I recently watched a great video on cloud federation by Coreblox and Ping Identity. You know the problem they’re trying to solve, your users are using applications in the cloud and your access and authorization solutions are stuck on premise. Ping Identity solves that beautifully.
Here’s the gist: an Active Directory user is added to an Active Directory group which PingFederate recognizes and provisions them to the cloud application; take the user out of the Active Directory group and that user is de-provisioned from the cloud application. As long as the user has an account on the cloud app, PingFederate grants them single sign-on privileges to access the account. Easy peasy.
Except in the real world. Don’t get me wrong, their part is easy, we have a mutual customer who assured me of that. What isn’t easy in the real world is keeping that Active Directory group accurate. If you’re going to use Active Directory groups for cloud identity management, you want to be sure that the membership is ALWAYS accurate.
Most product demos concerning Active Directory toss this in offhandedly, saying something like “just update the group membership.” Do you realize how many groups you have? And you’re supposed to go into ADUC and just, you know, update the group membership for each one? Say you have 5 cloud applications with 3 to 4 levels of access for each, meaning you have 15-20 groups to update with potentially thousands of members.
Managing that manually is a mess. Most projects that start with the simple premise of “just update the group membership” end up having 100% accurate membership on day 1 and then deteriorating in membership quality as time moves on until it’s pretty much useless (see SharePoint).
The thing is most cloud apps (Salesforce, Webex, box.net, ADP) have an identity profile associated with them. Salesforce is the sales team or the service team. Webex is sales and service. Box.net is everybody working remotely. ADP is finance. Why not dynamically manage that Active Directory group membership?
You need managerial access to Workday? Well since your job title is director or above and your department is Human Resources, you are automatically in that group. You need account rep privileges to Salesforce? Since you are in sales and your title is account executive I and you are not in the employees on probation group, you are automatically in the Salesforce AE group.
This needs to just happen or you’ll never get to cloud federation. As long as the Active Directory group structure exists and is so widely utilized, you cannot afford to let group memberships become outdated. Ping Identity uses them and I can only assume that Okta and Symplified do as well.
But Active Directory doesn’t come with dynamic groups. That’s why GroupID exists, to make dynamic security groups for you. If these groups are managed dynamically, you get past that point of “just update the group membership.” You don’t have to because it already is updated.
Get your users into the cloud by putting them in the correct Active Directory groups.