Identity Federation and Password Vaulting
Overview of Identity Federation and Password Vaulting
The transcript discusses two important concepts in identity management: Identity Federation and Password Vaulting.
Identity Federation
Definition: The user is authenticated at the identity provider (IdP) side, such as Okta, rather than at the service provider (SP); the SP trusts the IdP's assertion instead of checking credentials itself.
Example:
A corporate user signs into Okta and selects a service, such as Dropbox.
Dropbox does not perform any authentication itself.
Federation Trust:
Established by the Okta administrator when configuring app integration.
This trust means that the service provider (e.g., Dropbox) relies on Okta to authenticate the user.
As long as Okta provides a valid token for users, they are considered valid and allowed access to the SaaS application.
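The federation trust described above, as an added example that is not part of the transcript or Okta's own code: a simplified IdP/SP exchange in which the SP does no authentication of its own and only checks that the token it receives was signed by the trusted IdP, is addressed to this SP, and is still valid. The issuer URL, the "dropbox" audience id and the shared HMAC key are constructed stand-ins; real Okta integrations use SAML or OIDC with an IdP signing certificate rather than a shared secret.

```python
import base64, hashlib, hmac, json

# Constructed values: the "federation trust" is modelled as a key the IdP uses to
# sign assertions and the SP uses to verify them (exchanged at app-integration time).
IDP_ISSUER = "https://example-corp.okta.com"   # hypothetical IdP
SP_AUDIENCE = "dropbox"                        # hypothetical SP application id
TRUST_KEY = b"constructed-shared-trust-key"    # stand-in for the IdP signing cert

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_assertion(subject, audience, key, now, ttl=300):
    """IdP side: after authenticating the user (out of scope here), sign the claims."""
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def sp_accept(token, key, now):
    """SP side: no password check at all; access depends only on the IdP's token.
    Returns (accepted, subject_or_reason)."""
    try:
        body, sig_b64 = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return False, "bad signature"          # tampered, or not from the trusted IdP
        claims = json.loads(_unb64(body))
    except ValueError:                              # covers base64 and JSON errors
        return False, "malformed token"
    if claims.get("iss") != IDP_ISSUER:
        return False, "untrusted issuer"
    if claims.get("aud") != SP_AUDIENCE:
        return False, "token issued for another service"   # blocks cross-SP reuse
    if now >= claims.get("exp", 0):
        return False, "expired"
    return True, claims["sub"]
```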
Password Vaulting
Definition: Okta's implementation of Secure Web Authentication (SWA).
Comparison:
Similar to cloud-based password managers like LastPass or 1Password, but with key differences.
Users do not interact with Okta in the same manner as with traditional password managers.
Architectural Flow:
Integration with services such as Box using SWA means that the user creates and manages their password at the service provider.
Okta caches this password internally.
Advantages:
Allows centralized application of password policies and Multi-Factor Authentication (MFA) policies within Okta.
Provides a method for managing access to services that do not support Single Sign-On (SSO) protocols like SAML or OpenID Connect.
Use Case:
If an enterprise subscribes to a range of SaaS solutions and some of them do not support standard SSO protocols, Okta can still facilitate access to those through Secure Web Authentication (SWA), even if it is not ideal.
Users can still use Okta tiles in their user portal to simulate an SSO experience for these services, even though it requires a password management approach rather than complete federation.
Conclusion
In summary, Identity Federation and Password Vaulting represent two methodologies for managing identity and access to applications, each suited for specific scenarios depending on the capabilities of the service provider and the identity provider used.