onelogin | Password-less World

The cloud + security is achievable with identity management best practice. OneLogin provides cloud admins an “easy-button” to parse out sub-account application access without permitting user self-administration. In fact, their users enjoy many such “easy-buttons.” Once inside the OneLogin Single-Sign-On (SSO) portal, users see all of their available applications, projects, resources, or access-jump-points in a tiled layout as they are added or removed from projects. They needn’t know the login and password for these resources—in fact, we don’t want them to know. My users are never allowed administrative controls beyond their role on the project, because their work is transient.

OneLogin (serving as the identity provider: IDP) has pre-established trust relationships with all of my cloud service providers (IDP to SP). With modern authentication via SAML SSO, OneLogin sub-admin users enjoy pre-provisioned access to resources appropriate to their project role and none they shouldn’t see. Access is further secured with adaptive multi-factor authentication (MFA) to ensure my users prove who they say they are and may only access applications if the conditions are appropriate.

Password-less login to OneLogin with ThinC-AUTH strengthen the entrance of OneLogin world. This strong authentication is maintained with SAML federation to all trusted chains and their connected applications. There are various options to stregthen OneLogin login, but we recommend to adopt the strongest methods by use of stand alone, cyber attack immune ThinC-AUTH, which maintains all users credential in the physically separated USB dongle.

Single Sign-On (SSO) : With OneLogin’s SSO portal users only have to enter one set of credentials to access to their web apps.

Real-Time User Provisioning : Automating the user provisioning lifecycle reduces errors and streamlines access control based on role, department, location, title and other attributes.

Adaptive Multi-Factor Authentication ; Policy-based MFA prevents unauthorized users from accessing corporate data with passwords alone. Use our MFA application or a pre-integrated solution.

Unified Directory : Synchronize users with any number of directories, such as Active Directory, LDAP, Workday, or Google Apps.

Compliance Reporting & Analysis : Reports give instant insight into login activity, application utilization, weak passwords, and more.

Even as enterprises continue to adopt more cloud applications, Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) still play a critical role in how information security, personal computers and users are managed. This whitepaper describes how OneLogin securely connects your Active Directory infrastructure to OneLogin and your cloud applications.

There are several other advantages to directory integration besides enabling users to sign into applications with the existing network credentials:

Eliminate passwords—The combination of SAML-based single signon and OneLogin’s AD integration eliminates passwords for all the applications that support SAML. Fewer passwords mean reduced IT workload and increased security.
Unify multiple directories—For organizations that have their user base spread over multiple directories, OneLogin can combine and present them as one, unified directory to other applications for federation via SAML.
Avoid point-to-point application integration—Some applications can delegate authentication to a directory via LDAP; however, as the number of applications increases, the cost of maintaining the integrations increases, and your firewall ends up
Centralized access control—Instead of signing into applications directly, users must authenticate via the identity provider, subject to multiple authentication factors.
Centralized audit trail—All sign-in activity is recorded in a centralized audit trail, which simplifies compliance and enables cross-application analysis.
The rest of this white paper goes into more detail about how OneLogin integrates with AD. (Note that a similar white paper exists about OneLogin’s LDAP integration.)

TASK	TOOLS
Manage user identities	IAM systems manage user identities. The IAM may be the sole directory used to create, modify, and delete users (such as employees). Or it may integrate with one or more other directories, such as Microsoft Active Directory, and synchronize with them.
Provisioning/deprovisioning users	Once a user is in the system, IT must provision the user, which is the process of specifying which apps, resources, etc. the user has access to and what level of access (administrator, editor, viewer, etc.) the user has to each item. Since it would be time-consuming to specify every individual’s access to every resource, IAM systems generally enable provisioning via policies defined based on role-based access control (RBAC). Users are assigned one or more roles, usually based on job function, and are automatically given access as per the definitions for that role. Just as it can be time-consuming to provision users, it can be time-consuming to deprovision them from all the apps and systems to which they have access. An IAM system automates this process—which is important since ex-employees who still have access present a serious security risk.
Authenticating users	IAM systems perform the task of authenticating a user when the user requests access. Today, secure authentication means multi-factor authentication and, preferably, adaptive authentication.
Authorizing users	After authenticating the user, the IAM system authorizes the user for access, as needed, to specific apps and resources based on the user’s provisioning.
Reporting	IAM systems provide reports that help organizations prove compliance with regulations, identify potential security risks, and improve their IAM and security processes.
Single Sign-On	Single Sign-On is not a component of all IAM systems, but it is a component of the best ones. SSO adds security and makes users more productive by making it faster and easier for them to access the resources they need without having to login each time or remember many different passwords.

OneLogin Service

Video for setting ThinC FIDO2 Login to OneLogin