Active Directory Integration WHITEPAPER




Even as enterprises continue to adopt more cloud applications, Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) still play a critical role in how information security, personal computers and users are managed. This whitepaper describes how OneLogin securely connects your Active Directory infrastructure to OneLogin and your cloud applications.

DIRECTORY INTEGRATION ADVANTAGE

There are several other advantages to directory integration besides enabling users to sign into applications with the existing network credentials:

Eliminate passwords. The combination of SAML-based single sign-on and OneLogin's AD integration eliminates passwords for all the applications that support SAML. Fewer passwords mean reduced IT workload and increased security.

Unify multiple directories. For organizations that have their user base spread over multiple directories, OneLogin can combine and present them as one, unified directory to other applications for federation via SAML.

Avoid point-to-point application integration. Some applications can delegate authentication to a directory via LDAP; however, as the number of applications increases, the cost of maintaining the integrations increases, and your firewall ends up looking like Swiss cheese.

Centralized access control. Instead of signing into applications directly, users must authenticate via the identity provider, subject to multiple authentication factors.

Centralized audit trail. All sign-in activity is recorded in a centralized audit trail, which simplifies compliance and enables cross-application analysis.

The rest of this white paper goes into more detail about how OneLogin integrates with AD. (Note that a similar white paper exists about OneLogin's LDAP integration.)

FIGURE 1. ONELOGIN TO INSTALLATION

Integrating internal directories with cloud applications can be an expensive and cumbersome process that frustrates IT administrators and causes maintenance headaches for the entire organization. OneLogin's AD integration sets a new standard for ease-of-use with its no-touch installation process, which can be completed in as little as one minute.

ONE-MINUTE INSTALLATION

The AD Connector is installed by downloading a Windows executable that deploys the Connector as a Windows service. Because the AD Connector runs as a Windows service, you don't have to worry about manually restarting it after a Windows reboot. OneLogin issues a unique 40-character security token for each directory connected with OneLogin, which must be entered during the connector installation process. OneLogin uses it to identify each directory.

NO FIREWALL CHANGES REQUIRED

The AD Connector does not require any firewall changes to communicate with OneLogin, as all communication is performed over two separate, outbound SSL connections (see Figure 2).

FIGURE 2. OUTBOUND SSL CONNECTIONS TO ONELOGIN

The connection for authentication and password updates is a persistent connection that the AD Connector keeps up at all times. If, for some reason, the connection fails, the AD Connector re-establishes it immediately. The Connector for user synchronization communicates with OneLogin's REST API and is only established when there are pending user updates.

HIGH-AVAILABILITY

The AD Connector also supports high-availability mode, in which there are multiple domain controllers per domain (see Figure 3). You can install multiple AD Connectors per controller, all of which will be connected to OneLogin simultaneously. One Connector is designated as the primary Connector. If OneLogin is unable to reach the primary Connector, one of the secondary Connectors is promoted to primary, automatically.

FIGURE 3. ACTIVE DIRECTORY FAIL-OVER

Figure 3 shows how multiple connectors can run in parallel. You can even install multiple connectors per AD instance. Administrators can also manually promote AD Connectors or bring them online or offline in OneLogin.

BI-DIRECTIONAL USER SYNCHRONIZATION

REAL-TIME USER SYNCHRONIZATION

When users are created, updated or disabled in AD, the changes are pushed to OneLogin in real-time, which has several key benefits. New users don't have to wait until the next periodic sync before they can sign into OneLogin and start using their applications. When employees or contractors leave the company, the real-time user sync provides an instant kill switch that effectively locks users out of OneLogin, which prevents unauthorized access and data loss. For applications that are being provisioned by OneLogin, the real-time aspect is twice as useful. For example, when a user is created in AD and mapped to the Sales security group, OneLogin provisions a user in the target application within seconds.

FULL AD ATTRIBUTE MAPPING

As a minimum, OneLogin synchronizes email address, SAM Account, distinguishedName and memberOf, i.e. security group memberships. You can also configure OneLogin to synchronize additional fields and map them to custom fields. Note that OneLogin does not synchronize passwords from AD, unless the administrator explicitly enables this feature.

AD USER PROVISIONING

If you are managing users in OneLogin or Workday, you can configure OneLogin to automatically push user updates to AD. For example, if Workday is the system of record for users, any new user in Workday is automatically created in OneLogin and in AD (see Figure 4).

FIGURE 4. WORKDAY PROVISIONING INTO ONELOGIN

You can even use Workday provisioning groups to define the user's organizational unit and permission groups. For more information on how OneLogin integrates with Workday, read the OneLogin for Workday whitepaper.

AD SECURITY GROUPS

OneLogin automatically imports user AD security group memberships, which can be used to automate the assignment of applications to users. This is done via powerful rule-based mappings that make it possible to express rules such as the following:

For all users where OU contains Sales and OU does not contain USA
Assign the roles Employee and European Sales

Roles are the mechanism within OneLogin that assigns applications to users. A user can have multiple roles, and one application can belong to multiple roles. For example:

Employee role: Box, Google Apps, Workday, Yammer
Marketing role: Marketo, Salesforce, WordPress
Sales role: Salesforce, Zendesk

Even though both the marketing and sales roles contain Salesforce, assigning both roles to a user will only give the user one Salesforce login.

DELEGATED AUTHENTICATION

The outbound, persistent connection from the AD Connector enables OneLogin to validate user credentials against AD, without having to store any AD passwords in OneLogin. When a user tries to sign into OneLogin by entering the username and password, OneLogin sends a delegated authentication request to the AD Connector, which in turn validates the user's credentials against AD. Delegated authentication ensures that your AD passwords are not stored anywhere outside the firewall.

FIGURE 5. ONELOGIN DELEGATED AUTHENTICATION
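The following is an added illustration, not OneLogin's code, of how the OU-based mapping rule in the AD SECURITY GROUPS section and the role-to-application resolution just described fit together: the OU components are read from the synchronized distinguishedName, each rule assigns roles, and the roles' applications are merged into a set so a user holding two roles that both contain Salesforce still gets one Salesforce entry. The user records, the rule table and the "European Sales" application list are constructed for the example.

```python
# Added example (not OneLogin code): evaluate rule-based mappings such as
# "OU contains Sales and OU does not contain USA -> Employee, European Sales"
# over the synchronized AD attributes, then resolve roles to one de-duplicated
# application set, so that two roles sharing Salesforce yield a single login.
from typing import Dict, List, Set, Tuple

# Constructed sample users carrying the minimum synchronized attributes.
USERS = [
    {"mail": "anna@example.com", "sAMAccountName": "anna",
     "distinguishedName": "CN=Anna,OU=Sales,OU=EMEA,DC=example,DC=com",
     "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},
    {"mail": "bob@example.com", "sAMAccountName": "bob",
     "distinguishedName": "CN=Bob,OU=Sales,OU=USA,DC=example,DC=com",
     "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},
]

# Role -> applications as listed in the whitepaper; "European Sales" is assumed.
ROLE_APPS: Dict[str, List[str]] = {
    "Employee": ["Box", "Google Apps", "Workday", "Yammer"],
    "Marketing": ["Marketo", "Salesforce", "WordPress"],
    "Sales": ["Salesforce", "Zendesk"],
    "European Sales": ["Salesforce", "Zendesk"],
}

# (OU substrings that must match, OU substrings that must not match, roles).
RULES: List[Tuple[List[str], List[str], List[str]]] = [
    (["Sales"], ["USA"], ["Employee", "European Sales"]),
    (["Sales", "USA"], [], ["Employee", "Sales"]),
]

def ou_components(dn: str) -> List[str]:
    """OU values of a distinguishedName (assumes no escaped commas in the DN)."""
    return [p[3:] for p in dn.split(",") if p.upper().startswith("OU=")]

def ou_contains(ous: List[str], needle: str) -> bool:
    return any(needle.lower() in ou.lower() for ou in ous)

def roles_for(user: dict) -> Set[str]:
    """Apply every rule whose conditions hold; a user may end up with several roles."""
    ous = ou_components(user["distinguishedName"])
    roles: Set[str] = set()
    for must, must_not, assigned in RULES:
        if all(ou_contains(ous, m) for m in must) and not any(ou_contains(ous, n) for n in must_not):
            roles.update(assigned)
    return roles

def apps_for(roles: Set[str]) -> Set[str]:
    """Union of the roles' applications; a set, so Salesforce appears once."""
    return {app for role in roles for app in ROLE_APPS.get(role, [])}
```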

AD PASSWORD UPDATES

When a user with an expired password tries to sign into OneLogin, they are prompted to enter the existing password and select a new password that complies with password requirements as defined by the user's security policy in OneLogin. Security policies define password minimum length, whether the password must contain digits or special characters, how often the password expires and how long to prevent reuse of old passwords. Once the user enters a valid new password, OneLogin updates the user's password in Active Directory and the user is signed into OneLogin. It is possible to disable this password update feature in OneLogin.

COMPLEX DIRECTORY INFRASTRUCTURES

For organizations with multiple directories, OneLogin is a real life saver, because it allows for the integration of any number of AD and LDAP directories, and presents them as a single directory to other applications (see Figure 4). Most applications are only able to integrate with one directory per customer, but the combination of OneLogin's directory integration capabilities and SAML overcomes this limitation.

FIGURE 6. COMPLEX DIRECTORY INFRASTRUCTURE
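As an added example (not OneLogin's code), the check below models the security-policy dimensions listed in the AD PASSWORD UPDATES section: minimum length, digit and special-character requirements, an expiry interval, and a reuse window enforced against a salted fingerprint history rather than stored old passwords. The policy field names, the PBKDF2 fingerprint and the sample user state are assumptions made for the example.

```python
# Added example (not OneLogin code): check a replacement password against a
# security policy like the one described before it would be written to AD.
import hashlib, re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass
class SecurityPolicy:                 # field names are assumptions
    min_length: int = 12
    require_digit: bool = True
    require_special: bool = True
    expires_after_days: int = 90
    reuse_window_days: int = 365      # old passwords may not be reused within this period
@dataclass
class UserState:
    salt: str                         # per-user salt for the history fingerprints
    password_set_at: datetime
    history: list[tuple[str, datetime]] = field(default_factory=list)  # (fingerprint, set_at)

def fingerprint(password: str, salt: str) -> str:
    # Salted PBKDF2, so the reuse check never needs old passwords in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()

def is_expired(user: UserState, policy: SecurityPolicy, now: datetime) -> bool:
    return now - user.password_set_at >= timedelta(days=policy.expires_after_days)

def policy_violations(candidate: str, user: UserState, policy: SecurityPolicy,
                      now: datetime) -> list[str]:
    """Every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not re.search(r"\d", candidate):
        problems.append("no digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    fp, window = fingerprint(candidate, user.salt), timedelta(days=policy.reuse_window_days)
    if any(fp == old and now - set_at < window for old, set_at in user.history):
        problems.append("reused within the reuse window")
    return problems

def change_password(candidate: str, user: UserState, policy: SecurityPolicy,
                    now: datetime) -> bool:
    # Record the change only when the policy passes; the AD update would follow.
    if policy_violations(candidate, user, policy, now):
        return False
    user.history.append((fingerprint(candidate, user.salt), now))
    user.password_set_at = now
    return True
# Constructed sample state: password last set on 1 Jan 2024, checked on 15 Apr 2024.
SAMPLE_USER = UserState(salt="constructed-salt", password_set_at=datetime(2024, 1, 1))
NOW = datetime(2024, 4, 15)
```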

ACTIVE DIRECTORY FEDERATION SERVICES

OneLogin can co-exist and seamlessly integrate with your Active Directory Federation Services (AD-FS). Through OneLogin's catalog of thousands of pre-integrated applications, you can use AD-FS to sign users into OneLogin and directly into SAML-capable applications. Rather than investing time and energy learning how to integrate applications into AD-FS, you can simply leverage OneLogin's integration capabilities. For more information about how OneLogin can integrate with AD-FS, please refer to the Trusted IdPs whitepaper.

REMOTE MANAGEMENT

OneLogin supports key remote management capabilities including ADC auto-update as well as remote log retrieval.

CONCLUSION

OneLogin's cloud identity management platform provides secure single sign-on, multifactor authentication, integration with common directory infrastructures such as Active Directory, LDAP, and various cloud directories, and provides user provisioning and more. OneLogin's turnkey solutions easily and seamlessly connect your Active Directory infrastructure to OneLogin and your cloud applications without compromising security or productivity.

ABOUT ONELOGIN

OneLogin is the innovator in enterprise identity management and provides the industry's fastest, easiest and most secure solution for managing internal and external users across all devices and applications. The only Challenger in Gartner's IDaaS MQ, considered a Major Player in IAM by IDC, and Ranked #1 in Network World Magazine's review of SSO tools, OneLogin's cloud identity management platform provides secure single sign-on, multi-factor authentication, integration with common directory infrastructures such as Active Directory and LDAP, user provisioning and more. OneLogin is SAML-enabled and pre-integrated with thousands of applications commonly used by today's enterprises, including Microsoft Office 365, Asure Software, BMC Remedyforce, Coupa, Box, Clarizen, DocuSign, Dropbox, Egnyte, EMC Syncplicity, EchoSign, Google Apps, Jive, Innotas, LotusLive, NetSuite, Oracle CRM On-Demand, Parature, Salesforce.com, SuccessFactors, WebEx, Workday, Yammer, ServiceNow, Zscaler and Zendesk. OneLogin, Inc. is backed by CRV and The Social+Capital Partnership.