These tools provide the capabilities to safeguard identity and profile information, as well as data governance functions to ensure that only data that is required and appropriate is shared.
IAM systems can be deployed on-premises or provided by a third-party vendor through a cloud-based subscription model or deployed in a hybrid cloud.
Identity and Access Management provides simplicity when it comes to the user experience and enables your organisation to have tighter control over who and what has access to their systems.
At the centre of IAM is a unified sign-on, also referred to as single sign-on or SSO.
This process allows your users to login to different web-based applications with one set of credentials.
One set of credentials improves the user experience as they employees don’t have to remember or manage multiple credentials and passwords.
This is assuming that they follow good security measures by not sharing the same passwords across multiple applications.
SSO reduces the possibility of employee credentials getting exposed or exposing your organisation to risk with the all too common password on a notepad.
Single sign-on is key in alleviating the need for and stress of recalling a multitude of credentials.
Single sign-on is one side of the IAM coin. The other side authentication.
Authentication is the crucial security layer.
Two-factor authentication (2FA) or multi-factor authentication (MFA) requires the user to verify their identity before access is authorised by challenging them with another form of authentication. This is usually done on critical applications. You can set conditions on when to challenge the user, for example, if a user is trying to access the application outside of the organisation’s network or if the user is accessing the application from a new device or new geo-location.
Defining Single Sign-On (SSO)
SSO can be defined in different ways:
Single sign-on. A single point of entry to all web-based applications. In the context of Identity and Access Management, any reference to SSO generally means single sign-on.
Same sign-on. This copies the username and password to other applications. Relevant to on-premise, legacy and Active Directory systems. By synchronising identities, it acts as a link between those systems and the cloud.
Seamless sign-on. The user’s credentials are related to other services, avoiding the need to login to services individually. Typically in the context of Azure Active Directory.
SAML. Security Assertion Markup Language is a common technology used as the link between identity and access management apps and cloud-based apps.
SAML is the standard for exchanging authentication and authorisation data, typically between an identity provider and a service provider.
10 Steps for a successful single sign-on implementation:
1. Define Application Matrix
Identify all the apps that you want to roll out for effective execution in separate phases. Think of fast but real wins.
2. Implementation Architecture
Do you want the delegated master to be the AD or Google apps?
For example, if you decide on Active Directory as the master, all authentication requests will be delegated to your Active directory by the identity provider, allowing users to sign in with their AD credentials. The IAM solution should automatically import the existing group hierarchy from Active Directory, simplifying the deployment.
3. Scope of the Roll-Out
Identify which apps are SWA and which are SAML within the organisation. For some applications, if you want to enable SAML or provisioning, you will need additional licenses.
4. Multi-Factor Authentication
You need to ask questions like; do you have most of your high-risk apps behind two-factor? Has it been enabled for all high-risk apps currently? Will this implementation provide a significant security advantage or more of a user-convenience? Audit your existing applications on what value this single sign-on tool will provide.
5. Shared Accounts
Identify the owners of shared accounts and plan this ahead of the single sign-on roll-out.
6. Response Times, SLA, and Availability
Ensure that the IAM solution can integrate with multiple Active Directory domains/forests and LDAP directories so that in the event of one domain controller being down, your users can still authenticate.
7. Implementation Window
The SAML implementation for other applications is “all or nothing,” this can affect the way people access applications. There can be a significant downtime depending on the application.
Remember to involve all the other service providers and can make the necessary changes on their end during the same time.
For example, they would need to know all employee email IDs and meta-data from your identity provider and enable the application configuration (SAML) at the same time to minimise the downtime.
8. Integration of Logs and Continuous Monitoring
Integrate Single sign-on logs into your log and monitoring system.
You will need to log critical events (login name, source address, geo-location, application access date and time, success or failure, User-Agent, etc). Then forward it to your monitoring system and integrate this process as part of your security operations.
Ensure your security operations team is trained to analyse and respond to intrusions and suspicious events.
9. Temp and Contractor Employees
In most cases, temp and contractor employees are not part of all communication channels employees belong to. In some cases, if contractors access your corporate apps, you will need to make sure they are aware of the roll-out. This will be required especially if you do not have a strict delineation thereby forcing SSO layer to all the apps they access.
10. Testing and Feedback
This part is very important for a successful single sign-on roll-out…
You are changing the routine that users log into different applications. You will be improving the user experience drastically but not everyone will see that way.
In most cases, it’s because users are not comfortable with changing the way they do things. You should include all teams and a few senior management as part of testing for your single sign-on solution. Ensure that every piece of feedback is properly addressed.
A proper identity and access management roadmap is key to successful single sign-on (SSO) implementation.
From the get-go, Single Sign-On is a great concept as it provides end-users with easier access to numerous applications by only using one set of credentials.
But beyond that…
SSO provides better security.
Besides the clear benefits of SSO, it also has some drawbacks…
One of the most obvious will be the high level of complexity as SSO is sort of complicated.
But…by having the right knowledge and patience plus having a clear goal, SSO can be a big advantage if implemented correctly.
Are you ready to find out how mature your company’s IAM program is? Simply click the button below to take our online assessment now ?