IBM Security MaaS360


Seamless Single Sign-On and Conditional Access with MaaS360 Identity and Access Management

By Margaret Radford posted Sun April 14, 2019 08:06 AM

  

Note: IBM Cloud Identity has been rebranded to IBM Security Verify. The screen captures in this blog reflect the prior branding, but the concepts are the same. 

Did you know that IBM MaaS360 comes bundled with IBM Cloud Identity, IBM’s Identity and Access Management solution? The IBM Cloud Identity Essentials solution that is bundled with MaaS360 (using one-to-one licensing*) is a full Identity as a Service (IDaaS) platform ready for you to take advantage of seamless single sign-on (SSO) and conditional access to Software as a Service (SaaS) resources from mobile devices and desktops.

IBM Cloud Identity is a cloud-hosted platform, which means no additional investment in infrastructure is required to take advantage of its features. But if you have an existing Identity Provider such as ADFS, ISAM, or Azure AD, Cloud Identity can still manage all your cloud apps’ single sign-on requests by leveraging your existing Identity Provider. In some cases, you can use the MaaS360 Cloud Extender to replace your existing Identity Provider infrastructure by using LDAP Passthrough.

MaaS360 administrators can enable Cloud Identity Essentials under the Identity and Access Management service in the MaaS360 portal and give it a try with no additional infrastructure cost. It is that simple. When you enable the MaaS360 Identity and Access Management service, a full-featured IBM Cloud Identity tenant is configured for you within minutes and you can begin configuring cloud resources for SSO and conditional access.

In this blog we’ll discuss the value the MaaS360 and Cloud Identity integration provides, review the architecture, and walk you through the high-level configuration steps to get you started with seamless SSO and conditional access to SaaS apps from your mobile devices. At the end of the blog, a list of training resources is provided where you can try it for yourself.

* Contact your MaaS360 Client Success Manager for more information on one-to-one licensing with MaaS360 and Cloud Identity.

Value and Features of MaaS360 Identity and Access Management

The MaaS360 and IBM Cloud Identity integration can address the challenges faced by stakeholders when enabling third party cloud applications to the enterprise:

  • Employees complain about needing multiple passwords for various apps, a mobile experience that is not intuitive, difficulty identifying which apps they are entitled to, and even the process to request access.
  • Line of Business users say that Shadow IT is expensive (shadow IT is when someone in a line of business uses a corporate credit card to sign up for cloud app subscriptions without going through IT and security), that they lose time waiting for IT, and that they believe there is a loss of control over data.
  • IT Security has tighter budgets to support new infrastructure, shrinking IT skill sets, and a loss of security over data.


The MaaS360 and Cloud Identity integration further streamlines the mobile experience for end users. Some of the key features are as follows:

  • Single Sign-on (SSO) to Web / SaaS apps on mobile: Users do not have to enter credentials on any app to authenticate
  • Conditional Access Management: Enforces only entitled users and devices to access SaaS apps
  • Easy onboarding and provisioning: Administrators configure a new instance of IBM Cloud Identity from the MaaS360 portal by providing very basic information
  • Easy Identity Federation: Leverage pre-integrated connectors in Cloud Identity to easily integrate with SaaS apps such as Salesforce or Box
  • Threat Management: Powered by IBM X-Force Exchange, Cloud Identity provides risk data for the SaaS apps
  • Interoperability: Leverage existing investments in identity solutions by integrating with several Identity Providers, including the use of LDAP Passthrough for MaaS360 customers using Cloud Extender, ADFS, ISAM, Azure AD, Okta, and more.

How It Works


The objective of MaaS360 Identity and Access Management is to provide seamless SSO and conditional access control for mobile devices to third party cloud apps using the integration of MaaS360 and Cloud Identity. The diagram below is a high-level overview of the integration and authentication data flows after the configuration is completed for one of your cloud apps.

When mobile users open a mobile app on their device, the request is sent to the cloud app, for example, Box. The cloud app recognizes the user’s domain as one that is using Cloud Identity and then redirects the authentication request to Cloud Identity. The Cloud Identity authentication service challenges the device for authentication and the device presents an identity certificate that MaaS360 provisioned to the device when it was enrolled.  Cloud Identity recognizes the certificate and checks if the device is compliant per corporate policies in MaaS360. After all the checks are passed, Cloud Identity issues a SAML token to the mobile app which in turn presents it to the third party cloud app, in this example Box.  The user is successfully authenticated, and the app opens.

The IBM Cloud Identity Essentials solution that is bundled with MaaS360 is a full Identity as a Service (IDaaS) platform.
 

Note: While this blog primarily focuses on MaaS360 managed mobile devices that will access third party cloud apps, IBM Cloud Identity also supports seamless single sign-on for desktop users. Desktop users are provided with a Cloud Identity launchpad of available applications and log in to Cloud Identity (CI); CI redirects them to their corporate login mechanism. When they have authenticated with the corporate login mechanism, CI sends the login message to the cloud application and the application opens.

High Level Architecture


High level architecture of IBM Cloud Identity Essentials

The high-level architecture diagram shows both the MaaS360 cloud service and the Cloud Identity cloud service. When you enable Identity and Access Management in the MaaS360 portal, a Cloud Identity tenant is configured automatically. After the configuration, your Cloud Identity tenant and MaaS360 tenant exchange information and a regular synchronization begins in which user and compliance information are exchanged. This is what allows Cloud Identity to serve as the Identity Provider for mobile apps that are pushed from MaaS360 to the devices.

Pre-defined Connectors: Cloud Identity has 1000s of predefined connectors for cloud apps. The administrator configures the connectors for the cloud apps that will be accessed by the MaaS360 enrolled devices. The connectors enable the federated SSO using SAML, where Cloud Identity is the Identity Provider and cloud apps such as Box and Salesforce are the Service providers. When you configure an app in Cloud Identity, you identify what type of devices can access it and the kind of access. For example, you can specify that only managed mobile devices that are compliant can access the app. You can also choose multifactor authentication using IBM Verify.

SSO using Identity Certificates: When a device enrolls with MaaS360, an identity certificate is provisioned to the device. The identity certificate is used to authenticate the user and allows for the seamless SSO experience. The certificate is unique to the user and the device. SSO fails if the certificate is used on another device. The identity certificate is what is used to authenticate with Cloud Identity, so the mobile user does not need to enter credentials, except perhaps an email address. MaaS360 uses its own Certificate Authority to provision the identity certificate, so you do not need a PKI. All certificate revocations and renewals are handled by MaaS360.

SSO Payload and Compliance: MaaS360 also governs access to the cloud apps based on compliance with the mobile device management policies that are applied to the device. When the device enrolls in MaaS360, the MDM policy provisions an SSO payload to each device. The SSO payload has information on the SSO cloud apps the user can use. MaaS360 regularly checks compliance on the device. You can configure Compliance Rules in the MaaS360 portal, for example, to make sure the device is at a specific OS level. If the device is not, it will be marked out of compliance and that information will also be made available to Cloud Identity. If you are a Wandera customer and have integrated their service into Cloud Identity for compliance, then you can use the Wandera threat level to trigger an out of compliance event so that in certain situations the user cannot log into sensitive applications. When the user attempts to access a mobile app, Cloud Identity will not grant access based on the out of compliance state if you have enabled that level of conditional access.

High Level Configuration Steps

The following configuration steps are not meant to be a detailed cookbook for setting up your configuration. The purpose is to provide a high level of understanding of what is involved in the set up. Detailed steps are available in the training materials and product documentation at the end of the blog.

Before you begin configuring, you should understand what your Identity source is. You must identify an Identity Source in Cloud Identity.  If you are using Local Users and Groups in MaaS360, then you do not need to configure a new Identity Source. Cloud Directory (local users and groups) is the default.

  • Are you using Cloud Extender for User Authentication with an on-premises directory service? Identity Source: LDAP Passthrough
  • Are you using an enterprise Identity Source such as Azure AD, ISAM, or ADFS? Identity Source: SAML Enterprise

Step 1: Enable the Cloud Identity service in MaaS360

In the MaaS360 portal, select SETUP > Services and find the Identity and Access Management service. Enable it and click Configure. You need an IBM ID to configure the Cloud Identity service.

How to enable the Cloud Identity service in MaaS360

Note: If you support Windows 10 devices, you will see an additional checkbox for laptop conditional access. Only enable laptop access if you want to use conditional access for Windows 10.

Step 2: Launch the Cloud Identity service and set the default Identity Source

After your Cloud Identity tenant is created, you can launch it from the Identity and Access Management service selection in MaaS360. 

In this step, you must define the Identity Source you plan to use for authentication. If you are using local users and groups, Cloud Directory is already set up and is the default. In this example, Cloud Extender with Active Directory User Authentication is being used in the MaaS360 portal. Therefore, I created an LDAP Passthrough Identity Source.

In the Cloud Identity portal, click Add Identity Source.

Type a Name and a Realm. Name is the name that you assign to represent the user registry that is used by identity providers such as Microsoft Active Directory, Microsoft Azure Active Directory, or others. Realm is an identity source attribute that helps distinguish users from multiple identity sources that have the same user name. In both cases, you can enter whatever value you want in these two fields but make them meaningful to your environment.

Enable the new Identity Source by setting Enabled to On. When the identity source is configured and enabled, users can single sign-on to Cloud Identity and into their entitled applications with the selected identity source. Set Show for End User to On so that the identity source appears on the end-user sign-in page. You can also enable it for Administrators if you want them to use LDAP Passthrough for authentication. Note that the sign-in page is only displayed to the mobile user if the certificate authentication fails.

When you save the new Identity Source, a unique ID is generated and the new Identity Source displays in the list of Sources.  Disable the other Identity Sources that you will not be using.



Next, go to Global Settings and select your new Identity Source in the Default Identity Source field and select a unique user identifier. The unique user identifier is used to identify IBM MaaS360 users who access Cloud Identity.




Step 3: Configure Cloud Identity integration with third party cloud applications

Configure the cloud apps that your mobile users will be accessing from their mobile devices. If you want your MaaS360 mobile users to have seamless SSO to apps such as Salesforce and Box, and to control access based on their MaaS360 compliance status, you must select these predefined connectors in Cloud Identity and configure them for federated SAML authentication. When the mobile user accesses the app from their device, the authentication request goes to the cloud app, such as Salesforce, and Salesforce redirects the request to Cloud Identity. The connector configuration enables that redirection and authentication to happen. Each connector has detailed configuration steps that you follow.

If certificate authentication fails, the user will be redirected to their identity source to enter their username and password (access to the application still depends on your access policy). If certificate authentication succeeds, the user is authenticated automatically and is not shown a username and password login screen.

When you select an application, you are also provided with a risk score and details from IBM X-Force Exchange. You can also link to X-Force Exchange for risk details.

Cloud Identity provides detailed configuration steps for each cloud app connector. You will also need to log in to the cloud app, for example Salesforce, to complete the configuration and gather parameters for the connector.



When the Sign On configuration is complete, you must also select the Access Policy for the application. This is where you can identify access criteria. For example, if you only want managed, compliant devices to access Salesforce, all other devices will be blocked from access. So, if you have a device user that is not enrolled in MaaS360, they will not be able to access the app. Or if they are enrolled in MaaS360 but are not in compliance with mobile policies, they will not be able to access the application.
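To make the access decision described above concrete, here is a constructed Python model of the checks Cloud Identity performs for one app-open request (certificate bound to user and device, device managed, device compliant, fallback to the identity-source login). This is an added example, not IBM product code; the DeviceRecord, IdentityCert and AccessPolicy fields and the INVENTORY dict are assumptions standing in for the data MaaS360 synchronizes to Cloud Identity.

```python
# Constructed model of the MaaS360 / Cloud Identity conditional-access decision.
# Not IBM product code: field names and the inventory dict are assumptions.
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    SSO = "sso"            # certificate accepted, SAML assertion issued to the app
    PASSWORD = "password"  # cert auth failed, user sent to identity-source login
    DENY = "deny"          # access policy (managed / compliant) not satisfied

@dataclass(frozen=True)
class DeviceRecord:
    """Device state as synced from MaaS360 (constructed)."""
    user: str
    device_id: str
    compliant: bool

@dataclass(frozen=True)
class IdentityCert:
    """Identity certificate MaaS360's CA provisions at enrollment (assumed fields)."""
    user: str
    device_id: str
    revoked: bool = False

@dataclass(frozen=True)
class AccessPolicy:
    require_managed: bool
    require_compliant: bool

def cert_authenticates(cert, presenting_device_id, inventory):
    """True only if the cert is valid and bound to this user on this device."""
    if cert is None or cert.revoked or cert.device_id != presenting_device_id:
        return False
    record = inventory.get(presenting_device_id)
    return record is not None and record.user == cert.user

def evaluate(cert, presenting_device_id, inventory, policy):
    """Return (Decision, reason) for one app-open request."""
    record = inventory.get(presenting_device_id)  # None means not enrolled
    if policy.require_managed and record is None:
        return Decision.DENY, "device is not enrolled in MaaS360"
    if policy.require_compliant and (record is None or not record.compliant):
        return Decision.DENY, "device is out of compliance"
    if not cert_authenticates(cert, presenting_device_id, inventory):
        return Decision.PASSWORD, "certificate authentication failed"
    return Decision.SSO, "identity certificate accepted"

# Constructed inventory: one compliant iOS device, one non-compliant Android device.
INVENTORY = {
    "ios-001": DeviceRecord("alice", "ios-001", compliant=True),
    "android-002": DeviceRecord("bob", "android-002", compliant=False),
}
STRICT = AccessPolicy(require_managed=True, require_compliant=True)
OPEN = AccessPolicy(require_managed=False, require_compliant=False)

if __name__ == "__main__":
    alice = IdentityCert("alice", "ios-001")
    print(evaluate(alice, "ios-001", INVENTORY, STRICT))
    print(evaluate(alice, "laptop-x", INVENTORY, STRICT))  # cert copied elsewhere
```

The second call shows why the certificate's device binding matters: the same certificate presented from an unenrolled device is denied under the strict policy and only falls back to a password prompt when the policy does not require a managed device.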



Step 4: Configure Apps in MaaS360 for Enterprise Single Sign On

In the MaaS360 portal, you must add the mobile apps to the MaaS360 App Catalog and set Enterprise Single Sign On. Or, if you have an existing application in the catalog, you can edit the app catalog entry to set Enterprise Single Sign On. Therefore, if you configure a Salesforce connector in Cloud Identity, you must add the Salesforce mobile app to the MaaS360 App Catalog and enable Enterprise Single Sign On.



Step 5: Set SSO Conditional Access in MaaS360 policies

Depending on the mobile device type (iOS, Android, or Windows 10), you must update the MDM policy in MaaS360 to enable SSO Conditional Access for the apps. The apps display in the Application Name selection based on Enterprise Single Sign On being checked in the App Catalog. After you save and publish the policy, the updated policy must be assigned to the mobile devices to take advantage of SSO and conditional access. This can be accomplished by setting the policy as the default, or by assigning the policy to a device group or a single device.



Step 6: Configure Compliance Rules (Optional) in MaaS360

You can also configure compliance rules in MaaS360 to evaluate whether a device is compliant based on criteria you set. Compliance rules are very flexible; there are standard compliance conditions, such as checking for jailbroken devices or making sure the device has a current OS version. You can also create custom compliance conditions based on group-based rules and custom attributes. Configure the Compliance Rule and assign it to mobile devices by making it the default or assigning it to a device group. If the device is marked as out of compliance and you set the access controls in Cloud Identity to check for compliance, then the device will not be able to access the cloud apps you configured for SSO Conditional Access.



Step 7: Start accessing mobile apps using SSO

To take advantage of the conditional seamless SSO, the mobile device must be enrolled in MaaS360 with the policy assigned and the enterprise SSO enabled apps distributed to it. When the device enrolls, the SSO payload and identity certificate are provisioned to the device. The user simply taps the app to open it and the seamless SSO authentication and conditional access check are done.


In summary, let’s review the benefits of the MaaS360 and Cloud Identity Identity and Access Management solution.

  • It is a pure cloud-based solution, so no infrastructure investments are required to secure your public apps
  • The MaaS360 CA issues Identity Certificates to all enrolled devices that are eligible for this service, so you are not required to set up and integrate your own PKI environment with MaaS360 (via MaaS360 Cloud Extenders)
  • Leverages native SSO on iOS and MaaS360 app-based certificate authentication on Android and Windows 10. Authentication is seamless and the user does not have to enter a password for any cloud app.


This solution brings enterprise security for organizations to protect cloud apps and a great mobile experience for end users, and requires no on-premises integration.

Training and Document Resources

Hands-on Lab: Implementing Seamless SSO with MaaS360 and IBM Security Verify (Cloud Identity)

This IBM Security Learning Academy lab walks you through the Seamless SSO and conditional access configuration using MaaS360, Cloud Identity, and Salesforce. You do not have to use Salesforce, you can use any cloud app that has a preconfigured connector available in Cloud Identity.

Note: The lab uses Cloud Directory as the Identity Source which is local users and groups. If you would like to do the lab with LDAP Passthrough, you must have a Cloud Extender configured with your MaaS360 portal for User Authentication and User Visibility. See below for documentation on LDAP Passthrough.

Video Course: Implementing Seamless SSO with MaaS360 and IBM Security Verify (Cloud Identity)

These IBM Security Learning Academy videos walk you through the steps to integrate IBM MaaS360 with IBM Cloud Identity to enable seamless single sign-on for mobile devices and desktops.

IBM Knowledge Center: Managing Identity Sources

IBM product documentation that explains the different Identity Sources that can be used with Cloud Identity.

IBM Knowledge Center: IBM Security Verify integration with MaaS360

IBM product documentation that explains the Cloud Identity and MaaS360 integration steps in more detail.

Protecting Office365 with IBM Security Verify (Cloud Identity) and MaaS360

This video walks you through how to secure access to Office365 with IBM Security Verify (Cloud Identity) and MaaS360.
