Our Solutions: SSO and IAM

User provisioning is made through connectors or agents. These agents act as a bridge between Soffid and all the repositories. These agents may act in both directions, either creating or modifying user accounts in managed repositories or creating identities or accounts found in existing repositories.

Soffid has a set of standard connectors that allow a very easy integration with most commonly used repositories, including LDAP directories, MS Active Directory, relational databases and most common operating systems.

From a technical perspective roles are grouped into repositories. However, Soffid also adds an organisational perspective, grouping roles into information systems. For any information system, the entitlement catalog is composed of a set of roles that grant access to the data in this specific information system regardless of the repository where these roles are saved. Users may be allowed to query or grant roles for selected information systems.

In a complimentary way, information system’s managers may define risk levels
associated to an entitlement or a group of them. For every entitlement, the risk level may be assigned to Low, Medium, High or Forbidden. For instance, if a group of entitlement is set to Forbidden, Soffid will prevent assignation of all this specific set entitlements to the same user.

Soffid has been designed using the JBoss JBPM engine, which has been extended and improve with further functionality. Using this engine, Soffid allows administrators to define decision and work flows simply, securely and accurately. Some of its unique features are:

• Graphical designer based on Eclipse, which enables ease of use without profound technical knowledge.
• Events can be coded using compiled java or interpreted bean shell.
• Run automatic and user tasks.
• Run synchronous and asynchronous (scheduled) tasks.
• Create multiple parallel execution threads in a single process.
• Create multiple processes from a parent process.
• Possibility of requiring electronic signature on manual tasks. Digital certificates can be stored on software, smart cards or HSM (Hardware security module) devices.
• Integrated with document management systems.

Attestation in the context of identity and access management and governance implies having capabilities and tools to revise and confirm the current set of permissions  and authorisations.

Revision of permissions definition:

• The application owner would validate/add/delete the permissions that are assigned to each business role.
• Optionally, the responsible of Information Technology security would confirm the previous revision.

Revision of assigned permissions:

• The head of each department would validate the set of permissions that have been assigned to each of the users in his/her department.
• The responsible of each application would validate the set of permissions assigned to all users in such application.
• Optionally, the responsible of Information Technology security would confirm the previous revision.
• Such processes may be revised and monitored in real-time by the responsible the Information Technology security.

Soffid supports automatic report generation using the iReport designer standard. Data related to identities, authorizations, audit and many other Soffid data fields may be exported to spreadsheets for further analysis.

To generate automatic recurring reports, Soffid has a builtin report generation feature and delivery system that allows report scheduling. This is also configured through the Soffid web portal.

Every action performed is recorded in Soffid database. This data may then be queried by Soffid console or third party tools.

Audit systems may be connected to external record management systems, or Security Information Event Management System (SIEM) to set up more complex analytics and alerting systems.

Soffid deliver three different levels of traceability:

• Firstly, any actions performed on all Soffid objects (users, accounts, permissions, authorisations) is automatically registered in the internal Soffid database together with the actions performed and the associated object.
• Secondly, any change or modification performed by Soffid on any managed system is also registered and correctly logged. Thus, all the actions performed by the synchronisation engine are easily identifiable.
• Finally, all the actions performed during any workflow are also logged and persisted to the Soffid database.

Since all the data to be used for auditing purposes is persisted in the Soffid database, full reporting and analysis flexibility may be implemented via SQL or any other query language. In order to integrate SIEM (Security Information and Event Management) capabilities, Soffid activates the auditing register via activation of the SYSLOG protocol.

Federation allows integration with the most widely used cloud services without the need of sharing passwords with third party providers. It supports SAML federation as well as OpenID. Federation is easily implemented by having an Identity Federation addon installed on the administration tool.

Then, on the Identity provider side that the end user would access, a SAML or OpenID bridge are used to connect securely to the External Identity Providers.

Soffid manages shared accounts that are used by more than one user simultaneously.

Each one of these accounts will have an access control list that specifies the identities that may use it. This access control list is formed by identities, business units or entitlements.

Of course, every shared account usage through the single sign on module is
conveniently audited.

Define user management delegation easily:

• Soffid allows selected users to create/modify user, accounts, groups, application roles, etc. based on its organization role, organizational unit or granted roles.
• Separated permission schema restricts the scope of users, accounts, groups or roles that can be queried by any user.
• XACML optional module available (eXtensible Access Control Markup Language to define attribute based control policy), thus permissions can be assigned based on location, time, device used or any other attribute.

Soffid manages the complete workflow to generate new certificates for certain applications and certain users completely integrated in the Soffid workflow engine.

A complicated process made simple and fully transparent to the end user.

The role mining feature in Soffid applies data mining technology to create business profiles based upon current application permissions in order to minimise the number of roles to be managed and maintained. In this context, the tool allows the administrator to select different role management strategies, such as:

• More roles with less permissions
• Fewer roles with more permissions
• Balanced approach

Then, the tool minimises a cost function that represents the effort of the
administration and maintenance of these accounts. It then suggests the type of roles that need to be used.

This functionality allows to minimise the number of roles that need to be live in a specific system, thus helping to reduce the amount of time and resources that need to be allocated to maintain such a system.