Why not SAML & SCIM?

One of our values is to get you up and running in a few minutes, but that can easily stretch to weeks once you start using certain capabilities, such as SAML or SCIM, or even allowing non-Google/365 logins to the console.

Ultimately, our goal is to give you a high level of security control (SSO, endpoint auth, group policies) with zero hassle and just a couple of clicks. That's why we chose a different integration (OIDC plus the 365/Google APIs) rather than SAML and SCIM.

There are three main areas this improves on:

  1. Admin Login & Sign-Up Process: our authentication removes the need for any password resets, SSO integrations, or MFA integrations by instantly performing SSO with your existing IdP

  2. Endpoint Authentication: removes any complex endpoint auth testing, SAML configurations, and certificate rotations - no IAM team required to configure

  3. User & Group Policies: removes any user attribute mapping and complex SCIM configuration, and no IAM team is required to configure it

Admin Logins

To achieve the goal of an instant SSO admin login, we require all admins to authenticate with their 365 or Google account. From there, the authentication jumps to whatever Identity Provider you have configured behind 365/Google.

For example, if you were using Okta:

Okta <======SAML======> Microsoft 365 / Google Workspace <======OIDC======> Dope

The beauty of this mechanism is that you can even add a managed service provider, or another admin, and dope.security will automatically facilitate the SSO for that admin as well. This works with Okta, OneLogin, Azure AD/Entra ID, and more!

If you are using special accounts for admins, such as admin-js@voyager.com, add that instead. This will allow you to inherit the security policy automatically when that account authenticates.
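As an added illustration (not dope.security's code), here is how a console that delegates admin login to Google or 365 over OIDC can bind the login to the enrolled workspace rather than to the email string alone, so that a look-alike consumer account is rejected even if its address matches. It assumes the ID token's signature, audience and expiry have already been verified by an OIDC library; the tenant ids and domains are constructed placeholders.

```python
"""Tenant-bound admission check on already-verified OIDC ID-token claims."""
from dataclasses import dataclass, field

GOOGLE_ISS = "https://accounts.google.com"
# Entra ID v2.0 issuer: prefix + tenant id + "/v2.0"
MS_ISS_PREFIX = "https://login.microsoftonline.com/"


@dataclass
class Tenant:
    """What the console enrolled: the workspace(s) admins must come from."""
    google_domains: set = field(default_factory=set)  # Google 'hd' claim values
    ms_tenant_ids: set = field(default_factory=set)   # Entra 'tid' claim values (placeholders)


def admit_admin(claims: dict, tenant: Tenant) -> tuple[bool, str]:
    """Return (admitted, reason).

    The workspace claim ('hd' for Google, 'tid' for 365) decides which tenant
    a login belongs to; the email address is only an attribute of that tenant.
    """
    iss = claims.get("iss", "")
    if iss == GOOGLE_ISS:
        if not claims.get("email_verified", False):
            return False, "email not verified by Google"
        hd = claims.get("hd")
        if hd is None:
            # Consumer Gmail accounts carry no hosted-domain claim at all.
            return False, "consumer Google account (no hosted domain claim)"
        if hd not in tenant.google_domains:
            return False, f"hosted domain {hd!r} is not enrolled"
        return True, f"google workspace {hd}"
    if iss.startswith(MS_ISS_PREFIX):
        tid = claims.get("tid")
        if tid not in tenant.ms_tenant_ids:
            return False, f"tenant {tid!r} is not enrolled"
        # Issuer and tid must agree: a token minted by another tenant's
        # issuer that merely copies our tid string fails here.
        if iss != f"{MS_ISS_PREFIX}{tid}/v2.0":
            return False, "issuer does not match tenant id"
        return True, f"microsoft 365 tenant {tid}"
    return False, f"unexpected issuer {iss!r}"
```

An admin removed from the workspace can no longer obtain a token with these claims, which is the mechanism behind the automatic de-authorization described in the FAQs.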

Endpoint Authentication

Traditionally, this has been a hodgepodge of authentication options for getting the user ID on the device they are using: Active Directory, LDAP, SAML, NTLM, etc. The most widely used standard today is SAML.

However, integrating a PoC environment into your IAM/SSO tool via SAML is not so straightforward. There are a lot of fields that need to be correctly aligned, you'll need to re-test at least a few times to make sure there are no issues, coordinate with the actual IAM team to do all of this, and above all, you'll eventually need to re-coordinate to rotate the SAML certificate. Otherwise, users installing for the first time will have no Internet access once that certificate has expired.

By using the same OIDC method with 365/Google, we removed all of this complexity and replaced it with a checkbox.

Yes, your Okta/Azure AD/etc. will work perfectly. Because the login runs in the native browser, you can also use any MFA mechanism that your device supports, from YubiKeys (FIDO U2F) to Bluetooth U2F and more.

User & Group Policies

Last, but not least, is actually applying policies to particular user and group combinations and creating category exceptions for particular users and groups.

Given that Google or 365 is a prerequisite for using dope, we can instantly import the users and groups from those services using the APIs they expose (after you've authorized this, of course). It ends up being a few clicks for your Google/365 admin, and we automatically synchronize the user/group data every 15 minutes. We have customers from 100 users to 400,000 using this process today, and many of them also use Okta, Azure AD, or another IAM solution to manage their user groups. Through this mechanism, your group changes sync from IAM -> 365/Google -> dope.security very quickly.

It's very common for groups and users to be managed from within HR or IAM software, and we have tested this with many configurations where the changes automatically flow through to 365/Google (thanks to your existing configuration) and dope picks them up from there.

FAQs

  1. What do I tell my compliance team about this? Compliance can be told that dope supports single sign-on by default and provides automatic de-authorization for any admins who are no longer with the company.

  2. What if I want an Okta tile or Azure AD button for the dope console? You can configure either app to redirect to https://fly.dope.security.

  3. What do I tell my compliance team if they say dope needs to be integrated with the SSO tool? You can tell them that it is automatically integrated with SSO via 365 and Google. There is no additional configuration required.
