Connecting IdM services to SURFconext

Size: px
Start display at page:

Download "Connecting IdM services to SURFconext"

Transcription

1 Connecting IdM services to SURFconext Project : SURFworks Projectyear : 2013 Releasedate : Version : 1.0 Summary This research compares the currently available IdMaaS services and assesses the market opportunities for IdMaaS for the Dutch R&E community. We conclude that Dutch Research & Higher Education institutes are generally not ready for a complete cloud offering of IAM services. By and large they lack a clear policy for adopting cloud services and have a reserved position towards IdMaaS due to the sensitive nature of the data involved and their awareness to comply to privacy regulations. Therefore, IdMaaS will not be an alternative for the on-premise IAM services in the Dutch R&E sector in the short term (1-3 years). Nevertheless, IdMaaS is seen as an attractive option for realising additional IAM functions. Deze publicatie verschijnt onder de Creative Commons licentie Naamsvermelding 3.0 Nederland. Meer informatie over de licentie is te vinden op

2 Colophon Programme line Part Activity Deliverable Access rights External party : SURFworks : SI-SDT : Connecting Services : g Connecting IdMaaS Services : Public : m7, Ludo Gorzeman, Peter Jurg, Ton Verschuren This project was made possible by the support of SURF, the collaborative organisation for higher education institutes and research institutes aimed at breakthrough innovations in ICT. More information on SURF is available on the website 2/38

3 6 Matters one should know about Connecting IdM services to SURFconext. Scenario What is it? Whom is it for? How does it work? What can one do with it? More information With the rise of cloud computing we also see IAM-as-a-Service, i.e. IAM in the cloud, being offered by more and more suppliers. This research compares different IdMaaS vendors and assesses the readiness of the community for adopting this new service model for IAM. A comparative research on IdMaaS suppliers and the readiness of the community for adopting this new service model for IAM. The target audience for this report consists of CIO s, ICT managers, IAM functional application managers, and the members of the SURF Special Interest Group for Identity Management in general. A shortlist of IdMaas suppliers were compared based on a number of criteria (both functional and non-funcitonal). The findings are presented in this report. Get an overview of the IdMaaS supplier landscape Eefje van der Harst 3/38

4 Contents 1. Background Purpose and target audience Approach for this report Disclaimer Identity and Access Management-as-a-Service Customer perspective Results Conclusions Annex: Longlist and shortlist of IdMaas suppliers Annex: CA Technologies Annex: Clavid Annex: CloudID Annex: Covisint Annex: iwelcome Annex: Microsoft Annex: Okta Annex: PingOne Annex: Sailpoint Annex: Traxion /38

5 1. Background Federated Identity & Access Management is in everyday use for the majority of the research and higher education (R&E) community in the Netherlands. Over one hundred institutes with almost one million users can use over one hundred services through the SURFconext federation, resulting in more than federated logins per day. SURFconext is a collaboration infrastructure that connects a number of basic building blocks for online collaboration: federated authentication and authorisation, so that users can securely access all kinds of available services via the same account that they use at their own institution; group management enabling access to content and functionalities, for example for a project team, to be managed centrally. These may be internal groups of the institution or groups from the SURFconext group management application; a standard data interface for exchanging activities, reports, and group information (OpenSocial) with cloud applications; cloud applications of various providers (for example Google Apps, Edugroepen, Sharespace, Liferay Social Office). SURFconext allows institutions to integrate internal and external online services, thus enabling them to offer users a collaboration environment within which they can access the online services that they require. Currently, an on-premise Identity & Access Management (IAM) facility, connected to SURFconext, is a common asset in the Dutch R&E community. With the rise of cloud computing we also see IAM-as-a-Service, i.e. IAM in the cloud, being offered by more and more suppliers. Hence the question arose if this new form of IAM is of interest to the Dutch R&E community and how it relates to SURFconext. Although IAMaaS would be the appropriate abbreviation for IAM-as-a-Service, in this report we will use the term IdMaaS (Identity Management-as-a-Service) since this is the common term used these days. 2. Purpose and target audience Commissioned by SURFnet and in close collaboration with SURFmarket, m7 conducted research into IdMaaS and the readiness of the community for adopting this new service model for IAM. The goal of the research is threefold: describe and compare the currently available IdMaaS services; assess the market opportunities for IdMaaS for the Dutch R&E community; select the most promising top 3 among the IdMaaS vendors and assist SURFmarket to include these vendors in its dynamic procurement system. The first goal concerns this report. The result of the latter goal is to lower the threshold for both the vendor and the customer to reach a favourable agreement to procure an IdMaaS service. As a result of this research SURFnet wants to assess the suitability of IdMaaS for the smaller institutions with little know-how about IAM, that are not yet connected to SURFconext. Is IdMaaS for this type of organisation a suitable solution to connect to SURFconext as an Identity Provider? The target audience for this report consists of CIO s, ICT managers, IAM functional application managers, and the members of the SURF Special Interest Group for Identity Management in general. 5/38

6 3. Approach for this report A small number of organisations connected to SURFconext was visited to learn their interest in and expectations of IdMaaS. Suggested by SURFnet and SURFmarket, we interviewed the responsible persons for either ICT or IAM of the following organisations, two academic hospitals and three universities: Leids Universitair Medisch Centrum (LUMC); VUmc; Hogeschool Utrecht; Universiteit Maastricht; Technische Universiteit Delft. We discussed their view on cloud computing in general, their current IAM service and features lacking, and assessed their willingness to move (part of) their on-premise IAM service to the cloud. In a seminar at the end of November we presented the results of our study and provoked discussion about the usefulness of IdMaaS for the SURF community. Based upon desk research 1 we compiled a longlist of some twenty IdMaaS vendors (refer to Annex: Longlist and shortlist of IdMaas suppliers). We studied their websites to find out what IAM functions they provide (refer also to the next chapter for a description of the IdMaaS services) and posed a number of questions about non-functional features by . Based upon a number of criteria we compiled a shortlist of ten vendors. Next a questionnaire was sent to these vendors, followed by if we got any response a meeting or teleconference to discuss their answers. Finally we filled out a template per vendor (refer to the annexes) and submitted it to them for review. A compilation of our findings is included in the chapter on results. 4. Disclaimer IdMaaS is a young industry, consisting of well-known players with fully developed IAM suites for on-premise use moving to the cloud and newcomers deploying in-house developed solutions or combinations of existing solutions (open source and commercial). Hence this report is a snapshot of a rapidly changing vendor landscape, where a first wave of takeovers and mergers is not unlikely. 5. Identity and Access Management-as-a-Service In the last few years many vendors of IAM suites have decomposed their offer into several smaller modules that offer particular IAM services. This trend obviously follows the trend of the last 5-10 years of performing IAM projects step by step. In the last 2 years the decomposition of IAM into several services has led to cloud offers for some demarcated IAM services. For example federation, single sign-on and provisioning to public cloud applications are services that are offered from the cloud. However, in the last year we see that more sophisticated services, especially self-service, access governance, and risk-based access, are also offered from the cloud. In this document we use a decomposition model for IAM that is depicted in Figure 1. 1 The Forrester Wave report on Enterprise Cloud Identity And Access Management, Q3 2012, proved an inspiring document for our research. 6/38

7 At the bottom of this picture we start with the underlying processes for registration, change and exit for identities that are already in place in the majority of organisations, Dutch higher education and research included. Therefore, we exclude the registration functionality for staff and students in our comparison assuming this is already in place as an on-premise process. For smaller organisations looking for a solution to connect as identity provider to SURFconext however, this functionality would be required as part of the IdMaaS offering. Usually though, their registration needs will be met by the guest registration functionality of the IdMaaS supplier. In larger organisations guest registration is sometimes a more diffuse process, where different parts of the organisation have their own process for it. So guest registration often can be improved by a central software solution that enforces one way of doing this. Below we discuss the other services in the picture and their role in IAM. We distinguish services that have a 10 year or more history, which we call classical IAM services, and IAM services that became popular in the last 2-3 years, which we call modern IAM services Classical IAM services Identity Vault / life cycle management An identity vault is a central user repository that contains the information necessary for account and role provisioning. So from here users get their account and basic access rights in different systems. On top of the identity vault the processes for life cycle management can be implemented. This defines existence of accounts and access rights for users depending on the state of their identity. Whether or not to implement a central Identity Vault mostly depends on the number of users and expected changes. Generally it is cost effective to implement a central Identity Vault for a couple of thousands identities User provisioning This service provides the provisioning of account information to all applications and authentication databases (see below) that need a user account in order to provide access to a user Role and group assignment Figure 1 Decomposition of IAM functions Which systems are appropriate for a user is defined by the roles a person has or to which groups a person belongs. Roles can be job description, department, location or other information, often provided by HR. Groups often have a more ad hoc character, like a project group. Life cycle management also handles changes in roles and groups and translates them into changes in access (if needed). Other approaches for access management like access request management and identity and access governance are described below. 7/38

8 Delegated admin Delegated admin can be used for distributed user account management within an organisation. Admin users can for example create and remove users, change access rights or perform self-service tasks on behalf of users Single sign-on (SSO) Single sign-on is a mechanism that allows the user to log in only once to have access to several services without logging in again. This service is mainly a technical implementation. The biggest challenge is to integrate desktop and web-sso Strong authentication This provides a central service for 2-factor authentication or otherwise stronger authentication methods than username and password that can be applied to several applications Self-service This is a central service by which end users can change or reset their password and maybe also change some personal information (this might be viewed upon as part of delegated admin, with delegation to the users themselves) Access request management Besides the information in HR (job description, department, location, etc.) users within an organisation will have specific tasks for which they need specific access. This can be established by so-called access request workflows. Line managers and application owners will have to approve requests by employees. It is utopian to think that such workflows can be used to manage all access rights in all applications. A lot of rights will still be entered in the applications without any workflow. In that case, Identity & Access Governance (see below) can help Reporting and auditing Reporting and auditing is useful for obtaining insight in access rights, delegated admin activity, self-service activity, provisioning, etc Modern IAM services Federation Federation can be used to enable web-sso, i.e. SSO for web-based services. It may also serve to let people from another organisation login to your services with the account from their own organisation and vice versa Identity and Access Governance (IAG) This is a service that will retrieve access rights from several applications, gather them and present the consolidated rights for review. Access rights can be labelled as low, medium or high risk and a manager can get an overview of what type of access their employees have (risk, license costs, etc.). He can then approve, change or withdraw access rights. With this approach access rights can still be entered in the applications themselves, but managers are alerted when new employees come in or access rights are changed. IAG can also help to detect violation of segregation of duty Cloud provisioning Cloud provisioning is not much different from account and role provisioning, but uses API s of Cloud Providers and open standards to provision and deprovision accounts and roles. 8/38

9 Identity-based device management Linking device management to identity management ensures that life cycle management is effective for personal devices and enables an organisation to define personal access rights for devices. It may also be used for risk-based access Risk-based access Risk-based access enables organisations to make access decisions on the behaviour of users. For example the location of a user should not suddenly change when a user is accessing services or a user should not access systems at unusual hours Social logon Social logon helps organisations to diminish user account management for individual users. They can login with a social media account. Since trust and security are not at a high level here, this mechanism is mostly used for providing customers access to (semi-) public information. For example for marketing purposes: an organisation wants to provide information to potential customers and at the same time wants to keep track of the activity and profile of those customers. Most IdMaaS cloud providers currently have a main focus on the modern IAM services, forming the biggest opportunity as most organisations have the classical IAM services already in place. Most of them are able to offer the classical IAM services from the cloud as well, though. Device management turned out to be an exception. Though device management is offered as a cloud service by many service providers, these services are quite often not part of the IdMaaS offering, but available as a separate service from the same supplier or from specialised suppliers. We will use the picture above in the annexes to this document to indicate what services are offered by the different IdMaaS providers. Furthermore, we will describe how the IdMaaS offering relates to the SURFconext service. Apart from a functional comparison of the IdMaaS suppliers, we looked at a number of non-functional aspects 2 : What privacy (data protection) regulations apply to the IdMaaS service? The EU Directive, the Safe Harbor Principles, or otherwise? Will the supplier comply with the International Standard for Assurance Engagements (ISAE) 3402 or Statement on Standards for Attestation Engagements (SSAE) 16 for their service auditor's statements 3? 2 For more information (in Dutch) refer to the checklist for contracts with cloud providers (http://www.surfsites.nl/cloud/download/checklistcontractueleafspraken.pdf) and the best practises on privacy for cloud providers (http://www.surfsites.nl/cloud/download/cloudbpg.pdf). The latter explains the standards for the certifications mentioned. 3 ISAE 3402 provides an international assurance standard for allowing public accountants (an independent third party) to issue a report for use by user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization s system of internal control over financial reporting. Hence ISAE 3402 provides assurance over outsourced business processes. ISAE 3402 includes the IT environment of the service organization and its security. SSAE 16 resembles ISAE 3402 and differs only for the specific case of US customers of service organizations. Hence it is not relevant for Dutch higher education institutes. Note that ISAE 3402 reports can be of type I or type II, the first being a snapshot, the latter reporting over a longer period with a minimum of 6 months. 9/38

10 ISO certificate 4? This will ensure that the service is secure and will be audited regularly. What SLA is offered? For a service that enables users to log on a good uptime of the service, short response times when a disruption occurs and a globally acceptable performance are important SLA parameters. Is data escrow supported? If so, an exit or migration to another supplier will be easier, because such a service can make sure that the customer s data will be available, even if the supplier is bankrupt or suffers from a large calamity. We did not include the costs of the IdMaaS offerings in our research. But we did ask the vendors for their cost models. On what parameters are their tariffs based? Apart from an one-time set-up fee, the license costs can be based upon the following parameters: number and type (internal or external) of users; number of authentications per period of time; number of connected cloud applications; number of administrators in the cloud platform; the two-factor authentication methods used; support level. 6. Customer perspective None of the organisations interviewed has defined a policy for the cloud yet, although some are in the process of defining one. And some collaborate in the SURF Cloud Taskforce, hence the topic has their interest. Main reasons for adopting cloud services in general are an improvement of the quality of the services offered, increased agility, and a change from a capital expenditures to an operational expenditures cost model including reduced manpower for application management and support. But due to the sensitive nature of IAM (accounts, personal data, access to licensed content and services) the migration to a completely cloud-based IAM service is unlikely in the short term. All organisations claim to hold on to a local registration process for employees and students, a local identity store including lifecycle management, and due to the sometimes very extensive on-premise application landscape to a mainly local provisioning process. The academic hospitals interviewed even claimed that they cannot move their identity store to the cloud because of the data protection regulations in force. But the authors of this report do not think this is true, because IdMaaS can be considered to be a technical solution for IAM that has to adhere to the same legislation as on-premise IAM. To summarise the viewpoint of the organisations interviewed, IdMaaS is not considered to be an alternative for the basic, classical IAM functions. At the seminar, however, the majority of the institutions indicated an interest in IdMaaS because their current onpremise IAM solution is bound for replacement in the near future. Nevertheless, IdMaaS is seen as an attractive option for realising additional IAM functions, such as strong authentication, improved self-service, guest registration (especially in the context of virtual organisations or collaboration teams), provisioning to cloud applications, and possibly in the longer term social logon and identity-based (mobile) device management. This was confirmed during the seminar, where two third of the attendants showed their interest in IdMaaS within a three-year term. On the other hand, a quarter of the audience thinks that IdMaaS may not be a solution for them, 4 Though ISAE 3402 covers IT security, it is not very specific about the security measures and its relevance for IT security depends on the third party who issues the report and the auditor of the customer who verifies it. ISO is a pragmatic certification that ensures that certain measurements are taken and therefore may offer additional assurance. 10/38

11 because their business processes are not generic enough and they are unwilling or unable to adjust to more generic processes. A remarkable finding was the fact that the modern Identity & Access Governance approach does not have the attention of Dutch Research & Higher Education at the moment, so a cloud offer for this functionality is currently not on their wish list. 7. Results This chapter contains the results of our research of the IdMaaS vendors on the shortlist. We describe the current state of affairs in the IdMaaS landscape in the context of the Dutch situation. Not all suppliers responded to our questionnaire or to our request to review our findings. If so, it will be mentioned in the annex concerned. The IdMaaS market is young, but rapidly developing. During our research we came across several suppliers that were not on our initial longlist. Some suppliers build their offering based upon their own intellectual property; some use products from the wellknown classical IAM vendors. Some suppliers offer their service since a number of years, but the majority introduced their IdMaaS offering in the last two years. Not surprisingly, the set of IAM functions offered and their maturity strongly varies per supplier. A number of suppliers mainly focus on offering as many out-of-the-box connections to cloud applications as possible, usually presented through a user or admin dashboard. Choose your cloud application, click and go is the adagio here. Others try to cover as many IAM functions as possible, trying to compete with onpremise IAM suites. Still others offer a wide variety of two-factor authentication options. Whereas the IAM functions offered are easy to find on the suppliers website, the nonfunctionals are harder to obtain. But where an SLA is important for any cloud application ( *-as-a-service ), for IAM a number of specific non-functional requirements are critical, due to the nature of the data concerned. Here information security standards, like ISO 27001, and third-party audit formats like ISAE 3402 and SSAE 16 come in. Together they provide an indication how safe your user s data and privacy are in the suppliers cloud platform. Of course, the suppliers are aware of these issues and some are in the process of regionalising their cloud (data centres) in order to adhere better to the Dutch and EU data protection regulations. When it comes to the positioning of the IdMaaS offering with respect to SURFconext there is a varying degree in overlap of functions offered. Actually the majority of IdMaaS suppliers offer technical services that can be used to build a federation like SURFconext. They offer authentication using SAML (and OpenID connect), web SSO for cloud applications and social logon, just like SURFconext offers. However, they only provide technical solutions, whereas SURFconext offers a complete federation with central facilities that make connecting to a large number of services a breeze and a trust framework that helps to diminish the burden of arranging agreements with many service providers. Using an IdMaaS supplier, institutions will have the technical possibilities of a federation, but will not have the federation itself. In general this makes the IdMaaS services less attractive because the added value is limited. However, there are still some areas where SURFconext does not offer functionality and IdMaaS providers do. Some examples: Two-factor authentication; SSO to cloud applications not included in SURFconext; Guest registration; Device management; Provisioning to cloud applications; On-premise provisioning, identity vault and SSO. 11/38

12 A general observation across all suppliers is that support for the group API of SURFconext is lacking. The consequence is that group information used in the SURFconext connected cloud applications will not be available in the cloud applications connected to the IdMaaS supplier s platform. SSO, however, between the supplier s and SURFconext domains won t be a problem. One of the non-functional aspects that will be of interest to a prospective customer of an IdMaaS service is the supplier s ability to execute: how many comparable organisations are among the supplier s customers; how easy is it to set up the service and how long does it take for the service to be operational; how well is support organised; is the supplier already active or not on the Dutch market, etc. And with respect to the latter aspect: is the supplier inclined to connect to SURFconext? Note however, that the ability to execute is beyond the scope of our research, partly due to the lack of response on the subject from a number of vendors. In the annexes a short description of the supplier and its offering is given. The table below summarises our findings for the functional and non-functional aspects. The table shows that not surprisingly federation techniques and SSO are supported by all suppliers. Identity & Access Governance, device management and to a lesser extent access request management are still rather rare. Auditing and reporting are generally implemented in a basic form. Those suppliers rated mature (blue) for this function usually provide an interface for a Security Information and Event Management system. A remark about provisioning needs to be made. Although the table shows that user and cloud provisioning is generally well supported, suppliers indicated that in practise provisioning is far from trivial. Some suppliers claim to provide provisioning to cloud applications only if they support standards like SPML and SCIM, for which support in applications is not very common at the moment. And some interpret provisioning as justin-time provisioning 5, while generally ahead-of-time provisioning 6 is required. For the latter usually custom interfaces need to be implemented. Overall, the classical IAM functions show better support than the modern ones. Discussions with suppliers showed that many of them are still developing their solutions and have support for many of the modern IAM functions on their roadmap. On the non-functional side, the fact that not all suppliers indicate to adhere to the EU privacy regulations shows their sometimes limited interest in de Dutch (European) market. Support for data escrow is provided by the majority of the suppliers, which should ease a (periodic) change of IdMaaS supplier, e.g. after a tender. The approach taken and the sometimes meagre response from the vendors prevent us from appointing a top 3 of best suppliers. Moreover, the choice for a suitable IdMaaS solution strongly depends on the specific IAM functions required by an organisation. 5 Just-in-time (JIT) provisioning creates a profile for the user in the application at the time of first login. 6 Ahead-of-time (AOT) provisioning creates a profile for the user in the application before the first login. 12/38

13 The legend reads: Traxion Sailpoint Ping Okta Microsoft iwelcom e Covisint CloudID Clavid CA Modern IAM device mgmt risk-based xs social logon federation IAG cloud provisioning Classical IAM SSO 2FA selfservice access req mgmt reporting & auditing LCM user provisioning roles & groups DA guest registration 13/38

14 Non-functionals Adhere to privacy regulations Third-party audit conformity ISO SLA Escrow support Table 1 Comparison of IdMaaS suppliers Some more background information: All providers offer good functionality for cloud provisioning, federated login and SSO for cloud applications. Additionally they all offer good functionality for onpremise SSO. Clavid is an exception, they only provide authentication, not provisioning. Covisint is the most experienced IdMaaS provider as they were an IdMaaS provider avant la lettre in the automotive industry. Their offer is highly standardized though, so customizations may be expensive. In terms of overall functionality they have the best score. Okta and CA seem not very interested in the Dutch educational market. That is what we deduce from the fact that they were not very responsive. Traxion indicated that their focus is not on education anymore. For specific types of functionality we would recommend the following suppliers: o Two-factor authentication: Clavid and iwelcome. o SSO to cloud applications not included in SURFconext: all. o Guest registration: Covisint and iwelcome. o Device management: Covisint. o Provisioning to cloud applications: all but Clavid. On-premise provisioning and identity vault are functions that most suppliers do not offer (yet) in a way that can meet the rather complex business rules of the Dutch higher education community, but that appears to be a matter of time. Instead, at the moment, most suppliers do provide simple provisioning tools. If an institution plans to make provisioning simpler though, most suppliers are able to help out. 14/38

15 8. Conclusions Dutch Research & Higher Education institutes are generally not ready for a complete cloud offering of IAM services. By and large they lack a clear policy for adopting cloud services and have a reserved position towards IdMaaS due to the sensitive nature of the data involved and their awareness to comply to privacy regulations. Therefore, IdMaaS will not be an alternative for the on-premise IAM services in the Dutch R&E sector in the short term (1-3 years). For federation and SSO the institutes mainly use SURFconext. SURFconext might also offer strong and step-up authentication in the near future. Thus the overlap between the IAM functions offered by SURFconext and IdMaaS suppliers will likely grow. On the other hand some IdMaaS vendors try to connect as many cloud applications to their platform as possible, whereas SURFconext generally connects (niche) applications for the R&E community. Depending on the need for cloud applications, the SSO domain of the IdMaaS solution may be of interest. On the other hand several cloud IAM providers support the modern IAM functionalities the institutes are looking for. However, the core business of the providers lies mostly in functionality that is offered by SURFconext. Furthermore Dutch cloud IAM providers are inclined to provide additional features outside of the regular cloud spectrum, like guest registration and improved self-service. One of the modern IAM functions, identity-based device management, is rarely part of the IdMaaS offering today. This function is mainly the domain of specialised suppliers. That may change in the near future, though, since this feature is on some IdMaaS suppliers roadmap. Support for the group functions supported by SURFconext seems entirely lacking among the current IdMaaS suppliers. Moreover also within SURFconext not many applications support this yet. On the SURFconext side it would be worth investigating the future of this function. The approach taken and the sometimes meagre response from the vendors prevent us from appointing a top 3 of best suppliers. Moreover, the choice for a suitable IdMaaS solution strongly depends on the specific IAM functions required by an organisation. The factors mentioned above make the Dutch R&E market less attractive for the IdMaaS vendors. They could try to target the smaller institutions and sell them the whole IdMaaS package (including the connection to SURFconext as an identity provider), but the volumes will be low. Dutch R&E institutes adopting IdMaaS must be aware that cost effectiveness will only be achieved if they are willing to adjust actually simplify their business processes so that technical implementation becomes less complex. Institutes will probably only do this in the context of a cloud-based strategy, where increasingly on-premise applications are replaced by cloud-based or SaaS solutions. Such a strategy will eventually take away the necessity for on-premise IAM anyway. Because IdMaaS is a young and rapidly developing industry, a reiteration of this research in one or two years is recommended. Then the current mismatch between the demand and supply side of IdMaaS for Dutch R&E may be reassessed. 15/38

16 Annex: Longlist and shortlist of IdMaas suppliers The following suppliers were included on the longlist and shortlist for this project, based on the criteria below: Supplier Shortlist Explanation (if not on shortlist) (y/n) Capitar n Not ready in time for this report CA Technologies y Clavid y CloudID y Covisint y Gluu n Did not satisfy shortlist criteria iwelcome y Lighthousegateway n Did not satisfy shortlist criteria Microsoft y Okta y Ping y Sailpoint y Salford Software n Not a general-purpose IdMaaS solution Simeio n Did not satisfy shortlist criteria Symantec n Did not satisfy shortlist criteria Symplified n Did not satisfy shortlist criteria Traxion y Vasco Data Security n Not a general-purpose IdMaaS solution Verizon n Did not satisfy shortlist criteria Criteria for the shortlist 7 : Functional criteria: Is provisioning supported? Is SSO supported, both for on-premise and cloud applications? Is strong (two-factor) authentication supported? Is guest registration supported? Is self-service and access request management supported? Is access governance provided? Non-functional criteria: Does the vendor adhere to the EU privacy or Safe Harbor principles? Did the vendor respond to our questions? Applying these criteria resulted in omitting vendors with a single or very few IAM functions. Hence organisations seeking only a very limited set of IAM functions in the cloud should evaluate the IdMaaS landscape based on their own criteria. 7 Note: because there is a federation in place (SURFconext), the list of criteria is not a generally applicable list for IdMaaS, but tailored to the situation in the Netherlands. 16/38

17 Annex: CA Technologies Supplier CA Technologies, USA, is a well-known company with a wide range of software and SaaS solutions. Their SiteMinder product was one of the first IAM products. Review of this annex received: no. Product: CloudMinder URL: CloudMinder is as the name suggests the SaaS version of CA s existing IAM products like IdentityMinder and SiteMinder. In fact it is a suite of products just like the onpremise versions. It provides an interface to an on-premise AD or LDAP user store and does provisioning to both on-premise and cloud applications (using SCIM). An overview is given in the picture below. Figure 2 Overview of CloudMinder Guest registration is part of the offering as is role management. A complete set of self service and delegated administration functions is available, including access request management. SSO includes on-premise and cloud applications. Various two-factor authentication options are offered as part of CloudMinder Advanced Authentication. Social login is supported. No information about our non-functional requirements could be obtained. 17/38

18 The picture below summarises the main features of CloudMinder: Legend: Figure 3 CA's IdMaaS functional decomposition Colour Meaning Not known or absent Yes or basic functionality Mature or advanced functionality How does it compare to SURFconext? With its track record in IAM CA offers a robust and mature cloud-based service that could add value for an organisation in addition to SURFconext. 18/38

19 Annex: Clavid Supplier Clavid AG is a privately-owned Swiss company with IAM services based on in-house developed software as its core product. Since 2007 Clavid runs an OpenID identity provider with users from over 50 countries. The company s main focus is on two-factor authentication and SSO. Review of this annex received: yes. Product: Clavid URL: Clavid runs its IdMaaS service since Three operational models are offered: pure cloud, on-premise maintained by Clavid, or on-premise maintained by customer. For this report we only take the cloud mode into consideration. Their architecture is depicted in the following figure: Figure 4 Overview of Clavid Clavid features two main elements: the Internet Identity Provider and Authentication as a Service. The Internet Identity Provider connects to an on-premise user store (AD, LDAP, HR system). It offers provisioning to on-premise but not to cloud applications. Guests can be registered in the Internet Identity Provider. Roles are not supported. Selfservice for selection of two-factor methods, login settings, password reset, usage history is supported. Delegated administration is not supported. SSO is one of the main distinctive services of Clavid, covering both on-premise and cloud applications, even with the possibility of protocol translations between e.g. SAML and OAuth. 19/38

20 Two-factor authentication is Clavid s main focus, so an extensive set of protocols, tokens, and methods is supported. Even SURFnet s tiqr! The required authentication strength (using NIST levels 8 ) and corresponding method can be configured per application. On the non-functional side the following applies to Clavid: Clavid runs in a Swiss data center and adheres to the Swiss privacy regulations, which pose less restrictions upon data processing than the EU Directive. Clavid is certified for ISAE No SLA details are available. Third-party data escrow is supported. The picture below summarises the main features of Clavid: Legend: Figure 5 Clavid's IdMaaS functional decomposition Colour Meaning Not known or absent Yes or basic functionality Mature or advanced functionality How does it compare to SURFconext? Clavid s main strength lies in their support for strong authentication and is rather unique in the extent of their features. The number of out-of-the-box interfaces with cloud applications is rather limited. But any standards-based application can be coupled rapidly. Clavid has realised a (test) connection to SURFconext already. A demo showed a federated login with username and password through SURFconext for a test application connected to Clavid s SSO platform. And subsequently a second-factor authentication through Clavid to gain access to the test application. A nice example of step-up authentication. 8 U.S. National Institute of Standards and Technology. The levels are specified in their standard SP /38

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning. PingFederate We went with PingFederate because it s based on standards like SAML, which are important for a secure implementation. John Davidson Senior Product Manager, Opower PingFederate is the leading

More information

Extend and Enhance AD FS

Extend and Enhance AD FS Extend and Enhance AD FS December 2013 Sponsored By Contents Extend and Enhance AD FS By Sean Deuby Introduction...2 Web Service SSO Architecture...3 AD FS Overview...5 Ping Identity Solutions...7 Synergy

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

STRONGER AUTHENTICATION for CA SiteMinder

STRONGER AUTHENTICATION for CA SiteMinder STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive

More information

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications SOLUTION BRIEF: PROTECTING ACCESS TO THE CLOUD........................................ How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications Who should read this

More information

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 4 4 Copyright... 5

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 4 4 Copyright... 5 This document is licensed to iwelcome KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger April 2015 iwelcome Identity & Access Management as a Service iwelcome delivers Identity and Access Management

More information

The Top 5 Federated Single Sign-On Scenarios

The Top 5 Federated Single Sign-On Scenarios The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3

More information

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service? solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service? provides identity and access management capabilities as a hosted cloud service. This allows you to quickly

More information

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology SaaS at Pfizer Challenges, Solutions, Recommendations Agenda How are Cloud and SaaS different in practice? What does Pfizer s SaaS footprint look like? Identity is the Issue: Federation (SSO) and Provisioning/De-provisioning

More information

Adding Stronger Authentication to your Portal and Cloud Apps

Adding Stronger Authentication to your Portal and Cloud Apps SOLUTION BRIEF Cyphercor Inc. Adding Stronger Authentication to your Portal and Cloud Apps Using the logintc April 2012 Adding Stronger Authentication to Portals Corporate and consumer portals, as well

More information

Identity. Provide. ...to Office 365 & Beyond

Identity. Provide. ...to Office 365 & Beyond Provide Identity...to Office 365 & Beyond Sponsored by shops around the world are increasingly turning to Office 365 Microsoft s cloud-based offering for email, instant messaging, and collaboration. A

More information

nexus Hybrid Access Gateway

nexus Hybrid Access Gateway Product Sheet nexus Hybrid Access Gateway nexus Hybrid Access Gateway nexus Hybrid Access Gateway uses the inherent simplicity of virtual appliances to create matchless security, even beyond the boundaries

More information

Integrating Single Sign-on Across the Cloud By David Strom

Integrating Single Sign-on Across the Cloud By David Strom Integrating Single Sign-on Across the Cloud By David Strom TABLE OF CONTENTS Introduction 1 Access Control: Web and SSO Gateways 2 Web Gateway Key Features 2 SSO Key Features 3 Conclusion 5 Author Bio

More information

Agenda. Enterprise challenges. Hybrid identity. Mobile device management. Data protection. Offering details

Agenda. Enterprise challenges. Hybrid identity. Mobile device management. Data protection. Offering details Agenda Enterprise challenges Hybrid identity Mobile device management Data protection Offering details 2 The time to address enterprise mobility is now 29% of today s global workforce use 3+ devices, work

More information

White Paper: Cloud Identity is Different. World Leading Directory Technology. Three approaches to identity management for cloud services

White Paper: Cloud Identity is Different. World Leading Directory Technology. Three approaches to identity management for cloud services World Leading Directory Technology White Paper: Cloud Identity is Different Three approaches to identity management for cloud services Published: March 2015 ViewDS Identity Solutions A Changing Landscape

More information

Connecting Users with Identity as a Service

Connecting Users with Identity as a Service Ping Identity has demonstrated support for multiple workforce and external identity use cases, as well as strong service provider support. Gregg Kreizman Gartner 1 Connecting Users with Identity as a Service

More information

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

White Paper. McAfee Cloud Single Sign On Reviewer s Guide White Paper McAfee Cloud Single Sign On Reviewer s Guide Table of Contents Introducing McAfee Cloud Single Sign On 3 Use Cases 3 Key Features 3 Provisioning and De-Provisioning 4 Single Sign On and Authentication

More information

Microsoft Enterprise Mobility and Client Futures

Microsoft Enterprise Mobility and Client Futures Microsoft Enterprise Mobility and Client Futures Steve Newby& Andy Taylor Device & Mobility TSPs Microsoft UK 66% 18% 33% of employees use personal devices for work purposes.* of all software spending

More information

EXECUTIVE VIEW. EmpowerID 2013. KuppingerCole Report. By Peter Cummings October 2013. By Peter Cummings pc@kuppingercole.

EXECUTIVE VIEW. EmpowerID 2013. KuppingerCole Report. By Peter Cummings October 2013. By Peter Cummings pc@kuppingercole. KuppingerCole Report EXECUTIVE VIEW By Peter Cummings October 2013 EmpowerID 2013 By Peter Cummings pc@kuppingercole.com October 2013 Content 1 Vendor Profile... 3 2 Product Description... 4 2.1 Single

More information

Identity and Access Management for the Hybrid Enterprise

Identity and Access Management for the Hybrid Enterprise Identity and Access Management for the Hybrid Enterprise Redmond Identity Summit 2014 Directories Devices Identity Keith Brintzenhofe Microsoft Corporation Thank You to our Sponsors Gold Silver Plus Silver

More information

White Pages Managed Service Solution Rapid Global Directory Implementation. White Paper

White Pages Managed Service Solution Rapid Global Directory Implementation. White Paper White Pages Managed Service Solution Rapid Global Directory Implementation White Paper December 2014 Author: Tom Eggleston Version: 1.0 Status: FINAL Reference: DA-WP01 Creation Date: 03/12/14 Revision

More information

Interoperate in Cloud with Federation

Interoperate in Cloud with Federation Interoperate in Cloud with Federation - Leveraging federation standards can accelerate Cloud computing adoption by resolving vendor lock-in issues and facilitate On Demand business requirements Neha Mehrotra

More information

Increase the Security of Your Box Account With Single Sign-On

Increase the Security of Your Box Account With Single Sign-On A Box White Paper Increase the Security of Your Box Account With Single Sign-On Box s high level of security, 24x7 support and 99.9% uptime are critical for us. The biggest benefits are the reliability

More information

EXECUTIVE VIEW. SecureAuth IdP. KuppingerCole Report

EXECUTIVE VIEW. SecureAuth IdP. KuppingerCole Report KuppingerCole Report EXECUTIVE VIEW by Dave Kearns March 2015 SecureAuth IdP SecureAuth IdP combines cloud single sign-on capabilities with strong authentication and risk-based access control while focusing

More information

An Overview of Samsung KNOX Active Directory-based Single Sign-On

An Overview of Samsung KNOX Active Directory-based Single Sign-On C E N T R I F Y W H I T E P A P E R. S E P T E M B E R 2013 An Overview of Samsung KNOX Active Directory-based Single Sign-On Abstract Samsung KNOX is a set of business-focused enhancements to the Android

More information

Enterprise Mobility Suite (EMS) Sean Lewis Principal Partner Technology Strategist

Enterprise Mobility Suite (EMS) Sean Lewis Principal Partner Technology Strategist Enterprise Mobility Suite (EMS) Sean Lewis Principal Partner Technology Strategist Industry trends driving IT pressures Devices Apps Big data Cloud 52% of information workers across 17 countries report

More information

Enterprise Mobility Services

Enterprise Mobility Services Learn. Connect. Explore. Enterprise Mobility Services MS Anand Technical Architect Evangelist Anirudh Singh Rautela Enterprise Mobility Business lead - India The challenges we face today in keeping users

More information

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management 1 Product Roadmap Disclaimer Any forward-looking indication of plans for products is preliminary and all future release

More information

USING FEDERATED AUTHENTICATION WITH M-FILES

USING FEDERATED AUTHENTICATION WITH M-FILES M-FILES CORPORATION USING FEDERATED AUTHENTICATION WITH M-FILES VERSION 1.0 Abstract This article provides an overview of federated identity management and an introduction on using federated authentication

More information

NCSU SSO. Case Study

NCSU SSO. Case Study NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

SAP Cloud Identity Service Document Version: 1.0 2014-09-01. SAP Cloud Identity Service

SAP Cloud Identity Service Document Version: 1.0 2014-09-01. SAP Cloud Identity Service Document Version: 1.0 2014-09-01 Content 1....4 1.1 Release s....4 1.2 Product Overview....8 Product Details.... 9 Supported Browser Versions....10 Supported Languages....12 1.3 Getting Started....13 1.4

More information

Introductions. KPMG Presenters: Jay Schulman - Managing Director, Advisory - KPMG National Leader Identity and Access Management

Introductions. KPMG Presenters: Jay Schulman - Managing Director, Advisory - KPMG National Leader Identity and Access Management Introductions KPMG Presenters: Jay Schulman - Managing Director, Advisory - KPMG National Leader Identity and Access Management Agenda 1. Introduction 2. What is Cloud Computing? 3. The Identity Management

More information

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM, the only all-in-one open source access management solution, provides the

More information

MY1LOGIN SOLUTION BRIEF: PROVISIONING. Automated Provisioning of Users Access to Apps

MY1LOGIN SOLUTION BRIEF: PROVISIONING. Automated Provisioning of Users Access to Apps MY1LOGIN SOLUTION BRIEF: PROVISIONING Automated Provisioning of Users Access to Apps MY1LOGIN SOLUTION BRIEF: PROVISIONING Automated Provisioning of Users Access to Apps The ability to centrally provision

More information

How Intel Cloud SSO Works

How Intel Cloud SSO Works TECHNICAL WHITE PAPER Intel Cloud SSO How Intel Cloud SSO Works Just as security professionals have done for ages, we must continue to evolve our processes, methods, and techniques in light of the opportunities

More information

White Paper. Getting ahead in the cloud. the need for better identity and access controls

White Paper. Getting ahead in the cloud. the need for better identity and access controls White Paper Getting ahead in the cloud A White Paper by Bloor Research Author : Fran Howarth Publish date : March 2013 Users are demanding access to applications and services from wherever they are, whenever

More information

identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible

identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible IT transformation and evolving identities A number of technology trends, including cloud, mobility,

More information

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

Ensuring Enterprise Data Security with Secure Mobile File Sharing. A c c e l l i o n S e c u r i t y O v e r v i e w Ensuring Enterprise Data Security with Secure Mobile File Sharing. Accellion, Inc. Tel +1 650 485-4300 1804 Embarcadero Road Fax +1 650 485-4308 Suite

More information

Six Best Practices for Cloud-Based IAM

Six Best Practices for Cloud-Based IAM a best practices guide Six Best Practices for Cloud-Based IAM Making Identities Work Securely in the Cloud Symplified 1600 Pearl Street, Suite 200» Boulder, CO, 80302» www.symplified.com» @Symplified Executive

More information

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition Find out what organizations need to know to compare two-factor vendors and check

More information

Top 8 Identity and Access Management Challenges with Your SaaS Applications. Okta White paper

Top 8 Identity and Access Management Challenges with Your SaaS Applications. Okta White paper Okta White paper Top 8 Identity and Access Management Challenges with Your SaaS Applications Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 info@okta.com 1-888-722-7871 wp-top8-113012

More information

Microsoft Enterprise Mobility Suite

Microsoft Enterprise Mobility Suite Microsoft Enterprise Mobility Suite March 25, 2015 Colm Whelan VP of Cloud Solutions cwhelan@lighthousecs.com @colmw https://www.linkedin.com/in/colmwhelan Lighthouse Computer Services, All rights reserved

More information

a best practices guide Six Best Practices for Cloud-Based Identity Management Services Making Identities Work Securely in the Cloud

a best practices guide Six Best Practices for Cloud-Based Identity Management Services Making Identities Work Securely in the Cloud a best practices guide Six Best Practices for Cloud-Based Identity Management Services Making Identities Work Securely in the Cloud Figure 1 Cloud-based applications you might be using Identity and access

More information

Identity in the Cloud

Identity in the Cloud White Paper Identity in the Cloud Use the cloud without compromising enterprise security Table of Contents The Cloud Conundrum 3 Managing Cloud Identity 3 The Identity Lifecycle 4 SaaS Single Sign-On 4

More information

Security Overview Enterprise-Class Secure Mobile File Sharing

Security Overview Enterprise-Class Secure Mobile File Sharing Security Overview Enterprise-Class Secure Mobile File Sharing Accellion, Inc. 1 Overview 3 End to End Security 4 File Sharing Security Features 5 Storage 7 Encryption 8 Audit Trail 9 Accellion Public Cloud

More information

A Standards-based Mobile Application IdM Architecture

A Standards-based Mobile Application IdM Architecture A Standards-based Mobile Application IdM Architecture Abstract Mobile clients are an increasingly important channel for consumers accessing Web 2.0 and enterprise employees accessing on-premise and cloud-hosted

More information

Azure Active Directory

Azure Active Directory Azure Active Directory Your Cloud Identity Brian Mansure Azure Specialist bmansure@enpointe.com Agenda What Azure Active Directory is What Azure Active Directory is not Hybrid Identity Features Roadmap

More information

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES CONTENTS About Tools4ever... 3 About Deloitte Risk Services... 3 HelloID... 4 Microsoft Azure... 5 HelloID Security Architecture... 6 Scenarios... 8 SAML Identity Provider (IDP)... 8 Service Provider SAML

More information

Identity Implementation Guide

Identity Implementation Guide Identity Implementation Guide Version 35.0, Winter 16 @salesforcedocs Last updated: October 27, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of

More information

Cloud User and Access Management

Cloud User and Access Management KuppingerCole Report LEADERSHIP COMPASS Leaders in innovation, product features, and market reach for Cloud User and Access Management. Manage access of employees, business partners, and customers to Cloud

More information

WIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM) www.wipro.com

WIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM) www.wipro.com WIPRO IDENTITY CLOUD UNLEASHING THE NEXT GENERATION OF IDENTITY AND ACCESS MANAGEMENT (IAM) www.wipro.com Table of Contents 03...Introduction 04...Wipro Cloud (WIC) as a Service Type 05...Wipro Cloud Capabilities

More information

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES pingidentity.com EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES Best practices for identity federation in AWS Table of Contents Executive Overview 3 Introduction: Identity and Access Management in Amazon

More information

Managing Access for External Users with ARMS

Managing Access for External Users with ARMS Managing Access for External Users with ARMS White Paper 27 th September 2015 ProofID Limited 1 Author: Version: Status: Reference: Creation Date: Revision Date: Reviewed by: Approved by: Tom Eggleston

More information

SECUREAUTH IDP AND OFFICE 365

SECUREAUTH IDP AND OFFICE 365 WHITEPAPER SECUREAUTH IDP AND OFFICE 365 STRONG AUTHENTICATION AND SINGLE SIGN-ON FOR THE CLOUD-BASED OFFICE SUITE EXECUTIVE OVERVIEW As more and more enterprises move to the cloud, it makes sense that

More information

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015 Identity & Management The Cloud Perspective Andrea Themistou 08 October 2015 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud

More information

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102 Cloud Standards Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102 2011 IBM Corporation Agenda Overview on Cloud Standards Identity and Access Management Discussion 2 Overview on Cloud

More information

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication

More information

Aurora Hosted Services Hosted AD, Identity Management & ADFS

Aurora Hosted Services Hosted AD, Identity Management & ADFS 22/09/2013 Aurora Hosted Services Hosted AD, Identity Management & ADFS 1 Service Overview - Hosted Identity Management Core provides a fully managed solution hosted in Azure and connected directly to

More information

B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value

B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value IDM, 12 th November 2014 Colin Miles Chief Technology Officer, Pirean Copyright 2014 Pirean Limited. All rights reserved. Safe Harbor All

More information

CA Single Sign-On Migration Guide

CA Single Sign-On Migration Guide CA Single Sign-On Migration Guide Web access management (WAM) systems have been a part of enterprises for decades. It is critical to control access and audit applications while reducing the friction for

More information

Pick Your Identity Bridge

Pick Your Identity Bridge Pick Your Identity Bridge Options for connecting users and resources across the hybrid cloud Executive Overview Enterprises are increasing their use of software as a service (SaaS) for two principal reasons:

More information

Integrating Active Directory Federation Services (ADFS) with Office 365 through IaaS

Integrating Active Directory Federation Services (ADFS) with Office 365 through IaaS www.thecloudmouth.com Integrating Active Directory Federation Services (ADFS) with Office 365 through IaaS A White Paper Loryan Strant Office 365 MVP Introduction This purpose of this whitepaper is to

More information

Office 365 deployment checklists

Office 365 deployment checklists Chapter 128 Office 365 deployment checklists This document provides some checklists to help you make sure that you install and configure your Office 365 deployment correctly and with a minimum of issues.

More information

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta.

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta. Directory Integration with Okta An Architectural Overview Okta Inc. 301 Brannan Street San Francisco, CA 94107 info@okta.com 1-888-722-7871 Contents 1 User Directories and the Cloud: An Overview 3 Okta

More information

SAML Authentication Quick Start Guide

SAML Authentication Quick Start Guide SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.

More information

Creating a Single Sign on Web Portal using Azure. Robert Crane Office 365 MVP @directorcia

Creating a Single Sign on Web Portal using Azure. Robert Crane Office 365 MVP @directorcia Creating a Single Sign on Web Portal using Azure Robert Crane Office 365 MVP @directorcia Agenda What is Office 365? What is Azure? What is Single Sign on (SSO)? What is WAAD? Accessing your free WAAD

More information

Top Eight Identity & Access Management Challenges with SaaS Applications. Okta White Paper

Top Eight Identity & Access Management Challenges with SaaS Applications. Okta White Paper Top Eight Identity & Access Management Challenges with SaaS Applications Okta White Paper Table of Contents The Importance of Identity for SaaS Applications... 2 1. End User Password Fatigue... 2 2. Failure-Prone

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS WHITEPAPER SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS EXECUTIVE OVERVIEW 2-Factor as a Service (2FaaS) is a 100% cloud-hosted authentication solution that offers flexible security without compromising user

More information

Hybrid Cloud Identity and Access Management Challenges

Hybrid Cloud Identity and Access Management Challenges Hybrid Cloud Identity and Access Management Challenges Intro: Timothy P. McAliley timothy.mcaliley@microsoft.com Microsoft Premier Field Engineer, SQL Server, Washington, DC CISA, CISM, CISSP, ITIL V3,

More information

ADDING STRONGER AUTHENTICATION for VPN Access Control

ADDING STRONGER AUTHENTICATION for VPN Access Control ADDING STRONGER AUTHENTICATION for VPN Access Control Adding Stronger Authentication for VPN Access Control 1 ADDING STRONGER AUTHENTICATION for VPN Access Control A VIRTUAL PRIVATE NETWORK (VPN) allows

More information

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control agility made possible Enterprises Are Leveraging Both On-premise and Off-premise

More information

Advanced Configuration Steps

Advanced Configuration Steps Advanced Configuration Steps After you have downloaded a trial, you can perform the following from the Setup menu in the MaaS360 portal: Configure additional services Configure device enrollment settings

More information

Identity & Access Management in the Cloud: Fewer passwords, more productivity

Identity & Access Management in the Cloud: Fewer passwords, more productivity WHITE PAPER Strategic Marketing Services Identity & Access Management in the Cloud: Fewer passwords, more productivity Cloud services are a natural for small and midsize businesses, with their ability

More information

Customer Identity and Access Management (CIAM) Buyer s Guide

Customer Identity and Access Management (CIAM) Buyer s Guide Customer Identity and Access Management (CIAM) Buyer s Guide Shifting Marketplace Over the last five years, there has been a major shift in how enterprises need to look at and secure customer identities

More information

Office 365 deploym. ployment checklists. Chapter 27

Office 365 deploym. ployment checklists. Chapter 27 Chapter 27 Office 365 deploym ployment checklists This document provides some checklists to help you make sure that you install and configure your Office 365 deployment correctly and with a minimum of

More information

SINGLE & SAME SIGN-ON ASPECTS

SINGLE & SAME SIGN-ON ASPECTS SINGLE & SAME SIGN-ON ASPECTS OF AZURE ACTIVE DIRECTORY Harold Baele Senior ICT Trainer JULY 2, 2015 SLIDE 1 TRAINER INFO Harold Baele MCT at RealDolmen Education Harold.baele@realdolmen.com - @hbaele

More information

Cisco Mobile Collaboration Management Service

Cisco Mobile Collaboration Management Service Cisco Mobile Collaboration Management Service Cisco Collaboration Services Business is increasingly taking place on both personal and company-provided smartphones and tablets. As a result, IT leaders are

More information

Ondřej Výšek Sales Lead, Microsoft MVP. vysek@kpcs.cz

Ondřej Výšek Sales Lead, Microsoft MVP. vysek@kpcs.cz Ondřej Výšek Sales Lead, Microsoft MVP vysek@kpcs.cz Azure Active Directory Features Free edition Basic edition Premium edition Directory as a service User and group management using UI or Windows PowerShell

More information

EXECUTIVE VIEW. Centrify Identity Service. KuppingerCole Report. by Martin Kuppinger January 2015

EXECUTIVE VIEW. Centrify Identity Service. KuppingerCole Report. by Martin Kuppinger January 2015 KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger January 2015 by Martin Kuppinger mk@kuppingercole.com January 2015 Content 1 Introduction... 3 2 Product Description... 4 3 Strengths and Challenges...

More information

CLAIMS-BASED IDENTITY FOR WINDOWS

CLAIMS-BASED IDENTITY FOR WINDOWS CLAIMS-BASED IDENTITY FOR WINDOWS TECHNOLOGIES AND SCENARIOS DAVID CHAPPELL FEBRUARY 2011 SPONSORED BY MICROSOFT CORPORATION CONTENTS Understanding Claims-Based Identity... 3 The Problem: Working with

More information

Avoid the Hidden Costs of AD FS with Okta

Avoid the Hidden Costs of AD FS with Okta Okta White paper Avoid the Hidden Costs of AD FS with Okta Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 info@okta.com 1-888-722-7871 wp-adfs-031413 Table of Contents 1 Challenges of

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Administration guide version 1.0.1 Publication history Date Description Revision 2015.09.24 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

CRM Buyers Guide CRM Buyers Guide

CRM Buyers Guide CRM Buyers Guide CRM Buyers Guide If you have any questions, please call +46 8 59038010 where one of our analysts will be happy to help you understand your options and find a good solution. Introduction CRM solutions provide

More information

Protect Everything: Networks, Applications and Cloud Services

Protect Everything: Networks, Applications and Cloud Services Protect Everything: Networks, Applications and Cloud Services Tokens & Users Cloud Applications Private Networks Corporate Network API LDAP / Active Directory SAML RADIUS Corporate Network LDAP / Active

More information

CA Technologies Strategy and Vision for Cloud Identity and Access Management

CA Technologies Strategy and Vision for Cloud Identity and Access Management WHITE PAPER CLOUD IDENTITY AND ACCESS MANAGEMENT CA TECHNOLOGIES STRATEGY AND VISION FEBRUARY 2013 CA Technologies Strategy and Vision for Cloud Identity and Access Management Sumner Blount Merritt Maxim

More information

Microsoft Enterprise Mobility Suite

Microsoft Enterprise Mobility Suite Microsoft Enterprise Mobility Suite Standalone - overview Peter Daalmans http://configmgrblog.com, peter@daalmans.com IT-Concern John Marcum Enterprise Client Management Architect / johnmarcum@outlook.com

More information

TrustedX - PKI Authentication. Whitepaper

TrustedX - PKI Authentication. Whitepaper TrustedX - PKI Authentication Whitepaper CONTENTS Introduction... 3 1... 4 Use Scenarios... 5 Operation... 5 Architecture and Integration... 6 SAML and OAuth 7 RESTful Web Services 8 Monitoring and Auditing...

More information

People-Focused Access Management. Software Consulting Support Services

People-Focused Access Management. Software Consulting Support Services People-Focused Access Management Software Consulting Support Services A beautiful experience. Anytime, anywhere. Access: One is an industry-leading Access Management platform that provides you with versatile

More information

Google Apps Deployment Guide

Google Apps Deployment Guide CENTRIFY DEPLOYMENT GUIDE Google Apps Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate

More information

WHITEPAPER. Identity Access Management: Beyond Convenience

WHITEPAPER. Identity Access Management: Beyond Convenience WHITEPAPER Identity Access Management: Beyond Convenience INTRODUCTION Identity and Access Management (IAM) is the official description of the space in which OneLogin operates in but most people who are

More information

Swivel Secure and the Cloud

Swivel Secure and the Cloud Swivel Secure and the Cloud Authentication for Cloud Application Abstract This document describes the issues relating to authenticating to cloud applications and how the Swivel authentication platform

More information

Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 Okta White paper Directory Integration with Okta An Architectural Overview Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 info@okta.com 1-888-722-7871 wp-dint-053013 Table of Contents

More information