Automate user provisioning across cloud apps

Business problem

Enterprise companies are using more and more cloud applications in their daily workflows. Each cloud app has a user roster with sets of privileges. As users join or leave the company, they need to be provisioned or deprovisioned in all the appropriate apps.

This means IT departments manage individual user IDs and passwords that are associated with different cloud apps for each user. When provisioning is automated, employees get the tools they need as soon as they join the company. Companies also want to reduce possible security risks by deprovisioning a user from all cloud apps when that user leaves the company.

Your company wants to reduce the administrative overhead involved in managing users in individual third-party cloud apps that employees use. The goal is to automate user provisioning to create, update, or delete user profile information in one place and have it reflected in all cloud apps.

Solutions

There are Cloud Identity and third-party alternatives for implementing automated provisioning.

Cloud Identity automated provisioning

Cloud Identity has a catalog of automated provisioning connectors, which act as a bridge between Cloud Identity and third-party cloud apps.

Once you've set up SAML for Single Sign-On (SSO), you can set up automated user provisioning to create, modify, or delete a user's identity across your cloud apps. Admins can authorize Cloud Identity to synchronize a subset of their Cloud Identity users to one or more supported apps.

Advantages

  • Accommodates the full user lifecycle by creating, updating, removing, or suspending user profiles.
  • Accommodates full app lifecycle management by enabling companies to add or remove applications from their organization in a central location.
  • Provides a consistent user experience for all supported apps, including unified reporting, audit logs, and granular event tracking.

Third-party Just-in-Time provisioning

Many apps that support SAML can be automatically provisioned through Just-in-Time (JIT) provisioning. Some service providers set up their SAML app so that when a user accesses the app, it checks whether the user already has an account. If they don't have an account, one is created for them.

Advantages

  • Requires less configuration, because only SAML app setup is required.
  • Customers might be able to influence service providers to support JIT provisioning for apps where Cloud Identity currently doesn't have automated provisioning connectors.

Disadvantages

  • Doesn't support user deprovisioning, which requires manual intervention to remove app licenses for users who leave a company.
  • Not all third-party cloud apps support JIT provisioning.
  • Compared to the consistent Cloud Identity automated provisioning connectors, third-party connectors can vary in how they work and what's included in their reports and logs.

Recommendations

When an app is supported for automated provisioning in the Cloud Identity SAML catalog, we recommend you use the Cloud Identity automated provisioning connector.

If the automated provisioning connector you need isn't in the catalog, work with your service provider to develop the connector. If your service provider supports JIT, that's also an option. However, it usually only handles user profile creation and doesn't address profile updating, suspension, or deletion.

Third-party identity providers

If you have a third-party identity provider (IdP), you can still configure automated user provisioning to third-party apps in the Cloud Identity catalog. In this case, user authentication occurs in the third-party IdP, and Cloud Identity manages the cloud apps.

To use Cloud Identity for automated provisioning, your users need Cloud Identity accounts. They log in through your third-party IdP or using a password on their Cloud Identity accounts.

Example

Company A uses Cloud Identity as their primary IdP. They also use software as a service (SaaS) products for customer relationship management (CRM), messaging, and customer ticket management. They want to automate user provisioning and deprovisioning in these cloud apps with Cloud Identity as the single source of truth (IdP).

On their first day at Company A, all Support employees automatically get a license to the customer ticket management app, and all salespeople get a license to the CRM app. Everyone gets the messaging app.

The IT department at Company A wants to ensure that only the correct set of people in the customer organization can access certain third-party applications. This involves synchronizing user profiles from Cloud Identity to all linked third-party applications that are assigned to particular users.

When a user loses access to an app (they leave the company or no longer need the app), their profile is removed from the relevant linked third-party applications so licenses aren't blocked.

IT sets up their cloud apps for automated provisioning:

  • Make a list of the cloud apps their employees are using.
  • Locate these apps in the Cloud Identity SAML and automated user provisioning catalogs.
  • Set up SSO for these apps by turning on SSO for them one by one (if SSO isn't set up already).
  • Configure automated user provisioning for the apps.

Automated provisioning flow

Company A hires Maria. Before her first day on the job, an admin adds her to Cloud Identity by creating an account for her. The admin also adds her to an organization. Maria will be able to access the cloud apps assigned to that organization.

Cloud Identity replicates Maria's identity to all of those cloud apps.

Sign in to cloud apps through SSO.

On Maria's first day, she logs in to Cloud Identity. Through SSO, she can access the cloud apps she needs using her Cloud Identity credentials.
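The reconciliation below is an added illustration, not Cloud Identity's own implementation: it models the Company A flow (org membership decides which apps a user gets, the IdP is the source of truth) and contrasts the full-lifecycle actions of an automated provisioning connector with JIT provisioning, which only ever creates accounts on first sign-in and so leaves leavers' accounts orphaned (the JIT disadvantage noted above). The org-to-app mapping, rosters and addresses are constructed sample data.

```python
# Illustrative reconciliation model added to this page (not Cloud Identity's code).
# Constructed data modelled on the Company A example:
# Support -> ticketing, Sales -> CRM, everyone -> messaging.

ORG_APPS = {"support": {"ticketing"}, "sales": {"crm"}}   # constructed mapping
COMMON_APPS = {"messaging"}                                 # every employee gets these

def desired_roster(directory):
    """directory: {email: (org, suspended)} held by the IdP (source of truth).
    Returns app -> {email: suspended}: what each app's roster should look like."""
    desired = {}
    for email, (org, suspended) in directory.items():
        for app in COMMON_APPS | ORG_APPS.get(org, set()):
            desired.setdefault(app, {})[email] = suspended
    return desired

def connector_actions(directory, app_rosters):
    """Automated connector: create, suspend, reactivate and delete so that each
    app roster converges on the IdP. app_rosters: app -> {email: suspended}."""
    actions, desired = [], desired_roster(directory)
    for app in set(app_rosters) | set(desired):
        want, have = desired.get(app, {}), app_rosters.get(app, {})
        for email, suspended in want.items():
            if email not in have:
                actions.append((app, "create", email))
            elif suspended != have[email]:
                actions.append((app, "suspend" if suspended else "reactivate", email))
        for email in have:
            if email not in want:
                actions.append((app, "delete", email))   # leaver: license is freed
    return sorted(actions)

def jit_actions(directory, app_rosters, logins):
    """JIT: the app creates an account the first time a user signs in through SAML
    (logins: (app, email) pairs; the IdP only asserts assigned users). Never deletes."""
    desired = desired_roster(directory)
    return sorted({(app, "create", email) for app, email in logins
                   if email in desired.get(app, {}) and email not in app_rosters.get(app, {})})

def orphaned_accounts(directory, app_rosters):
    """Accounts present in an app but absent from the IdP: what JIT leaves behind."""
    desired = desired_roster(directory)
    return sorted((app, email) for app, have in app_rosters.items()
                  for email in have if email not in desired.get(app, {}))

# Constructed scenario: Maria (Support) was just hired; Bob (Sales) has left.
DIRECTORY = {"maria@example.com": ("support", False), "ana@example.com": ("sales", False)}
APP_ROSTERS = {"messaging": {"ana@example.com": False, "bob@example.com": False},
               "crm": {"ana@example.com": False, "bob@example.com": False}, "ticketing": {}}
```

Running `connector_actions(DIRECTORY, APP_ROSTERS)` creates Maria in messaging and ticketing and deletes Bob from both of his apps, while `jit_actions` on Maria's first sign-ins only creates her accounts and `orphaned_accounts` still reports Bob.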