For most enterprises, Microsoft Active Directory (AD) is the official user directory for managing access to key business applications. Microsoft’s Active Directory Federation Services (AD FS) can bridge AD with cloud applications and services, but its complexity hinders IT’s ability to keep pace with the “now” mentality of business. AD FS also lacks key functionality like user provisioning and compliance reporting.
When combined with OneLogin, Active Directory takes on powerful new capabilities to control real-time access to SaaS, web, desktop, and mobile applications, and there’s no need to embark on a complex Active Directory integration project for each new app. From single domain environments to complex directory infrastructures, OneLogin makes it easy to extend Active Directory to the Cloud. Here’s how:
OneLogin’s Active Directory single sign-on integration deploys in minutes, yet its superior architecture scales to support dozens of domains, tens of thousands of OUs (Organizational Units), and millions of users and security groups. The OneLogin Active Directory Connector (ADC) installs as a simple Windows service that subscribes to change notifications instead of scanning the full directory. Updates appear in milliseconds and there’s no need for a dedicated server.
While others claim “real-time”, OneLogin offers true real-time bi-directional synchronization and authentication across Active Directory domains, trees and forests. A faster sync means increased security and greater peace of mind.
OneLogin’s Active Directory Connector (ADC) installs via a simple click-through process that deploys the ADC as a Windows service, so you don’t have to worry about manual restarts after a Windows reboot. No firewall changes are required as all communication is performed via an outbound SSL connection. To sync users, simply check off which OUs you’d like to import, and rest easy knowing that all passwords remain on-premises.
The outbound connection to OneLogin is also used to authenticate users against Active Directory from OneLogin’s login page. This can be combined with PKI certificates, IP address restrictions and two-factor authentication.
OneLogin leverages Microsoft’s Integrated Windows Authentication to authenticate users to OneLogin when they are logged in to their office computer. When employees are on the corporate network and signed in with their Windows credentials, they can use Desktop SSO (from a PC or Mac) to get one-click access to their web applications. There’s no need for additional usernames or passwords, just like on-prem apps. To minimize network complexity, the same OneLogin ADC also enables Desktop SSO.
OneLogin performs real-time user provisioning, importing, matching and de-duplication as well as Just In Time Provisioning into the application user store. OneLogin also provides user provisioning with entitlements into a growing list of SaaS applications. For example, you can not only create a user in Salesforce, but actually restrict their access to that of a Standard User profile, all based on Active Directory attribute mappings and business rules that you define in OneLogin.
OneLogin provides flexibility around Active Directory Groups while also adding in Roles as an additional administrative capability. For example, you can use any attribute in Active Directory as an indicator for assigning roles (groups of applications), group memberships (policies), as well as perform bulk operations (like activating users).
Real-time Active Directory integration is useful when people join an organization, or gain responsibilities, but absolutely critical when they leave or lose responsibilities. With OneLogin, you can instantly disable app access for leavers in real time by removing them from Active Directory, and there’s no need to check back later.
Having a Windows service listening to events on your Active Directory (instead of periodic scans, or on-demand checks during an authentication event) ensures that the instant someone is terminated, the change is propagated through to OneLogin and connected services. This is critical because popular services like Google Apps allow back-door access through protocols like IMAP that bypass the single sign-on page entirely. Unless the user is immediately disabled, unwarranted access can occur. Best of all, all sign-in activity is recorded in a centralized audit trail, which simplifies compliance and enables cross-application analysis.
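The event-driven model the preceding paragraphs describe (acting on directory change notifications rather than scans, mapping Active Directory attributes to roles and entitlements, matching existing accounts instead of creating duplicates, and deactivating access the moment an account is disabled) can be sketched in a few dozen lines. The following is an added example written for this page, not OneLogin’s ADC code: the shape of the change records, the `RoleRule` format, the in-memory `AppStore` standing in for a SaaS user store, and all sample accounts are assumptions constructed for illustration. The only Active Directory fact it relies on is that bit 0x0002 of `userAccountControl` marks an account as disabled.

```python
"""Event-driven AD -> SaaS provisioning sketch (constructed example).

A handler consumes Active Directory change notifications, applies
attribute-based role rules, de-duplicates by objectGUID against an
in-memory application store, and deactivates disabled accounts at once.
Record layout, rule format and sample data are assumptions, not ADC code.
"""
from dataclasses import dataclass, field

# In AD, bit 0x0002 of userAccountControl means ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x0002


@dataclass
class RoleRule:
    """Grant `role` when the user's `attribute` equals or contains `value`."""
    attribute: str
    value: str
    role: str


@dataclass
class AppStore:
    """Stand-in for a SaaS application's user store, keyed by objectGUID."""
    users: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def provision(self, guid, username, roles):
        # Matching on the immutable objectGUID (not the login name) means a
        # renamed user is updated in place rather than duplicated.
        action = "update" if guid in self.users else "create"
        self.users[guid] = {"username": username, "roles": sorted(roles), "active": True}
        self.log.append((action, username))

    def deactivate(self, guid):
        user = self.users.get(guid)
        if user and user["active"]:
            user["active"] = False
            self.log.append(("deactivate", user["username"]))


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set on the AD account."""
    return bool(user_account_control & ACCOUNTDISABLE)


def roles_for(record: dict, rules: list) -> set:
    """Evaluate every rule; multi-valued attributes (memberOf) are lists."""
    roles = set()
    for rule in rules:
        attr = record.get(rule.attribute)
        values = attr if isinstance(attr, list) else [attr]
        if rule.value in values:
            roles.add(rule.role)
    return roles


def handle_change(record: dict, store: AppStore, rules: list) -> str:
    """Apply one change notification; disablement wins over everything else."""
    guid = record["objectGUID"]
    if is_disabled(record["userAccountControl"]):
        store.deactivate(guid)
        return "deactivated"
    store.provision(guid, record["sAMAccountName"], roles_for(record, rules))
    return "provisioned"


# Constructed rule set: department drives the Salesforce profile, a group
# DN drives an admin entitlement (both hypothetical role names).
RULES = [
    RoleRule("department", "Sales", "Salesforce Standard User"),
    RoleRule("memberOf", "CN=App Admins,OU=Groups,DC=example,DC=com", "Admin Console"),
]

# Constructed change notifications, in the order the directory emitted them:
# create, rename plus group add (same GUID), create, then disable.
EVENTS = [
    {"objectGUID": "g1", "sAMAccountName": "jdoe", "userAccountControl": 0x200,
     "department": "Sales", "memberOf": []},
    {"objectGUID": "g1", "sAMAccountName": "john.doe", "userAccountControl": 0x200,
     "department": "Sales", "memberOf": ["CN=App Admins,OU=Groups,DC=example,DC=com"]},
    {"objectGUID": "g2", "sAMAccountName": "asmith", "userAccountControl": 0x200,
     "department": "Finance", "memberOf": []},
    {"objectGUID": "g2", "sAMAccountName": "asmith", "userAccountControl": 0x202,
     "department": "Finance", "memberOf": []},
]


def run_demo() -> AppStore:
    """Replay the constructed events and return the resulting app store."""
    store = AppStore()
    for event in EVENTS:
        handle_change(event, store, RULES)
    return store


if __name__ == "__main__":
    for entry in run_demo().log:
        print(entry)
```

Two design points carry over to any real connector: match on `objectGUID` (or another immutable identifier), because login names change and matching on them is how duplicate accounts appear; and evaluate the disabled flag before any role logic, so a termination never waits behind a provisioning step.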
The ADC has a High Availability feature that allows customers to set multiple connectors to run in parallel. If a customer server hosting the primary ADC goes down, one of the secondary connectors is promoted to primary, automatically. Administrators can also manually promote ADCs or bring them online or offline from OneLogin.
Most applications are only able to integrate with one directory per customer, but OneLogin overcomes this limitation. OneLogin can import users from an Active Directory domain alongside other directories, such as LDAP-based directories like OpenDirectory or SaaS directories like Google Apps and Workday. OneLogin can combine mixed directory types and present them as a unified meta-directory to other applications for federation via SAML.
OneLogin’s self-service password reset functionality synchronizes password changes across Active Directory, the OneLogin portal, as well as those web applications secured with OneLogin. When a user’s password expires in Active Directory, they will be prompted to change their password the next time they log into OneLogin.
Users can also proactively change their Active Directory password through OneLogin by selecting Change Password in their OneLogin portal. When a user changes their password through their portal, OneLogin will keep the password synchronized with AD and any cloud applications where password provisioning is active.
OneLogin’s SCIM proxy enables OneLogin to provision on-premises applications via SCIM. OneLogin supports desktop apps either through Windows OS calls with password vaulting for login credentials, or through SOAP bindings used as a transport for SAML tokens to identify users.
OneLogin also supports the RADIUS protocol, so applications and appliances configured to authenticate against a RADIUS server can point at OneLogin, which then authenticates the user against the configured corporate directory.