What do you use as an identity provider?
-
@jt1001001 said in What do you use as an identity provider?:
@Pete-S Old job we used Azure AD exclusively because we were already in that space; no need for a "third party" provider. We did review Okta as it integrated with on-premise AD, and liked it, but why spend extra $$ since we had to get E5 licenses already for other reasons. If you have a lower license tier Okta may make sense as it's, I think, US$6/user/month if I remember correctly.
Haven't started new job yet so I don't know what system they're using.
I think that scenario is pretty common. Did you authenticate other SaaS apps with Azure AD as well?
-
@Pete-S said in What do you use as an identity provider?:
@Dashrender said in What do you use as an identity provider?:
@Pete-S said in What do you use as an identity provider?:
I don't know if Azure AD would make sense as a standalone service, without users being on M365 or having Windows infrastructure in general.
I'll agree with you there - which is why I said - IF you have M365 or Google Workspace already....
If you don't, yeah, I likely wouldn't look to them as a basis for an identity provider, but if you already have them.... As I've done zero research - I have no clue what OKTA or DUO, etc bring to the table.
What do you guys do at your place?
Have no type of SSO.
All systems are separate.
That said, I'm trying to work us toward being rid of AD (on-premise or otherwise) and primarily use AAD as part of our M365 subscription for ID management.
I know our EMR can tie into AAD for SSO, but I have no idea what they will charge us for doing that.
After that there's 3-4 hospital systems that we could investigate setting up federation with - though I hold little hope for that to actually go anywhere.
-
@Dashrender said in What do you use as an identity provider?:
Have no type of SSO.
All systems are separate.
I think that is pretty common too.
A lot of SaaS apps also require that you have signed up for the enterprise tier to be able to do SSO. From what I've seen legacy on-prem software usually needs AD and then from there you can sync to an identity provider.
-
@Pete-S We were in process with that when I left. We still have legacy VPN needs so we were demo'ing a Fortinet solution that uses Azure SSO, and that worked well. I had gotten Mimecast email services working with Azure SSO as well; both using SAML.
-
@Pete-S said in What do you use as an identity provider?:
@Dashrender said in What do you use as an identity provider?:
Have no type of SSO.
All systems are separate.
I think that is pretty common too.
A lot of SaaS apps also require that you have signed up for the enterprise tier to be able to do SSO. From what I've seen legacy on-prem software usually needs AD and then from there you can sync to an identity provider.
We don't have any on-premise software that ties to AD. We have only one on-premise software, the accounting software. So they tell me - next year is the year to replace it - hopefully something cloud based. Considering only 3 maybe 5 people in the whole company would ever log into it - if there is a cost involved in setting up SSO for that, I doubt we would do it.
-
One of the issues @scottalanmiller has mentioned about using things like AD for identity management is denial of service attacks.
i.e. if you put a Windows computer directly on the web with RDP (that's part of AD) then a hacker could deny any user in that environment access to their account because of account lock out (assuming an account lockout is set at say 5 bad password attempts).
RD Gateway I guess can solve this by only allowing those with certs to connect to the gateway, but that's pretty cumbersome.
The local hospitals all use Citrix web portals (formerly NFuse - not sure of the new name, hell, it might still be called NFuse); the back end of that definitely ties to those hospitals' AD - why don't they have account lockout issues?
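The lockout denial-of-service described above, replayed against a constructed failed-logon log, as an added example that is not part of this thread. The log format (a simplified `timestamp src=… user=… result=…` line, not the real Windows event layout), the 5-attempt threshold and the reset window are assumptions; the point it shows is that the thing worth alerting on is one source locking several accounts, which is the DoS pattern, rather than any single lockout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). One source walks through
# several accounts five bad passwords at a time; a second source is a
# real user mistyping their own password and then succeeding.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:02 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:03 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:04 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:05 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:06 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:07 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:08 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:09 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:10 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:11 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:12 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:13 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:14 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:15 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:05:00 src=198.51.100.4 user=erin result=FAIL
2024-05-01T09:05:20 src=198.51.100.4 user=erin result=FAIL
2024-05-01T09:05:45 src=198.51.100.4 user=erin result=OK
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def simulate_lockouts(lines, threshold=5, window=timedelta(minutes=30)):
    """Replay the log against an assumed lockout policy: `threshold` failed
    attempts within `window` locks the account (a success resets the count).
    Returns {account: source that tipped it over the threshold}."""
    failures = defaultdict(list)  # account -> timestamps of recent failures
    locked = {}
    for line in lines:
        rec = parse_line(line)
        user = rec["user"]
        if rec["result"] == "OK":
            failures[user].clear()
            continue
        bucket = failures[user]
        bucket.append(rec["ts"])
        # Keep only failures still inside the reset window.
        bucket[:] = [t for t in bucket if rec["ts"] - t <= window]
        if len(bucket) >= threshold and user not in locked:
            locked[user] = rec["src"]
    return locked


def find_sweep_sources(locked, min_accounts=2):
    """A single source responsible for locking several accounts is a
    lockout sweep (the denial-of-service case), not a user's typo.
    Returns {source: sorted list of accounts it locked}."""
    per_src = defaultdict(set)
    for account, src in locked.items():
        per_src[src].add(account)
    return {src: sorted(accts) for src, accts in per_src.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    locked_accounts = simulate_lockouts(SAMPLE_LOG.splitlines())
    print("locked:", locked_accounts)
    print("sweep sources:", find_sweep_sources(locked_accounts))
```

The benign user `erin` never reaches the threshold and her counter is cleared by the successful logon, so only `203.0.113.7` is reported. A gateway that demands a certificate or MFA before any password is tried, as the thread discusses for RD Gateway, stops this at the door because the lockout counter is never touched by an unauthenticated source; the detection here is for the case where a password prompt is still reachable.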
-
@Dashrender said in What do you use as an identity provider?:
One of the issues @scottalanmiller has mentioned about using things like AD for identity management is denial of service attacks.
That can be an issue, but almost no one has built a LAN-centric central authority like AD for decades. AD was at the tail end of the "LAN authentication" era and carries legacy thought processes along into the modern world, and so has a lot of risks and problems that nothing modern would have.
-
@Pete-S said in What do you use as an identity provider?:
@Dashrender said in What do you use as an identity provider?:
@Pete-S said in What do you use as an identity provider?:
@VoIP_n00b said in What do you use as an identity provider?:
JumpCloud’s SSO goes beyond application access to provide a single identity that can access any IT resource, from applications to devices, networks and more. Backed by a robust Directory Platform, you can onboard, offboard, and manage the lifecycle of every user with a single set of credentials. With one identity per user, you can easily provision and deprovision user access to devices (MacOS, Windows, and Linux), on-premise applications, networks and VPN, and servers from a single, secure console.
Thanks. Are you using it as well?
Have you integrated JumpCloud with M365 or Google Workspace or whatever you might use?
If you have azure AD or Google Workspace, why bother with Jumpcloud?
You mean if you paid for M365 then you're already using Azure AD as your identity provider in which case JumpCloud serves no purpose?
I'm not 100% clear what capabilities each system has, but I would guess that dedicated identity platforms such as JumpCloud, Okta, OneLogin etc. are more mature, sophisticated and have more features.
I don't know if Azure AD would make sense as a standalone service, without users being on M365 or having Windows infrastructure in general.
Agreed, if buying the identity service individually, JumpCloud is quite a bit more mature and I would trust them far more.
-
@Pete-S said in What do you use as an identity provider?:
You mean if you paid for M365 then you're already using Azure AD as your identity provider in which case JumpCloud serves no purpose?
For one thing, Azure AD is lacking connectors for normal things like Linux desktops. Doesn't even WORK in our environment or most of our customers, almost none. At most it works for SOME workloads.
-
@Dashrender said in What do you use as an identity provider?:
The local hospitals all use Citrix web portals (formerly NFuse - not sure of the new name, hell, it might still be called NFuse); the back end of that definitely ties to those hospitals' AD - why don't they have account lockout issues?
web portal. Probably doing the exact thing that RDS Gateway does. If it is like most Citrix products, it IS RDS Gateway, just rebranded.
-
@scottalanmiller said in What do you use as an identity provider?:
@Dashrender said in What do you use as an identity provider?:
The local hospitals all use Citrix web portals (formerly NFuse - not sure of the new name, hell, it might still be called NFuse); the back end of that definitely ties to those hospitals' AD - why don't they have account lockout issues?
web portal. Probably doing the exact thing that RDS Gateway does. If it is like most Citrix products, it IS RDS Gateway, just rebranded.
I thought from our conversation that this protected against locked accounts by the use of certificates, not username/passwords... in my cases, it's always username/password. Everything is SSO, even if you have to supply that username/password multiple times.
-
@nadnerB said in What do you use as an identity provider?:
@VoIP_n00b said in What do you use as an identity provider?:
JumpCloud’s SSO goes beyond application access to provide a single identity that can access any IT resource, from applications to devices, networks and more. Backed by a robust Directory Platform, you can onboard, offboard, and manage the lifecycle of every user with a single set of credentials. With one identity per user, you can easily provision and deprovision user access to devices (MacOS, Windows, and Linux), on-premise applications, networks and VPN, and servers from a single, secure console.
There is so much marketing fluff speak in that.
Did you just copy and paste from the propaganda page?
Of course he did, that is all he ever does.
-
@scottalanmiller said in What do you use as an identity provider?:
@Pete-S said in What do you use as an identity provider?:
You mean if you paid for M365 then you're already using Azure AD as your identity provider in which case JumpCloud serves no purpose?
For one thing, Azure AD is lacking connectors for normal things like Linux desktops. Doesn't even WORK in our environment or most of our customers, almost none. At most it works for SOME workloads.
There is another factor as well, which favors an independent identity provider and authentication. When you have everything in one place, you give too much power over your business to a single company. If you have a problem with Microsoft (or Google) all other services will be useless if you tied everything to Azure AD (or Google Identity Services).
Also changing "Office" apps from Microsoft to Google or to Zoho or whatever you might fancy will have far reaching implications. So less freedom to pick whatever is best for your company.
-
We use WSO2's Identity Server here. It's... not terrible, but can be a real PITA to get config file settings and web page customizations to stick across upgrades sometimes. It's not too bad to configure after you get past that bit.
Works great with AD.
Link above takes you to various setup types, not just docker.
-
@dafyre said in What do you use as an identity provider?:
We use WSO2's Identity Server here
It seems popular, and so does Red Hat's Keycloak.
I thought you had to have paid support to get patches and that it's cost prohibitive for small companies ($20K/year).
-
@Pete-S said in What do you use as an identity provider?:
@scottalanmiller said in What do you use as an identity provider?:
@Pete-S said in What do you use as an identity provider?:
You mean if you paid for M365 then you're already using Azure AD as your identity provider in which case JumpCloud serves no purpose?
For one thing, Azure AD is lacking connectors for normal things like Linux desktops. Doesn't even WORK in our environment or most of our customers, almost none. At most it works for SOME workloads.
There is another factor as well, which favors an independent identity provider and authentication. When you have everything in one place, you give too much power over your business to a single company. If you have a problem with Microsoft (or Google) all other services will be useless if you tied everything to Azure AD (or Google Identity Services).
Also changing "Office" apps from Microsoft to Google or to Zoho or whatever you might fancy will have far reaching implications. So less freedom to pick whatever is best for your company.
Excellent points.