OneLogin recently had the opportunity to attend Workday Rising, one of the largest HR-focused conferences in the world. One of the most common questions we heard at the event was how OneLogin’s integration with Workday benefits both HR and IT.
So here is a high-level overview of what HR-Driven Identity means, and how it’s making our customers’ lives easier.
What is HR-Driven Identity?
Stepping back for a moment, it’s worth considering the bigger trends within the IT landscape. One of those is Digital Transformation. Digital Transformation can take many forms: new business models, new products, new ways of delighting your customers.
But at the end of the day, it’s applications that underpin those transformations. Securing those applications is what OneLogin does, and HR-Driven Identity is a key way of ensuring that only the right people have access to the right apps.
Instead of a directory, HR-Driven Identity systems use an HRIS (HR Information System) like Workday, UltiPro, or Namely as a single source of truth. So, for instance, when HR enters a new employee into the HRIS and sets their status to active, the IAM system automatically does a number of things without IT having to lift a finger. These include:
- Replicating the new identity across all appropriate directories. This can include the directory of your IAM system, as well as external directories like AD, LDAP, or G Suite Directory.
- Allocating the appropriate applications to the new identity, based on its attributes. For instance, if the identity’s department is “sales”, then the identity gains access to Salesforce.com. Good IAM systems should be able to work on any identity attribute: title, department, employee ID, and so on.
- Creating user accounts in all connected applications and filling in as many account details as possible, assuming there is a programmatic way of doing so. This is called User Provisioning, and can be done through SAML Just in Time provisioning (JIT), SCIM, or an account provisioning API that the app provides.
- Allocating licenses for apps that programmatically support it, such as Office 365.
- For applications that don’t have time-saving features like SAML JIT, SCIM, or provisioning APIs, the IAM system should automatically build a list of manual steps that IT should take. This helps ensure that nothing falls through the cracks, especially if IT is setting up dozens or hundreds of users with dozens of apps.
- Creating laptop user identities that have the same username and password as your applications. This way, a new user can log into their laptop using the same credentials they use to access their IAM single sign-on (SSO) portal and applications. With one less password to remember, forgotten password tickets and password resets drop dramatically — and studies show these are around 20-30% of all IT helpdesk tickets.
- Creating WiFi and VPN user identities that authenticate using RADIUS. These, too, should have the same username and password as SSO, applications, and laptops — and further reduce helpdesk tickets.
So what difference does this make?
One major benefit of the HR-Driven identity flow is a more seamless onboarding experience for new employees that reduces friction between HR and IT. Instead of manually distributing app access to new users, IT can automate the process. This saves time, decreases the likelihood of human error, and enables the new employee to get right to work on their very first day.
Even Smoother Offboarding
One of IT’s most important tasks is to offboard former employees, and ensure that they have no lingering access to corporate apps or data after they leave. HR-Driven Identity can help here as well, specifically with two challenges.
First, due to a reliance on slow manual offboarding processes, half of all companies provide ex-employees with access to company IT resources for longer than a day, according to a recent study by OneLogin of 500 IT decision makers. This provides a window of time when a company’s data is accessible to recently deactivated users.
Second, this problem is growing in size. With average employee tenure down to four years, according to the US Bureau of Labor Statistics (BLS), a company staying at constant size sees 25 percent of its employees leave annually. Additionally, companies are increasingly using temporary contractors: the number of temporary workers in the US has nearly doubled, from 1.7 million in 2009 to 3.1 million in 2017, according to the Federal Reserve.
With HR-Driven Identity, when an employee is terminated within an HRIS, all the onboarding steps above are reversed. Users are automatically deactivated within OneLogin, and all application, WiFi, and laptop access is immediately severed. Offboarding checklists are automatically created, so IT knows what manual steps need to be taken. And for apps that support license provisioning (Office 365, for example), IT can reallocate app licenses to different users instead of having to buy new ones for new employees.
Cross-boarding and Re-boarding
In addition to on- and off-boarding, HR-driven Identity should also handle cross-boarding — when someone switches roles within the company, such as during a promotion. It also should handle re-boarding — when a former employee or contractor returns to work for the company. This is especially useful for seasonal employees, such as you might see in the Retail industry for holiday staff.
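The onboarding list, its reversal on termination, and cross-boarding all reduce to one reconciliation: compare what the HRIS record entitles an identity to with what it holds today. The sketch below is an added example, not OneLogin's code; the field names, the rule table, the connector map and every app other than Salesforce and Office 365 are assumptions.

```python
"""Turn one HRIS record plus current access into a provisioning plan."""

# Constructed policy: (attribute, value, app). Only the sales -> Salesforce
# rule and Office 365 come from the article; the rest are assumptions.
RULES = [
    ("department", "sales", "salesforce"),
    ("department", "support", "ticketing"),
    ("worker_type", "employee", "office365"),
]
# How each app is provisioned. "manual" means no SAML JIT, SCIM or API,
# so the step goes on IT's checklist instead of being automated.
CONNECTORS = {"salesforce": "scim", "office365": "api", "ticketing": "manual"}


def entitled_apps(record):
    """Fail closed: any status other than 'active' is entitled to nothing."""
    if record.get("status") != "active":
        return set()
    return {app for attr, value, app in RULES if record.get(attr) == value}


def reconcile(record, current_apps):
    """Diff what the HRIS says against what the identity holds today."""
    wanted = entitled_apps(record)
    plan = {"grant": [], "revoke": [], "checklist": [],
            "identity_enabled": record.get("status") == "active"}
    for action, apps in (("grant", wanted - current_apps),
                         ("revoke", current_apps - wanted)):
        for app in sorted(apps):
            # Apps missing from CONNECTORS are treated as manual, so access
            # nobody modelled still surfaces for removal.
            if CONNECTORS.get(app, "manual") == "manual":
                plan["checklist"].append(f"{action} {app} for {record['id']}")
            else:
                plan[action].append(app)
    return plan


if __name__ == "__main__":
    hire = {"id": "E100", "status": "active", "department": "sales", "worker_type": "employee"}
    print(reconcile(hire, set()))                                     # onboarding
    moved = dict(hire, department="support")
    print(reconcile(moved, {"salesforce", "office365"}))              # cross-boarding
    gone = dict(moved, status="terminated")
    print(reconcile(gone, {"office365", "ticketing", "legacy-crm"}))  # offboarding
```

Re-boarding is the same call with the status flipped back to active and an empty set of current apps.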
Ravindra Sunku, Director of IT at Stitch Fix, recently discussed his small IT team’s success with implementing OneLogin’s HR-Driven identity solution. One of the big challenges Ravindra’s team faces is that they have to manage identities for thousands of temporary Stitch Fix stylists. These stylists are temporary employees who will take on some assignments with Stitch Fix, then take some time off, then start working with Stitch Fix again. Using OneLogin, Ravindra’s handful of team members are able to reliably manage the identities of an ever-shifting group of stylists.
Get the full story here to see how Stitch Fix is saving thousands of dollars each year after implementing a best of breed solution with Workday HCM and OneLogin.