Provisioning users to web applications is an essential component of modern user lifecycle management and a virtually inescapable task for IT admins.
Whether it’s for email, productivity, or business support, companies are increasing their web app spending. Spiceworks projected that midsize organizations in 2020 will dedicate a larger portion of their software budgets to productivity software and business support apps than the year prior — and app spending will be a consistent component of budgets in any org size.
The question then becomes how to provision user access in the most systematic and secure way.
User Provisioning: The Basics
An account needs to be created for a user in the SaaS app, which can be done manually or automatically, depending on a number of factors that we’ll explore below.
One way or another, user attributes need to be populated and, ideally, synced with the central identity provider. User attributes describe a user’s identity in the directory, including obvious attributes like first and last name, username, and company email. Others include employee ID, department, and location, which admins can use to drive roles and privileges within the applications to which those attributes are pushed.
Different resources require different attributes, and they don’t always use the same names or syntax. For example, the LDAP inetOrgPerson schema (RFC 2798) calls the department attribute “departmentNumber,” while Active Directory’s schema calls it “department,” and a SaaS app’s SCIM or SAML interface may expect yet another name. This means admins need a way to ensure attributes are properly configured across resources and mapped from the directory to the requisite apps during provisioning, and to verify that the mapping still holds when a schema changes on either side.
There are various provisioning options, including through third-party solutions on top of AD and through a cloud directory service.
How Provisioning Works with Active Directory
If an organization is using Microsoft® Active Directory® (AD), they’ll need to seek an additional solution to provision users to web apps because AD doesn’t have that capability natively. It thrives in on-prem Windows® environments but isn’t designed for native connections to web apps, cloud infrastructure, or non-Microsoft resources.
There are various third-party solutions to extend AD identities to web apps. This is the core functionality an admin should look for when assessing these solutions:
- User attribute mapping
- Integration and syncing with other directories, including G Suite™, Office 365™, and HR systems
- Ability to automate provisioning
Each of these capabilities is crucial in an AD identity bridge, but admins can also achieve them independently of AD.
Provisioning from a Cloud Identity Provider
Alternatively, an organization can use a cloud identity provider as its source of truth in provisioning to web apps. IT admins that go this route avoid having both a directory and additional solutions to manage, and they can instead provision and manage access from the cloud directory itself.
Beyond user provisioning, a cloud identity provider can also enable a seamless web application single sign-on (SSO) experience and improve user management. Through SSO solutions, admins can administer (or prohibit) app access via group membership.
Crucially, SSO solutions allow centralized control over access and the credentials that employees use to authenticate. Rather than forcing users to maintain multiple credentials — which are stored in each app and therefore harder to monitor and control — admins can implement SSO solutions to ensure employees use their core credentials to log in to their app portals. Because those core credentials now unlock every integrated app, protecting them (for example with multi-factor authentication enforced at the identity provider) matters more than it did when each app held its own password.
They can also automate provisioning so that, when a user is created in the cloud directory during onboarding, that identity automatically flows to their allowed web applications.
Just-in-Time (JIT) provisioning and SCIM (System for Cross-domain Identity Management) are distinct but related mechanisms that streamline the creation of accounts in web apps. JIT is an approach that rides on an SSO protocol such as SAML; SCIM is a standardized REST API (RFC 7643 and RFC 7644) for managing user and group resources.
In SAML-supported JIT provisioning, a user’s account is created the first time they SSO into the application, using the attributes carried in the SAML assertion. JIT alone only creates: if a user is later removed from the directory, the app account remains until someone deletes or disables it, so JIT should be paired with a deprovisioning step. In SCIM provisioning, which is an API integration, admins can automate both provisioning and deprovisioning in web apps, as well as maintain near real-time creation, modification, and deactivation of users between their directory and integrated apps.
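The following is an added example, not code from the original article or from any vendor it mentions. It models in one place the attribute mapping discussed earlier and the JIT-versus-SCIM difference above: a constructed directory export using LDAP-style attribute names, a hypothetical per-app map from those names to SCIM attribute paths (the schema URNs are the real ones from RFC 7643; the map itself and the “app-crm-users” group are assumptions), and a toy in-memory SaaS app that stands in for a real SCIM endpoint so the code runs offline. The scenario onboards two users both ways, then offboards one by deleting the directory record and shows that the JIT-only app still has an active account while the SCIM-synced app has deactivated it.

```python
"""Attribute mapping and JIT vs SCIM provisioning, modeled offline.

Added example. Directory records, the attribute map, and the SaaSApp store
are constructed for illustration; no network calls or real IdP are involved.
"""
from __future__ import annotations

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed directory export using inetOrgPerson-style LDAP attribute names
# (RFC 2798 says departmentNumber; AD's own schema calls it department).
DIRECTORY = {
    "alice": {"givenName": "Alice", "sn": "Nguyen", "mail": "alice@example.com",
              "departmentNumber": "Engineering", "employeeNumber": "E100",
              "l": "Austin", "memberOf": ["app-crm-users"]},
    "bob": {"givenName": "Bob", "sn": "Osei", "mail": "bob@example.com",
            "departmentNumber": "Sales", "employeeNumber": "E101",
            "l": "Denver", "memberOf": ["app-crm-users"]},
}

# Hypothetical per-app map: LDAP attribute -> SCIM attribute path.
CRM_ATTRIBUTE_MAP = {
    "mail": "userName",
    "givenName": "name.givenName",
    "sn": "name.familyName",
    "departmentNumber": f"{SCIM_ENTERPRISE}:department",
    "employeeNumber": f"{SCIM_ENTERPRISE}:employeeNumber",
}


def _set_path(obj: dict, path: str, value) -> None:
    """Write value at a SCIM path: '<extension urn>:attr' or dotted core path."""
    if path.startswith("urn:"):
        urn, _, attr = path.rpartition(":")
        obj.setdefault(urn, {})[attr] = value
        if urn not in obj.setdefault("schemas", []):
            obj["schemas"].append(urn)
        return
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def to_scim_user(record: dict, attribute_map: dict = CRM_ATTRIBUTE_MAP) -> dict:
    """Build an RFC 7643 User resource from a directory record via the map."""
    user = {"schemas": [SCIM_USER], "active": True}
    for ldap_attr, scim_path in attribute_map.items():
        if ldap_attr in record:  # unmapped or absent attributes are simply skipped
            _set_path(user, scim_path, record[ldap_attr])
    return user


def scim_deactivate_patch() -> dict:
    """RFC 7644 PatchOp that deactivates instead of deleting (keeps audit history)."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def saml_attrs(record: dict) -> dict:
    """Attributes an IdP would place in a SAML assertion (constructed mapping)."""
    return {"email": record["mail"], "firstName": record["givenName"],
            "lastName": record["sn"]}


class SaaSApp:
    """Toy app user store keyed by userName; stands in for a SCIM endpoint."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def jit_login(self, assertion: dict) -> dict:
        # JIT: create on first successful SSO; later logins reuse the account.
        name = assertion["email"]
        return self.users.setdefault(name, {
            "userName": name, "active": True,
            "name": {"givenName": assertion["firstName"],
                     "familyName": assertion["lastName"]}})

    def scim_put(self, user: dict) -> None:
        self.users[user["userName"]] = user

    def scim_patch(self, user_name: str, patch: dict) -> None:
        for op in patch["Operations"]:
            if op["op"] == "replace":
                self.users[user_name][op["path"]] = op["value"]


def scim_sync(app: SaaSApp, directory: dict, group: str) -> SaaSApp:
    """Push create/update for group members; deactivate app users no longer entitled."""
    entitled = {r["mail"] for r in directory.values() if group in r["memberOf"]}
    for rec in directory.values():
        if group in rec["memberOf"]:
            app.scim_put(to_scim_user(rec))
    for user_name, user in app.users.items():
        if user_name not in entitled and user["active"]:
            app.scim_patch(user_name, scim_deactivate_patch())
    return app


def run_scenario() -> dict:
    """Onboard via JIT and via SCIM, then offboard bob from the directory."""
    directory = {k: dict(v) for k, v in DIRECTORY.items()}
    jit_app, scim_app = SaaSApp(), SaaSApp()
    for rec in directory.values():
        jit_app.jit_login(saml_attrs(rec))
    scim_sync(scim_app, directory, "app-crm-users")
    del directory["bob"]  # offboarding: nothing reaches the JIT-only app
    scim_sync(scim_app, directory, "app-crm-users")
    return {"jit_bob_active": jit_app.users["bob@example.com"]["active"],
            "scim_bob_active": scim_app.users["bob@example.com"]["active"],
            "scim_alice": scim_app.users["alice@example.com"]}


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the scenario is the orphaned JIT account: nothing in the SAML flow tells the app that bob is gone, so a JIT-only integration needs a separate deprovisioning path, whereas the SCIM sync deactivates him on the next run. Deactivating (`active: false`) rather than deleting preserves the user’s records in the app for audit and handover.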
These and other tools allow admins to automate user onboarding and offboarding. Some solutions charge extra for JIT and SCIM provisioning, while others include them in their core offerings at no additional cost — something admins should keep in mind as they select a solution.