
Cloud Security Perspectives and Insights

Three Reasons Why Identity Management Should Be On Your Radar For SaaS

Paul Toal
Distinguished Solution Engineer - Cyber Security

Many of Oracle's (and third-party) SaaS applications support key identity management capabilities, which enable them to integrate with an enterprise to deliver features such as single sign-on. However, there are some use cases where a more robust identity management platform is required to meet more demanding business requirements. Identity Cloud Service (IDCS) is Oracle's strategic platform for delivering identity management services for our customers to utilise, as well as the identity management platform that underpins our IaaS and PaaS cloud services. Here are three key use cases where integrating SaaS with IDCS can provide additional value for a SaaS customer.


Reducing Risk through stronger authentication

Many SaaS applications contain a customer's most sensitive information, so there is often a requirement to strengthen the level of authentication required when accessing these applications, especially for users with high levels of privilege within the SaaS application.

[Figure: One-time passcodes]

Identity Cloud Service can add a low-cost, stronger level of authentication to your sign-in process. This is similar, for example, to how your bank might authenticate you. Users have flexibility and choice in how they provide this stronger authentication, for example:

  • Memorable questions and answers
  • Regularly changing, one-time use passcode
  • Prompting a user on their smart device for approval
  • Text message

Backup codes can also be downloaded by the user for times when none of the above mechanisms are available to them at the time of authentication.

The IDCS Administrator configures a policy to determine which users the additional authentication applies to and under what conditions it applies, such as their current location.
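The following is an added illustration of the mechanics this section describes (a step-up policy keyed on privilege and location, a regularly changing one-time passcode, and single-use backup codes); it is not Identity Cloud Service code. Role names, the country allow-list and the user attributes are constructed for the example; the passcode follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits).

```python
"""Step-up authentication with one-time passcodes and backup codes.

Added illustration, not Identity Cloud Service code. Assumptions (constructed):
users carry 'roles' and 'country' attributes; the policy demands a second
factor for privileged roles or sign-ins from outside an allow-list of
countries; passcodes follow RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits);
backup codes are single use and only their salted hashes are stored.
"""
import hashlib
import hmac
import secrets
import struct

PRIVILEGED_ROLES = {"HCM_ADMIN", "PAYROLL_MANAGER"}  # constructed role names
TRUSTED_COUNTRIES = {"GB", "IE"}                      # constructed allow-list
STEP_SECONDS = 30


def step_up_required(user: dict) -> bool:
    """Policy: second factor for privileged users, or for anyone outside a trusted location."""
    privileged = bool(PRIVILEGED_ROLES & set(user.get("roles", [])))
    untrusted_location = user.get("country") not in TRUSTED_COUNTRIES
    return privileged or untrusted_location


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time passcode for Unix time `at`."""
    counter = struct.pack(">Q", at // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` neighbours for clock drift; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, at + k * STEP_SECONDS), code)
               for k in range(-window, window + 1))


class BackupCodes:
    """Downloadable single-use codes: store salted hashes only, delete a code once redeemed."""

    def __init__(self, count: int = 5):
        self.salt = secrets.token_bytes(16)
        # Shown to the user once at enrolment; a real store would not retain the plaintext.
        self.issued = [secrets.token_hex(5) for _ in range(count)]
        self._hashes = [self._digest(c) for c in self.issued]

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def redeem(self, code: str) -> bool:
        candidate = self._digest(code)
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(candidate, stored):
                del self._hashes[i]  # single use
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


def sign_in(user: dict, password_ok: bool, at: int, totp_secret: bytes = None,
            code: str = None, backup: BackupCodes = None) -> str:
    """Combine the password result, the policy and the second factor into one decision."""
    if not password_ok:
        return "denied"
    if not step_up_required(user):
        return "allowed"
    if code is None:
        return "second-factor-required"
    if totp_secret is not None and verify_totp(totp_secret, code, at):
        return "allowed"
    if backup is not None and backup.redeem(code):
        return "allowed"  # recovery path when the authenticator is unavailable
    return "denied"
```

The policy function is deliberately separate from the verifiers so that the conditions (privilege, location) can change without touching the cryptographic code; the drift window keeps only the adjacent steps valid, and redeemed backup codes are removed so a leaked code cannot be replayed.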


Simplifying access from multiple organisations

Identity federation has long been the de facto approach for enabling a user to seamlessly access different applications, cloud-based or otherwise, using their organisation’s credentials, instead of maintaining multiple different usernames and passwords across lots of different services. Most SaaS applications today support identity federation.

However, a common limitation is that this trusted relationship can only be configured with one organisation. In my experience, many organisations today have loosely coupled IT, typically with many discrete partners or sub-organisations who all manage their own IT. This can lead to user data being stored in a number of different places, each owned and mastered within those smaller entities. When this happens, organisations often cannot federate all of these different entities with their SaaS applications.

Instead they need the ability to configure multiple trust relationships between their different entities and the SaaS applications they are using. IDCS can help by supporting multiple trust relationships, meaning that each separate entity within your organisation can be configured as a trusted provider, enabling users seamless access into their SaaS applications, whether Oracle or 3rd party, irrespective of which entity they are coming from.
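As an added illustration of what "multiple trust relationships" means on the service-provider side (not Identity Cloud Service code), the example below registers three trusted providers, routes a user to the provider that owns their e-mail domain, and checks an incoming assertion against exactly that provider's issuer, key, audience and expiry. The assertion is modelled as a signed dict of claims standing in for a SAML assertion or JWT; every provider, key, domain and URL is constructed.

```python
"""Multiple federation trust relationships for one SaaS application.

Added illustration, not Identity Cloud Service code. A federation assertion is
modelled as a dict of claims (iss, aud, sub, email, exp) plus an HMAC-SHA256
signature under a key shared with the issuing provider; all providers, keys,
domains and the audience URL are constructed for the example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedProvider:
    name: str
    issuer: str              # the only issuer value this provider may assert
    email_domains: frozenset  # domains this provider is authoritative for
    key: bytes               # verification key for this provider's signatures


APP_AUDIENCE = "https://saas.example/sp"  # constructed service-provider identifier

# One trusted provider per entity: the parent company, a subsidiary and a partner.
PROVIDERS = [
    TrustedProvider("hq", "https://idp.hq.example", frozenset({"hq.example"}), b"hq-key"),
    TrustedProvider("subsidiary", "https://sso.sub.example", frozenset({"sub.example"}), b"sub-key"),
    TrustedProvider("partner", "https://login.partner.example", frozenset({"partner.example"}), b"partner-key"),
]
BY_ISSUER = {p.issuer: p for p in PROVIDERS}


def _canonical(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign(claims: dict, key: bytes) -> dict:
    """Issuer side: attach a signature over the canonical claims (stands in for SAML/JWT signing)."""
    return {"claims": claims, "sig": hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()}


def discover_provider(email: str):
    """Home-realm discovery: route the user to the provider that owns their e-mail domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    return next((p for p in PROVIDERS if domain in p.email_domains), None)


def accept_assertion(assertion: dict, now: int) -> tuple:
    """Service-provider side checks; returns (accepted, reason)."""
    claims = assertion["claims"]
    provider = BY_ISSUER.get(claims.get("iss"))
    if provider is None:
        return False, "issuer is not a trusted provider"
    expected = hmac.new(provider.key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "signature does not verify under the issuer's key"
    if claims.get("aud") != APP_AUDIENCE:
        return False, "assertion was issued for a different application"
    if claims.get("exp", 0) <= now:
        return False, "assertion has expired"
    # Design choice: a provider may only assert identities in the domains it is trusted
    # for, so the partner's provider cannot vouch for an hq.example user.
    if discover_provider(claims.get("email", "")) != provider:
        return False, "issuer is not authoritative for this user's domain"
    return True, "accepted from " + provider.name
```

The last check is what separates several independent trust relationships from one shared one: each provider is trusted only for its own population, so adding a partner does not widen what the existing providers are allowed to assert.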

Embracing Consumers

Whilst many SaaS applications are geared towards enterprise services such as Human Capital Management (HCM) and Enterprise Resource Planning (ERP), there is sometimes a need to engage consumers and allow them to interact with the application. Whilst registration pages can be provided for users to 'sign up', this doesn't provide a good experience for your end users. Instead, it is common practice to enable registration and subsequent authentication through social platforms such as Facebook, LinkedIn, and Google. Not all SaaS applications support these integrations today.


Identity Cloud Service supports social authentication with a number of the common social providers, as well as providing a general, standards-based integration for additional social platforms that are not supported out of the box. Identity Cloud Service handles the associated capabilities, such as linking a user to their various social profiles and providing user controls such as consent and the ability to remove the link between their IDCS identity and their social accounts.

Utilising Identity Cloud Service to deliver social platform integration can significantly lower the development and integration effort required to maintain this capability across all of your chosen social providers.
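The example below is an added illustration of the linking, consent and "forget" capabilities just described; it is not Identity Cloud Service code. A social sign-in result is modelled as the provider name, the provider's stable subject identifier, the e-mail address and whether the provider reports that address as verified; the user directory and identifiers are constructed. The rule that an existing account is only auto-matched on a verified e-mail address is a design choice added here.

```python
"""Linking social identities to an enterprise identity with consent and 'forget'.

Added illustration, not Identity Cloud Service code. The user directory is an
in-memory dict standing in for the identity store; providers, subjects and
e-mail addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SocialProfile:
    provider: str        # e.g. "linkedin", "google"
    subject: str         # provider's stable identifier for the user, never the e-mail
    email: str
    email_verified: bool  # whether the provider vouches for the address


class LinkStore:
    def __init__(self):
        self._links = {}           # (provider, subject) -> user_id
        self._users_by_email = {}  # constructed stand-in for the user directory
        self._next_id = 1

    def register_user(self, user_id: str, email: str) -> None:
        self._users_by_email[email.lower()] = user_id

    def resolve(self, profile: SocialProfile):
        """Return the linked user id, or None when this social identity is unknown."""
        return self._links.get((profile.provider, profile.subject))

    def link(self, profile: SocialProfile, user_id: str, consent_given: bool) -> bool:
        """Create a link only when the user has consented; linking is keyed on the subject."""
        if not consent_given:
            return False
        self._links[(profile.provider, profile.subject)] = user_id
        return True

    def sign_in(self, profile: SocialProfile, consent_given: bool = False) -> tuple:
        """Returns (user_id or None, outcome)."""
        user = self.resolve(profile)
        if user is not None:
            return user, "existing link"
        existing = self._users_by_email.get(profile.email.lower())
        if existing is not None:
            # Design choice: only match an existing account when the provider vouches for
            # the address; an unverified address is not evidence that the user owns it.
            if not profile.email_verified:
                return None, "e-mail not verified; manual linking required"
            if not self.link(profile, existing, consent_given):
                return None, "consent required to link"
            return existing, "linked to existing user"
        if not consent_given:
            return None, "consent required to register"
        new_id = "social-%d" % self._next_id
        self._next_id += 1
        self.register_user(new_id, profile.email)
        self.link(profile, new_id, consent_given)
        return new_id, "registered"

    def forget(self, profile: SocialProfile) -> bool:
        """User-initiated removal of the link; the enterprise identity itself is untouched."""
        return self._links.pop((profile.provider, profile.subject), None) is not None

    def links_for(self, user_id: str) -> list:
        return sorted(k for k, v in self._links.items() if v == user_id)
```

Keying the link on the provider's subject identifier rather than the e-mail address means a later change of address at the social provider does not silently re-point the link, and the "forget" operation removes only the link, leaving the enterprise identity and its other links in place.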


These three identity management enhancements for SaaS are areas where I am regularly having discussions with customers. However, we shouldn't forget what I call the "bread and butter" of IAM: the fundamental processes that make sure you have appropriate controls and procedures in place to provision and de-provision users and their roles in your SaaS applications, so that you maintain the right level of governance around your cloud accounts and not just your existing on-premise applications. Of course, IDCS can help here as well, but that's the discussion for another post.

Comments (1)
  • Neville Varnham Tuesday, July 31, 2018
    Hi Paul, a great piece reinforcing the need to get basic security principles right and a reminder that IDCS is a key enabler in many real-life use cases.