Rapid business growth was a double-edged sword for mobile enterprise management vendor SOTI Inc. Between onboarding many new hires and the proliferation of SaaS business apps, the strains on IT and employees alike were starting to show. Obtaining, managing and maintaining access presented productivity and security challenges.
IT Manager, SOTI
SOTI had doubled the number of employees in just three years, and each Friday the IT team spent hours preparing new user onboarding for the coming Monday. And with turnover in any organization, ensuring former employees no longer had access to company apps was a continuing headache and growing risk.
“Single sign-on (SSO) gives you the ability to manage all the users, including their user names and passwords, through one single pane of glass. It was also important to provide a single web page for users to login to their apps. While it started with SSO and identity management, we also needed to reduce the time to set up new hires. And if somebody left or was terminated, we did not know which applications they had, if they still had access, or the risk associated with that uncertainty. So that's all part of identity management: gaining efficiencies and managing risk for user onboarding as well as offboarding,” says Mustafa Ebadi, Vice President of IT and Services at SOTI.
“We looked for a solution that was easy to configure, maintain and support,” adds Ebadi. OneLogin has thousands of pre-integrated apps, including the main ones SOTI relies on: Office 365, Workday, Salesforce, Adobe and more.
Internal custom web apps
In addition to SaaS apps, SOTI needed to provide access to internal web apps--such as inventory and feature request, billing apps, and dashboards--to employees, both internal and external to the corporate network. SOTI had a password policy requiring multi-factor authentication (MFA), so any solution it chose would need to support that as well.
SOTI evaluated whether to continue with Active Directory Federation Services (ADFS), supporting it themselves on-premise or to select a cloud identity and access management (IAM) vendor.
Cloud over ADFS
“We're a very forward-thinking company, and as part of our strategy we seek to leverage cloud as much as possible; ADFS would have required me to have a server in-house. ADFS requires consistent management, maintenance and support, and if there are issues or it goes down, we have to take care of it. Finding system admins to do all this isn’t easy, since they are in high demand,” says Ebadi.
“Instead, with an IAM provider, they are taking care of responsibility for all the back end. If there are any issues or support needed, they take care of it. Compare that to the cost of resources, commitments and support hours. There’s a day and night difference when you are actually doing it online versus traditional ADFS,” continues Ebadi.
“In evaluating IAM providers, the whole experience with OneLogin was around partnership, rather than them trying to sell me something. OneLogin was focused on understanding my business needs, and how they can solve those business needs. I decided to give OneLogin a try, and I'm happy that I did, because it has really helped us a lot and there is continuous improvement that I can see,” states Ebadi.
“There are significant indirect cost savings around your IT department when they're doing onboarding and offboarding. For a company of our nature where we're growing so rapidly--we have doubled our users in the last three years--because every time there's a new hire, we're really saving on that. And from an IT perspective, it was more around improving the user experience and security,” states Ebadi.
HR-Driven Identity with Workday
SOTI takes an HR-driven approach to identity management, allowing IT to leverage the immediacy of HR’s employee knowledge to streamline application access security. When an employee joins SOTI, HR enters their data into Workday and drops their user ID into different OneLogin security groups. Powered by OneLogin, Workday syncs user attributes between the two systems in real time, which then gives the employee SSO access to the appropriate applications and permissions.
“The way we’ve built our provisioning is when a new hire is entered in the Workday system, it triggers different levels of access to applications. It’s very safe, it’s very secure,” explains Ebadi. He adds, “Our technical people do nothing to create or provision accounts. We’ve automated it all. OneLogin is a very central piece to that.”
WAM for Custom Web Apps
OneLogin was able to help SOTI install OneLogin Web Access Management (WAM) with a web agent in Microsoft Internet Information Server (IIS), configuring it as a reverse proxy, so it could pass requests through IIS as a gateway to backend servers hosting internal custom web apps. SOTI was able to wire up and configure WAM, using OneLogin cloud as an identity provider, instead of doing local authentication against an Active Directory or LDAP server.
“Whether you access OneLogin internally or externally, you get the same user experience wherever you are in the world. The tight integration of OneLogin's cloud directory for SaaS apps and OneLogin WAM for our on-premise applications makes accessing the tools our employees need easier, enabling us to have a more efficient and effective workforce while reducing process overhead for our IT department. And it does so while securing all of our apps with multi-factor authentication," says Scott Underhill, IT Manager with SOTI.
SOTI user access to on-premise, custom apps enabled via OneLogin cloud directory, MFA and WAM
“OneLogin has been a huge success for SOTI overall. Users now have a single place to access all their applications, and don't have to worry about remembering passwords. IT efficiency has improved significantly -- we can now onboard and offboard a user within minutes instead of hours. With an average of 10 to 12 people starting a month, that's a lot of hours that we are saving,” says Ebadi.
The newfound ability for employees to access all applications with SSO, and not just in the office, but at home or while away on business as well, is a great productivity advantage for SOTI. In addition to SSO and remote access, user education is a real bonus.
“Many of our users did not know what applications were available inside or outside of the firewall. I had one user come in and say, ‘I can't believe that I haven't used VPN in such a long time, because I can do all my work by just using OneLogin.’ Our success and expansion with OneLogin is a testament to its convenience, as well as the efficiency and effectiveness, not only for the IT team, but for our users,” says Ebadi.
“We can expose internal apps safely with MFA without having to change any code in the app. We now have over 15 apps published. Also by using the proxy we can offload SSL if the app is not setup for SSL. We are using IIS as our reverse proxy server, as we have PHP, Java and .NET apps, and some are legacy and use different protocols and languages. With the integration of IIS, we're able to separate that, and use existing authentication but still secure it from the outside, so we don't have to rewrite our apps, even if they are legacy apps,” says Underhill.
“As head of IT, what I like about OneLogin is, I don't have to think about identity management anymore. I know if a user was terminated or left, I don't have to worry whether we shut down all the accounts. As a user, I can see all my applications at a glance, it's secure and I can access it anytime I want. I don't have to carry around my laptop any more or worry about my access or VPN if I need to do something while I’m out or on the weekend. As a user, that's the beauty of it for me, and I absolutely love it,” observes Ebadi.
For almost two decades, SOTI has been the mobile enterprise industry leader in delivering solutions to manage, secure, and support computing devices and businesses. Over 17,000 customers around the world, in retail, manufacturing, healthcare, government, logistics, and many other industries rely on SOTI for their mobility management needs.
OneLogin brings speed and integrity to the modern enterprise with an award-winning SSO and identity management platform. Our portfolio of solutions secure connections across all users, all devices, and every application, helping enterprises drive new levels of business integrity and operational velocity across their entire app portfolios. The choice for innovators of all sizes such as Condé Nast, Pinterest and Steelcase, OneLogin manages and secures millions of identities around the globe.