVICES My1Login integrates with all popular directory services, including Microsoft Active Directory, IBM Directory Server, Oracle s Directory Service, CA Directory, Apple Open Directory and a multitude of generic user directory services. Additionally, My1Login can also integrate with bespoke user directories. No matter what directory service you currently use, My1Login can work with it to provision your users for applications across cloud, mobile and legacy platforms. The My1Login Provisioning Engine ensures user access to all applications can be ceased centrally when required. my1login.com 2

4 APPLICATION PROVISIONING Service Providers (SPs) host target applications. My1Login can provision users on SPs using identity standards, such as SAML. Additionally, even where SPs do not offer common identity standard compatibility, My1Login can use SCIM-to-API or a customised API to enable provisioning for these applications. My1Login can be used to provision users in 3 ways: Standard Provisioning With Standard provisioning an administrator creates the user identity within the Identity Provider (My1Login). Each Service Provider (SP) has specific provisioning requirements that My1Login is pre-configured to provide. The admin carries out the provisioning via the My1Login application by adding the details for the new user that is to be provisioned My1Login ensures this information is in line with the requirements of the SP, and then transmits it to the SP using SCIM. Once successfully created, the user provisioning is complete. Just-in-Time Provisioning With JiT provisioning, the user identity is created (provisioned) with the Service Provider (SP) at the moment the user first tries to access the target application. To enable JiT, an admin simply authorises a user for a particular target application within My1Login. No identity provisioning activity between the identity provider and the SP takes place at this stage. When a user attempts to access an SP application, it is first checked whether the user s unique identifier is already provisioned. If no matches are found, the user has an account created for them on the SP. This happens seamlessly for the user. JiT provisioning reduces admin effort as there s no need to provision the user manually, the user simply has to be authorised to access a particular SP s target application. Organisational Provisioning With Organisational Provisioning, the user identity is created automatically using the Active Directory details. My1Login utilises Active Directory Groups to automate the provisioning process, providing permission-based access to the Service Provider (SP) for users. Whenever a user s Active Directory (AD) details are changed the user s corresponding SP application access is updated as well. The benefit of organisational provisioning is that it s synchronised with the directory service (e.g. Active Directory) vastly reducing administration effort. An example would be where an employee moves departments within the business - simply by changing the user s group in the directory service, My1Login will automatically de-provision and provision their access rights to applications relevant to their role. my1login.com 3

5 MIGRATING IdPs Migrating from an existing Identity Provider (IdP) to My1Login is straightforward and seamless. Within the target application settings on the Service Provider (SP), an admin simply changes the relationship from the incumbent IdP to My1Login by updating the configuration information. This creates a new relationship between the SP and My1Login - all existing user provisioning remains in place without the need to re-provision existing users for applications. WHY MY1LOGIN PROVISIONING The My1Login Provisioning Engine provides security and productivity benefits for your organisation. Proactive and Just-In-Time user provisioning, updating and de-provisioning Integration with the directory service of your choice SCIM support for full SCRUD user directory operations Organisation Directory group provisioning for rapid onboarding Custom APIs and SCIM-to-API bridging enabling provisioning on any target application. my1login.com 4

6 PROVISIONING GLOSSARY SAML: Security Assertion Markup Language SAML is an XML-based, open standard, data format for exchanging authentication and authorisation between parties, in particular, between an Identity Provider (e.g. My1Login) and a Service Provider (e.g. Salesforce). SCIM: System for Cross-domain Identity Management SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. CRUD / SCRUD: Create, Read, Update, Delete In computer programming, Create, Read, Update and Delete (Sometimes called SCRUD with an S for Search) are the four basic functions of persistent storage. IdP: Identity Provider An Identity Provider (e.g. My1Login) creates, maintains, and manages identity information for users, services, or systems and provides authentication to other service providers (applications) within a federation or distributed network. SP: Service Provider A Service Provider (e.g. SalesForce) is an entity that hosts target applications and provides services to users. API: Application Program Interface A set of functions and procedures that allow the creation of applications which access the features or data of an operating system, application, or other service. LDAP: Lightweight Directory Access Protocol LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP. DSML: Directory Services Markup Language DSML (Directory Services Markup Language) is a representation of directory service information in an XML syntax. my1login.com 5

7 ABOUT MY1LOGIN Founded in 2007, My1Login is a European leader in protecting against enterprise cyber security threats through its Identity and Access Management solutions. The trend towards SAAS has moved Enterprise identities outside the traditional corporate infrastructure, exacerbating the challenges of identity sprawl, password fatigue, resets and compliance adherence. My1Login s next generation Identity and Access Management solution enables organisations to overcome these challenges by providing a single user identity for employees, improving productivity and eliminating security threats. My1Login s IAM solution supports identity standards such as SAML, SCIM, OAuth 2.0 and OpenID Connect, but crucially can also integrate with target applications that don t have connectors, ensuring there are no gaps. My1Login works across cloud, mobile and legacy desktop applications enabling control of user identity and access while delivering a return on investment. The service can be deployed rapidly, even in the most complex enterprise environments. PARTNERS My1Login protects over 1,000+ organisations worldwide. 10,000+ APPS My1Login works with all common directory structures, legacy desktop apps and today s Enterprise applications including Microsoft Office 365, BMC Remedyforce, Zendesk, DocuSign, LinkedIn, LivePerson, Netsuite, GotoMeeting, Dropbox, Yammer, Atlassian, Hootsuite, GotoMeeting, Workday, Box, Google Apps, Prezi, Salesforce, Pardot, Stripe, AWS, Zendesk and Cisco. HAVE A QUESTION? SPEAK TO OUR IDENITY EXPERTS Call Visit contact@my1login.com My1Login Limited, Office 404, 324 Regent Street, London, W1B 3HH My1Login. All rights reserved.