Single Sign-On

Azure AD & OAuth User Rights Management
855.300.0527Book a Demo

Synchronized User Rights Management

 

Managing systems users can be a challenging aspect of implementing a GPS tracking and telematics system. Employees routinely come and go and the IT department or the GPS program manager is constantly struggling to keep up with employee changes. Additionally, this process may take time which leaves a window of opportunity for a disgruntled employee to access the system.

Integrated user management works from existing systems to automatically manage users in the GPS fleet management portal. Changes made in your normal employee management system are reflected in the portal when user access rights are checked between the systems. When you block an employee on your system, it immediately blocks the user on the Fleetistics portal.

Single Sign On (SSO) TechNet Magazine

Azure AD is the latest “flavor” of Active Directory. Azure AD utilizes cloud technology thus avoiding the server in the closet just for ADFS. Read more here.

 

Azure AD Points

The OAuth 2.0 is the industry protocol for authorization. It allows a user to grant limited access to its protected resources. Designed to work specifically with Hypertext Transfer Protocol (HTTP), OAuth separates the role of the client from the resource owner. The client requests access to the resources controlled by the resource owner and hosted by the resource server. The resource server issues access tokens with the approval of the resource owner. The client uses the access tokens to access the protected resources hosted by the resource server.

Reference

Active Directory Federation Services

Active Directory Federation Services, also known as ADFS, was introduced in Windows Server 2003 R2 to help organizations set up and participate in a standards-based identity federation.
IT organizations can use identity federations to make decisions based on identity data from other organizations, while also sharing selected information about their own users’ identities. You can think of a federation as an agreement between two organizations with some common purpose, often structured so that each partner retains the management of its own internal affairs. In this context, identity is defined by a set of statements or claims about a subject (you can read more about this in Joshua Trupin’s article in this issue, or in Kim Cameron’s “Laws of Identity”whitepaper). So the common purpose of an identity federation is the sharing of identity information and identity authentication responsibilities. ADFS enables this decentralized identity sharing by implementing the WS-Federation protocol along with standards such as WS-Trust and Security Assertion Markup Language (SAML).

ADFS Best Practices

Imagine for a moment that, as the local ADFS guru, you are asked to spearhead configuring your company’s 30 business partners as account federation partners. Setting up a single partner following the ADFS Step-by-Step Guide wasn’t too difficult, but what about configuration on a larger scale? There are important concerns for organizations looking to scale the number of partners further out in ADFS. Best practices for addressing these concerns include understanding the technical requirements of your partnering process, using a consistent structure for organization claims, and using the ADFS Object Model (OM) Application Programming Interface (API).

Standardization
Your organization may have a large set of business and legal requirements for setting up federation partners, but the ADFS technical requirements are fairly simple. Whether your organization will be functioning in the account or resource partner role, you’ll need to agree with each partner on the actual names for the claims that will be exchanged across organizations. If you are a resource partner with numerous account partners, it may be fairly easy to develop a standard set of mappings and ask your account partners to conform as part of the partnership. As a resource partner, you must also make sure you obtain each account partner’s token-signing certificate, which must be configured when creating the partner in the ADFS trust policy.
FlexibilityWhen organizing claims in trust policy, there are some constraints to be aware of. For organizations looking to leverage NT Token-based applications, at least one group claim must map to each security group that the organization plans to use for authorization decisions on account partner users. The claims and mapping system in ADFS allows for some flexibility and abstraction in claim assignment on the resource. For example, in situations where multiple different claims from a partner result in the same claim on the resource side, ADFS allows multiple claim mappings to refer to the same claim. Because the claims intended for claims-aware applications often do not map to Active Directory groups, there is, even more, flexibility for those applications. Flexibility in the ADFS claims model allows for many solutions.

Automation
For organizations with complex workflows and business processes and high partner churn, the ADFS OM API offers an alternative to the manual configuration process. The OM API allows programmatic access to trust policy construction and editing. Organizations with existing custom tools for handling business processes can integrate ADFS trust policy editing into the partnering process tools directly. As partner volume and churn increase, this can also be preferable to allow for some automation as well as extended partner-analysis functionality.
Read more about the ADFS OM API at go.microsoft.com/fwlink/?LinkId=66063.

Matt Steele – is a Program Manager on the Active Directory Federation Services team at Microsoft. Matt is currently working on ADFS product integrations and supporting the design of future identity and access technologies. View

?2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.

Azure AD Apps

Azure AD or ADFS Setup

ADFS is free if you are using Active Directory 2008 or newer. It is an “add-on” which enables access to your network from outside your network. Don’t worry, ADFS is secure and a standard Microsoft service used by thousands of large companies world wide. If you are unfamiliar with setting up ADFS the Fleetistics help desk service provider can provide IT consulting services and do this for you. Let your account manager know if you need this service from IGTech365.com.

Active Directory Implementation
Active-Directory-Security

Secure Process

Fleetistics will provide a set of groups which all users are assigned to in the customers Active Directory (AD). AD then passes this information to ADFS which acts as the secured gateway to external access. When a user attempts to login to the MyFleetistics portal, the request generates a token which is sent to the customers ADFS for authentication. Upon authentication, a token is returned which is matched to the request and the user is able to login with the groups access rights assigned.

Industry First AD Integration

Fleetistics is proud to be the first in the industry to offer user management through integration of Active Directory. Through the use of Active Directory groups, user access to features of the MyFleetistics portal can be centrally managed using the same familiar tools and processes already in place within your organization.

Contact Fleetistics

Ask about testing a fleet monitoring service


Complimentary Strategy Session

Service

877.467.0326

contact@fleetistics.com