The Identity Providers (IDP) system in the eTag Fuse platform enables seamless integration with external identity providers, ensuring secure and efficient authentication across multiple systems. By supporting industry-standard protocols such as SAML, OIDC, and OAuth, the platform offers organizations the flexibility to integrate with their preferred identity management systems while maintaining a unified security framework.
¶ 1. Support for Industry-Standard Protocols
Fuse integrates with widely used identity provider protocols, allowing organizations to use existing systems for authentication.
- Supported Protocols:
- SAML (Security Assertion Markup Language): A widely used, XML-based protocol for exchanging authentication and authorization data between an identity provider and a service provider.
- OpenID Connect (OIDC): An identity layer built on top of OAuth 2.0, allowing authentication with single sign-on (SSO) capabilities.
- OAuth 2.0: An open standard for access delegation, commonly used to grant websites or applications limited access to user information. On its own, OAuth 2.0 authorizes access to resources rather than authenticating the user; the authentication layer is what OIDC adds on top of it.
- Custom Providers: The platform also allows the creation of custom identity providers through Fuse’s security development framework. This enables organizations to integrate proprietary or non-standard identity systems seamlessly into their workflows.
¶ 2. Just-in-Time (JIT) Provisioning
With just-in-time (JIT) provisioning, new user accounts are created automatically the first time a user authenticates successfully through an external identity provider.
- Capabilities: Automatically create missing user accounts, claim types, groups, and roles upon authentication. This ensures that new users are provisioned into the system without manual intervention.
- Automatic Role and Group Assignment: Based on inbound claims, users can be automatically assigned roles and groups. This helps simplify user management by dynamically assigning users to appropriate permissions and access levels.
¶ 3. Inbound Claim Mapping
Administrators can map inbound claims from identity providers to user profiles in Fuse, so that custom attributes and security policies carried by the provider are applied consistently.
- Capabilities: Inbound claim mapping enables profile field and custom attribute mapping from identity providers. Administrators can ensure that user profile data is consistent and fully populated when users authenticate via external providers.
- Claim Transformation: Fuse supports claim transformation, allowing administrators to manipulate or exclude certain claim values based on business requirements. This is especially useful when dealing with inconsistent claim types or data formats from different identity providers.
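The mapping, transformation and provisioning steps described in the two sections above, as an added Go example. This is not eTag Fuse code: the page does not show Fuse's configuration model or APIs, so the ProviderMapping and Store types, the `fuse:` group prefix, the provider-plus-subject store key and the sample claims are all assumptions made for the illustration. It shows the three transformations a practitioner usually wants: normalising the e-mail, excluding groups outside an agreed namespace, and deriving roles through an allow-list rather than from a role claim the provider could set to anything.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Claims is the flattened, multi-valued set of inbound claims after protocol
// processing (OIDC ID-token claims or SAML assertion attributes); token
// signature, issuer and audience validation belong to that earlier step.
type Claims map[string][]string

// User is the local profile that JIT provisioning creates or refreshes.
type User struct {
	ExternalID string // the provider's stable subject, never the e-mail
	Email      string
	Groups     []string
	Roles      []string
}

// ProviderMapping is a hypothetical per-provider configuration of the kind an
// administrator would define for inbound claim mapping (not Fuse's own model).
type ProviderMapping struct {
	SubjectClaim string
	EmailClaim   string
	GroupClaim   string
	GroupPrefix  string            // only groups in this namespace are imported
	RoleByGroup  map[string]string // imported group -> local role (allow-list)
}

var ErrNoSubject = errors.New("inbound claims carry no stable subject")

// MapClaims applies the mapping and transformations: normalise the e-mail, drop
// groups outside the agreed prefix, and derive roles only through the
// RoleByGroup allow-list, so an inbound "role" value is never trusted as-is.
func MapClaims(m ProviderMapping, c Claims) (*User, error) {
	sub := first(c[m.SubjectClaim])
	if sub == "" {
		return nil, ErrNoSubject
	}
	u := &User{ExternalID: sub, Email: strings.ToLower(strings.TrimSpace(first(c[m.EmailClaim])))}
	roles := map[string]bool{}
	for _, g := range c[m.GroupClaim] {
		g = strings.TrimSpace(g)
		if !strings.HasPrefix(g, m.GroupPrefix) {
			continue // excluded: outside the namespace reserved for Fuse
		}
		local := strings.TrimPrefix(g, m.GroupPrefix)
		u.Groups = append(u.Groups, local)
		if r, ok := m.RoleByGroup[local]; ok {
			roles[r] = true
		}
	}
	for r := range roles {
		u.Roles = append(u.Roles, r)
	}
	sort.Strings(u.Roles)
	return u, nil
}

// Store stands in for the user directory; the key is provider plus external
// subject so the same e-mail at two providers never merges into one account.
type Store map[string]*User

// JIT creates the account on first login, refreshes it on later logins, and
// reports whether a new account was created.
func (s Store) JIT(provider string, u *User) bool {
	key := provider + "|" + u.ExternalID
	_, existed := s[key]
	s[key] = u
	return !existed
}

func first(v []string) string {
	if len(v) == 0 {
		return ""
	}
	return v[0]
}

// Sample returns constructed demo data: a mapping and the claims an OIDC ID
// token from a corporate provider might carry.
func Sample() (ProviderMapping, Claims) {
	m := ProviderMapping{SubjectClaim: "sub", EmailClaim: "email", GroupClaim: "groups", GroupPrefix: "fuse:",
		RoleByGroup: map[string]string{"admins": "Administrator", "finance": "FinanceUser"}}
	c := Claims{
		"sub":    {"0a3f-77"},
		"email":  {"  Alice.Smith@Example.COM "},
		"groups": {"fuse:admins", "fuse:finance", "hr-team", "fuse:visitors"},
	}
	return m, c
}

func main() {
	u, _ := MapClaims(Sample()) // Sample() is well formed; real callers must handle the error
	store := Store{}
	fmt.Printf("first login: created=%v user=%+v\n", store.JIT("corp-oidc", u), *u)
	fmt.Printf("second login: created=%v\n", store.JIT("corp-oidc", u))
}
```

With the sample claims, `hr-team` is excluded because it lies outside the `fuse:` namespace, `visitors` is imported as a group but grants no role, and the two mapped groups yield the roles Administrator and FinanceUser; a second login with the same subject updates the existing account instead of creating another one.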
¶ 4. Federated Identity and SSO
Fuse provides federated identity management, allowing users to authenticate across multiple systems with a single identity. This includes full Single Sign-On (SSO) capabilities for seamless user access.
- Capabilities: Federated identity management enables organizations to maintain a single user identity across multiple systems and domains. With SSO, users can log in once and gain access to all connected applications without needing to re-authenticate. This reduces the need for managing multiple passwords and enhances the user experience.
- Universal User Identity: Even when using multiple identity providers, Fuse consolidates user information into a single universal profile. This ensures that users don’t have multiple fragmented accounts, improving auditability and management.
¶ 5. Provider-Based Personalization
Identity providers in Fuse can be personalized for users, allowing customization of themes, accessibility settings, and more based on the provider used to authenticate.
- Capabilities: Organizations can tailor the authentication experience based on the identity provider. For example, different themes or accessibility settings can be applied to users authenticating with specific identity providers. This personalization enhances the user experience by aligning it with organizational branding or user needs.
¶ 6. Identity Provider Security Policies
Administrators can assign specific security policies to identity providers; a policy assigned to a provider applies to every user who authenticates through it.
- Capabilities: Fuse allows administrators to enforce security policies such as multi-factor authentication (MFA), password policies, and session management rules based on the identity provider. For example:
- MFA Enforcement: Require multi-factor authentication for users authenticating with certain identity providers.
- Password Policies: Enforce specific password rules, such as complexity requirements or password expiration.
- Session Management: Define session duration, idle timeout, and concurrent session rules.
- Access Control: Restrict or allow access based on specific identity provider rules.
¶ 7. Certificate-Based Authentication
Fuse supports certificate-based authentication through identity providers, adding an extra layer of security for user authentication.
- Capabilities: Administrators can map client certificates to user profiles, ensuring that users are authorized based on the presence of a valid client certificate. This is particularly useful in high-security environments where mutual TLS authentication is required.
- Mutual TLS: Fuse supports mutual TLS, which verifies both the client and server during authentication, ensuring secure communication.
- Certificate-Based Authorization: Certificates can be mapped to user roles or groups, enabling certificate-based access to specific applications or resources.
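Mapping a client certificate to a user and roles, with the chain validation that must precede any such mapping, as an added Go example using only the standard library. This is not Fuse code: the Binding and CertMapper types, the in-memory CA built by `issue`, and the choice to bind on the SAN e-mail address are assumptions made for the illustration. The point it makes is the order of operations: the certificate is first verified against the trusted CA pool with the clientAuth extended key usage and current validity, and only then is a binding looked up, so a certificate from an unknown CA that carries another user's e-mail is rejected before the mapping is ever consulted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Binding is a hypothetical administrator-configured mapping from a client
// certificate (looked up by its SAN e-mail) to a local user and roles.
type Binding struct {
	User  string
	Roles []string
}

// CertMapper holds the trusted CA pool and the bindings; the chain is validated
// before any binding is consulted, so an unknown CA cannot claim an e-mail.
type CertMapper struct {
	Roots   *x509.CertPool
	ByEmail map[string]Binding // lower-cased rfc822Name SAN -> binding
}

var ErrUnmapped = errors.New("certificate chains to a trusted CA but is bound to no user")

// Authorize is what the server side of the mutual-TLS handshake would call with
// the peer's leaf: verify the chain as of now, require clientAuth, then map.
func (m *CertMapper) Authorize(leaf *x509.Certificate, now time.Time) (Binding, error) {
	opts := x509.VerifyOptions{Roots: m.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return Binding{}, fmt.Errorf("client certificate rejected: %w", err)
	}
	for _, e := range leaf.EmailAddresses {
		if b, ok := m.ByEmail[strings.ToLower(e)]; ok {
			return b, nil
		}
	}
	return Binding{}, ErrUnmapped
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue stands in for a real CA, purely to build the demo PKI: it returns a CA
// certificate when email is empty, otherwise a clientAuth certificate carrying
// email as SAN; signed by parent, or self-signed when parent is nil.
func issue(cn, email string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if email == "" {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.EmailAddresses = []string{email}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, priv
}

// BuildDemo constructs the in-memory PKI: a trusted CA, a rogue CA, and three
// client certificates that exercise the accept and reject paths.
func BuildDemo() (*CertMapper, map[string]*x509.Certificate) {
	ca, caKey := issue("Fuse Demo CA", "", nil, nil)
	rogueCA, rogueKey := issue("Rogue CA", "", nil, nil)
	alice, _ := issue("alice", "alice@example.com", ca, caKey)         // trusted CA, bound to a user
	bob, _ := issue("bob", "bob@example.com", ca, caKey)               // trusted CA, bound to nothing
	rogue, _ := issue("alice", "alice@example.com", rogueCA, rogueKey) // untrusted CA, reuses Alice's e-mail
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	m := &CertMapper{Roots: roots, ByEmail: map[string]Binding{"alice@example.com": {User: "alice", Roles: []string{"Administrator", "FinanceUser"}}}}
	return m, map[string]*x509.Certificate{"alice": alice, "bob": bob, "rogue": rogue}
}

func main() {
	m, certs := BuildDemo()
	for _, name := range []string{"alice", "bob", "rogue"} {
		b, err := m.Authorize(certs[name], time.Now())
		fmt.Printf("%-5s -> user=%q roles=%v err=%v\n", name, b.User, b.Roles, err)
	}
}
```

Running it shows the three outcomes a deployment has to handle: alice is accepted with her roles, bob chains to the trusted CA but is rejected with ErrUnmapped because no binding exists, and the rogue certificate fails chain validation even though its SAN e-mail matches a binding. Passing a future time to Authorize rejects alice's certificate once it has expired, which is why revocation or short lifetimes matter for certificates that carry access.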
¶ 8. Use Cases
- Unified Identity Across Providers: An organization integrates multiple identity providers (e.g., ADFS, Okta, Azure AD, OneLogin) into Fuse. Employees can authenticate using any provider, while Fuse consolidates the user identity into a single universal profile. This simplifies user management and provides a consistent user experience across systems.
- Supplier Identity Management: An organization integrates the identity providers of its suppliers into the platform, so that both internal employees and supplier employees can access business applications securely without the organization managing external user accounts. Suppliers manage their own employee accounts, while the organization controls access to its internal applications.
The Identity Providers (IDP) system in the eTag Fuse platform offers robust integration options for external identity providers, ensuring a unified, secure, and seamless authentication experience across all applications and systems. It empowers organizations to manage and scale their authentication needs without compromising on security or user experience.