neXus is committed to helping our customers keep control of their corporate identities and data while still bringing those valuable identities to as many services as possible. The same identity needs to be used when accessing internal web sites, internal computers using remote desktop, cloud services, wireless internet, VPNs and mobile applications. Whenever the identity is used it should be protected by secure authentication and privacy-protecting encryption. An important prerequisite for using the identities, and for letting users reuse their authentication, in as many places as possible is orchestration of the identities.
Identity Orchestration creates users when they need to be created, removes them when the user is deleted, and helps IT administrators keep track of the services where users have been created. Creating users in cloud services before they are used is crucial for many services, but removing users is even more crucial. The neXus Hybrid Access Gateway 5.0 implements Identity Orchestration using a plugin-based provisioning framework to enable as many services as possible.
neXus is involved in standardizing the way identities can be provisioned and de-provisioned through the standards work called SCIM. SCIM defines a way to represent identity information and to send that information between different systems in a secure manner. neXus Hybrid Access Gateway supports the SCIM standard natively, which limits the number of orchestration plugins that need to be imported into the product. Today neXus is involved in a SCIM interop that takes place at the Cloud Identity Summit in Napa Valley to test out various SCIM implementations together with Salesforce, Cisco, Ping Identity, SailPoint, WSO2 and UnboundID.
In the interoperability tests the neXus Hybrid Access Gateway appliance combines its authentication, access management and federation techniques to orchestrate users and to keep track of identities. The data that makes up the identity can be aggregated from internal users provisioned into the appliance, from different types of user stores, or, if authentication is done using certificates or SAML, from attributes in X.509 certificates or SAML assertions.
neXus Hybrid Access Gateway has access rules that force the creation of users in configured cloud or internal services before the user accesses them for the first time using single sign-on. In the interop at the Cloud Identity Summit, neXus orchestrates users into Salesforce, Oracle and Ping Identity using SCIM, authenticating with both OAuth2 and BASIC authentication.
Orchestration of users to Salesforce is triggered by the end user on the user's first access to Salesforce from the portal in neXus Hybrid Access Gateway. The user is created, and then a SAML-based single sign-on automatically logs the user in to Salesforce using the identity in neXus Hybrid Access Gateway. When the user is removed from neXus Hybrid Access Gateway, the user is automatically deactivated in Salesforce.
Cisco WebEx is configured as a web-based resource, and when users are automatically created, WebEx is reverse proxied through neXus Hybrid Access Gateway and single sign-on can be applied. If the user has been orchestrated into Cisco WebEx, a removal request is sent when the user is deleted in neXus Hybrid Access Gateway.
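As an added illustration (not neXus code and not the Hybrid Access Gateway's plugin API), the following example models the lifecycle described above: create the user on first access, remember where the user was created, and deactivate or remove the user on deletion. It assumes SCIM 2.0 message shapes (RFC 7643/7644); the `Orchestrator` class, the service names and the URLs are hypothetical, and no network calls are made.

```python
import json

# SCIM 2.0 schema URNs (RFC 7643 / RFC 7644); assumed, the page names no SCIM version.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class Orchestrator:
    """Hypothetical model: tracks which services each identity was created in."""

    def __init__(self, services):
        # services: name -> {"base": SCIM base URL, "on_remove": "deactivate" or "delete"}
        self.services = services
        self.provisioned = {}  # userName -> {service name: remote SCIM id}

    def on_first_access(self, user, service):
        """Return the SCIM create request, or None if the user already exists there."""
        if service in self.provisioned.get(user["userName"], {}):
            return None
        body = {"schemas": [USER_SCHEMA], "userName": user["userName"],
                "name": {"givenName": user["given"], "familyName": user["family"]},
                "emails": [{"value": user["email"], "primary": True}],
                "active": True}
        return {"method": "POST", "url": self.services[service]["base"] + "/Users",
                "body": json.dumps(body)}

    def record_created(self, user_name, service, remote_id):
        """Store the resource id the service returned when it created the user."""
        self.provisioned.setdefault(user_name, {})[service] = remote_id

    def on_user_removed(self, user_name):
        """Return one de-provisioning request per service the user was created in."""
        requests = []
        for service, remote_id in sorted(self.provisioned.pop(user_name, {}).items()):
            cfg = self.services[service]
            url = f"{cfg['base']}/Users/{remote_id}"
            if cfg["on_remove"] == "deactivate":
                patch = {"schemas": [PATCH_SCHEMA], "Operations": [
                    {"op": "replace", "path": "active", "value": False}]}
                requests.append({"method": "PATCH", "url": url, "body": json.dumps(patch)})
            else:
                requests.append({"method": "DELETE", "url": url, "body": None})
        return requests


# Constructed sample data; the URLs are placeholders, not real endpoints.
SERVICES = {"crm": {"base": "https://crm.example.test/scim/v2", "on_remove": "deactivate"},
            "meetings": {"base": "https://meet.example.test/scim/v2", "on_remove": "delete"}}
ALICE = {"userName": "alice@example.test", "given": "Alice", "family": "Example",
         "email": "alice@example.test"}
```

A production orchestrator would drop its tracking record for a service only after that service confirms the request, so that a failed de-provisioning call can be retried instead of leaving an orphaned account.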
The integration with Ping Identity's IDaaS system is a good example of how identities can be moved between different IDaaS systems to enable single sign-on in as many places as possible.
/ Erik Wahlström