Automate user provisioning across cloud apps

Business problem

Enterprise companies are using more and more cloud apps in their daily workflows. Each cloud app has a user roster with sets of privileges. As users join or leave the company, an admin needs to provision or deprovision them in all the appropriate apps.

This means IT departments manage individual user IDs and passwords that are associated with different cloud apps for each user. With automated provisioning, employees get the tools they need as soon as they join the company. Companies also want to reduce possible security risks by deprovisioning a user from all cloud apps when that user leaves the company.

Your company wants to reduce the administrative overhead involved in managing users in individual third-party cloud apps that employees use. The goal: automate user provisioning to create, update, or delete user profile information in one place and see it reflected automatically in all cloud apps.

Solutions

There are Cloud Identity and third-party alternatives for implementing automated provisioning.

Cloud Identity automated provisioning

Cloud Identity offers a catalog of automated provisioning connectors, which act as a bridge between Cloud Identity and third-party cloud apps.

Once you set up SAML for Single Sign-On (SSO), you can set up automated user provisioning to create, modify, or delete a user's identity across your cloud apps. Admins can authorize Cloud Identity to synchronize a subset of their Cloud Identity users to one or more supported apps.

Advantages

  • Accommodates the full user lifecycle by creating, updating, removing, or suspending user profiles.
  • Accommodates full app lifecycle management by enabling companies to add or remove apps from their organization in a central location.
  • Provides a consistent user experience for all supported apps, including unified reporting, audit logs, and granular event tracking.

Third-party Just-In-Time provisioning

Many apps that support SAML can be automatically provisioned through Just-In-Time (JIT) provisioning. Some service providers set up their SAML apps so that when a user accesses their app, the app checks to see if the user has an account. If they don't, one is created for them.

Advantages

  • JIT requires less configuration, because only SAML app setup is required.
  • Customers could influence service providers to support JIT provisioning for apps where Cloud Identity currently doesn't have automated provisioning connectors.

Disadvantages

  • JIT doesn't support user deprovisioning, which requires manual intervention to remove app licenses for users who leave a company.
  • Not all third-party cloud apps support JIT provisioning.
  • Compared to the consistent Cloud Identity automated provisioning connectors, third-party connectors can vary in how they work and what their reports and logs include.
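The JIT behaviour described above and the deprovisioning gap listed under Disadvantages, as an added Python sketch (not Cloud Identity code or any vendor's implementation): a service-provider side login handler that creates an account on a user's first SAML login, and the roster comparison an admin must run afterwards to find accounts that JIT created but never removed once the user left the IdP. All names, user records and roster values are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SamlAssertion:
    """Attributes a service provider reads from an already-validated SAML
    assertion (signature and audience checks are assumed done upstream)."""
    name_id: str
    email: str
    display_name: str


@dataclass
class AppUser:
    email: str
    display_name: str
    created_by: str          # "jit" for accounts made on first login
    last_login: datetime


class ServiceProvider:
    """Minimal SAML service provider with Just-In-Time provisioning."""

    def __init__(self) -> None:
        self.users: dict[str, AppUser] = {}   # keyed by SAML NameID

    def handle_sso_login(self, assertion: SamlAssertion) -> AppUser:
        """JIT: if the asserted user has no account yet, create one now.
        Nothing here ever deletes or suspends an account."""
        now = datetime.now(timezone.utc)
        user = self.users.get(assertion.name_id)
        if user is None:
            user = AppUser(assertion.email, assertion.display_name, "jit", now)
            self.users[assertion.name_id] = user
        user.last_login = now
        return user


def find_orphaned_accounts(sp: ServiceProvider, idp_active_users: set[str]) -> list[str]:
    """The manual step JIT leaves to the admin: compare the app's roster with
    the IdP's active users to find leavers who still hold a license."""
    return sorted(nid for nid in sp.users if nid not in idp_active_users)


if __name__ == "__main__":
    sp = ServiceProvider()
    sp.handle_sso_login(SamlAssertion("maria@example.com", "maria@example.com", "Maria"))
    sp.handle_sso_login(SamlAssertion("bob@example.com", "bob@example.com", "Bob"))
    # Bob has since been removed from the IdP, but JIT left his app account.
    print(find_orphaned_accounts(sp, {"maria@example.com"}))  # ['bob@example.com']
```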

Recommendations

When an app is supported for automated provisioning in the Cloud Identity SAML catalog, we recommend you use the Cloud Identity automated provisioning connector.

If the automated provisioning connector you need isn't in the catalog, work with your service provider to develop the connector. If your service provider supports JIT, that's also an option. However, JIT usually only handles user profile creation and doesn't address profile updating, suspension, or deletion.

Third-party identity providers

If you have a third-party identity provider (IdP), you can still configure automated user provisioning to third-party apps in the Cloud Identity catalog. User authentication occurs in the third-party IdP, and Cloud Identity manages the cloud apps.

To use Cloud Identity for automated provisioning, your users need Cloud Identity accounts. They sign in through your third-party IdP or using a password on their Cloud Identity accounts.

Example

Company A uses Cloud Identity as their primary IdP. They also use software as a service (SaaS) products for customer resource management (CRM), messaging, and customer ticket management. They want to automate user provisioning and deprovisioning in these cloud apps with Cloud Identity as the single source of truth.

On their first day at Company A, all Support employees automatically get a license to the customer ticket management app, and all salespeople get a license to the CRM app. Everyone gets the messaging app.

The IT department at Company A wants to ensure that only the correct set of people in the customer organization can access certain third-party apps. This involves synchronizing user profiles from Cloud Identity to all linked third-party apps that are assigned to particular users.

When a user loses access to an app (they leave the company or no longer need the app), their profile is automatically removed from the relevant linked third-party apps. This avoids blocked licenses.

IT sets up their cloud apps for automated provisioning:

  • Make a list of the cloud apps employees use.
  • Locate these apps in the Cloud Identity SAML and automated user provisioning catalogs.
  • Set up SSO for these apps by turning on SSO for them one by one (if SSO isn't set up already).
  • Configure automated user provisioning for the apps.

Automated provisioning flow

Company A hires Maria. Before her first day on the job, an admin adds her to Cloud Identity by creating an account for her. The admin also adds her to an organization. Maria can then access the cloud apps assigned to that organization.

Cloud Identity replicates Maria's identity to all of those cloud apps.

Sign in to cloud apps through SSO.

On Maria's first day, she logs in to Cloud Identity. Through SSO, she can access the cloud apps she needs using her Cloud Identity credentials.

