Google Apps is one of the most popular service providers for businesses of any size, but the tools provided by Google to manage user accounts and groups don’t give system administrators the flexibility and capabilities a specialized identity management product can offer.
With Soffid, you can configure Google Apps as one of the identity consumers of your organization. You can decide to give Google accounts to every user in your organization, restrict them to a selected organization unit or user type, or write a rule to enable or disable access depending on user attributes. In this way, you can integrate mail groups and mail aliases into your whole account life cycle, managing how users join or leave groups. You can tell Soffid to maintain mail groups based on a mix of users, business unit groups and information system entitlements.
Leveraging Soffid, you will also get synchronized password management. When a user changes their password, it is immediately pushed to Google Apps.
Moreover, you can deploy Soffid Identity Provider. With Soffid IdP, Google will no longer ask users for a password. Instead, Google will redirect the password request to Soffid IdP, which will identify the user based on their password, digital certificates or any other enabled mechanism. Google will receive a signed and encrypted authentication token issued by Soffid IdP, letting the user log in.
The most relevant benefits of using Soffid IdP + Soffid GoogleApps connector are:
You don’t need to give Google access to your directory.
Users log in on your system first, keeping a live access log on your site.
You can easily customize how users are created on Google, using simple expressions.
You can use complex rules to set who can use Google services and who cannot.
Every change is audited at the highest level available.
To learn more about how to configure it, please visit our wiki.
Password reset is one of the most recurrent tasks in help desk departments. With Soffid you can dramatically reduce the number of call center calls by giving users the tools to recover their password themselves.
Soffid allows administrators to enable or disable recovery methods, including pre-saved questions, email, smart cards, SMS and others. In this post we will see how a user deals with recovery through pre-saved questions.
At first, the user is encouraged to answer some predefined questions, as well as to fill in new questions. The video below these lines shows how a user is automatically redirected to the password recovery form just after logging in to the workstation.
Once the password has been filled in, the user is able to recover their password from within the Windows login screen. See the next video.
Soffid ESSO, like any other enterprise single sign-on, needs to store passwords in a form that applications can use. This requirement implies that passwords must be stored either in clear text or under a reversible encryption algorithm, making them vulnerable to insider attacks.
To prevent any risk from an insider attack, however unlikely, Soffid has a highly sophisticated mechanism that protects your system passwords while still allowing the enterprise single sign-on module to obtain the password value when it is required. To get this done, Soffid creates an RSA private key for each synchronization server. The private key is stored locally on the server, and the public key is stored in the database.
Once the keys are stored, every process that needs to encrypt a password must do it once for each synchronization server public key. So, if we have two synchronization servers, as in the image next to these lines, when Soffid sets a password for any user, the password will be stored twice. The first copy will be encrypted using the first RSA public key and the second copy will be encrypted using the second RSA public key.
This mechanism guarantees that only a synchronization server will be able to decrypt the password, using the password version that was encrypted using its own public key.
By default, private keys are stored on the file system and protected by a secret word. Backups of these private keys and of the configuration file that contains the secret word should be kept on different devices than the Soffid database backup.
To achieve the top security level, an HSM can be used. Provided that the HSM has a PKCS#11 interface, the synchronization server will go through that interface to use the private key stored on the HSM. This way, you get the best level of trust in the confidentiality of your passwords.
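The per-server encryption described above, sketched in Go as an added example (this is not Soffid's own code). The names `SyncServer` and `StorePassword` are hypothetical, RSA-OAEP with SHA-256 is an assumption because the page does not name the padding, and the password is a constructed sample.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SyncServer is a hypothetical model of one synchronization server.
type SyncServer struct {
	Name string
	Pub  *rsa.PublicKey  // published in the database
	key  *rsa.PrivateKey // stays on the server (file or HSM)
}

func NewSyncServer(name string) *SyncServer {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &SyncServer{Name: name, Pub: &k.PublicKey, key: k}
}

// Decrypt succeeds only on the copy encrypted for this server's key.
func (s *SyncServer) Decrypt(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, ct, nil)
	return string(pt), err
}

// StorePassword keeps one copy per server (OAEP/SHA-256 is an assumption).
func StorePassword(pw string, pubs map[string]*rsa.PublicKey) (map[string][]byte, error) {
	out := make(map[string][]byte, len(pubs))
	for name, pub := range pubs {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pw), nil)
		if err != nil {
			return nil, err
		}
		out[name] = ct
	}
	return out, nil
}

func main() {
	a, b := NewSyncServer("sync1"), NewSyncServer("sync2")
	stored, _ := StorePassword("constructed-pw", map[string]*rsa.PublicKey{a.Name: a.Pub, b.Name: b.Pub})
	own, _ := a.Decrypt(stored["sync1"])
	_, err := a.Decrypt(stored["sync2"]) // copy addressed to the other server
	fmt.Println(own, err != nil)
}
```

The database side only ever holds public keys and ciphertexts, so a database backup alone does not reveal any password.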
Password stress is a common problem in small and big companies. The advent of cloud applications has increased the number of user names and passwords that an average user has to manage.
Soffid provides a complete single sign-on mechanism, able to get rid of authentication dialogs in an easy, efficient and secure fashion.
Password synchronization
Soffid IAM is able to synchronize user passwords, so that users can use the same password for every application or only a subset of them, even though the user name could be different in some of them. In this way, the number of issues related to password usage is dramatically reduced. Additionally, Soffid provides two complementary products that keep users from wasting time entering user names and passwords, increasing their productivity.
Enterprise Single Sign On (ESSO)
The ESSO module is installed on desktop devices running Microsoft Windows or Ubuntu Linux. ESSO is able to enter the passwords needed for each application on behalf of the user. To do so, the administrator configures dialog detection patterns as well as credential injection rules. This way, when a password is required, Soffid will immediately enter the user name and password on behalf of the user. Only when the user is granted more than one account on an application will Soffid ESSO ask the user to select one of the granted accounts.
Web Single Sign On (WSSO)
The WSSO module is installed in the network as an additional web server, acting as a bridge between users and the actual applications. It uses the same technology as ESSO to inject the user name and password into web applications. As no software has to be installed on the user device, it is suitable for smartphones, tablets or any other device where ESSO cannot be installed. As a live sample of this technology, the Soffid developer area grants access to four independent applications. Soffid WSSO is connected to PHPBB, Drupal, Jira and Confluence, allowing anyone to register as well as to use federated identities from Google, Facebook or Yahoo to access any of them seamlessly. When the user closes the session, it will be closed on the four applications at once.
This slideshow features five important lessons learned and key takeaways from recent data breaches for businesses that want to protect themselves from similar disasters, as identified by Mark McCurley, senior information security advisor of IDentity Theft 911, a leading provider of personal-touch identity management solutions, identity theft recovery services, breach services and data risk management solutions for businesses.