Why not SAML & SCIM?
Last updated
Last updated
Our of our values is to get you up and running in a few minutes, but that can easily stretch to weeks if you start using certain capabilities, such as SAML or SCIM or even allowing non Google/365 logins to the console.
Ultimately, our goal is to give you high level of security controls (SSO, Endpoint Auth, Group Policies) with zero hassles & just a couple of clicks. That's why we chose a different integration (OIDC and 365/Google APIs) rather than SAML and SCIM
There are three main areas this improves on:
Admin Login & Sign-Up Process: our authentication removes the need for any password resets, SSO integrations, or MFA integrations by instantly SSO with your existing IDP
Endpoint Authentication: removes any complex endpoint auth testing, SAML configurations, and certificate rotations - no IAM team required to configure
User & Group Policies: removes any user attribute mapping, complex SCIM configuration, and there's no IAM team required to configure
To achieve the goal of an Instant SSO admin login, we have required all admins to use their 365 or Google account to authenticate. From there, the authentication will jump to whatever Identity Provider you have configured.
For example, if you were using Okta:
The beauty of this mechanism is that you can even add a managed service provider, or other admin, and dope.security will automatically facilitate the SSO for that admin as well. This can range from Okta, Onelogin, Azure AD/Entra ID, and more!
If you are using special accounts for admins, such as admin-js@voyager.com, add that instead. This will allow you to inherit the security policy automatically when that account authenticates.
Traditionally, this has been a hodgepodge of authentication options to get the user ID on the device they are using: Active Directory, LDAP, SAML, NTLM, etc. The most-used standard today is SAML for performing the authentication.
However, integrating a POC environment into your IAM/SSO tool via SAML is not so straightforward. There are a lot of fields that need to be correctly aligned, you'll need to re-test at least a few times to make sure that there are no issues, coordinate with the actual IAM team to do all of this, and above all, you'll need to re-coordinate to rotate the SAML certificate eventually. Else, people will have no Internet if they're installing for the first time.
By using the same method of OIDC to 365/Google, we removed all of this complexity and replaced it with a checkbox:
Yes, your Okta/Azure AD/etc. will work perfectly. By using the native browser, we have even allowed you to use any MFA mechanism that your device supports, ranging from YubiKeys (FIDO U2F), to Bluetooth U2F, etc.
Last, but not least, is actually applying policies to particular user & group combinations and creating category exceptions for particular users & groups.
Given that Google or 365 is a prerequisite to use dope, we can instantly import the Users/Groups from those services using the APIs they expose (after you've authorized this, of course). It ends up being a few clicks from your Google/365 admin, and we will automatically synchronize the User/Group data every 15 minutes. We have customers from 100 users to 400,000 using this process today - many of them also use Okta or Azure AD or other IAM solutions to manage their User Groups. By leveraging this mechanism, your group changes will synch from IAM -> 365/Google -> DS very quickly.
It's very common for groups & users to be managed from within an HR or IAM software, and we have tested this with many configurations where it automatically flows through to 365/Google (due to previous config) and dope is able to pick it up from there.
What do I tell my compliance team about this? Compliance can be told that dope supports single sign on by default, and provides automatic de-authorization for any admins who are no longer with the company
What if I want an Okta tile or Azure AD button for the dope console? You can configure either app to be redirected to https://fly.dope.security
What do I tell my compliance team if they say dope needs to be integrated with the SSO tool? You can tell them that it is automatically integrated with SSO via 365 and Google. There is no additional configuration required.