Duo is a two-factor authentication solution that helps organizations boost security by verifying user identity, establishing device trust, and providing a secure connection to company networks and applications.
Why Duo
Duo is fast, easy and flexible. Passwords and even basic Multi-Factor Authentication (MFA) aren’t enough to keep you safe from today’s attackers. Duo gives you the extra layers of protection you need for secure access management. With this setup, Duo two-factor authentication (2FA) is added as a verification option for account unlocking and password resets.
Prerequisites to integrate Duo
Configure SailPoint Web application and copy ClientID, secret and hostname these details are required for SailPoint integration.
Add users and enroll them in the application. User should have an account in SailPoint.
Technical Overview:
Here’s the technical demonstration on the integration of Duo
Use case Demonstration – Integration flow:
Please refer to the below video to have an understanding about Duo integration
SailPoint configuration
The steps to be done in SailPoint tenant for duo integration
First in SailPoint, integrate the Duo and then check the test connection after successful test connection
Enable multifactor Authentication in Identity profile
And select duo web in Password Reset and Unlock Settings
Now you are all set to use duo authentication
Duo 2FA for Identity security cloud password reset
With duo integration user can reset his password
First user has to proceed to reset password
Enter the username
Then you should enter the passcode received from duo after successful duo authentication you can able to set new password
Duo 2FA for Identity security cloud Unlock account
If the user account got locked, then he can unlock his account with duo integration
First user has to proceed to unlock account
Enter the username
After successful duo authentication your account will be unlocked
In today’s digital landscape, organizations rely on various applications to enhance productivity, necessitating secure access for diverse workforces, including remote employees and contractors. To ensure secure access for remote workers using new devices, implementing Multi-Factor Authentication (MFA) is essential. When accessing sensitive applications from unrecognized devices, Okta prompts for MFA, requiring additional authentication steps such as a one-time password or biometric verification. Administrators can set contextual-behavior based sign-on policies to determine when MFA is necessary, enhancing security and reducing unauthorized access risks, while logging all attempts for monitoring and auditing.
Usecase Overview:
Please refer to the below video to have an understanding about Okta Sign-On Policies focusing on their structure, functionality, and how they enhance security using contextual behavior detection methods.
Usecase Demonstration:
This demonstration offers a comprehensive overview of the Sign-on Policies in Okta, highlighting the practical application with a common scenario around WFH / remote employees.
Challenges:
In general, many organizations encounter various challenges when it comes to user access management:
Securing access for remote employees, contractors, and full-time staff who require varying levels of access to applications.
Ensuring consistent user attributes and access permissions across all applications.
Demonstrating compliance with security standards by implementing strong access controls and monitoring user activity.
Minimizing administrative overhead associated with managing user identities and access.
Conclusion:
Implementing Okta for centralized security management enables organizations to leverage the platform’s robust features and benefits. By setting up user groups, integrating applications, configuring session policies, and enabling MFA, companies can create a secure and efficient identity management system that meets their specific requirements.
Active Directory (AD), a directory service developed by Microsoft for Windows domain networks, is primarily used for authentication and authorization, helping organizations manage user access to resources. However, as organizations increasingly adopt cloud-based applications, managing user access across disparate directories has become a challenge for traditional Active Directory (AD)/LDAP systems. Each cloud service often introduces its own user store, leading to a proliferation of login credentials and making it difficult to maintain consistent, secure access control.
This complexity can result in administrative headaches, such as trouble deactivating user accounts when employees leave and a lack of visibility into resource access. To address these issues, many companies turn to Okta, an identity management platform that integrates seamlessly with Active Directory, bridging the gap between on-premises and cloud environments. By using Okta, organizations can continue to leverage their existing AD or LDAP services for user authentication while centralizing User Lifecycle Management, providing a unified dashboard for administrators to ensure consistent, secure access control across all systems.
Understanding Okta Universal Directory
Okta Universal Directory is a centralized platform designed for managing user identities from various sources. As a core component of the Okta Identity Cloud, Universal Directory provides a centralized view of all users and their respective attributes, making it easier for IT teams to oversee and manage user data. This product enables organizations to maintain a unified profile for a user, no matter where their data comes from. This capability is especially advantageous for enterprises with multiple user directories, as it simplifies user management and bolsters security.
Key Features of Okta Universal Directory
Centralized User Management: Universal Directory allows you to manage all your user identities in one place. This means that whether your users are employees, partners, or customers, you can easily create, modify, or deactivate their accounts without jumping between different platforms.
Integration with Multiple Sources: It allows integration with various identity sources, including Active Directory (AD), LDAP, and HR systems like Workday. This flexibility ensures that organizations can consolidate user information from different platforms seamlessly.
Customizable User Profiles: Universal Directory supports both Okta user profiles and app-specific user profiles. This capability allows organizations to define and manage user attributes tailored to their applications, ensuring that each app only accesses the data it needs.
Customizable User Attributes: With Universal Directory, you can customize user attributes to fit your organization’s unique needs. This flexibility enables you to collect and store specific information relevant to your users, such as job titles, department details, or location data.
Real-Time Synchronization: Changes made in AD, such as user updates or account deactivations, are synchronized in real-time with Okta. This ensures that terminated employees lose access immediately, enhancing security and compliance.
Delegated Authentication: The integration allows for delegated authentication, meaning that users can authenticate against AD without needing direct access to the AD environment. This feature simplifies the authentication process while maintaining security.
Prerequisites
Okta Tenant:
You must possess an account with Super Admin role privileges.
On-Premises Active Directory:
The host server should have at least two CPUs and a minimum of 8 GB RAM.
Host server running Windows server 2016 & above.
.NET framework 4.6.2 and above.
The host server should be a member server part of the same domain.
Okta agent installation wizard should be executed from the host server.
An account with Domain administrator privileges for domain discovery & AD agent application installation in the host server.
Delegated Authentication – Enables the users to use their AD credentials to access Okta & downstream applications. This feature is enabled by default.
Usecase Overview:
Check out the video below to explore Okta’s Universal Directory and how it works with Active Directory integration. Along with that, benefits of Universal Directory & the integration flow.
Technical Demonstration – Integration flow:
Here’s a technical demonstration, a step-by-step approach explaining the integration between Active Directory and Okta.
Conclusion
Integrating Active Directory with Okta not only streamlines identity management but also enhances security and user experience. With Okta’s Universal Directory, organizations can manage user identities more effectively, ensuring that they are well-equipped to handle the demands of a cloud-first world. This integration empowers IT teams to focus on strategic initiatives rather than being bogged down by the complexities of traditional identity management systems.
Many organizations face difficulties in securely managing access to their servers. This often results in compromised static credentials, delay in accessing the servers and increase in security risks. Okta’s approach to address this problem is unique, comes with Advanced Server Access (ASA) to provide simple & secure way to access the servers through ephemeral certificates. These certificates are short-lived & tightly scoped which ensures strong security for the connection. And also, JIT Passwordless authentication for server access which will create & revoke access for the user through time-bound constraints. It streamlines the login process and enhances security, ensuring that only the right people can access right resources.
To get started, we need to create and configure an ASA team, which is a designated group of users that can authenticate with Okta. Each team acts as an Advanced Server Access tenant, with all configurations and resources scoped to that team.
Prerequisites:
An Okta Org account with the necessary permissions to configure applications and integrations.
Supported OS for ASA Server Agent – Linux & Windows
Supported OS for ASA Client Agent – Linux, Windows & MacOS
Administrative permission to install ASA Server Agent & Client Agent on servers & end devices.
Please refer to the below video to have an understanding about Okta Advanced Server Access & the usecase around integrating servers with Okta ASA.
Technical Demonstration:
Here’s the technical demonstration on the integration of Windows and Linux servers with Okta ASA. We will cover the process of creating an ASA team in ScaleFT, followed by integrating and configuring the ASA application in Okta. Next, we will explain how to enroll servers and clients, and finally, we will test the process by accessing the server from client machines to showcase a seamless user experience.
Conclusion:
On a closure note, with all the steps carried out in this blog it is fair enough to say integrating Servers with Okta Advanced Server Access not only enhances security through ephemeral credentials but also simplifies management processes while ensuring compliance. Its scalable architecture supports modern cloud environments, making it a comprehensive solution for organizations looking to secure their server access effectively.
In today’s fast-paced business environment, manually logging into multiple App’s can be a tedious and time-consuming process, especially when dealing with multiple accounts or complex password policies. Moreover, security risks associated with password-based authentication can put your organization’s sensitive data at risk.
That’s where Okta Single Sign-On (SSO) comes in, a solution that streamlines App access, boosts productivity, and fortifies security. By integrating Okta SSO with multiple App’s like Salesforce, Slack, LinkedIn, etc.., organizations can provide teams with seamless, one-click access to the platform, while maintaining the highest levels of security.
In this blog, we’ll explore the benefits of using Okta SSO with Salesforce and provide a step-by-step guide on how to set up and configure this powerful integration.
Pre-requisites:
Okta Tenant:
An account with Super Admin role privileges
Salesforce Tenant:
Salesforce Org with system administrator privileges
Custom Domain: acme
Usecase Overview – Integration flow:
Please refer to the below video to have an understanding about Okta & the use case around integrating Salesforce with Okta.
Technical Demonstration:
Here’s the technical walkthrough on the integration and provisioning between Salesforce & Okta.
Conclusion:
In conclusion, integrating Okta with Salesforce has significantly streamlined the users access to the platform. With Okta’s Single Sign-On (SSO) capabilities, users can now seamlessly log in to salesforce without remembering multiple passwords, reducing login times and increasing productivity. The integration backed up with Okta’s Sign-On policies, enhances organization security posture by providing an additional layer of authentication, ensuring that only authorized personnel can access sensitive customer data. By streamlining Salesforce access with Okta, we have improved user experience, increased efficiency and strengthened security, ultimately driving business growth and success.
Most of the organizations, rely on Microsoft Active Directory Services or LDAP for a centralized store for identities & access permissions. Majority of the on-prem applications rely on these services to authenticate and authorize the actions. But with the cloud-based application, where the applications would have their own identity profiles to manage the application it is challenging for the administrator to manage the user accounts & it would be challenging for the end user too to use multiple identities for multiple applications.
Okta provides a solution to utilize the existing Microsoft Active Directory Services / LDAP services to access the SaaS applications through Active Directory / LDAP integration. This allows a single dashboard for the users to access the applications using their existing credentials and for administrators a centralized service to handle the lifecycle management.
In this section, we will integrate an existing on-premises Active Directory to Okta and let Okta provision the user accounts for us in Microsoft 365 tenant.
For simulating this in our lab environment, we’ll need to have access to 3 entities & few prerequisites.
Okta Tenant.
Member Server for Okta Active Directory Agent Installation.
Microsoft 365 tenant.
Pre-requisites:
Okta Tenant:
An account with Super Admin role privileges.
Member Server for Okta Active Directory Agent Installation:
The host server should have at least two CPUs and a minimum of 8 GB RAM.
Host server running Windows server 2016 & above is supported.
.NET framework 4.6.2 and above is supported.
Host server should be a member server part of the same domain.
Okta agent installation wizard should be executed from host server.
Microsoft 365 Tenant:
Microsoft 365 tenant name – This is the default tenant name registered as “comanyname.onmicrosoft.com”
Microsoft 365 domain – This is the custom domain which is chosen for federation.
Microsoft 365 global administrator user account.
Usecase Overview – Integration flow:
Please refer to the below video to have an understanding about Okta & the use case around integrating Office365 with Okta.
Technical Walkthrough:
Here’s the technical demonstration on the integration between Office 365 & Okta.
Conclusion:
On a closure note, with all the steps carried out in this blog it is fair enough to say integrating Okta with Active Directory & Office 365 eases the overhead of IT administrators for access management and provisioning happening through Single Sign-on. With this integration in place, IT administrators can manage the user assignments & modifying the attributes from Okta and the replication will happen to AD & Office 365 tenant.
In order to create the transform, get transform details, update transform or delete any tranform, we can make use of REST APIs available for transforms.
Delete transform API is used to delete any transform using transform ID.
Transform Operations:
In order to make use of transform according to the use case, we should understand various transform operations that are available.
Below are the various types of operations that are available in transform. Each of these operations performs specific task, we can use them according to our needs.
The base64 decode transform allows you to take incoming data that has been encoded using a Base64-based text encoding scheme and render the data in its original binary format.
Transforms Series – Video 2 of 4: Below video is the second video in a series of 4 videos about transforms. This part contains use cases, transform operations like account attribute transform, base64 decode transform, base64 encode transform, concatenation, conditional, date format, date math, date compare, decompose diacritical marks, first valid, generate random string
Video:
Transforms Series – Video 3 of 4: Below video is the third video in a series of 4 videos about transforms. This part contains about transform operations like get end of string, get reference identity attribute, identity attribute, index of , ISO3166, last index of, left pad, look up lower, name normalizer, random alphanumeric, random numeric
Video:
Transforms Series– Video 4 of 4: Below video is the fourth video in a series of 4 videos about transforms. This part contains about transform operations like reference, replace all, replace, right pad, rule, split, static, substring, trim, upper, username generator, UUID generator
Let us have an overview on the difference between the cloud rules & connector rules
Cloud Executed rules are running in the cloud within the Identity Now tenant. Connector rules run on the virtual appliance which is on-premise inside the customer’s data center
Cloud Execution Rule :
Cloud executed rules, as the name implies, are executed within the Identity Now multi-tenant environment.
They typically have independent functions for a specific purpose. For example, calculating an Identity attribute value.
Cloud executed rules typically need to query the Identity Now data model in order to complete their work.
The rule might need to guarantee uniqueness of a value and it would generate a value and query Identity Now to determine if that value already exists.
Access to any Identity Now data is read-only and you can’t make any calls outside of Identity Now such as a REST API from another vendor service.
Because they run in a multi-tenant environment, the are put in a very restricted context and there is a great deal of scrutiny taken during the required review process for rules.
We will cover the review process that is required when a cloud-executed rules is submitted later in the presentation.
Of course, this all makes sense as you cannot allow rules to effect other tenants if they are poorly written.
You also have to restrict the rules context so they can’t access any data from another tenant and things along those lines.
Connecter Execution Rule :
Connector executed rules do not run in the cloud which is fairly obvious based on the name.
These rules instead run on the VA itself. So they are running in the customers data center and therefore they are not running side by side with services from another tenant.
They are usually extending the connector capabilities. The functions that they perform are quite complex.
They do NOT have access to the Identity Now Data Model because they are executing on a virtual appliance.
The huge difference here is that they are not subject to a review process by SailPoint. These rules can be uploaded via the REST API and are significantly easier to work with. With that said you still want these rules to be well written.
The simple fact is that the possible negative effect of a poorly written connector rule is limited because it is not running within the Identity Now tenant.
SailPoint Provides us with six APIs to perform connector rule operations mentioned below :
GET, LIST, CREATE, UPDATE, DELETE, VALIDATE are the APIs that are currently used for connector rule operations.
A token with ORG_ADMIN authority is required to perform any operation.
Rule Examples
Example usage:
Calculate complex identity attributes.
Calculate complex account attributes.
Provide connector logic
Connector rule Example – If there is a requirement to disable the account based on the number of entitlements or the account should be disabled automatically based on role revocation, this can be achieved by writing a connector rule
Cloud rule Example– This can be used for generating a unique email id which can scan the existing email id’s and generate a unique id for every joiner.
Please subscribe to our social media and stay updated with latest technology content. Thanks you.
About Workday: Workday is a powerful cloud-based ERP platform that helps businesses streamline their financial and human resource process.
Benefits of Workday:
Workday is a human resource management system that helps companies with everything from hiring and onboarding to monitoring performance and keeping track of time and attendance to processing payroll.
Resource Management
Talent Management
Recruiting
Payroll
Big Data Analytics
Integration of Workday with SailPoint IdentityIQ:
Here, Workday application is integrated with SailPoint using Workday connector. You can have an overview of the connector documentation in the following link- SailPoint IdentityIQ Workday Connector.
The Workday Connector supports the following operations:
Account Aggregation (Full and Delta)
Update: Email, Phone, User ID (Internally mapped to username), Custom attributes
Let us have a quick overview on the presentation covering the Integration.
SailPoint’s Workday solution extends a deep level of management on your Workers, Contingent workers and Worker Accounts present in Workday HCM. It offers the seamless automation of your Joiner, Mover and Leaver use cases where you can manage the complete role base access control from single place with unlimited custom schema support.
Integration server: Workday is designed as a web service platform that is heavily into SOAP (Simple Object Access Protocol). The integration server is responsible for translating the SOAP into anything that might need integration and performs, generates reliable delivery.
By integrating SailPoint IIQ with Workday, organizations can automate and simplify employee onboarding and onboarding in minutes.
Let us go through the demo which covers the entire Integration of Workday with SailPoint
Automation testing refers to the testing of the software in which tester write the test script once with the help of testing tools and framework and run it on the software. The test script automatically tests the software without human intervention and shows the result.
Prerequisites for Automation:
Programming Language: As selenium support 14 different programing language Ex: java, python, Ruby, JavaScript, R. we can chose anyone but, I have chosen java.
Integrated Development Environment (IDE): Install an IDE such as Eclipse, IntelliJ IDEA, or Visual Studio Code to write and manage your Selenium scripts. i have used Eclipse
Java Development Kit (JDK): If you are using Java, you need to install the Java Development Kit (JDK) on your system.in my case I am using jdk 21 but we can use any version which is above 1.8, Since selenium 4th version has stopped supporting JDK 1.8 or below version.
Automation Testing Framework: we can choose any of the testing framework like TestNG, or Junit for java language.
Automation Testing Tool: We can use selenium, Appium, or similar tools based on the application type (Web, Mobile, etc)
I am using selenium because I am automating web page.
Let us walkthrough the Presentation for the same in the below link
Version control system: Git is commonly used for source code version control, which we have used for the demo
Build Tool: we can choose maven or Gradle for java project. I have used maven for demo
Continuous Integration server: I have used Jenkins
Eclipse is a digital workspace for automation testing. It’s a special software that makes creating and running automated tests easier. It is used by testers because it’s super flexible and works with different programming languages. It helps in writing, organizing, and running tests for finding problems or bugs in software.
Selenium is an Open source, It Supports multiple languages like java, python, Ruby. Scripts can be run on Multiple browsers like Chrome, Firefox, IE, Microsoft Edge. It supports Multiple operating systems like Linux, Windows, MacOS. It can be integrated with third party applications like TestNG, Cucumber.
TestNG is a testing framework used with Selenium for automating tests. It allows for organizing test cases, running tests in a specific sequence. It offers annotations to manage test execution flow, such as @Test for defining test cases, @BeforeMethod and @AfterMethod for pre and post-test setups, and @DataProvider for parameterization. The combination of Selenium and TestNG helps in efficient and structured automation testing, enabling testers to create, manage, and execute test cases reliably. Generates HTML reports showing test execution details.
Please find the below video which covers the entire demo on how automation works in SailPoint IIQ.
Advantages of Automation testing:
Efficiency: Automation testing can execute repetitive and complex tasks faster than manual testing.
Accuracy: Automated tests perform the same steps precisely every time, reducing the chance of human errors.
Reusability: Test scripts can be reused across different phases of development and in various testing scenarios.
Faster Feedback: Automated tests provide rapid feedback on the software’s stability and functionality.
