The document discusses identity and access management solutions using VASCO's IDENTIKEY Federation Server, including single sign-on capabilities, reducing the cost of managing user identities and authentication across multiple applications and systems, and securing access for internal employees and external business partners. It provides an overview of the key features and benefits of the IDENTIKEY Federation Server for centralized user authentication, identity federation, and single sign-on across various applications.
The IT security problem of today: Password Fatigue
This is a classic login screen on your intranet, a way of getting access using a username and password.
Besides the intranet, your company is also offering other internal applications that require an additional login.
These are applications with the main purpose of offering a service to a select user group, and therefore storing identities in the form of a username and password.
“Provider” is a generic way of referring to both IdPs (Identity Providers) and SPs (Service Providers). There are overlaps when it comes to defining Identity Providers vs. Service Providers. According to OASIS, the organization that created SAML, an Identity Provider is defined as “A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.” A Service Provider is “A role donned by a system entity where the system entity provides services to principals or other system entities” and a Federation is “An association comprising any number of service providers and identity providers.”
In simple terms, and as they relate to identity management, an Identity Provider can be described as a Service Provider for storing identity profiles and offering incentives to other SPs with the aim of federating user identities. It should be noted, however, that Identity Providers can also provide services beyond those related to the storage of identity profiles. In this way the cost of identity management is reduced.
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, Single sign-off is the property whereby a single action of signing out terminates access to multiple software systems. As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication. Single sign-on requires that users literally sign in once to establish their credentials. Systems which require the user to log in multiple times to the same identity are inherently not single sign-on. For example, an environment where users are prompted to log in to their desktop, then log in to their email using the same credentials, is not single sign-on.
As single sign-on provides access to many resources once the user is initially authenticated ("keys to the castle") it increases the negative impact in case the credentials are available to other persons and misused. Therefore, single sign-on requires an increased focus on the protection of the user credentials, and should ideally be combined with strong authentication methods like smart cards and one-time password tokens.
FIdM, or the "federation" of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Identity federation comes in many flavors, including "user-controlled" or "user-centric" scenarios, as well as enterprise controlled or B2B scenarios.
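As an added example (not VASCO code and not the IDENTIKEY product's API), here is a toy model in Python of the SSO and federation properties described above: one identity provider authenticates the user once with an OTP and issues short-lived, audience-bound signed assertions; each service provider verifies the assertion instead of holding a password; a single sign-off revokes access to every application at once. The user name, OTP table, key and SP names are constructed, and HMAC with a shared key stands in for the asymmetric signature a real SAML IdP puts on its assertions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-federation-key"  # constructed; stands in for the IdP's signing key

class IdentityProvider:
    """Central login point: one OTP login, then signed assertions for every federated SP."""
    def __init__(self, otp_check):
        self.otp_check, self.sessions = otp_check, set()  # otp_check stands in for the OTP server
    def login(self, user, otp):
        if self.otp_check(user, otp):      # the only interactive login in the federation
            self.sessions.add(user)
        return user in self.sessions
    def assertion_for(self, user, sp_id, now, ttl=300):
        if user not in self.sessions:      # signed off or never logged in: no assertion
            return None
        claims = json.dumps({"sub": user, "aud": sp_id, "exp": now + ttl}, sort_keys=True)
        payload = base64.urlsafe_b64encode(claims.encode())
        sig = hmac.new(KEY, payload, hashlib.sha256).digest()   # HMAC stands in for XML-DSig
        return payload + b"." + base64.urlsafe_b64encode(sig)
    def sign_off(self, user):
        self.sessions.discard(user)        # single sign-off: one action covers every SP

class ServiceProvider:
    """A federated application: it never sees a password, it only verifies IdP assertions."""
    def __init__(self, sp_id):
        self.sp_id = sp_id
    def accept(self, token, now):
        payload, _, sig = token.partition(b".")
        expected = hmac.new(KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None                    # forged or tampered assertion
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["aud"] != self.sp_id or claims["exp"] <= now:
            return None                    # assertion meant for another SP, or expired
        return claims["sub"]

def demo(now=1_700_000_000):
    otps = {"sandra": "493021"}            # constructed OTP table standing in for DIGIPASS validation
    idp = IdentityProvider(lambda u, o: otps.get(u) == o)
    sharepoint, salesforce = ServiceProvider("sharepoint"), ServiceProvider("salesforce")
    wrong_otp = idp.login("sandra", "000000")
    idp.login("sandra", "493021")
    tok = idp.assertion_for("sandra", "sharepoint", now)
    results = {"wrong_otp_rejected": not wrong_otp,
               "sharepoint_ok": sharepoint.accept(tok, now) == "sandra",
               "replayed_at_salesforce": salesforce.accept(tok, now),
               "expired": sharepoint.accept(tok, now + 301)}
    idp.sign_off("sandra")
    results["after_sign_off"] = idp.assertion_for("sandra", "salesforce", now)
    return results
```

The "keys to the castle" point from the text shows up in the model: one OTP login opens every SP, so the login step and the IdP's signing key are what must be protected, while central sign-off is what makes blocking a leaver a single action.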
Digital identity platforms allow users to log onto third-party websites, applications, mobile devices and gaming systems with their existing identity, i.e. they enable social login. Social login allows public access to your application without the need to manage those users’ identities.
Hello everybody. Let’s give you some help to sell the IDENTIKEY Federation Server.
We will go through 3 case studies.
First one: an existing customer who has a security concern.
Second one: a new customer who has some issues with user management.
And the last one: a customer who would like to decrease the helpdesk costs.
Fasten your seatbelts, let’s start with the first case.
Let’s say hi to Catherine Falcke. She is the CEO of “Beyond the door”. This company sells and installs doors, garage doors, skylights, window security, … More than 100 employees are working for this company.
Good to know is that the company already uses the VASCO IDENTIKEY Authentication Server to protect the remote access for the sales people.
Already a customer of VASCO? Yes. 3 years ago a VASCO reseller sold and installed an IDENTIKEY Authentication Server.
Reason: protection of the remote access for the complete Sales team (25 persons), and protection of OWA for the complete Sales team.
Q: Which edition of IDENTIKEY Authentication Server did the reseller sell?
A: IK Gold, for the web filters.
She remembers, from a previous contact, that it’s no problem to protect all the web based applications with an OTP as well. So she set up a meeting with Brent Kehl from Easysis, her dedicated reseller.
Now we need to get more information from Ms. Falcke. How many applications are you using? Who has access to these applications?
Well, we have in total 5 different web based applications: SharePoint, OWA, hardware inventory (Baramundi), Salesforce and Securex. The last 2 are cloud based solutions. I hope this is not a problem? All these applications are protected with static passwords.
Who has access to these applications?
Besides all the 25 sales people, also my complete administrative staff (40 persons) and some technical guys (15 persons). So, in total 80 employees have access to all the internal applications.
Brent listened very carefully, thought about it, and came up with a solution!
Dear Ms. Falcke, thanks to the fact that you are already working with a VASCO solution, it is actually simple. Let me explain how:
- We will upgrade the 25 user licenses of the sales people from a Gold to an Enterprise edition.
- You need to buy 55 extra user licenses, Enterprise Edition.
- And 55 DIGIPASS Authenticators, for the administrative staff and technical guys.
And how does this work in real life? Say hi to Sandra. Sandra is an administrative person. As from today, she has secured access to the web based applications, thanks to IK Authentication Server.
So each day, every time she logs in on a site, she needs an OTP. Not really convenient!? Can we offer an even more convenient solution?
We can do better than this. Just keep the next concerns in mind:
- Each day Sandra, and the others, need to log in to different applications = annoying.
- Is she using the same username on each application?
- Are all the web based applications talking SOAP? Or SAML? OAuth, …
- More and more applications are cloud based. So there is a big chance that this company will work in the future with extra applications.
- Upgrade of user licenses can be hard to sell. And even then, you are not sure that it can work (SAML, OAuth, …).
So, let’s give them a solution:
- whereby we offer the end user SSO
- whereby security is maintained
- which is future-ready: extra applications, no problem; applications talking SAML, REST, OAuth, SOAP can be easily integrated
- which does not need an upgrade of existing licenses.
Well, we can offer a solution which takes care of all these topics: IDENTIKEY Authentication Server, in combination with IDENTIKEY Federation Server. And the good news is that they belong to the same family. OK, but what will it look like?
So, thanks to the combination of IK authentication server and Federation Server, we offer the end user a secure and convenient solution.
So, the IDENTIKEY Authentication Server, in combination with the IDENTIKEY Federation Server, offers the customer a lot of advantages.
For the end user:
- 1 login to access all the applications
- Login is secured by a One Time Password
For the company, and more specifically the IT people:
- 1 central point to manage all the users
- No administration overload
- Easy management of licenses
Brief recapitulation:
Case 1: An existing IK Authentication customer. Request for securing web based applications. Solution: IK Authentication and Federation Server.
Case 2: New customer. Web based applications – scared of hacking. Solution: IK Authentication and Federation Server.
Case 3: New customer. Web based applications – likes to be a differentiator. Solution: IK Authentication, Federation Server and MYDIGIPASS.COM.
The company QuickMedia is situated in the marketing vertical. They offer their customers:
- Social media marketing campaigns
- SEO solutions (Search Engine Optimization)
- Content marketing
- Help to convert website visits into customers
- …
John is concerned about confidentiality. All the company applications are accessible via a username and password. So, he is scared that someone could have access to the internal databases of the company (without him knowing it).
QuickMedia invited Alice Malley, a reseller of VASCO. John will explain that he would like to have a secure solution for his web based applications.
Another concern he has is about the consultants. He is not always sure that, when they leave the company, the access on each website is blocked.
@Peter Vervloedt: Gartner report regarding the time it takes before an ex-employee is bloc
Well, and again, we must ask these 2 questions:
Which applications would you like to protect?
And how many persons are using these applications?
Well, we have in total 7 different web based applications running.
The customer has in total 7 different applications running:
3 managed internally:
- SharePoint
- WordPress (for blogs)
- SAP (management of data)
3 managed externally:
- Office 365
- HRnetSource (online HR portal)
- EPAY (cloud based time tracking tool)
- Salesforce
50 people are working in our company. 40 of them are on the payroll of QuickMedia, the other 10 are consultants.
Alice can offer John a great solution: IFS together with the IAS.
Q&A
Which solution can we offer? And why? IAS in combination with IFS: secure (OTP) and simple user management (for blocking leaving people).
What was the request again? Security and blocking consultants.
So, the IDENTIKEY Authentication Server, in combination with the IDENTIKEY Federation Server, offers the customer a lot of advantages.
For the end user:
- Login is secured by a One Time Password
For the company, and more specifically the IT people:
- 1 central point to manage all the users
- No administration overload
- Easy blocking of consultants who are leaving the company
Marc Celis is the IT manager of EduSocra. This company offers HR managers of several companies in France online tools to create, follow up, … training tracks for their employees. Good to know is that they are linked (financially) with the national government.
As an IT manager, Marc sees that 40% of the IT tickets are created because of password issues, since they changed to a stronger password policy. This also means that the workload of the IT department increases. EduSocra has even considered recruiting 2 new IT administrators.
Can you give me more information about the applications and the people who are using these?
We have in total 7 different applications. All internally managed, except Google Apps. All the internal applications are “house made” and accessible by the B2B associates as well as the employees.
In total 5120 persons are using the online applications. Of the 5120 people, 120 are employees of EduSocra.
Justin: As far as I can see, your company has set up a great solution for its employees and B2B associates. Nevertheless, are people having complaints about this way of working?
Marc: We hear more and more people complaining about the login on each website. They very often forget their username and password. This increases the workload of the IT staff. And keep also in mind that people are very impatient these days. They like to have a solution asap.
Mr. Celis, we can offer you the IDENTIKEY Federation Server. With this solution you will create an SSO solution for your employees as well as for your B2B associates.
So, whether it’s one of your employees or a business associate, they only need to fill in their username and password once. It’s a very convenient solution. But sorry, this is also a very dangerous solution!
Well, this is a really great solution and very convenient for the end user and IT administrators. But there is a major security risk!! All the web based applications are accessible with a username and the same static password.
Get rid of these static passwords!! Combine the IDENTIKEY Federation Server together with the IDENTIKEY Authentication Server.
Which IDENTIKEY Authentication Server? It is already possible with a Standard edition. That is tricky, though: no backup license!!
Marc Celis is convinced of the proposed solution. He has, however, some issues with the total cost of this solution.
- Paying for user licenses on the IFS, for employees and B2B associates: no issue. This will decrease the helpdesk costs, so acceptable.
- Paying for security? Buying user licenses on IAS for employees: no issue. Own staff, extra cost is acceptable.
- For the 5000 B2B associates: too expensive. Are they still an associate after 1 year?
And what would the solution look like? The B2B associates will log in securely with a free DIGIPASS authenticator on the MDP platform. And MYDIGIPASS.COM can easily be linked to the IDENTIKEY Federation Server.
And the name of this solution? MYDIGIPASS.COM
The IDENTIKEY Federation Server offers you a bunch of advantages:
- 1 login to all the applications
- 1 central place to manage the users
- 1 central point to manage leaving employees
- SSO increases productivity
Brief recapitulation:
Combining the IAS and IFS gives customers a solution for different issues: focus on security, focus on user management, or focus on help desk costs.
Case 1: An existing IK Authentication customer. Request for securing web based applications. Solution: IK Authentication and Federation Server.
Case 2: New customer. Web based applications – scared of hacking. Solution: IK Authentication and Federation Server.
Case 3: New customer. Web based applications – likes to be a differentiator. Solution: IK Authentication, Federation Server and MYDIGIPASS.COM.