Factors involved in selecting Cloud IDM Products that provision users into SaaS Apps
User Provisioning into SaaS Applications is currently one of the sought-after topics in Identity and Access Management Area. Provisioning into SaaS Apps is becoming increasingly complex with the introduction of multiple authorization technologies by the SaaS Apps that would enable the IDM products to integrate with them. Reverse Synchronization or Reconciliation is another complicated feature. Above all, there is the interpretation of standards in implementation of APIs like REST, SCIM by each of the SaaS Apps for provisioning that makes it increasingly difficult for the IDM Products to make it to work the integrations consistently. With this complex scenario in place, I wanted to pen down some important considerations that would help a customer in looking for a Cloud IAM product that does effective SaaS App Provisioning.
Well, first and foremost the product should be simple to configure as in general, SaaS App Provisioning could be a daunting task to configure for customers. There are so many areas like establishing connectivity to the SaaS App, configuring attributes to provision (required and optional), configure the different tasks/actions supported during provisioning, configure the reverse synchronization or reconciliation between the SaaS App and the IDM Product. With all these features, it would immensely help the customer if the product is very simple to configure. The configuration screens and fields should be understandable with easy user navigation. Appropriate hints and cause/effect scenarios should be given when a particular field is left blank or configured with a particular data (amongst available data). Cookbooks/Runbooks any form of help would help immensely.
Next point to consider would be the different authorization mechanisms supported out of the box by the IDM product when provisioning into SaaS Apps. It would be helpful if the product supports the latest authorization mechanisms like 3-legged OAuth, JWT etc. as these would be the features that most of the SaaS Apps would go for in the future. This is because of several reasons like compliance to standards, flexibility in adoption, adequate security and performance. IDM products that support only Basic Auth or Password-based Authorization to API services of the SaaS App (even though the SaaS App supports latest authorization techniques as mentioned above) can be ignored.
Also, normally there exists a relationship or dependency between all the CRUD operations. For example a soft delete (a delete where the user is not deleted in the SaaS App, but only deactivated) has a close relationship with the Activate/Deactivate feature. The provisioned user should be able to actively participate in SSO, without further need to add attributes to the user from the IDM product ie., the IDM product should seamlessly address this. During Reverse Synchronization, the product be able to take into account the deactivated/deleted users. A Cloud IDM product that effectively addresses these and other such dependencies and makes them transparent to the administrator during configuration is a clear leader amongst the others.
Another important aspect is how extensible the IDM product is in connecting to various features of the SaaS App. The product may not support all the features currently, but if it has a feature that would allow the customers to extend its capabilities to support various types of CRUD operations in the future then that is a good sign. For example, during user update or create process from the SaaS App to the IDM, there are some optional fields that may or may not be provisioned to start with. If the IDM product currently supports only a few of the optional fields and not the full set for now, it is fine if that feature can be implemented in the future.
Finally troubleshooting is an important aspect. A product that has an effective troubleshooting guide, that covers all aspects of troubleshooting is a keeper. Clear mention of each and every possible error that can occur for each of the SaaS Apps and a possible remedy for them would be really good.
Hope the above pointers helps in finding the right Cloud IAM product that does effective SaaS App Provisioning. For more Cloud IAM related enquiries reach us at firstname.lastname@example.org
Author Credits: Raj Srinivas is Chief Architect & VP Technology – IAM SBU at 8KMiles and you can reach him here