Pass Through Authentication via Active Directory in SailPoint IdentityIQ

In today’s digital age, secure authentication is crucial for all kinds of organizations. Pass Through Authentication enables users to access resources seamlessly without the need for maintaining credentials in on-prem infrastructure. The user credentials are validated against the organization’s directory service such as Active Directory without the need to store credentials. PTA is used commonly in hybrid environments where organizations want control over authentication while integrating with cloud services. The diagram below depicts the process of Pass Through Authentication via Active Directory in SailPoint IdentityIQ.

Image: Pass Through Authentication via Active Directory

  1. A user requests to log in to an application, in our case, SailPoint.
  2. The application (SailPoint) secures the credentials by encrypting them.
  3. The login configuration is checked and found out to be Pass Through Authentication.
  4. The credentials are validated against Active Directory.
  5. After successful validation, the user is logged in.

⦁ Pass Through Authentication ensures the credentials are not stored, reducing the risk of exposure.
⦁ Simplifies user management by validating with a directory system like Active Directory.
⦁ Provides real-time authentication, ensuring accurate and up-to-date access control.
⦁ Offers seamless experience as users can log in to on-prem and cloud-based applications using the same credentials.

Let’s have a close look into Pass Through Authentication in below video.

In this video, a detailed demonstration on Pass Through Authentication via Active Directory and usecases like AD Birthright Provisioning are discussed.

SailPoint Identity Security Cloud Launcher and Launchpad

SailPoint Identity Security Cloud is a comprehensive Identity and Access Management (IAM) solution designed to help organizations manage user access to critical systems and applications efficiently and securely. Within IdentityNow, Launcher and Launchpad are key components that enhance user experience and streamline access management processes.

Launcher

Launcher is a feature within IdentityNow that allows users to manually initiate interactive processes related to access management. It is tied to entitlements and can be assigned to users through regular governance practices. Here’s how it works:

  • Manual Initiation: Users can manually start processes such as access requests, certifications, and reviews.
  • Entitlements: The launcher is linked to specific entitlements, ensuring that users have the appropriate permissions to initiate these processes.
  • Governance Integration: It integrates with IdentityNow’s governance framework, allowing for seamless management and oversight of access-related activities.

Launchpad

Launchpad is a centralized interface within IdentityNow that provides users with a single point of access to various identity management tasks and applications. It offers a user-friendly and intuitive way to navigate and manage identity-related activities. Key features include:

  • Centralized Access: Users can access different identity management functions from one place, improving efficiency and ease of use.
  • Customization: The launchpad can be customized to meet the specific needs of an organization, allowing for personalized dashboards and workflows.
  • Self-Service Capabilities: Users can perform self-service tasks such as password resets, access requests, and profile updates directly from the launchpad.

Creation Flow for Launcher and Launchpad

Together, Launcher and Launchpad enhance the user experience by providing intuitive and efficient ways to manage access and identity-related tasks within IdentityNow.

In the video below, I have thoroughly explained Launcher and Launchpad, along with Forms and Workflow, using a simple presentation:

In this video, I have vividly explained the entire process of Launcher and Launchpad using real-life analogies:

Machine Identity Management in SailPoint Identity Security Cloud

The age of AI and automation is here. With organizations all around the globe leveraging Artificial Intelligence and Machine Learning, more and more tasks and processes previously done manually, are now being automated. This leads to the creation of several machine accounts dealing with Robotic Process Automation (RPA), privileged service accounts for authenticating requests from an external system, and the like. Consequently, organizations are spending more time and resources managing the access held by these non-human accounts in every application, which can often lead to complicated situations as there is no centralized view of the same.

As described above, organizations are automating mundane processes, and thus more machine accounts are being created. These accounts can be difficult to manage and govern in a standalone environment, considering the lack of ownership and effective ways to control and manage their access. The following are some statistical insights on machine accounts shared by SailPoint: –

This gives a clear picture as to how AI, Automated Scripts and Robotic Processes are taking over the workplace, which signifies the difficulty as well as importance of managing these machine accounts.

This is where SailPoint’s Machine Identity Security jumps in. It offers a robust set of features to:-

  • Discover any accurately configured machine account on any source
  • Classify the accounts as machine accounts, by using an account attribute/set of attributes (eg, in Active Directory, if there are machine accounts containing the word “bot” in their sAMAccountName, we can use this account attribute to classify these accounts as machine accounts in SailPoint)
  • Assign a human owner to a machine account. This identity will be responsible for reviewing the access held by the machine account in a certification campaign
  • Correlate the machine accounts to machine identities
  • Certify the machine account’s access using Certification Campaigns

The diagram above depicts SailPoint Machine Identity Security, which aggregates machine accounts from various applications such as Active Directory, SAP and Web Service and manages them under a single platform i.e., Identity Security Cloud.

There are several advantages to using SailPoint Machine Identity Security: –

  • It provides clear visibility and insights on all machine accounts across various applications.
  • It provides tools to automate the management of machine accounts. This eliminates the need to maintain and manage these accounts and their access manually, such as on excel sheets.
  • Human owners can be assigned to machine accounts, ensuring accountability, risk detection and mitigation.
  • Access reviews via Certification Campaigns help ensure that machine accounts follow the principle of Least Privileged Access Control.

Let’s have a close look at how SailPoint Machine Identity Security works in the following video: –

The following video is a deep dive demonstration of SailPoint Machine Identity Security: –

Hope this blog gave you some insights into how you can use SailPoint Machine Identity Security to effectively classify, manage and govern machine accounts from any source. Please share your thoughts and feedback in the comment box below.

Please follow our socials to stay up to date with the latest technology content.

Thank you!

SailPoint Identity Security Cloud Multi Host Groups

Introduction:

Modern Enterprises have huge infrastructure and configurations, governing and managing them in complex and difficult.

To overcome this problem, SailPoint Identity Security Cloud Multi Host Groups allows easier management of infrastructure and related integrations.

Multi Host Groups helps bulk source creation of infrastructure components and server configurations from a centralized location.

Basically, it is a container which holds sources and associated account aggregation and entitlement aggregation groups. So that we can aggregate all the sources at once, instead of doing one at a time.

From the diagram we can see, without multi host group, we need to aggregate all the sources, one at a time, which will be redundant and time consuming, but using multi host groups we can aggregate a group of sources once.

Features:

Below, is the list of available features in SailPoint Identity Security Cloud Multi Host Groups:

  • Bulk Source Integration
  • Support for MS SQL Server and Oracle Database Connector use cases
  • Aggregation Groups
  • Centralized integrations

In this blog, we will be discussing about the Identity Security Cloud Multi Host Group in detail. The following are the key topics that are discussed as part of the blog.

  1. What is Multi Host Group?
  2. Key Features of Multi Host Group.
  3. Creating and Viewing Multi Host Groups.
  4. Editing, Testing and Deleting Multi Host Groups
  5. Managing Account and Entitlement Aggregation Groups
  6. Limitations and Best Practices

In the video blog of SailPoint Identity Security Cloud Multi Host Groups, we will be discussing above mentioned topics.

Video:

Detailed demo on managing multi host groups is present in the following video.

Video:

SailPoint Identity Security Cloud Loopback Connector

Problem:

In SailPoint Identity Security Cloud, we often face challenges in managing and governing user level permissions and governance group membership effectively, which may lead to unauthorized access and audit failures. Governing access inside Identity Security Cloud is important.

Current blog helps govern access in Identity Security Cloud using Identity Security Cloud loopback connector.

Solution – Loopback connector:

The purpose of loopback connector is used to manage Identity Security Cloud user levels and governance groups as entitlements.

Users can request for elevated user levels permissions and governance groups as entitlements through request center. Once that is approved user will get required higher permission or governance group membership based on requested entitlement.

Supported Operations:

Below are the supported operations in loopback connector:

  • Account Aggregation
  • Governance Groups Aggregation
  • User levels Aggregation
  • Provisioning
  • Add Entitlement
  • Remove Entitlement

Operations and APIs

Below is the list of endpoints we used for each operation in loopback connector:

S. NoOperationsEndpoints
1Account Aggregation/v3/accounts
2Governance Group Aggregation/beta/workgroups
3Provisioning/v3/accounts
4Authentication/oauth/token
5Add Entitlement for User Levels/v3/auth-users/:id
6Add Entitlement for Governance Groups/v3/workgroups/accessId/members/bulk-add

In this blog, we will be discussing about the Identity Security Cloud Loopback Connector in detail. The following are the key topics that are discussed as part of the blog.

  1. Problem statement
  2. What is loopback connector and what we can achieve from that?
  3. Use cases we can achieve using loopback connector
  4. What are the supported operations?
  5. End points used for each operation.

In the video blog of SailPoint Identity Security Cloud Loopback Connector, we will be discussing above mentioned topics.

Video:

Detailed demo on developing & testing loopback connector is present in the following video.

Video:

All the mentioned technical components are only available for internal use. However, refer to the below table for an overview on different technical components, which can be used to develop the loopback connector.

S. NoComponent NameUse
1Java ProgramThis program is used to take details like tenant id, client id, client secret and source id and update all rules with provided input data.
2Account Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all the available accounts from the respective tenant.
3User Levels Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all user levels available from the respective tenant.
4Governance Groups Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all the available governance groups from the respective tenant..
5Add EntitlementThis is Webservice Before Operation Rule. Users can build this rule in such away, upon entitlement request, respective governance group membership or elevated permissions are assigned to users
6Remove EntitlementThis is Webservice Before Operation Rule. Users can build this rule in such away, respective governance group membership or elevated permissions are removed from users.

Duo Two-Factor Authentication for SailPoint Identity Security Cloud

What is Duo

Duo is a two-factor authentication solution that helps organizations boost security by verifying user identity, establishing device trust, and providing a secure connection to company networks and applications.

Why Duo

Duo is fast, easy and flexible. Passwords and even basic Multi-Factor Authentication (MFA) aren’t enough to keep you safe from today’s attackers. Duo gives you the extra layers of protection you need for secure access management. With this setup, Duo two-factor authentication (2FA) is added as a verification option for account unlocking and password resets.

Prerequisites to integrate Duo

  1. Configure SailPoint Web application and copy ClientID, secret and hostname these details are required for SailPoint integration.
  2. Add users and enroll them in the application. User should have an account in SailPoint.

Technical Overview:

Here’s the technical demonstration on the integration of Duo

Use case Demonstration – Integration flow:

Please refer to the below video to have an understanding about Duo integration

SailPoint configuration

  1. The steps to be done in SailPoint tenant for duo integration
  2. First in SailPoint, integrate the Duo and then check the test connection after successful test connection
  3. Enable multifactor Authentication in Identity profile
  4. And select duo web in Password Reset and Unlock Settings
  5. Now you are all set to use duo authentication

Duo 2FA for Identity security cloud password reset

  1. With duo integration user can reset his password
  2. First user has to proceed to reset password
  3. Enter the username
  4. Then you should enter the passcode received from duo after successful duo authentication you can able to set new password

Duo 2FA for Identity security cloud Unlock account

  1. If the user account got locked, then he can unlock his account with duo integration
  2. First user has to proceed to unlock account
  3. Enter the username
  4. After successful duo authentication your account will be unlocked

 

A Deep-Dive into Okta Sign-On Policies

  • Introduction
  • Usecase Overview
  • Usecase Demonstration
  • Challenges
  • Conclusion
  • Reference Links

Introduction:

In today’s digital landscape, organizations rely on various applications to enhance productivity, necessitating secure access for diverse workforces, including remote employees and contractors. To ensure secure access for remote workers using new devices, implementing Multi-Factor Authentication (MFA) is essential. When accessing sensitive applications from unrecognized devices, Okta prompts for MFA, requiring additional authentication steps such as a one-time password or biometric verification. Administrators can set contextual-behavior based sign-on policies to determine when MFA is necessary, enhancing security and reducing unauthorized access risks, while logging all attempts for monitoring and auditing.

Usecase Overview:

Please refer to the below video to have an understanding about Okta Sign-On Policies focusing on their structure, functionality, and how they enhance security using contextual behavior detection methods.

Usecase Demonstration:

This demonstration offers a comprehensive overview of the Sign-on Policies in Okta, highlighting the practical application with a common scenario around WFH / remote employees.

Challenges:

In general, many organizations encounter various challenges when it comes to user access management: 

  • Securing access for remote employees, contractors, and full-time staff who require varying levels of access to applications. 
  • Ensuring consistent user attributes and access permissions across all applications. 
  • Demonstrating compliance with security standards by implementing strong access controls and monitoring user activity. 
  • Minimizing administrative overhead associated with managing user identities and access. 

Conclusion:

Implementing Okta for centralized security management enables organizations to leverage the platform’s robust features and benefits. By setting up user groups, integrating applications, configuring session policies, and enabling MFA, companies can create a secure and efficient identity management system that meets their specific requirements. 

Reference Links:

Global session policies | Okta Docs

Authentication policies | Okta Docs

Multifactor authentication | Okta Docs

Behavior Detection | Okta Docs

Risk scoring | Okta Docs


Integrating Active Directory with Okta’s Universal Directory

  • Introduction
  • Understanding Okta Universal Directory
  • Key Features of Okta Universal Directory
  • Prerequisites
  • Usecase Overview
  • Technical Demonstration – Integration flow
  • Conclusion
  • Reference Links

Introduction

Active Directory (AD), a directory service developed by Microsoft for Windows domain networks, is primarily used for authentication and authorization, helping organizations manage user access to resources. However, as organizations increasingly adopt cloud-based applications, managing user access across disparate directories has become a challenge for traditional Active Directory (AD)/LDAP systems. Each cloud service often introduces its own user store, leading to a proliferation of login credentials and making it difficult to maintain consistent, secure access control.

This complexity can result in administrative headaches, such as trouble deactivating user accounts when employees leave and a lack of visibility into resource access. To address these issues, many companies turn to Okta, an identity management platform that integrates seamlessly with Active Directory, bridging the gap between on-premises and cloud environments. By using Okta, organizations can continue to leverage their existing AD or LDAP services for user authentication while centralizing User Lifecycle Management, providing a unified dashboard for administrators to ensure consistent, secure access control across all systems.

Understanding Okta Universal Directory 

Okta Universal Directory is a centralized platform designed for managing user identities from various sources. As a core component of the Okta Identity Cloud, Universal Directory provides a centralized view of all users and their respective attributes, making it easier for IT teams to oversee and manage user data. This product enables organizations to maintain a unified profile for a user, no matter where their data comes from. This capability is especially advantageous for enterprises with multiple user directories, as it simplifies user management and bolsters security. 

Key Features of Okta Universal Directory 

  • Centralized User Management: Universal Directory allows you to manage all your user identities in one place. This means that whether your users are employees, partners, or customers, you can easily create, modify, or deactivate their accounts without jumping between different platforms. 
  • Integration with Multiple Sources: It allows integration with various identity sources, including Active Directory (AD), LDAP, and HR systems like Workday. This flexibility ensures that organizations can consolidate user information from different platforms seamlessly. 
  • Customizable User Profiles: Universal Directory supports both Okta user profiles and app-specific user profiles. This capability allows organizations to define and manage user attributes tailored to their applications, ensuring that each app only accesses the data it needs. 
  • Customizable User Attributes: With Universal Directory, you can customize user attributes to fit your organization’s unique needs. This flexibility enables you to collect and store specific information relevant to your users, such as job titles, department details, or location data. 
  • Real-Time Synchronization: Changes made in AD, such as user updates or account deactivations, are synchronized in real-time with Okta. This ensures that terminated employees lose access immediately, enhancing security and compliance. 
  • Delegated Authentication: The integration allows for delegated authentication, meaning that users can authenticate against AD without needing direct access to the AD environment. This feature simplifies the authentication process while maintaining security. 

Prerequisites

Okta Tenant: 

  • You must possess an account with Super Admin role privileges. 

On-Premises Active Directory: 

  • The host server should have at least two CPUs and a minimum of 8 GB RAM.  
  • Host server running Windows server 2016 & above.  
  • .NET framework 4.6.2 and above.  
  • The host server should be a member server part of the same domain.  
  • Okta agent installation wizard should be executed from the host server.  
  • An account with Domain administrator privileges for domain discovery & AD agent application installation in the host server.  
  • Delegated Authentication – Enables the users to use their AD credentials to access Okta & downstream applications. This feature is enabled by default.

Usecase Overview:

Check out the video below to explore Okta’s Universal Directory and how it works with Active Directory integration. Along with that, benefits of Universal Directory & the integration flow.

Technical Demonstration – Integration flow:

Here’s a technical demonstration, a step-by-step approach explaining the integration between Active Directory and Okta.

Conclusion 

Integrating Active Directory with Okta not only streamlines identity management but also enhances security and user experience. With Okta’s Universal Directory, organizations can manage user identities more effectively, ensuring that they are well-equipped to handle the demands of a cloud-first world. This integration empowers IT teams to focus on strategic initiatives rather than being bogged down by the complexities of traditional identity management systems. 

Reference Links

Active Directory Integration | Okta Docs

User Management | Okta Docs

Simplifying Server Access with Okta Advanced Server Access

  • Introduction
  • Prerequisites
  • Usecase Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Many organizations face difficulties in securely managing access to their servers. This often results in compromised static credentials, delay in accessing the servers and increase in security risks. Okta’s approach to address this problem is unique, comes with Advanced Server Access (ASA) to provide simple & secure way to access the servers through ephemeral certificates. These certificates are short-lived & tightly scoped which ensures strong security for the connection. And also, JIT Passwordless authentication for server access which will create & revoke access for the user through time-bound constraints. It streamlines the login process and enhances security, ensuring that only the right people can access right resources.

To get started, we need to create and configure an ASA team, which is a designated group of users that can authenticate with Okta. Each team acts as an Advanced Server Access tenant, with all configurations and resources scoped to that team. 

  • An Okta Org account with the necessary permissions to configure applications and integrations.
  • Supported OS for ASA Server Agent – Linux & Windows
  • Supported OS for ASA Client Agent – Linux, Windows & MacOS
  • Administrative permission to install ASA Server Agent & Client Agent on servers & end devices.
  • For Network settings, please refer to Okta Docs.

Please refer to the below video to have an understanding about Okta Advanced Server Access & the usecase around integrating servers with Okta ASA.

Here’s the technical demonstration on the integration of Windows and Linux servers with Okta ASA. We will cover the process of creating an ASA team in ScaleFT, followed by integrating and configuring the ASA application in Okta. Next, we will explain how to enroll servers and clients, and finally, we will test the process by accessing the server from client machines to showcase a seamless user experience.

On a closure note, with all the steps carried out in this blog it is fair enough to say integrating Servers with Okta Advanced Server Access not only enhances security through ephemeral credentials but also simplifies management processes while ensuring compliance. Its scalable architecture supports modern cloud environments, making it a comprehensive solution for organizations looking to secure their server access effectively.

Okta Advanced Server Access Guide

Simplifying Salesforce Access with Okta SSO Integration 

  • Introduction
  • Pre-Requisites
  • Usecase Overview – Integration flow
  • Technical Demonstration
  • Conclusion
  • Reference Links

In today’s fast-paced business environment, manually logging into multiple App’s can be a tedious and time-consuming process, especially when dealing with multiple accounts or complex password policies. Moreover, security risks associated with password-based authentication can put your organization’s sensitive data at risk. 

That’s where Okta Single Sign-On (SSO) comes in, a solution that streamlines App access, boosts productivity, and fortifies security. By integrating Okta SSO with multiple App’s like Salesforce, Slack, LinkedIn, etc.., organizations can provide teams with seamless, one-click access to the platform, while maintaining the highest levels of security. 

In this blog, we’ll explore the benefits of using Okta SSO with Salesforce and provide a step-by-step guide on how to set up and configure this powerful integration. 

  • An account with Super Admin role privileges 
  • Salesforce Org with system administrator privileges 
  • Custom Domain: acme 

Please refer to the below video to have an understanding about Okta & the use case around integrating Salesforce with Okta.

Here’s the technical walkthrough on the integration and provisioning between Salesforce & Okta.

In conclusion, integrating Okta with Salesforce has significantly streamlined the users access to the platform. With Okta’s Single Sign-On (SSO) capabilities, users can now seamlessly log in to salesforce without remembering multiple passwords, reducing login times and increasing productivity. The integration backed up with Okta’s Sign-On policies, enhances organization security posture by providing an additional layer of authentication, ensuring that only authorized personnel can access sensitive customer data. By streamlining Salesforce access with Okta, we have improved user experience, increased efficiency and strengthened security, ultimately driving business growth and success. 

Okta Docs | Setup SSO for Salesforce

Okta Docs | Adding Salesforce to Okta