In my last article, I introduced the merits of using Single Sign-On within your organization. In it, I discussed the security gaps that can multiply as you, in essence, extend your on-prem directory service to span multiple directories. SSO has clear security benefits: centralized policies and administration (which means less human error), a single password (which usually means you can require a much stronger one), and a single place to enforce multi-factor authentication. It also has obvious productivity benefits.
A single password reduces password-reset helpdesk calls, users get portal-based access to their applications, and a unified meta-directory simplifies administration. All of this increases user productivity. But a productivity gap lurks within an organization's use of SSO, and the severity of that gap depends entirely on IT.
Directory Accuracy – the Crux of SSO Productivity
An SSO implementation is only as good as the accuracy of the directories it relies upon. SSO usually grants users access to applications based on group membership, and the same is true of email distribution groups. In many organizations, that membership is fully automated from a system of record, such as an HR database.
But if current data from that system of record isn't being synchronized to every directory in your environment, users end up unable to reach the applications they need or missing from the distribution lists they belong on. The result is more helpdesk tickets, which lowers IT's productivity as well. The reverse failure, access that lingers in a directory after a role change or a departure that HR has already recorded, is the security side of the same problem.
So, how can you ensure the directories utilized by SSO are all current?
Increasing your SSO Productivity
There are a few steps you can take to ensure your SSO implementation actually increases your organization’s productivity:
1) Know your directories – Assuming your SSO is connecting multiple on-prem, cloud-based, and application-specific directories,
2) Identify your system of record – Sure, you already know "it's the HR database", but the point here is to understand how often changes are made, whether that system of record is actually kept up to date, and so on, all in an effort to know whether IT can trust the data in your directories as the basis for automating most daily SSO changes, or whether IT will need to step in and keep it current.
3) Ensure all directories are updated – This can be accomplished in a number of ways. First, a sync from your system of record into your primary directory (Active Directory for many of you) is necessary, followed by a per-directory sync (usually built into each directory or application). An alternative is a third-party directory management solution that manages all your directories and keeps them in sync.
4) Implement Group Lifecycle Management (GLM) – Even if your system of record is kept up to date, it's not HR's job to place users in specific groups. All HR will do is make sure department, title, supervisor, phone number and so on are current. IT needs a means by which it regularly verifies that group memberships are correct, that each group is still necessary, and that the permissions attached to it are correct.
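The following is an added worked example, not code from the original article or from any Imanami/GroupID product, showing what steps 2 through 4 look like when written down as a check: it takes a constructed HR export (the system of record) and a constructed snapshot of the primary directory, reports attribute drift, accounts that should be disabled or created, group members to add or remove under attribute-based membership rules, and groups that would be left empty. All record ids, attribute names, group names and the `GROUP_RULES` policy are hypothetical.

```python
"""Directory drift and group lifecycle check over constructed sample data."""
from typing import Callable, Dict, List, Set, Tuple

HrRecord = Dict[str, str]

# Constructed HR system-of-record export (hypothetical employees).
HR_RECORDS: List[HrRecord] = [
    {"id": "u1001", "name": "Alice Adams", "dept": "Finance", "title": "Analyst", "status": "active"},
    {"id": "u1002", "name": "Bob Baker", "dept": "Engineering", "title": "Engineer", "status": "active"},
    {"id": "u1003", "name": "Carol Chen", "dept": "Engineering", "title": "Manager", "status": "terminated"},
    {"id": "u1004", "name": "Dan Diaz", "dept": "Sales", "title": "Rep", "status": "active"},
]

# Constructed snapshot of the primary directory, as an AD or cloud directory export would look.
DIRECTORY_USERS: Dict[str, Dict[str, object]] = {
    "u1001": {"dept": "Finance", "title": "Analyst", "enabled": True},
    "u1002": {"dept": "Marketing", "title": "Engineer", "enabled": True},   # dept stale vs. HR
    "u1003": {"dept": "Engineering", "title": "Manager", "enabled": True},  # HR says terminated
    "u1005": {"dept": "Sales", "title": "Rep", "enabled": True},            # not in HR at all
}

DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "grp-finance": {"u1001"},
    "grp-engineering": {"u1002", "u1003"},
    "grp-sales": {"u1005"},
    "grp-legacy-project": set(),  # nobody left in it: decommission candidate
}

# Hypothetical attribute-based membership policy: group -> predicate over an HR record.
GROUP_RULES: Dict[str, Callable[[HrRecord], bool]] = {
    "grp-finance": lambda r: r["dept"] == "Finance",
    "grp-engineering": lambda r: r["dept"] == "Engineering",
    "grp-sales": lambda r: r["dept"] == "Sales",
}


def active_hr(hr: List[HrRecord]) -> Dict[str, HrRecord]:
    """Index the system-of-record entries that are still active, by employee id."""
    return {r["id"]: r for r in hr if r["status"] == "active"}


def find_attribute_drift(hr: List[HrRecord], directory: Dict[str, Dict[str, object]],
                         attrs: Tuple[str, ...] = ("dept", "title")) -> List[Tuple[str, str, str, object]]:
    """Attributes where the directory disagrees with HR for active users present in both."""
    drift = []
    for uid, rec in active_hr(hr).items():
        entry = directory.get(uid)
        if entry is None:
            continue
        for attr in attrs:
            if entry.get(attr) != rec[attr]:
                drift.append((uid, attr, rec[attr], entry.get(attr)))
    return drift


def find_account_drift(hr: List[HrRecord], directory: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Accounts the sync should have disabled, created, or that have no system-of-record owner."""
    active = active_hr(hr)
    hr_ids = {r["id"] for r in hr}
    return {
        "terminated_but_enabled": sorted(
            r["id"] for r in hr
            if r["status"] != "active" and directory.get(r["id"], {}).get("enabled", False)),
        "orphaned_accounts": sorted(uid for uid in directory if uid not in hr_ids),
        "missing_accounts": sorted(uid for uid in active if uid not in directory),
    }


def reconcile_groups(hr: List[HrRecord], groups: Dict[str, Set[str]],
                     rules: Dict[str, Callable[[HrRecord], bool]]) -> Dict[str, Dict[str, Set[str]]]:
    """Members to add or remove per group. Ruled groups follow the policy; unruled groups
    only lose members who are no longer active in HR. Nothing is mutated."""
    active = active_hr(hr)
    changes: Dict[str, Dict[str, Set[str]]] = {}
    for group, members in groups.items():
        rule = rules.get(group)
        if rule is None:
            desired = members & set(active)
        else:
            desired = {uid for uid, rec in active.items() if rule(rec)}
        add, remove = desired - members, members - desired
        if add or remove:
            changes[group] = {"add": add, "remove": remove}
    return changes


def find_stale_groups(groups: Dict[str, Set[str]], changes: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Groups that are empty now or would be after reconciliation: review whether they are still needed."""
    stale = []
    for group, members in groups.items():
        delta = changes.get(group, {})
        after = (members | delta.get("add", set())) - delta.get("remove", set())
        if not after:
            stale.append(group)
    return sorted(stale)


def run_review() -> Dict[str, object]:
    """Run every check over the constructed data and return one report."""
    changes = reconcile_groups(HR_RECORDS, DIRECTORY_GROUPS, GROUP_RULES)
    return {
        "attribute_drift": find_attribute_drift(HR_RECORDS, DIRECTORY_USERS),
        "account_drift": find_account_drift(HR_RECORDS, DIRECTORY_USERS),
        "group_changes": changes,
        "stale_groups": find_stale_groups(DIRECTORY_GROUPS, changes),
    }


if __name__ == "__main__":
    for section, result in run_review().items():
        print(section, result)
```

The report is deliberately read-only: it produces the list of changes for IT (or the sync tooling) to apply, rather than writing to the directory itself, so a bad HR export cannot disable accounts or strip group membership on its own. In the sample data it flags u1003 as terminated in HR but still enabled and still in the engineering group, u1005 as an account with no owner in the system of record, u1004 as an active employee who has no account and is missing from the sales group, and grp-legacy-project as a group with nobody left in it.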
Maintaining a Productive SSO
SSO provides organizations with an opportunity to make life easy for users: a single log on, a dashboard with all the apps they have permission to use, and simplified access from anywhere. But the foundation of that success is the accuracy of the underlying directories involved in providing users with access.
With accurate directories, proper synchronization, and group lifecycle management in place, SSO reaches its full potential as the basis for a productive and secure workspace for the entire organization.
Is your directory accurate? Find out now with a free, no obligation health check of your directory with Imanami Health Meter.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.