Article

Simplifying Identity Management in a SaaS World

Since Salesforce launched almost two decades ago, Software-as-a-Service (SaaS) has been taking enterprises by storm. With vendors like Microsoft and Adobe moving their core applications to subscription-based models, and vendors like Box and ServiceNow replacing on-premises solutions with cloud-based solutions, SaaS has become the preferred way to consume core business software.

The proliferation of cloud-based applications poses an identity management challenge to many IT organizations. On-premises applications are usually integrated with Active Directory, providing users with some form of single sign-on. Cloud applications, by their very nature, can’t reach the on-premises Active Directory environment. This requires individual user accounts on each system, and it can lengthen the user onboarding and offboarding process.

This identity diaspora can also pose security risks for today’s enterprise. When an employee leaves, someone from the enterprise (HR, IT Administration, Security) needs to log into each cloud-based system authorized for the departing employee and disable the user account. Without some form of central management, IT may not know which systems have active user accounts, and the user may retain access to sensitive business data while IT tries to locate their accounts.  

The Evolution of Identity Management Technologies

Identity management technologies have evolved to address these challenges and to provide a bridge between on-premises Active Directory environments and cloud-based services. Formats like WS-Federation and Security Assertion Markup Language, or SAML, allow systems to securely pass authentication and authorization data between systems without having to pass usernames and passwords. Early versions of identity management systems would use WS-Federation, SAML, and other formats to bridge Active Directory to cloud applications, but user rights and licenses still had to be managed in the SaaS application itself.

Today, modern identity management does more than just bridge Active Directory to cloud applications. Services like Okta and vRealize Identity Manager can also provision users, manage permissions and assign licenses in cloud applications. These services have APIs that enable IT to integrate the identity management system with self-service catalogs in ServiceNow.

The benefit of this is twofold. One is that integration with a Service Catalog can allow for self-service application management. Users with permission from managers when required, can request and provision their own cloud applications. This can reduce the amount of unauthorized cloud services that are used in the enterprise. The other benefit is that disabling access to cloud applications is as simple as disabling their user account in Active Directory (AD). Once the AD account is disabled, the user will be unable to log into their cloud applications.

Many clients have questions on how to manage identities as they adopt cloud applications like Office365, ServiceNow, and Box. AHEAD partners with leading vendors in the identity management space, offering solutions that help enterprises transition from on-premises applications to cloud-hosted applications and services.

At Knowledge17 in Orlando last month, AHEAD provided a demonstration on how an Enterprise can leverage the ServiceNow platform on the front end of the user ID creation process. This process can certainly be extended beyond basic User ID creation and deletion to leverage and reference all SaaS authorized systems. You can see the demo here as one example of what AHEAD is doing in this space.

Real World Use Cases

AHEAD has adopted the Software-as-a-Service model for all of our core business applications. This includes Google apps for business productivity and email, Salesforce for CRM, and Slack for collaboration. In order to manage the accounts for these systems and simplify operations, AHEAD has adopted Okta as the primary identity management platform. New users are provisioned into Active Directory, and application access and role can be determined by membership in specific Active Directory groups. IT only has to touch one system, Active Directory, to grant users access to the various SaaS applications. Onboarding new applications is easy too. Okta’s pre-built integrations allow IT to easily integrate the new application into the corporate application landscape.

For more examples, and to learn about AHEAD’s identity management offerings, schedule a briefing in the AHEAD Executive Briefing Center. AHEAD’s End-User Computing and Cloud Computing experts will discuss the details around identity management and how it fits into your end-user computing and cloud strategy.