
Top 5 reasons to keep your MFA and Identity providers in sync

By now, you might have heard about SecureX, Cisco’s new built-in platform that simplifies the security experience. SecureX is built into the Cisco security portfolio, and connects your entire security ecosystem for simplicity, better visibility, and better operational efficiency. SecureX sign-on is one of the key features of SecureX: it gives users immediate access to the platform and all their applications and data, while keeping the identity provider (IdP) and multi-factor authentication (MFA) provider in sync.

Is your organization using an MFA and an IdP provider? You can make life easier for the SecOps team while strengthening your organization’s cybersecurity posture, improving compliance and improving visibility, without adding duties to your team. This post describes a new automated process that does all of this for you.

Background

With SecureX sign-on, we use several identity providers (such as Okta, Auth0, Azure AD and Cisco Security) as our applications require and see fit. We chose Duo as our multi-factor authentication (MFA) provider because it gives us excellent visibility into our users’ security posture and is a very versatile MFA. Now we needed to keep our MFA and identity providers in sync.

An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed system.

Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).

Multi-factor authentication reduces the incidence of online identity theft, because the victim’s password alone would no longer be enough to give a thief permanent access to their information.

Why do my identity and MFA providers need to be synchronized?

Here are 5 reasons to keep them in sync:

  1. Common security hygiene. Keeping user names and deletions in sync, so that you do not end up with two separate databases, is always a good idea; you never know when you will have to research an issue.
  2. User deletion. For both compliance and security reasons, if I delete a user, I want them gone from all my databases. Almost every IdP has 50% ghost accounts, and cleaning them up is essential.
  3. Reset user’s credentials. The #1 reason for calls to our call centers is lost mobile phones and mistaken registration. Enabling a simple way to reset in one place that propagates everywhere.
  4. Policy is king. Keeping the data in sync enables me to create dynamic policies that span the individual providers.
  5. Reporting. Providing meaningful reports; with groups in place I can show particular admins what their domains look like.
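Reasons 1 and 2 above are easiest to act on if you can measure the drift between the two directories. The following is an added example, not code from this post or from the idp-hook-updates project: it reconciles a constructed snapshot of an IdP's user list against a constructed snapshot of an MFA provider's user list and reports ghost accounts (present in the MFA provider but not in the IdP), users missing from the MFA provider, users disabled in the IdP but still enabled for MFA, and group membership drift. The `Account` structure and the two sample directories are assumptions; in practice they would be filled from each provider's list-users API.

```python
"""Added example: reconciliation report between an IdP and an MFA provider.

The Account structure and both directories are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: frozenset


# Constructed IdP snapshot (what the source of truth says).
IDP_USERS = {
    "alice": Account("alice", True, frozenset({"sales", "vpn"})),
    "bob": Account("bob", False, frozenset({"eng"})),      # disabled in the IdP
    "carol": Account("carol", True, frozenset({"eng"})),   # never provisioned for MFA
}

# Constructed MFA provider snapshot (what the second database says).
MFA_USERS = {
    "alice": Account("alice", True, frozenset({"sales"})),   # missing the "vpn" group
    "bob": Account("bob", True, frozenset({"eng"})),         # still enabled here
    "dave": Account("dave", True, frozenset()),              # ghost account, gone from the IdP
}


def reconcile(idp: dict, mfa: dict) -> dict:
    """Compare two directories and return the actions needed to bring MFA in line with the IdP."""
    both = idp.keys() & mfa.keys()
    ghosts = sorted(mfa.keys() - idp.keys())          # delete from the MFA provider
    missing = sorted(idp.keys() - mfa.keys())         # create in the MFA provider
    # A user disabled in the IdP but still able to complete MFA is the riskiest drift:
    # it is exactly the state user deletion/disable sync is meant to prevent.
    stale_enabled = sorted(u for u in both if not idp[u].enabled and mfa[u].enabled)
    group_drift = {
        u: {
            "add": sorted(idp[u].groups - mfa[u].groups),
            "remove": sorted(mfa[u].groups - idp[u].groups),
        }
        for u in sorted(both)
        if idp[u].groups != mfa[u].groups
    }
    return {
        "ghosts": ghosts,
        "missing": missing,
        "stale_enabled": stale_enabled,
        "group_drift": group_drift,
        "in_sync": not (ghosts or missing or stale_enabled or group_drift),
    }


def ghost_ratio(idp: dict, mfa: dict) -> float:
    """Fraction of MFA accounts with no matching IdP user (0.0 when the MFA directory is empty)."""
    if not mfa:
        return 0.0
    return len(mfa.keys() - idp.keys()) / len(mfa)


if __name__ == "__main__":
    report = reconcile(IDP_USERS, MFA_USERS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(f"ghost ratio: {ghost_ratio(IDP_USERS, MFA_USERS):.0%}")
```

Running the report periodically (for example nightly) against the live providers gives a simple check that the event-driven sync has not silently fallen behind, and the `stale_enabled` list is the one worth alerting on.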

Why not use SCIM?

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems.

User identity synchronization can be accomplished using the SCIM specification; however, not all MFA providers want to use, or are able to use, SCIM. This SDK keeps users synchronized between providers in that case.

How this works

[Figure: How this works - Sequence Diagram]

A user can update their profile information in the IdP service.

An admin can perform the following actions in the IdP system:

  • Create/delete a user
  • Create/rename/delete a team
  • Associate/disassociate the user with a group
  • Disable/reenable a user
  • Reset MFA for the user
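The actions listed above arrive at the sync service as IdP webhook events, and each one has to be translated into a call on the MFA provider. The following is an added example written for this post, not the idp-hook-updates project's own code: a webhook handler that first verifies an HMAC-SHA256 signature over the raw request body (the exact header and signing scheme vary by IdP; the one here is an assumption), then dispatches each event type to an in-memory stand-in for the MFA provider. The event names, the `FakeMfaProvider` class and the shared secret are all constructed for illustration.

```python
"""Added example: IdP webhook -> MFA provider sync handler (hypothetical, not the project's code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared secret. A real deployment loads it from a secrets manager and
# configures the same value on the IdP's webhook, so unsigned or forged posts are dropped.
WEBHOOK_SECRET = b"constructed-demo-secret"


@dataclass
class FakeMfaProvider:
    """In-memory stand-in for an MFA provider's admin API (Duo in the post)."""
    users: dict = field(default_factory=dict)   # username -> {"enabled", "groups", "devices"}
    groups: set = field(default_factory=set)

    def create_user(self, name):
        self.users.setdefault(name, {"enabled": True, "groups": set(), "devices": 1})

    def delete_user(self, name):
        self.users.pop(name, None)

    def set_enabled(self, name, enabled):
        if name in self.users:
            self.users[name]["enabled"] = enabled

    def reset_mfa(self, name):
        # Dropping the enrolled devices forces a fresh enrolment (lost-phone case).
        if name in self.users:
            self.users[name]["devices"] = 0

    def create_group(self, group):
        self.groups.add(group)

    def rename_group(self, old, new):
        self.groups.discard(old)
        self.groups.add(new)
        for u in self.users.values():
            if old in u["groups"]:
                u["groups"].discard(old)
                u["groups"].add(new)

    def delete_group(self, group):
        self.groups.discard(group)
        for u in self.users.values():
            u["groups"].discard(group)

    def add_to_group(self, name, group):
        if name in self.users:
            self.users[name]["groups"].add(group)

    def remove_from_group(self, name, group):
        if name in self.users:
            self.users[name]["groups"].discard(group)


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw body; stands in for whatever scheme the IdP uses."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison so a forged signature cannot be guessed byte by byte."""
    return hmac.compare_digest(sign(body, secret), signature_hex)


def handle_webhook(body: bytes, signature_hex: str, mfa: FakeMfaProvider) -> str:
    """Verify, parse and apply one IdP event; returns a short status string."""
    if not verify_signature(body, signature_hex):
        return "rejected: bad signature"
    event = json.loads(body)
    kind, data = event["type"], event["data"]
    handlers = {
        "user.created": lambda: mfa.create_user(data["user"]),
        "user.deleted": lambda: mfa.delete_user(data["user"]),
        "user.disabled": lambda: mfa.set_enabled(data["user"], False),
        "user.reenabled": lambda: mfa.set_enabled(data["user"], True),
        "user.mfa_reset": lambda: mfa.reset_mfa(data["user"]),
        "group.created": lambda: mfa.create_group(data["group"]),
        "group.renamed": lambda: mfa.rename_group(data["group"], data["new_name"]),
        "group.deleted": lambda: mfa.delete_group(data["group"]),
        "group.member_added": lambda: mfa.add_to_group(data["user"], data["group"]),
        "group.member_removed": lambda: mfa.remove_from_group(data["user"], data["group"]),
    }
    handler = handlers.get(kind)
    if handler is None:
        return f"ignored: {kind}"   # e.g. profile edits the MFA side does not need
    handler()
    return f"applied: {kind}"


def run_demo() -> FakeMfaProvider:
    """Replay a constructed sequence of admin actions and return the resulting MFA state."""
    mfa = FakeMfaProvider()
    events = [
        {"type": "user.created", "data": {"user": "alice"}},
        {"type": "group.created", "data": {"group": "sales"}},
        {"type": "group.member_added", "data": {"user": "alice", "group": "sales"}},
        {"type": "group.renamed", "data": {"group": "sales", "new_name": "sales-emea"}},
        {"type": "user.created", "data": {"user": "bob"}},
        {"type": "user.disabled", "data": {"user": "bob"}},
        {"type": "user.mfa_reset", "data": {"user": "alice"}},
        {"type": "user.created", "data": {"user": "carol"}},
        {"type": "user.deleted", "data": {"user": "carol"}},
    ]
    for ev in events:
        body = json.dumps(ev).encode()
        print(handle_webhook(body, sign(body), mfa))
    return mfa


if __name__ == "__main__":
    print(run_demo())
```

Two points the handler illustrates: the signature is checked over the raw bytes before any JSON parsing, so a tampered body is rejected without touching the MFA provider, and unknown event types are ignored rather than failing, so a profile update in the IdP does not break the sync.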

Supported Identity Providers

This list is expected to grow over time.

  • Okta
  • Auth0

Supported MFA Providers

This list is expected to grow over time.

  • Duo Security

Deployment

The webhooks endpoint can run anywhere, even on-prem.

Deployment scripts for AWS, Google Cloud and Azure are provided via Terraform.

Supported Cloud Providers

  • AWS
  • Azure
  • GCP

Show Me the Code!

The source code is available at https://github.com/cisco-sbgidm/idp-hook-updates

Getting Support

If you have questions, concerns, bug reports, etc., please open a GitHub Issue against the project.