Like much of the identity and access management (IAM) market, Identity-as-a-Service (IDaaS) is a complex, confusing space — you may even find yourself comparing IAM vs. IDaaS. But the challenge when shopping around for the right solution is not necessarily the wide variety of players, but the multiplicity of definitions and choices. Some consider IDaaS part of directory services, some think it’s a directory extension technology, and others consider it a single sign-on to web applications. So, what’s the truth behind Identity-as-a-Service?
To answer this question fully, let’s begin by taking a broad definition. Any identity management solution delivered as a service can be included in the IDaaS category. That means all three of our above definitions are technically correct. IDaaS can be part of directory services, a directory extension technology, or a single sign-on to web applications – and beyond. But the most common definition for IDaaS is a cloud-based authentication solution that allows users to connect to a variety of company resources. These platforms operate as a single source of truth for security and identity and access management.
But a definition of IDaaS is only the tip of the iceberg. In order to select the right platform for your business, you must also understand the benefits of IDaaS and what modern IDaaS solutions offer. Read on to discover how to match your company’s needs with the right IDaaS features – and, ultimately, how to pick the right platform.
First: Identify Your Needs
Finding the right IDaaS provider will be a very individualized experience, because different companies have different needs. That means the ideal provider for your competitor may not make sense for your business model. So, before you can begin comparing prices and features, you need to take inventory of what your company currently has – and what it ultimately wants. Let’s consider the following areas and questions to determine the right IDaaS solution:
Internally hosted or cloud-based?
Is there a particular bias towards hosting the solution yourself within your own data center, or is it acceptable to have a third party provide the service? Your company’s security and compliance policies may make internal hosting imperative, but if they don’t, know that cloud services offer the utmost in flexibility and scalability – especially for remote teams.
Single sign-on (SSO) or federated?
Are you looking for a core directory service where all of your corporate identities will be hosted? This model uses SSO to authenticate access to all user systems and applications within your organization. Or does your business model require federated identity management, so users can access applications in multiple organizations? Depending on whether you need core or federated identity management, different platforms will work better than others.
Device authentication, application authentication, or both?
Are you looking to provide authentication management by device, by application, or both? Is the access limited to web applications, or do you need to incorporate authentication for devices as well? Devices include on-premises laptops or desktops, BYOD, company cell phones and tablets, and also your servers – whether hosted internally, or in the cloud.
Long-term security strategy?
Do you have future plans to move your company toward a Zero Trust security architecture? Zero Trust follows the “trust nothing, verify everything” method of identity authentication. This model allows access to company resources only after a user or device has been verified – often via multi-factor authentication (MFA). Modern IDaaS solutions allow for easy Zero Trust implementation with additional security factors and a single pane of glass for authentication management.
If you have other key requirements, add them to the list! These are just a few questions we recommend you answer to quickly point you in the right direction.
Second: Identify How IDaaS Can Help
Now, keeping in mind the considerations mentioned above, let’s break down the components of IDaaS. There are five major identity access management categories to examine.
Core Directory Services
A cloud-based core directory service can be considered as part of the Identity-as-a-Service space. Once user credentials are submitted into the directory, you can leverage those credentials to connect your users to whichever IT resources they need. You may also federate those identities to other identity management providers, even to other IDaaS providers. The core directory service is an authoritative user store, and the central control center for your identities.
Directory Extensions
Many directory extension vendors also describe their services as IDaaS. Their primary objective is to extend the existing directory service to cloud-based IT resources, including mobile workers, Infrastructure-as-a-Service providers, and cloud applications. This category often does not provide the core directory itself, but rather extends the existing directory to the IT resources that the core directory cannot manage on its own.
Single Sign-On (SSO)
The move to web applications is currently underway, and many of the providers that centralize access to these web applications consider themselves Identity-as-a-Service providers. SSO providers connect to a directory service and then connect those users to all of the web applications they need access to. SSO providers take that single set of credentials and allow users to access a set of applications without having to re-enter those same credentials for each one.
Multi-Factor Authentication (MFA)
Multi-factor authentication is the single most important step in ensuring that your user identities are not compromised. It’s a critical component of Zero Trust, and of IDaaS. MFA combines something a user knows (usually, their username and password – the most easily compromised credentials) with something they have (typically, a push notification to a personal device – very difficult to compromise). Modern IDaaS solutions often offer TOTP, push notifications, hardware keys, or even biometric authentication as the second verification factor.
User Provisioning
Many IT admins will say that user provisioning (or deprovisioning) is the most time-consuming part of onboarding a new employee, but this doesn’t have to be true with IDaaS. Modern solutions create a single authoritative identity for each user that is stored in the core directory. Before that user ever logs in, all the resources they’ll need for their role are already predefined in the directory. All the IT admin has to do is create the original user login and select their application permissions. Then, the new employee has only to log in to the core directory to access all their applications.
The Identity-as-a-Service space is not inherently complex, but with so many varying, competing interests in the market, it can be daunting to select the appropriate services. By being clear about your requirements and determining what you need, you will be better able to identify which of the identity and access management categories above will work for you.
Third: Compare Identity-as-a-Service Providers
Once you’ve inventoried your own needs and identified which components of IDaaS you’ll need to meet those needs, you can compare your IDaaS providers to determine the best fit for your business. Few solutions will be one-size-fits-all, but the important thing is finding the one that fits all the needs on your IDaaS checklist. With today’s options, you’re sure to find a provider that suits your business’s unique needs.
Azure Active Directory (Azure AD)
Azure AD works on top of Microsoft Active Directory to provide single sign-on (SSO) access to a variety of SaaS applications, like Office 365, Salesforce, Dropbox, and many others. It’s also the user management system for Azure. In essence, it is designed as a bridge between your existing legacy Active Directory instance and Microsoft’s catalogue of compatible cloud-delivered services (1). While it is possible to sync your Active Directory instance with Azure AD, in and of itself Azure AD is not a complete cloud-based directory service.
This is because Azure AD does not act as the authoritative source of truth for user identities (unless you are only using Office 365 or Azure resources). That role still belongs to Active Directory for many organizations, which requires traditional on-prem devices and dedicated IT staff to create and maintain. While Azure AD is meant to be a cloud identity platform, the true source of identity management remains firmly grounded in the legacy directory service, Active Directory.
Okta
Okta, which went public in 2017, was one of the first cloud-based web application SSO solutions on the market. Web app SSO solutions, commonly referred to as first generation Identity-as-a-Service (IDaaS) platforms, are popular due to the wide use of web applications such as Slack, GitHub, Salesforce, and thousands of others.
While Okta is a leading web application SSO platform, it’s paired with a core on-prem identity provider, which historically has been Active Directory over 95% of the time. While this multi-product approach may work, it certainly creates challenges, including high cost. It also creates a strange dynamic for Okta, where it competes with Microsoft with respect to Azure AD (AAD), yet works alongside Microsoft in IT organizations where both Okta and Active Directory are present.
OneLogin
OneLogin is very similar to Okta in that it is a web app SSO solution. Like Okta, OneLogin offers SSO, MFA, user management, and directory integrations, and integrates seamlessly with Active Directory. But it also shares Okta’s shortcoming of needing to be paired with an on-prem core identity provider. This once again increases the complexity of managing an entire business’s identities across multiple platforms. What’s more, if your company is slowly moving to cloud-first solutions, it makes much more sense to switch your entire identity provider to a cloud IDaaS platform instead of doubling up with Active Directory add-ons like OneLogin.
Google Cloud Identity
Google Cloud Identity is the tech giant’s response to Microsoft AD. It’s the user management platform you receive when you sign up for G Suite™ or Google Cloud Platform services. It’s an identity management service that works across all Google applications, like Gmail™, Docs, Sheets, Drive, etc. Google Cloud Identity offers a free and a premium version. The premium version has more identity management capabilities for Google applications, but requires a subscription fee per user per month.
Although Google Cloud Identity enables authentication to Google Cloud resources and web applications via SSO, it’s not designed for authentication to systems, servers, networks, or other IT resources not housed within Google. Ideally, a cloud identity provider would enable authentication to all resources, rather than acting as only one of a collection of solutions to enable users to log in with their core credentials.
All of the solutions we’ve mentioned so far have one big weakness in common: none of them represent a complete, cloud-based one-stop shop for your IDaaS needs. Azure AD only extends existing Active Directory services, so you’re still tethered to Microsoft’s on-prem solution. Okta and OneLogin may provide SSO, but they’re SSO/MFA-based add-ons, not complete options in themselves. And while Google Cloud Identity is great at what it does, it only focuses on authenticating to Google-owned applications, not connecting all company resources under a single pane of glass. To get all those features, you need a complete cloud-based infrastructure.
That’s where JumpCloud comes in. JumpCloud is a comprehensive cloud replacement for all your IDaaS needs. No more expensive AD implementations or tedious OpenLDAP configurations. Our cloud directory service goes even further to tightly integrate with cloud services from Microsoft, Google, Amazon, and thousands of others regardless of the platform.
JumpCloud empowers you to choose which services are right for your organization. Administrators retain all of the advantages of Azure AD and Google identity management without being locked into their respective ecosystems. Through one centralized cloud directory, users and admins alike can enjoy the ease of domainless infrastructure that includes multi-factor authentication, SSO with user provisioning, LDAP, RADIUS, and cross-platform system management — all as-a-Service.
Identity-as-a-Service (IDaaS) with JumpCloud
If you’re ready to give a best-in-class directory platform a try for all your IDaaS needs, JumpCloud’s your solution. Drop us a note, or sign up for a free account and give it a try for yourself. It’s free to try for up to 10 users and 10 devices.