After sharing war stories about passwords, we’re going to take a look at another important part of your internal IT security: identity management. This is the process of maintaining your user database, including who is added to your corporate directory, what happens if they change their name or change their role, how you handle their account if they go on extended leave, and what you do when they leave your organization. There’s a good chance that your organization has some pretty good policies and procedures around all of this already (or should have), and will rely on some input from your HR department.
Access to SaaS applications in the cloud also requires the establishment and management of corporate identities, so this is a really good thing to have sorted out BEFORE you create your first lot of cloud accounts. Note: my options are mostly Microsoft-centric because that’s what I know. Feel free to leave a comment and tell me what else works.
The worst case is that your SaaS application has a user directory that is completely isolated from your organization's. And while there are some cases where that separation might be beneficial, it means that you are going to have to run TWO processes and change things in two systems (in your corporate directory and in the cloud) whenever identities change. It’s possible, but also annoying. It means your users will have two logins and two passwords to maintain. Last time in the comments, we touched on the pain of different password lengths/qualities and expirations across different systems. The other problem is the risk of things getting out of sync. If your new process is not followed to the letter, you could end up with an ex-employee whose corporate account is disabled but who still has access to your corporate information in the SaaS application. I hope they left on good terms.
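As an added example (not code from the original post), here is a reconciliation check for the out-of-sync risk just described: it matches a SaaS user export against the corporate directory on an immutable id rather than on the login name, so a disabled or missing corporate account is flagged as an orphan while a plain name change is reported separately instead of as a false orphan. The record layouts and sample users are constructed assumptions.

```python
# Added example, not from the original post: reconcile a SaaS user export against
# the corporate directory to find accounts that drifted out of sync (sample data).
from dataclasses import dataclass

@dataclass(frozen=True)
class DirectoryUser:
    object_id: str   # immutable id that survives a rename (objectGUID-style); assumed field
    upn: str         # user principal name; changes when someone changes their name
    enabled: bool

@dataclass(frozen=True)
class SaasUser:
    immutable_id: str  # the directory object_id stored when the user was provisioned
    login: str
    active: bool

def find_orphans(directory, saas):
    """Active SaaS logins with no enabled corporate account behind them."""
    by_id = {u.object_id: u for u in directory}
    orphans = []
    for s in saas:
        if not s.active:
            continue  # already deactivated in the SaaS app, nothing to report
        corp = by_id.get(s.immutable_id)
        if corp is None:
            orphans.append((s.login, "no corporate account"))
        elif not corp.enabled:
            orphans.append((s.login, "corporate account disabled"))
    return orphans

def find_stale_logins(directory, saas):
    """(saas_login, current_upn) pairs where a rename never reached the SaaS app."""
    by_id = {u.object_id: u for u in directory}
    return [(s.login, by_id[s.immutable_id].upn) for s in saas
            if s.immutable_id in by_id
            and s.login.lower() != by_id[s.immutable_id].upn.lower()]

# Constructed sample exports (not real users).
DIRECTORY = [
    DirectoryUser("1001", "alice@example.com", True),
    DirectoryUser("1002", "bob@example.com", False),         # left; disabled on-prem only
    DirectoryUser("1003", "carol.jones@example.com", True),  # renamed from carol.smith
]
SAAS = [
    SaasUser("1001", "alice@example.com", True),
    SaasUser("1002", "bob@example.com", True),          # still active in the SaaS app
    SaasUser("1003", "carol.smith@example.com", True),  # login never updated after rename
    SaasUser("1004", "dave@example.com", True),         # provisioned in the SaaS app only
    SaasUser("1005", "erin@example.com", False),        # already deactivated, not reported
]
```

Running `find_orphans(DIRECTORY, SAAS)` reports bob and dave but not carol, because the match is on the immutable id; `find_stale_logins` then surfaces carol's outdated login as a separate housekeeping item.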
At the other end of the scale, we have directory integration. In the Microsoft world, that’s either Federation or Directory Synchronization. The concept of Federation is pretty cool. My favorite analogy is a theme park pass. With Federation, the San Diego Zoo AND Knott’s Berry Farm will both let you in with a SoCal Theme Park Pass ticket, even though that ticket wasn’t issued by them. You can continue to do your own identity management internally, and when you suspend an account, it no longer gets access to your SaaS application. Your users enjoy single sign-on, passwords never leave your organization, and multi-factor authentication is supported. Azure Active Directory even talks to third-party identity providers like PingFederate and Okta.
The gotcha with Federation is that it requires some resilient infrastructure. If your ADFS server is unavailable, people can’t authenticate. For this reason, it’s generally discouraged for smaller businesses.
Directory Synchronization is another option. This connector manages updates between your on-premises Active Directory and Azure Active Directory, and also lets you filter which internal accounts sync up to the cloud.
You can then use Azure Active Directory Premium to provide single sign-on to many compatible SaaS applications. You can also hide the password to those systems, so, for example, your marketing team can access your corporate social media account and never know the password. In that case, if they leave, they can’t log in with the generic account even if you haven’t changed its password yet, because they never knew it.
See Simon May’s extensive list of resources for Active Directory Federation Services (ADFS) and Azure Active Directory Sync (DirSync).
Outside of the Microsoft world, maybe you’ll take a look at one of the many Identity-as-a-Service players. If you’re interested, Gartner even has a magic quadrant for it. My favorite has to be OneLogin for its ease of use and powerful features.
Of course, all of this is useless if the SaaS application you are considering doesn’t support any kind of directory integration. Then you’re back to that manual process. But better to find out during your discovery and pilot process as opposed to after you’ve been asked to provision 300 users.
Share your thoughts on the following: Is identity management a show stopper for SaaS adoption? Is it easy with your current infrastructure? Or do you shudder just thinking about it?