Many of Oracle’s (and 3rd party) SaaS applications support key identity management capabilities, which enable them to integrate with an enterprise to deliver capabilities such as single sign-on. However, there are some use cases where a more robust identity management platform is required to meet more demanding business requirements. Identity Cloud Service is Oracle’s strategic platform for delivering both identity management services for our customers to utilise, as well as delivering the identity management platform that underpins our IaaS and PaaS cloud services. Here are 3 key use cases where integration of SaaS with IDCS can provide additional value for a SaaS customer.
Many SaaS applications contain a customer’s most sensitive information, and therefore there is often a requirement to strengthen the level of authentication required when accessing these applications, especially for users with high levels of privilege within the SaaS application.
Identity Cloud Service can add a low-cost, stronger level of authentication to your sign-in process. This is similar, for example, to how your bank might authenticate a user. There is flexibility and choice for a user in deciding how they want to provide a stronger authentication, i.e.:
Backup codes can also be downloaded by the user for times when none of the above mechanisms are available to them at the time of authentication.
The IDCS Administrator configures a policy to determine which users the additional authentication applies to and under what conditions it applies, such as their current location.
Identity federation has long been the de facto approach for enabling a user to seamlessly access different applications, cloud-based or otherwise, using their organisation’s credentials, instead of maintaining multiple different usernames and passwords across lots of different services. Most SaaS applications today support identity federation.
However, a common limitation is that this trust relationship can only be configured with one organisation. In my experience, many organisations today have loosely coupled IT, typically with many discrete partners, or sub-organisations, who all manage their own IT. This can lead to user data that is stored in a number of different places, each owned and mastered within those smaller entities. When this happens, organisations often cannot federate all of these different entities with their SaaS applications.
Instead they need the ability to configure multiple trust relationships between their different entities and the SaaS applications they are using. IDCS can help by supporting multiple trust relationships, meaning that each separate entity within your organisation can be configured as a trusted provider, enabling users seamless access into their SaaS applications, whether Oracle or 3rd party, irrespective of which entity they are coming from.
Whilst many SaaS applications are geared towards enterprise services such as Human Capital Management (HCM) and Enterprise Resource Planning (ERP), there is sometimes a need to engage consumers and allow them to interact with the application. Whilst registration pages can be provided for users to ‘sign-up’, this doesn’t provide a good user experience for your end-users. Instead, it is common practice to enable registration and subsequent authentication through social platforms such as Facebook, LinkedIn, and Google. Not all SaaS applications support these integrations today.
Identity Cloud Service supports social authentication with a number of the common social providers, as well as providing a general, standards-based integration for additional social platforms that are not provided out-of-the-box. Identity Cloud Service handles the associated capabilities, such as linking a user to their various social profiles and enabling user controls, such as user consent and the ability to forget the link between their IDCS identity and their social accounts.
Utilising Identity Cloud Service to deliver social platform integration can significantly lower the development and integration effort required to maintain this capability across all of your chosen social providers.
These three identity management enhancements for SaaS are areas where I am regularly having discussions with customers. However, we shouldn't forget what I call the "bread and butter" IAM, and that is the fundamental processes of making sure you have appropriate controls and procedures in place to provision/de-provision users and their roles into your SaaS applications, so that you are maintaining the right level of governance around your cloud accounts, and not just your existing on-premise applications. Of course, IDCS can help here as well, but that's the discussion for another post.