Cloud Security Perspectives and Insights

Comprehensive Identity-as-a-Service (IDaaS): Protect all your apps with cloud access management

The need for quicker SaaS onboarding led to siloed IAM for early IDaaS adopters

When the Identity-as-a-Service (IDaaS) deployment model began building momentum early last decade, adoption was primarily driven by the need to keep up with the onboarding of SaaS applications. Business leaders were circumventing IT purchase processes and subscribing to SaaS services without IT input or security oversight. To maintain control, security organizations needed a fast way to onboard SaaS apps that also enabled control over who has access. The streamlined user experience that provided a single point of authentication across SaaS apps was just an added benefit.

IDaaS hit the target by pre-building app templates, making extensive use of the SAML protocol, and supporting long-tail apps via techniques such as password vaulting. But it quickly became apparent that maintaining two separate Identity and Access Management (IAM) stacks (one for on-prem and one for cloud/SaaS) was not ideal. The approach was more expensive, more complicated to manage, and sometimes offered a disjointed user experience. But the cat was already out of the bag, and many organizations were bought in to the benefits of a SaaS deployment model for IAM.

For many, IDaaS evolved to a Hybrid IAM approach

Combining SaaS benefits (such as ease of ownership, predictable cost, and ease of onboarding) with the need to maintain self-managed IAM solutions led to the popularity of hybrid IAM approaches in which organizations maintain multiple IAM components across on-prem and cloud. And that’s fine; for many, hybrid IAM is the right answer. This is why Oracle remains committed to our software-delivered IAM solutions that can be deployed on-prem or in the cloud. But IDaaS is taking an increasingly important role and many of our customers want to move more IAM functionality to our IDaaS solution. This brings us to the present.

Today, Oracle’s IDaaS provides comprehensive coverage for enterprise apps

IDaaS has matured quite a bit over the last several years and no longer relies as much on SAML or pre-built app templates. Today, Oracle Identity Cloud Service helps manage access to virtually any enterprise target. To accomplish that, we’ve introduced several technical approaches to bringing more applications into the IDaaS fold with less effort. These approaches, combined, provide the easiest path toward enabling the service to manage access for more systems and applications.

  • App Catalog: The App Catalog provides pre-built integrations for the most popular SaaS applications. Many of these integrations support account lifecycle management (user provisioning) in addition to authentication and single sign-on (SSO). For some enterprise applications, the service even enables management of app entitlements as well, which is atypical for other IDaaS solutions.
  • App Gateway: The App Gateway provides an easy way to enable authentication and SSO for applications that are hosted on customer-managed servers (either on-prem or via cloud compute instances) and don’t support standard federation protocols such as SAML or OpenID Connect. An added benefit of this approach is that it allows organizations to expose internal applications to external users without requiring a VPN connection. App Gateway acts as a reverse proxy that intercepts HTTP requests and restricts unauthorized access based on policies. This approach is especially useful for applications that support HTTP header-based authentication.
  • Provisioning Bridge: The Provisioning Bridge provides an easy way to enable lifecycle management (user provisioning) for applications that are hosted on customer-managed servers (either on-prem or via cloud compute instances). The bridge leverages Identity Connector Framework (ICF) connectors so customers can leverage their own or partners’ previous experience with ICF. ICF connectors have also been used by Oracle Identity Governance (OIG) for several years so there’s a substantial knowledge base in support of many complex systems and applications.
  • Active Directory Bridge: The Active Directory Bridge provides a highly available integration with Microsoft Active Directory (AD) which is typically deployed on-premises. The bridge enables bidirectional synchronization of users and groups between the identity service and AD. It also enables delegated authentication where users can authenticate to the cloud identity service using their AD credentials without storing AD credentials in the cloud service.
  • EBS Asserter: Oracle E-Business Suite (EBS) is a widely implemented enterprise application suite addressing key business operations such as Human Capital Management, Financials, Procurement, and more. The EBS Asserter provides a lightweight integration with EBS that eliminates the need for the Oracle IAM components that are otherwise required to enable authentication and SSO to EBS. The Asserter is a lightweight Java application enabling access to EBS mobile and web interfaces.
  • RADIUS Proxy: RADIUS is a client/server security protocol widely used to enable remote authentication and access. The RADIUS Proxy provides a way for the identity cloud service to interact with applications that support RADIUS, such as network VPNs and Oracle Database instances. A common use case for this proxy is to enable MFA (strong authentication) for Oracle Databases. For this scenario, the service offers user management for database administrator and user accounts and enables database role management via service-specific security groups.
  • LDAP Proxy: The LDAP proxy allows applications to interact with the cloud identity service via LDAP protocol. This is useful for applications that have native support for LDAP but perhaps do not support other common identity protocols. Note that there’s also a generic LDAP v3 compliant connector in the app catalog that enables lifecycle management (user provisioning) for LDAP directory servers. This is an alternate way to support LDAP-enabled applications.
  • Linux PAM Module: Linux Pluggable Authentication Modules (PAM) provide an authentication service for Linux servers that replaces local credential-based authentication. The Oracle Linux PAM Module enables Linux access to be centrally managed via the cloud identity service and enables Linux administrators or end users to query information about users and groups stored in the service via standard Linux commands such as id, groups, and getent.
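The App Gateway item above describes a reverse proxy that enforces access policy and then hands identity to the backend via HTTP headers. The following is an added example, not Oracle's App Gateway code, modelling the decision such a gateway must make on every request: strip any identity headers the client supplied, resolve the session, check the path policy, and only then inject the headers the backend trusts. The header names, session store, and policy table are constructed assumptions.

```python
# Added example (not Oracle's App Gateway code): the per-request policy check of
# a header-injecting reverse proxy in front of a backend that trusts identity
# headers. The backend must be reachable only through the proxy for this to hold.
from dataclasses import dataclass, field

# Hypothetical header names; a real gateway uses whatever the backend expects.
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups")

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

# Constructed session store: gateway session id -> (user, groups).
SESSIONS = {"sess-abc": ("alice", {"finance", "staff"}),
            "sess-xyz": ("bob", {"staff"})}

# Constructed policy: longest matching path prefix wins. "*" means any
# authenticated user; None means the resource is public.
POLICY = {"/public/": None, "/app/": "*", "/app/finance/": "finance"}

def decide(req):
    """Return (status, headers to forward). Status 200 means forward upstream."""
    # Never let a client-supplied identity header reach the backend.
    fwd = {k: v for k, v in req.headers.items() if k not in IDENTITY_HEADERS}
    prefix = max((p for p in POLICY if req.path.startswith(p)), key=len, default=None)
    if prefix is None:
        return 404, {}                      # no policy: do not forward by default
    required = POLICY[prefix]
    if required is None:
        return 200, fwd                     # public path, still header-scrubbed
    session = SESSIONS.get(req.cookies.get("gw_session"))
    if session is None:
        return 401, {}                      # unauthenticated: redirect to IdP in practice
    user, groups = session
    if required != "*" and required not in groups:
        return 403, {}                      # authenticated but not entitled
    fwd["X-Remote-User"] = user
    fwd["X-Remote-Groups"] = ",".join(sorted(groups))
    return 200, fwd

if __name__ == "__main__":
    spoof = {"X-Remote-User": "admin"}
    print(decide(Request("/app/finance/report", spoof, {"gw_session": "sess-xyz"})))
    print(decide(Request("/app/finance/report", spoof, {"gw_session": "sess-abc"})))
```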

Comprehensive Identity-as-a-Service (IDaaS)

As you can see, the Oracle Identity Cloud Service IDaaS solution accommodates numerous systems and application types. The service provides specific support for numerous applications via integrations found in the App Catalog, the AD Bridge, and the EBS Asserter. It also supports several generic integration approaches, including the App Gateway, Provisioning Bridge, LDAP connector, and RADIUS Proxy.

If you’ve decided to standardize on IDaaS for your enterprise Identity and Access Management needs, or would like more information about your specific use cases, please visit the Oracle Identity Cloud Service page, sign up for a free trial, or contact us for more information.
