• SSO reduce IT workload with WALLIX Trustelem

How Single-Sign-On reduces the workload of IT administrators

By definition, the principle of Single-Sign-On – or SSO – is to provide one unique authentication to users for all business applications, simplifying their lives and facilitating efficiency.

If the improvements in terms of security (strong authentication, controlled and traced access, associated with application access permissions by user and IP zone) and user experience are obvious, the implementation of such a tool also allows IT administrators to save a significant amount of time.

Take a look at four key features of SSO security solutions – in this case, WALLIX IDaaS – that reduce the workload and everyday management of IT teams.

1. Just-In-Time Provisioning

What is it?

Just-In-Time or JIT provisioning consists of creating or updating users authenticated in SSO to an application on the basis of information transmitted by the identity provider (WALLIX IDaaS).

How does it work?

To set up JIT provisioning, you must start by establishing the list of attributes required by the application to create new users.

Then WALLIX IDaaS, in the application settings, associates the elements of this list with the attributes of the users of the subscription.

For example, if the application requests the user’s email address in the form of emailAddress, WALLIX IDaaS will send an attribute named as such, to which it will associate the value user.email

So, when a user is authenticated by WALLIX IDaaS , the application looks to see if it can map this identity with its database:

  • If a user exists, it will compare its characteristics with the values of the attributes sent by WALLIX IDaaS and possibly update the database.
  • If no user exists, then it will create a new entry based on the attributes received during authentication.

What is the advantage for administrators?

With an SSO solution like WALLIX IDaaS, user identities are synchronized with corporate directories. If the administrator has previously created an access rule associated with a directory group, then he only needs to create the user in that directory and the rest is taken care of.

  • The user will be automatically imported to WALLIX IDaaS
  • He will have the rights of the directory groups to which he belongs
  • He will be able to authenticate himself to the applications corresponding to these rights
  • His profile will be automatically provisioned in JIT during his first authentication to each application.

The administrator therefore no longer needs to create a new account on each of the company’s (many) applications. The IT admin manages the creation of accounts for applications by managing identities only in the main directory thanks to synchronization with WALLIX IDaaS and JIT provisioning of applications.

2. Self-Service Password Reset

What is it?

Self-Service Password Reset is a feature that empowers users to reset their unique passwords autonomously and securely, without IT intervention.

How does it work?

The administrator simply defines the password policy of WALLIX IDaaS, including what counts as sufficient proof of a user’s identity to be able to reset a password.

The admin establishes a number of challenges to which the user must respond in order to prove their identity, such as the use of a mobile application, a code sent by SMS, secret questions, validation by email, etc.

Any user can then reset their password as needed by clicking on “forgotten password” in the login page, then responding to the challenges chosen by the administrator.

Note: when WALLIX IDaaS is synchronized with an Active Directory, the password used to authenticate is the Active Directory password. To authorize WALLIX IDaaS to reset these passwords, you must give the necessary rights to the service account in charge of synchronization.

What is the advantage for the administrator?

There are many circumstances that lead users to need to change their passwords: password renewal campaign, forgetfulness after vacations, prolonged absence, fatigue, etc.

Setting up a Self-Service Password Reset functionality allows users to be autonomous in resetting their password and eliminates the need for them to seek help from IT teams, improving their own efficiency and freeing up the IT team.

3. LDAP/Radius Connector

What is it?

The LDAP / Radius connector (or Trustelem Connect) enables SSO administrators to connect applications that only support LDAP / Radius authentication or provisioning with WALLIX IDaaS.

How does it work?

Trustelem Connect is a service installed in the IT infrastructure to make LDAP/Radius applications compatible with SSO.

The application will send its requests to Trustelem Connect in LDAP/ Radius and the connector forwards the requests to the WALLIX IDaaS admin services in https.

If the user exists on WALLIX IDaaS and has the right to access the application, the request will be validated by WALLIX IDaaS and Trustelem Connect will transform this response into LDAP/Radius for the application.

The configuration of the connector is done on the WALLIX IDaaS administration platform and allows you to define all the information needed to configure the LDAP/Radius on the application side.

It’s even possible to complete these authentications with MFA.

What is the advantage for the administrator?

There are multiple benefits for the IT administration team:

  • Access management requires a single WALLIX IDaaS permission
  • There is no longer a need to have many services accounts for LDAP authentications
  • There is no longer any need to install and maintain a Radius server to do MFA
  • Everything is auditable on the same platform in a few clicks (application access to the directory and user access to the application)

4. Customizing SSO with WALLIX IDaaS APIs

Thanks to specially designed APIs, IT administrators can create their own tools to perfectly tailor their SSO solution according to their unique business needs. The use of APIs enables IT to replace certain manual actions to access or audit all these applications with automated scripts.

For example:

  • Extract all the logs related to access and build a personalized tool for detecting malicious behavior or connect to a SIEM.
  • Support a Trustelem user base by interfacing with identity sources outside the directory, to manage external partner access.

By configuring WALLIX IDaaS to each company’s unique context, IT admins gain the ability to centralize authentication to a maximum of applications via a single tool, simplifying access for users and minimizing tedious user management for IT teams.

With the right Single Sign-On solution, IT teams can reduce their own workloads and boost efficiency for their users all at once, thanks to a simplified, centralized, and automated federation of identities to corporate applications.