One of the fundamental shifts in how IT services are delivered to end users is the concept of Software as a Service, or SaaS applications. These applications are very easy to pilot, test, deploy, and support, and the business is able to simply subscribe for a nominal monthly cost without engaging the corporate IT organization.
With the increasing use of SaaS applications, organizations have to take a deeper look at how users authenticate to these applications. Without diving into users' bad password habits, organizations need a bridge between their on-premise directories, such as Active Directory, and their off-premise applications. This post discusses some of the challenges inherent in authentication and the user experience.
Where does Federation fit in?
Federation encompasses several public standards, with the end result of enabling off-premise and disconnected applications to trust and leverage your on-premise directory for authentication, and optionally, role and authorization information. In other words, federation is used to provide a single sign on experience for your users, leveraging their already known username and password stored in Active Directory. A federation solution takes the user credentials, authenticates them against the directory, and then creates a claim for the user and the application.
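To make the flow concrete, here is an added example (not code from the original post or from Celestix) of the three steps just described: the federation server authenticates the user against the directory, builds a claim, and hands the application a signed assertion that it can verify without ever seeing the password. The directory contents, the user, the audience URL and the signing key are all constructed for the example; a shared HMAC key stands in for the certificate-based XML signatures real federation protocols use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the on-premise directory (e.g. Active Directory):
# username -> salt, PBKDF2 password hash, and group membership.
# Passwords and hashes never leave this side of the federation boundary.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_ALICE = b"constructed-salt-1"
DIRECTORY = {
    "alice": {
        "salt": _SALT_ALICE,
        "hash": _hash_password("correct horse", _SALT_ALICE),
        "groups": ["finance"],
    },
}

# Trust key shared between the federation server (IdP) and the SaaS app (SP).
# Assumption for this example: HMAC replaces the IdP private key / SP-trusted
# certificate pair used by SAML or WS-Federation.
IDP_SIGNING_KEY = b"constructed-idp-key"
IDP_ISSUER = "https://idp.example.internal"  # constructed issuer id


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def authenticate(username: str, password: str) -> Optional[dict]:
    """Step 1: check the credentials against the directory, constant-time."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(_hash_password(password, entry["salt"]), entry["hash"]):
        return None
    return entry


def issue_claim(username: str, password: str, audience: str,
                now: Optional[int] = None, ttl: int = 300) -> Optional[str]:
    """Steps 2-3 on the IdP side: build the claim and sign it for one audience."""
    entry = authenticate(username, password)
    if entry is None:
        return None
    now = int(time.time()) if now is None else now
    claims = {
        "iss": IDP_ISSUER,
        "sub": username,
        "aud": audience,          # the application this claim is valid for
        "groups": entry["groups"],  # optional role/authorization information
        "iat": now,
        "exp": now + ttl,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_claim(token: str, expected_audience: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """SP side: accept the claim only if the signature, audience and expiry check out."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or signed by an untrusted party
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None  # replayed against a different application or issuer
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


if __name__ == "__main__":
    token = issue_claim("alice", "correct horse", "https://saas.example.com")
    print("claim accepted by SP:", verify_claim(token, "https://saas.example.com"))
    print("wrong password issues claim:", issue_claim("alice", "wrong", "https://saas.example.com"))
```

The point to notice is what each side holds: the application only ever stores the IdP trust key and the claims it receives, so the user's password hash stays in the directory rather than being replicated to a third party.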
To overcome some of the complexity associated with using federation with SaaS applications, Identity as a Service (IDaaS) providers have entered the market to provide a relatively low cost approach to enabling single sign on. These services are typically per-user subscription models, and can scale up or down as needed. Once the IDaaS provider has enabled federation for one application, they can replicate that across their customer base, leveraging economies of scale (do once, repeat infinitely).
IDaaS vs On-Premises Federation
The question then is, why should companies implement an on-premise federation solution? This is a great question, and ultimately, it depends on several security and risk factors. According to Randall Gamby, Information Security Officer from CMA consulting, “Identity is the first component of regulatory compliance. Before you can ensure the right people have the right access to the right data, you have to make sure you have the right people.”
One of the most obvious concerns is that you have to trust the IDaaS provider's security practices and organization. When using an IDaaS solution, the subscribing organization has to synchronize their Active Directory (or another directory) to the IDaaS portal. This means that your users' identity information, including password information, is replicated and stored outside of your control. You are then accepting the risk, and bound by the IDaaS provider's trust, security, and notification processes. If they experience a breach, are you notified? Who has access to the data? Who does the IDaaS provider hire, and what is their vetting process? These are fundamental questions that need to be answered.
Another issue is the governance, risk, and compliance (GRC) aspect. How is auditing performed? Do you have access not only to your users' audit activity, but also to a record of the provider accessing your user information? How is non-repudiation handled? Can you validate that the user is who they say they are? If these are concerns for your organization, it may be better to leverage an on-premise federation solution.
Ultimately, the relationship between IDaaS providers and customers is an evolving one. However, companies that are looking to implement federation need to look at the risk side of the equation and ensure that they still own and manage the identities throughout the chain and lifecycle, from initial provisioning to termination: that breaches are handled correctly, that only appropriate administrators can make changes, and that only authorized users are allowed to view sensitive data.
To learn how Celestix ADFS Bridge solution can help you overcome these challenges, while allowing you to retain your user credentials at one place in the Active Directory, visit here. You can also drop us a note at firstname.lastname@example.org or talk to one of our sales representatives on 510.668.0700.