Streamlining Access to Multiple Zoho Applications with Okta SSO Integration

  • Introduction
  • Usecase Overview
  • Usecase Demonstration
  • Conclusion
  • Reference Links

Introduction:

In today’s digital landscape, organizations often use multiple business applications to run their operations: Salesforce, Office 365, CRM platforms, and HRMS tools such as Zoho People Plus and Zoho Recruit. Employees are required to log in separately to each application, resulting in inefficiencies, wasted time, and a fragmented user experience.

To address the challenge of managing multiple applications within the Zoho portfolio, such as Zoho People Plus, Zoho CRM, and Zoho Recruit, a simple and effective solution is to integrate Zoho Directory with Okta through SAML 2.0.

Usecase Overview:

Check out the presentation video for an overview of the use case around integrating Zoho with Okta.

Usecase Demonstration:

Here’s the technical walkthrough on the integration and provisioning between Zoho & Okta.

Conclusion:

In conclusion, integrating Okta with the Zoho portfolio has significantly streamlined users’ access to the platform. With Okta’s Single Sign-On (SSO) capabilities, users can now seamlessly log in to multiple Zoho applications without remembering multiple passwords, reducing login times and increasing productivity. Backed by Okta’s sign-on policies, the integration enhances the organization’s security posture by providing an additional layer of authentication, ensuring that only authorized personnel can access sensitive customer data. By streamlining Zoho access with Okta, we have improved user experience, increased efficiency and strengthened security.

Reference Links:

Integrating Zoho with Okta | Zoho Docs

SailPoint IdentityIQ Prod Architectures

IT infrastructure and operations are critical assets for businesses to function smoothly. Disaster recovery management involves planning and implementing strategies to ensure that an organization can quickly recover from disruptive events, such as natural disasters, cyberattacks or equipment failures. IT disaster recovery management is a way to save the business from the negative consequences of these risks.

Such scenarios can present a direct threat to business continuity and survival. The impact can be in the form of financial losses, operation disruptions, reputation loss, or even legal consequences.

This blog post discusses disaster recovery management and the best practices to adopt. 

Disaster recovery is the process by which an organization attempts to prevent or minimize the loss of business and data in the event of a disaster. It is about how an organization bounces back and regains normalcy after the catastrophic impact of such events. 

Disasters can have significant impacts on software systems, affecting both the functionality and security of applications.

  1. Data Loss: Disasters can lead to the loss of critical data, especially if proper backup systems are not in place.
  2. Downtime: Software systems may experience prolonged downtime, disrupting business operations and leading to financial losses.
  3. Security Breaches: Disasters can expose vulnerabilities, making systems more susceptible to cyberattacks and data breaches.
  4. Corrupted Data: Data corruption can occur during disasters, leading to inaccurate or unusable information.
  5. Service Disruptions: Essential services and applications may become unavailable, affecting users and customers.

For example, in 2024, OpenAI experienced a major outage due to a misconfiguration in their Kubernetes system, which disrupted key services like ChatGPT and Sora for several hours. This incident highlighted the importance of proper configuration management and disaster recovery planning.

A SailPoint disaster recovery plan supports business continuity: it refers to the processes and procedures that ensure the uninterrupted functioning of the business during and after a disruptive event.

The simple flow below illustrates the DC-DR strategy.

Data Center-Disaster Recovery (DC-DR) architecture has several advantages.

  1. Business Continuity: Ensures that critical business operations can continue during and after a disaster, minimizing downtime.
  2. Data Protection: Provides robust data backup and recovery solutions, safeguarding against data loss.
  3. Compliance: Helps meet regulatory requirements for data protection and disaster recovery.
  4. Scalability: Can be scaled to accommodate growing business needs and data volumes.

This video explains the SailPoint IdentityIQ Production Architecture and business continuity plan strategies.

Prerequisites (DC-DR works with all recent versions):

The following software is used in our ENH environment.

  1. SailPoint IIQ
  2. JDK
  3. Tomcat (or any application server)
  4. NGINX (load balancer)
  5. Database (MySQL)
  6. Linux (OS)

The key elements of disaster recovery are data replication and load balancing.

Steps – How database replication works:

  • Step 1: Identify the Primary Database (Source): A primary (or master) database is chosen as the main source of truth where data changes originate.
  • Step 2: Set Up Replica Databases (Targets): One or more replicas (or secondary databases) are configured to receive data from the primary database.
  • Step 3: Data Changes Captured: Any updates, inserts, or deletes in the primary database are recorded, typically through a transaction log or change data capture mechanism.
  • Step 4: Transmit Changes to Replicas: The captured changes are sent to replica databases over the network in real-time or at scheduled intervals.
  • Step 5: Apply Changes on Replicas: The replicas apply these updates to keep their data in sync with the primary database.

In an active-standby (or active-passive) load balancer setup, the primary load balancer (active) handles all the traffic under normal conditions, while the secondary load balancer (standby) remains on standby, ready to take over if the primary load balancer fails.

Steps – How load balancers work:

  • Primary Load Balancer (Active):
    1. Actively manages and distributes incoming traffic to the servers in the primary data center (DC).
    2. Continuously monitors the health and performance of the servers and the network.
  • Secondary Load Balancer (Standby):
    1. Remains on standby, not handling any traffic under normal conditions.
    2. Regularly synchronizes with the primary load balancer to stay updated with the current state and configurations.
  • Failover Process:
    1. If the primary load balancer detects a failure or significant issue, it triggers the failover process.
    2. The secondary load balancer becomes active and starts handling the traffic, ensuring minimal disruption to services.
  • Failback Process:
    1. Once the primary load balancer is restored and verified to be fully operational, traffic can be redirected back.
    2. The secondary load balancer returns to standby mode, ready for any future failover events.

This setup ensures high availability and reliability by providing a backup load balancer that can quickly take over in case of a failure.

The following demo video is a deep-dive demonstration of the SailPoint disaster recovery plan and failover configuration using our ENH environment.

NGINX (Load Balancer):

  1. Add only the UI servers to the load balancer pool.
  2. Sticky Sessions: Configure the load balancer for sticky sessions (also known as session persistence) to ensure that a user’s session is consistently routed to the same application server.
  3. We recommend an active-standby (or active-passive) load balancer setup.

Database:

  1. Configure your database for replication to ensure high availability and disaster recovery. Use native database replication features such as MySQL replication or Oracle Data Guard.
  2. The database must use one-phase commit.
  3. When setting up replication, make sure only the identityiq, identityiqah and identityiqPlugin databases are replicated.



Password Management for Okta Administrators using CyberArk PVWA 

  • Introduction
  • Pre-Requisites
  • Use case Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Introduction: 

As organizations continue to adopt cloud-based identity and access management solutions like Okta, securing administrative access to these platforms has become a top priority. Okta administrators possess elevated privileges, allowing them to manage user identities, configure security policies, and access sensitive data. However, this also makes them a prime target for attackers seeking to exploit these privileges.

To mitigate this risk, it is essential to implement a robust password management solution that can securely store, manage, and rotate administrative credentials. Okta manages passwords in the cloud, whereas the organization wants to manage passwords on-premises using CyberArk Password Vault.

To address the integration challenge, we implement a solution that integrates Okta with CyberArk PVWA using SAML 2.0. This integration enables secure and automated management of Okta admin account passwords, reducing the risk of password-related security incidents and ensuring compliance with regulatory requirements. As part of this solution, two accounts are created in Okta for each admin: a non-privileged account used to access the Okta user dashboard, and a privileged account linked to CyberArk PVWA. The privileged account receives a password generated by CyberArk, which is used for authentication. Using SAML 2.0, the admin logs in to Okta with the privileged account credentials, with the password provided by CyberArk. This ensures secure and compliant access and password management processes, streamlining administrative tasks and reducing the risk of security breaches.

Pre-requisites: 

  • Okta tenant, CyberArk PVWA tenant and Active Directory with a domain.
  • Active Directory must be integrated with CyberArk and Okta.

Use case Overview:

Refer to the video below for an overview of Okta and the use case around integrating CyberArk Password Vault with Okta.

Technical Demonstration:

Here’s the technical walkthrough on the integration between CyberArk Password Vault & Okta.

Conclusion: 

The integration of Okta with CyberArk PVWA provides a comprehensive solution for managing Okta administrator passwords, enhancing security, and improving compliance. By automating password rotation, expiration, and compliance checks, organizations can reduce administrative burden and minimize the risk of password-related security incidents. With real-time visibility and control over password management, organizations can respond swiftly to security incidents and ensure the integrity of their identity and access management systems. Overall, this integration provides a robust and scalable solution for securing Okta administrator passwords and protecting sensitive resources and applications.

Reference Links:

Setup SSO | Okta 

SAML authentication | CyberArk Docs 

Integrating SailPoint IIQ with Okta

  • Introduction
  • Prerequisites
  • Usecase Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Introduction

In today’s digital landscape, many organizations face significant challenges in securely managing access to their sensitive data. These unchecked identity challenges often result in vulnerabilities, data breaches, and difficulty ensuring that only the right individuals have the appropriate access. This solution offers a robust answer to these issues by simplifying and strengthening access control with a governance view. By integrating Okta with a product like SailPoint IdentityIQ (IIQ), organizations can strengthen their identity governance and automate the provisioning and de-provisioning processes. This integration ensures that users are granted access solely to the resources they need, thereby minimizing security risks and ensuring compliance.

To get started, organizations need to configure SSO and the Okta connector within SailPoint IIQ, which link their systems and data sources to enable seamless and secure access management across the enterprise.

Prerequisites

Usecase Overview

Please watch the video to understand why we are integrating SailPoint IIQ with Okta and the specific use case for this integration.

Technical Demonstration

In this video, we’ll show you how to integrate SailPoint IIQ with Okta. We’ll cover setting up SSO, configuring the Okta Connector, and mapping Okta attributes to SailPoint. We’ll also demonstrate how admins manage access reviews and how users can access SailPoint IIQ from Okta.

Conclusion

In closing, with all the steps carried out in this use case, we have successfully integrated SailPoint IIQ with Okta, which enhances access management by ensuring that the right identities have access to the right resources. It also achieves identity lifecycle management by keeping access synchronized and governance policies harmonized between the products. This integration reduces manual processes, increases compliance, and streamlines access control across the organization. Regular monitoring and fine-tuning of policies ensure the integration remains effective as organizational needs evolve.

Reference Links

Integrating SailPoint IIQ with Okta

Best_Practices_Integration_Guide

Okta Custom Login URL and Branding 

  • Introduction
  • Problem Statement
  • Solution
  • Usecase Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Introduction

In today’s enterprise environment, providing a seamless and branded login experience is essential for user engagement, security, and brand identity. Companies using Okta for identity management often seek to customize their login portals to cater to different user groups such as employees, contractors, and partners. A custom login page not only enhances the user experience but also reinforces the company’s branding and can improve security by providing distinct, role-specific access points.

This blog describes how to set up personalized login URLs and pages for employees and contractors/partners, enabling each user to enjoy a customized login experience while utilizing Okta’s identity management features.

Problem Statement 

Organizations typically have a diverse set of users, including employees, contractors, and business partners. These users may need to access different resources, apps, and tools, but they may also have different access control policies and security requirements. The need for custom login experiences arises from the following challenges: 

  • Brand Consistency: The login experience should reflect the company’s branding and visual identity. 
  • Role-based Customization: Different users (employees, contractors, partners) may have different access levels and login requirements. 
  • User Segmentation: Having a single login page can be confusing for users from different groups who may have different authentication mechanisms or access privileges. 
  • Security and Compliance: Separate login pages can help implement role-based security policies more effectively. 

Solution 

To address the problem, we propose the following solution using Okta’s customization features: 

Custom Logon URLs and Pages for Different Users 

  • Employee Login Page: A custom URL like https://employeelogin.company.com will serve employees, presenting the company’s branding and specific employee-related apps. 
  • Okta Customization: Okta provides options to customize the login page through its “Okta Sign-In Widget” and “Custom Sign-In Pages.” These tools allow for integrating branding elements (e.g., logos, colors), different authentication methods (e.g., MFA), and a dynamic user flow tailored to each user group. 

Usecase Overview:

Check out the presentation below to explore how to configure a Custom Domain in Okta, including the benefits of custom branding and DNS configurations for a seamless user experience.

Technical Demonstration:

Check out the demo below to see how to configure a Custom Domain in Okta, customize the sign-in page, and apply DNS configurations for a fully branded and secure Okta experience.

Conclusion 

Customizing the Okta login experience for different users like employees, contractors, and partners helps enhance security, improve user experience, and maintain consistent branding. By using Okta’s flexibility in customizing login URLs and pages, along with role-based access control, organizations can ensure that each group has the appropriate level of access while maintaining a branded, user-friendly login process. 

Reference Links

Custom Domains & Branding | Okta 

Use an Okta-managed certificate

Use your own TLS certificate

CyberArk PAM Master Policy

Managing and securing privileged access across diverse IT environments is complex and prone to vulnerabilities. Without a centralized approach, inconsistencies in policy enforcement can lead to security breaches and compliance issues.

Using CyberArk’s PAM Master Policy helps standardize and enforce security and compliance policies consistently across all platforms, reducing the risk of unauthorized access and enhancing overall security.

CyberArk’s PAM Master Policy offers a simple and intuitive way to manage an organization’s security policy.

The Master Policy enables us to configure the security and compliance policy of privileged accounts in an organization from a single pane of glass. It allows us to configure compliance-driven rules, which will be defined as the baseline for the organization.

The Master Policy is divided into four higher-level, compliance-driven policy sections:

  1. Privileged Access Workflows
  2. Password Management
  3. Session Management
  4. Audit

Each of the above sections has a set of rules and offers better visibility and control over policy configurations and enforcement.

Master policy rules
Image: Rules of the Master Policy

Master policy settings, when configured, can be applied to most privileged accounts in the organization. However, a few privileged accounts may need to deviate from these global settings for various reasons. We can create exceptions for the accounts that need to deviate from the configured global settings.

The following video explains CyberArk PAM’s Master Policy and its rules in detail. Below are the topics covered in this video:

  • The Master Policy
  • Master Policy: Main Concepts
  • Master Policy: Rules
  • Master Policy: Configuring a Rule
  • Privileged Access Workflows
  • Password Management
  • Session Management
  • Audit
  • Exceptions
  • Combining Privileged Access Workflows

CyberArk PAM Master Policy: Technical Presentation

The following video will provide a detailed technical demonstration on configuring the Master Policy:

CyberArk PAM Master Policy: Technical Demonstration

In conclusion, managing privileged access across diverse IT environments is complex and prone to vulnerabilities. CyberArk’s PAM Master Policy standardizes and enforces security and compliance policies, reducing the risk of unauthorized access.

ENH iSecure plays a crucial role in this ecosystem by providing comprehensive support and expertise in implementing and managing CyberArk’s PAM Master Policy. With ENH iSecure, organizations can ensure that their privileged access management is not only effective but also aligned with industry best practices and compliance requirements.

Transparent User Management

Introduction:

Managing privileged accounts in a complex IT environment is risky due to manual processes, excessive permissions, and limited visibility. This increases security threats, hinders compliance, and adds administrative burden.

CyberArk Transparent User Management addresses these challenges through automation, secure credential handling and auditing.

CyberArk Transparent User Management automates privileged account provisioning, secure credential management, and access auditing. By integrating with LDAP directories, it streamlines user administration, reduces manual effort, and enhances security. Transparent User Management ensures that access rights remain aligned with roles, minimizing risks from excessive permissions and insider threats.

From the diagram, we can see that users and groups from Active Directory are integrated using LDAP over SSL. After LDAP integration, the users and groups are seamlessly and securely provisioned into CyberArk. These groups from Active Directory are then mapped to predefined groups in CyberArk.

In this blog, we discuss CyberArk Transparent User Management in detail. The following are the key topics covered:

  1. Types of users in CyberArk
  2. Transparent Users and Groups
  3. Pre-requisites for LDAP Integration
  4. LDAP Integration
  5. Directory Mapping
  6. User Provisioning
  7. LDAP Synchronization
  8. Managing Transparent users and groups

In the video blog on CyberArk Transparent User Management, we discuss the above-mentioned topics.

Presentation:

A detailed demonstration of Transparent User Management is given in the following video.

Demo:

Pass Through Authentication via Active Directory in SailPoint IdentityIQ

In today’s digital age, secure authentication is crucial for all kinds of organizations. Pass Through Authentication (PTA) enables users to access resources seamlessly without the need to maintain credentials in on-prem application infrastructure. The user credentials are validated against the organization’s directory service, such as Active Directory, without the need to store them. PTA is commonly used in hybrid environments where organizations want control over authentication while integrating with cloud services. The diagram below depicts the process of Pass Through Authentication via Active Directory in SailPoint IdentityIQ.

Image: Pass Through Authentication via Active Directory

  1. A user requests to log in to an application, in our case, SailPoint.
  2. The application (SailPoint) secures the credentials by encrypting them.
  3. The login configuration is checked and found out to be Pass Through Authentication.
  4. The credentials are validated against Active Directory.
  5. After successful validation, the user is logged in.

  • Pass Through Authentication ensures the credentials are not stored, reducing the risk of exposure.
  • Simplifies user management by validating against a directory system like Active Directory.
  • Provides real-time authentication, ensuring accurate and up-to-date access control.
  • Offers a seamless experience, as users can log in to on-prem and cloud-based applications using the same credentials.

Let’s have a closer look at Pass Through Authentication in the video below.

In this video, a detailed demonstration of Pass Through Authentication via Active Directory and use cases like AD birthright provisioning are discussed.

SailPoint Identity Security Cloud Launcher and Launchpad

SailPoint Identity Security Cloud is a comprehensive Identity and Access Management (IAM) solution designed to help organizations manage user access to critical systems and applications efficiently and securely. Within IdentityNow, Launcher and Launchpad are key components that enhance user experience and streamline access management processes.

Launcher

Launcher is a feature within IdentityNow that allows users to manually initiate interactive processes related to access management. It is tied to entitlements and can be assigned to users through regular governance practices. Here’s how it works:

  • Manual Initiation: Users can manually start processes such as access requests, certifications, and reviews.
  • Entitlements: The launcher is linked to specific entitlements, ensuring that users have the appropriate permissions to initiate these processes.
  • Governance Integration: It integrates with IdentityNow’s governance framework, allowing for seamless management and oversight of access-related activities.

Launchpad

Launchpad is a centralized interface within IdentityNow that provides users with a single point of access to various identity management tasks and applications. It offers a user-friendly and intuitive way to navigate and manage identity-related activities. Key features include:

  • Centralized Access: Users can access different identity management functions from one place, improving efficiency and ease of use.
  • Customization: The launchpad can be customized to meet the specific needs of an organization, allowing for personalized dashboards and workflows.
  • Self-Service Capabilities: Users can perform self-service tasks such as password resets, access requests, and profile updates directly from the launchpad.

Creation Flow for Launcher and Launchpad

Together, Launcher and Launchpad enhance the user experience by providing intuitive and efficient ways to manage access and identity-related tasks within IdentityNow.

In the video below, I have thoroughly explained Launcher and Launchpad, along with Forms and Workflow, using a simple presentation:

In this video, I have vividly explained the entire process of Launcher and Launchpad using real-life analogies:

Machine Identity Management in SailPoint Identity Security Cloud

The age of AI and automation is here. With organizations all around the globe leveraging Artificial Intelligence and Machine Learning, more and more tasks and processes previously done manually are now being automated. This leads to the creation of numerous machine accounts: accounts used by Robotic Process Automation (RPA), privileged service accounts for authenticating requests from an external system, and the like. Consequently, organizations are spending more time and resources managing the access held by these non-human accounts in every application, which often leads to complicated situations because there is no centralized view of that access.

As described above, organizations are automating mundane processes, and thus more machine accounts are being created. These accounts can be difficult to manage and govern in a standalone environment, considering the lack of ownership and of effective ways to control and manage their access. The following are some statistical insights on machine accounts shared by SailPoint:

This gives a clear picture as to how AI, Automated Scripts and Robotic Processes are taking over the workplace, which signifies the difficulty as well as importance of managing these machine accounts.

This is where SailPoint’s Machine Identity Security comes in. It offers a robust set of features to:

  • Discover any accurately configured machine account on any source
  • Classify the accounts as machine accounts using an account attribute or set of attributes (e.g., in Active Directory, if machine accounts contain the word “bot” in their sAMAccountName, we can use this account attribute to classify those accounts as machine accounts in SailPoint)
  • Assign a human owner to a machine account. This identity will be responsible for reviewing the access held by the machine account in a certification campaign
  • Correlate the machine accounts to machine identities
  • Certify the machine account’s access using Certification Campaigns
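The classification and ownership steps above, as an added offline example that is not SailPoint’s code or API: constructed account records from the three source types named in this post are run through an assumed per-source attribute rule (for Active Directory, the “bot” in sAMAccountName rule from the text), matching accounts become machine accounts, owners are looked up, and accounts left without a human owner are reported so they can be assigned before a certification campaign. The record layout, rule set and owner table are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of aggregated account records (not real data). Attribute
# names follow the sources mentioned in the post: Active Directory, SAP, Web Service.
ACCOUNTS = [
    {"source": "Active Directory", "attrs": {"sAMAccountName": "svc-bot-payroll", "description": "RPA bot"}},
    {"source": "Active Directory", "attrs": {"sAMAccountName": "jdoe", "description": "John Doe"}},
    {"source": "Active Directory", "attrs": {"sAMAccountName": "BOT_invoice", "description": ""}},
    {"source": "SAP", "attrs": {"USERNAME": "RFC_INTEGRATION", "USTYP": "B"}},
    {"source": "SAP", "attrs": {"USERNAME": "MSMITH", "USTYP": "A"}},
    {"source": "Web Service", "attrs": {"name": "api-client-crm", "isServiceAccount": "true"}},
]

# Assumed per-source classification rules: (attribute, predicate). In the product
# these are configured per source; here they are plain Python for illustration.
RULES: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "Active Directory": ("sAMAccountName", lambda v: "bot" in v.lower()),
    "SAP": ("USTYP", lambda v: v in {"B", "C"}),  # SAP system (B) / communication (C) user types
    "Web Service": ("isServiceAccount", lambda v: v.lower() == "true"),
}

# Constructed owner table: (source, account name) -> human identity responsible for reviews.
OWNERS: Dict[Tuple[str, str], str] = {
    ("Active Directory", "svc-bot-payroll"): "jdoe",
    ("SAP", "RFC_INTEGRATION"): "msmith",
}


@dataclass
class MachineAccount:
    source: str
    name: str
    owner: Optional[str]  # None means nobody is accountable for this account yet


def account_name(record: dict) -> str:
    """Return the naming attribute, which differs per source type."""
    attrs = record["attrs"]
    for key in ("sAMAccountName", "USERNAME", "name"):
        if key in attrs:
            return attrs[key]
    raise KeyError(f"no naming attribute in record from {record['source']}")


def is_machine_account(record: dict, rules=RULES) -> bool:
    """Apply the source's rule; sources without a rule are never classified."""
    rule = rules.get(record["source"])
    if rule is None:
        return False
    attr, predicate = rule
    value = record["attrs"].get(attr)
    return value is not None and predicate(value)


def classify(records: List[dict], rules=RULES, owners=OWNERS) -> List[MachineAccount]:
    """Tag machine accounts and correlate each one to its human owner, if any."""
    machines = []
    for rec in records:
        if is_machine_account(rec, rules):
            name = account_name(rec)
            machines.append(MachineAccount(rec["source"], name, owners.get((rec["source"], name))))
    return machines


def unowned(machines: List[MachineAccount]) -> List[MachineAccount]:
    """Machine accounts that cannot be certified yet because no owner is assigned."""
    return [m for m in machines if m.owner is None]


def certification_items(machines: List[MachineAccount]) -> Dict[str, List[str]]:
    """Group owned machine accounts by owner: what each reviewer would see in a campaign."""
    by_owner: Dict[str, List[str]] = {}
    for m in machines:
        if m.owner:
            by_owner.setdefault(m.owner, []).append(f"{m.source}:{m.name}")
    return by_owner


if __name__ == "__main__":
    found = classify(ACCOUNTS)
    print("machine accounts:", [(m.source, m.name, m.owner) for m in found])
    print("needs an owner before certification:", [(m.source, m.name) for m in unowned(found)])
    print("review items per owner:", certification_items(found))
```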

The diagram above depicts SailPoint Machine Identity Security, which aggregates machine accounts from various applications such as Active Directory, SAP and Web Service and manages them under a single platform i.e., Identity Security Cloud.

There are several advantages to using SailPoint Machine Identity Security:

  • It provides clear visibility and insights on all machine accounts across various applications.
  • It provides tools to automate the management of machine accounts. This eliminates the need to maintain and manage these accounts and their access manually, such as in Excel sheets.
  • Human owners can be assigned to machine accounts, ensuring accountability, risk detection and mitigation.
  • Access reviews via Certification Campaigns help ensure that machine accounts follow the principle of least-privilege access control.

Let’s have a close look at how SailPoint Machine Identity Security works in the following video:

The following video is a deep-dive demonstration of SailPoint Machine Identity Security:

Hope this blog gave you some insights into how you can use SailPoint Machine Identity Security to effectively classify, manage and govern machine accounts from any source. Please share your thoughts and feedback in the comment box below.

Please follow our socials to stay up to date with the latest technology content.

Thank you!