Identity management vendor Okta provides a popular cloud-based identity-as-a-service (IDaaS) solution with capabilities such as multi-factor authentication (MFA), single sign-on (SSO), credential hygiene, least privilege enforcement, passwordless login, and the functions required for federated identity management (FIM).
Customers that own both IBM Security MaaS360 with Watson unified endpoint management (UEM) and Okta can benefit greatly from using the two solutions in concert. Together they address several critical use cases that streamline operations, help strengthen the overall security posture, and replace mediocre point implementations with a best-of-breed ecosystem model. Ultimately, when implementing a zero trust methodology for a hybrid workforce, you should look to optimize existing investments while adding critical new functions, moving from incremental improvements to transformational practices.
Implement Zero Trust for Mobile Devices
Device Trust Conditional Access (Basic)
By using the MaaS360 Enterprise App Catalog, the Okta Verify App can be distributed as a Managed App with additional parameters in an AppConfig payload. When the Okta Verify App is used to authenticate to a federated SaaS service, the Okta system checks that the request comes from a suitably configured App instance, and can therefore restrict access to MaaS360-enrolled devices. This method does not provide a compliance check, and the user experience requires that the Okta Verify App be used.
Device Trust Conditional Access (Advanced)
A more advanced scenario leverages the integration between the Okta platform and the MaaS360 Identity Management features. Using Routing Rules in the Okta system, targeted authentication requests can be routed to MaaS360. These requests are vetted for Device Trust: the device originating the request must be enrolled in MaaS360 and compliant before the authentication is passed.
The following video demonstrates the user experience when using a Compliant device to log into the Salesforce Chatter App for the first time.
NOTE: Because the device is MDM enrolled and carries an SSO payload that includes an Identity Certificate, the user is not required to enter a Username or Password. The experience is completely Passwordless.
Implement Zero Trust for MaaS360 Administrators
Federated Authentication for MaaS360 Admins
Leverage the Okta Federated Identity Provider to complement a role-based access and least-privilege strategy for administrators. Administrators use their Okta federated credentials and MFA just as they do for the other systems with which they interact. This provides an additional set of controls and auditing for the administrators that have privileged access to MaaS360.
Provide a Better Experience for User Onboarding and Security
Federated Authentication for Enrollment
Leverage the Okta Federated Identity Provider to enable self-service onboarding of devices and users. Users simply access a short URL (e.g., m.dm/acmecorp) and authenticate for enrollment using their Okta Federated credentials. Layer on MFA for additional security.
Once the user successfully authenticates for the first time, MaaS360 just-in-time provisioning creates a MaaS360 User record. Attribute Mapping can be used to pull Okta Attribute Values into MaaS360 for a variety of Grouping functions (App Distribution, Compliance, User Risk, etc.).
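As an added illustration of the just-in-time provisioning and attribute mapping described above (example code, not IBM's or Okta's), the following Python parses a constructed SAML assertion, creates or updates a user record on first and subsequent logins, and derives group membership from mapped attributes. The attribute names, the mapping table and the group rules are assumptions, not MaaS360's actual configuration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a captured Okta/MaaS360 exchange); signature checks are out of scope here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@acmecorp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping: IdP attribute name -> UEM user-record field.
ATTRIBUTE_MAP = {"firstName": "first_name", "lastName": "last_name", "department": "department"}

# Hypothetical grouping rules: (attribute, value) -> UEM group used for app distribution / compliance policy.
GROUP_RULES = {("department", "Finance"): "Finance-Apps", ("groups", "Contractors"): "BYOD-High-Risk"}


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) or raise if the subject is missing."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID; refusing to provision")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id.text.strip(), attrs


def jit_provision(xml_text, directory):
    """Create or update the user's record in `directory` (a dict standing in for the UEM user store)."""
    username, attrs = parse_assertion(xml_text)
    record = directory.setdefault(username, {"username": username, "groups": set()})
    for idp_name, field in ATTRIBUTE_MAP.items():
        if attrs.get(idp_name):
            record[field] = attrs[idp_name][0]
    # Recompute groups from this assertion only, so an attribute revoked at the IdP is not retained.
    record["groups"] = {group for (name, value), group in GROUP_RULES.items() if value in attrs.get(name, [])}
    return record
```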
The following video demonstrates the user experience when enrolling a BYO Device for the first time.
Seamless iOS and Android Native App Authentication
In addition to device trust, a benefit of the integration between the Okta platform and MaaS360 is the ability to provide a seamless SSO experience for native mobile apps on Apple iOS and Android. Again, by using Okta Routing rules, certain authentication requests from iOS and Android devices can be routed to MaaS360 where the authentication is handled using the Native App SSO capabilities offered by the MaaS360 Identity Management features.