Are you sure the “real-time” sync that your IAM platform boasts is truly real-time? Here’s just one story we’ve heard:
“My last day at work was last week Friday. The IT department removed access fast. I forgot to wrap up one last thing, tried to sign in the following morning, but couldn’t.
The odd part is I still can access files in Google Drive, maybe because I never closed Chrome? … it’s going on day 9.”
As you test out different platforms, you’ll want to be sure to ask these four questions to find out if “real-time” is exactly what it means―milliseconds, not days.
-
When you add a user to AD, how much time passes before the user can login and access apps?
Most IAM platforms will say anywhere from seconds to 1 hour to 1 day. Since the OneLogin Active Directory Connector (ADC) subscribes to change notifications instead of scanning the full directory, updates appear in milliseconds. So new users don’t have to wait until the next periodic sync before they can sign into OneLogin and start using their applications. You’ll never have to say, “Just wait a couple hours …” Consider this when assessing your needs for fast time-to-productivity.
-
Do roles and attributes sync with user information?*
More specifically, do users come over into the cloud directory with roles and attributes correctly mapped to allow them to be automatically provisioned into the correct application roles, or are manual steps required to further “setup” the user? Consider this when evaluating hidden costs of manual maintenance of your directory.
-
When you remove a user from AD, how much time passes before the user no longer has access to applications?
Again, with OneLogin’s ADC, deprovisioning happens in milliseconds. You don’t have to remove them from both OneLogin and AD either. Removal from AD will cause removal from OneLogin thanks to our bi-directional synchronization and authentication across Active Directory domains, trees and forests. Consider this when evaluating with your Security Officer your needs for security compliance.
-
Would a user remain logged in to an app even after she is deprovisioned from the directory?
Here’s a likely answer: Most sessions expire after several minutes of inactivity, so the user will be unable to log back into the application.
But what if a user is currently in applications that tend to remain open for days on mobile before expiring the session, like Google Drive or Slack? You wouldn’t want to rely on an application’s session-expiration settings for deprovisioning.
Some directories and apps, or vendors, don’t support session expiration (due to deprovisioning) at all. And some of those who do aren’t doing it in real-time, so it could take hours for the user to be locked out of their apps.
If the application supports real-time account deprovisioning, such as Salesforce, Office365, and Box (see list below), that user will be logged out instantaneously to protect corporate data. We are the only identity provider that subscribes to Active Directory change notifications, so users can be logged out of an active session instantly, enhancing application security and compliance.
Consider this when evaluating with your Security Officer security risks to your organization.
In addition to the above questions, be sure to ask if AD sync is a feature that’s easy to enable and is included in the price point you’re looking at.
Watch this 2-minute video on provisioning and deprovisioning a user with OneLogin’s real-time AD sync: