Features in detail

Converged IDAM Platform

Universal Directory

Cross Identity has a built-in Identity Store, the central directory for all users and roles created in Cross Identity or any other source. It allows the solution to be massively scalable. Also, it allows organizations to access all functionalities of Cross Identity even if it is not using an Active Directory. This is an excellent option for authenticating users who are not in Active Directory.

Integration with Source of Truth (SoT)

1. The solution leverages a listener who can detect changes in the initial feed and, based on the event, can provision/de-provision user accounts in the target systems. This can also be scheduled at off-peak hours. Reusing business rules depends on where the rules exist and the standards. All attempts will be made to reuse the existing components as much as possible.

2. Cross Identity can integrate with various Source of Truth (SoT) systems such as CSV files, Enterprise Directories, and HRMS applications, allowing organizations to quickly onboard users and manage users and their groups.

3. Cross Identity can integrate with HRMS as a Source of Truth (SoT) using the inbuilt connectors of Cross Identity.

4. It also allows multiple directory domains to be configured with the solution. This allows Administrators to configure features required for those specific domains.

5. Cross Identity provides an SoT Connector that supports the periodic reconciliation of the users into Cross Identity.

6. During reconciliation, a scheduled task invokes the connector framework operations. This framework, in turn, invokes a search operation on the SuccessFactors Connector Bundle, and then the bundle calls the API for reconciliation operation. The API extracts user records that match the reconciliation criteria and hands them through the bundle and framework back to the scheduled task, which brings the records to Cross Identity.

7. Each user record fetched from the target system is compared with existing Cross Identity Users. If a match is found between the target system record and the Cross Identity user, the Cross Identity user attributes are updated with changes made to the target system record. The target system record creates a Cross Identity user if no match is found.

8. CI supports integration with any SCIM-based Systems to pull User data.

Directory Integration

Multiple Active Directories can integrate with Cross Identity. Users from AD can be imported into CI and can use various IAM use cases in CI.

Importing Users into CI through other methods

CI supports various options to onboard users into its Universal Identity Directory:

1. Through Add User Form:

   Admin can manually add users through the ‘Add User’ form when they join your organization. After adding the users to Cross Identity, you can assign them to applications and groups and manage their profiles.

   

2. CSV File Import

   CI Admin can onboard new users or update the existing Cross Identity users by uploading a CSV file containing the user information. This includes validation and error reporting of the imported data. The existing user can be ‘assigned as a manager’ to another user (imported through CSV), even if the existing user (manager) is not part of the imported CSV file.

   
   

3. Through CI API

   Cross Identity (CI) offers an API feature that allows you to programmatically create users within its Universal Identity Directory, thus eliminating the need for manual user creation. The user creation API supports HTTP or HTTPS requests and follows a REST design pattern. Using the user creation API feature, you can integrate user onboarding directly into your applications, workflows, or systems. This enables automated user provisioning and allows you to synchronize user data with other systems or databases.

Identity Attribute Transformation Rules

CI provides the following attribute management capability:

• Ability to expand and manage custom Identity schema attributes.

• Attribute mapping during Source of Trust synchronization between SoT and Identity Attribute.

• Attribute mapping for attribute value propagation from the target application accounts.

Identity Schema Management

CI supports expanding the identity object attribute schema as per the requirement. The Schema expansion is ultimately the UI drive.

CI Supports different attribute types. The following are listed as shown in the figure:

Cross Identity enables the complete administration of attribute mapping.

SoT Attribute mapping

Cross Identity supports and provides a simple script-based process that enables manipulation, derivation and updated Cross Identity user attributes. For example:

• Creating a unique user ID based on different attribute combinations and validating the uniqueness of the value

• Concatenation of the attributes

• Conditioning of attributes

• Static Attribute  Target application account attribute mapping
  Cross Identity supports and provides a simple script-based process that enables manipulation, derivation and propagation of Cross Identity user attributes to the target application account.
  

Delegated Authentication

In addition to authenticating against its Universal Directory, Cross Identity supports user authentications with any Enterprise Directory, such as AD or with any third-party Identity Providers (IdP), such as ADFS.

In Delegated Directory Authentication method, users can access Cross Identity modules by entering their Active Directory credentials.

In the Delegated IDP authentication method, users can access Cross Identity modules by entering their IdP credentials.

Note:

CI supports sAMAcountName or first part of UPN of AD user for CI Authentication.

Support for Multiple Authentication Roles

With the use of Authentication policies defined in the solution, users can get authenticated to various authentication (CI, AD, ADFS, etc.) stores to get access to Cross Identity modules. Also, multiple Active Directory domains can be integrated with CI and users from these domains can access Cross Identity to perform their IAM use cases in CI.

Support for Third-Party IdP Authentication

CI supports End-User Authentication with Third-party SAML Identity Provider.

Support for Integrated Windows Authentication

Integrated Windows Authentication (IWA) is a popular authentication mechanism used to authenticate users on Microsoft Windows servers. This authentication mechanism does not use the traditional form-based authentication, where the users must enter credentials in a form. Instead, it uses browser-based authentication, where the authentication is handled by the web browser.

The following diagram indicates how the authentication procedure works:

A new policy for IWA has been introduced which will have the highest priority and cannot be deleted once created. This policy works based on the Network IP Address of the users.

Configure the IWA Agent URL under the Authentication Policy:

Ensure that the Authentication Policy is enabled at the Admin Portal. Access the IWA URL.

Without manual intervention, authentication will be performed, and the user will be logged in to the CI portal and can also perform Single Sign On.

User Profile Management

The end user can manage the Identity profiles as below:

Access Management

Single Sign-on

Cross Identity offers a standard role-controlled end-user dashboard. It provides SSO integration capability to Cloud federations, enterprise Web and non-web applications, which include:

1. SSO for Federated Applications

   • SAML 2.0 (both IDP and SP Initiated SSO) Cross Identity also supports 3rd party Identity Providers (IDP), and CI can act as SP

   • OAuth 2.0 (Authorization)

   • OpenID Connect 1.0 (Authentication using JWT token)

2.   SSO for Non-Federated Web applications

   • Password vaulting and forwarding or replay techniques.

3.  SSO for Desktop Applications (Thick-Client Applications)

The Cross Identity tool supports the IdP, and SP initiated flow using HTTP Post SSO protocols such as SAML 2.0, i.e. Security Assertion Mark-up Language for assertion configuration. Supports passing of user attributes from user stores, including protocol access of LDAP and AD, including support for basic attribute customization.

Cross Identity can Integrate with IDP and SP. Also, it enables SSO assertions with name-id configuration, X509 subject name, Email Addresses, Windows Domain Qualified Name, Kerberos Principal Name, Persistent Identifier, Transient or One-Time Identifier and so on.

Password Vaulting:

1. CI uses password vaulting and forwarding techniques to perform Single Sign-on to Web Applications which do not support standards such as SAML or OAuth.

2. The password vault can be configured to use AD or LDAP credentials during forwarding.

3. When a user accesses an application for the first time, CI prompt the user to register or store the credentials in the password vault.

4. The password is encrypted and stored in the vault.

5. The password vault is stored on the Cross Identity cloud.

6. When a user accesses the subsequent application times, the password from the vault is decrypted and forwarded to the application.

Context-based Authentication

Cross Identity supports built-in Multi-Factor Authentication to support platform login, selective integrated application access, and advanced access control policies based on roles, devices and network context. The guidelines can be defined in CI based on the User’s Roles, Devices, Networks and other user contexts.

Below are the built-in MFA factors that CI supports:  

• Security Questions

• Email OTP

• SMS OTP

• Soft Token: CI supports any TOTP-based soft-token application such as:

1. Google Authenticator

2. Microsoft Hello 

3. DUO

CI provides intelligent access decisions while reducing friction for end users. Combining a range of contextual data signals to assess risk, CI determines whether it needs to grant access with or without additional authentication factors or deny the access, by evaluating the risks.

Below are the details of contextual data signals that CI collects to determine the access controls:

The below picture shows the steps to configure a Context-based Policy in Cross Identity:

This policy is defined to enforce  additional MFA (Soft-token) when end-user, who is a contractor (having “Contactor” role membership) and login ID begins with “CTR” and by using a “Windows” machine, is trying to access Office 365 Application from “Mumbai” or “Bangalore” location:

Context-based Authentication Policy – Actions:

Session Management

In addition to centralized authentication and single sign-on features, CI provides session management capabilities, including controlling session state for user-present interactions with applications. Ability to define Global session timeout:

SAML Certificate Management  

Cross Identity supports the ability to have individual certificates that can be used to sign SAML assertions for each integrating Service provider application: 

Consent Management

The end user can manage the consents that have been given to various applications as below:

Password Management

Self-Service Password Reset 

Cross Identity allows users to reset their passwords and/or unlock their accounts without any helpdesk support. This is done through various authentication options that Email-based OTP and SMS-based OTP. Cross Identity lets users focus on business and not get hassled with password management giving users a seamless experience from anywhere and anytime.  

Self-Service Change Password

Cross Identity allows users to view, reset, and update passwords of all target applications which are not integrated with AD. This gives users the ability to change passwords right from the launchpad. The solution also allows changing the Active Directory password from the launchpad. This password can also be synchronized to other target applications with the help of password-sync connectors. 

Password Synchronization

Cross Identity captures password changes initiated from it and synchronizes the new password with integrated systems. This gives users a reduced sign-on experience with password synchronization not integrated with AD.

Helpdesk Assisted Password Management

The helpdesk-assisted password reset or account unlock feature is a functionality to assist users in regaining access to their accounts when they are locked out or have forgotten their passwords. This feature allows the designated helpdesk users to unlock the accounts of specific users or generate a temporary password for them in case the user has forgotten their passwords.

Identity Administration

User Lifecycle Management

Cross Identity supports automated user provisioning and de-provisioning in a real-time environment. There are multiple options available:

1. The system can be integrated with the Enterprise HR System/Active Directory/LDAP to pull the User information in real-time. The following is the high-level flow:

   • Whenever there is a new user created in the HR System, Cross Identity can pull the new user record from the HR System

   • Check if the user exists or is a new user based on the unique attribute

   • If it is a new hire/join:

     i. CI performs attribute mapping/calculation logic between HR User record

     attributes and the CI User record attributes.

     ii. CI automatically creates the User in the identity repository

     iii. Based on the configured dynamic policies, user may get access to application

     accounts/entitlements

   • If it is a terminate/leave operation:

     i. If it is an existing user with the terminate flag/attribute set, CI automatically

     terminates (disables) the user record in the identity repository

     ii. If the user has one or more roles/application accounts/entitlements, they are

     revoked/suspended automatically

   • If it is an update/move operation:

     i. If it is an existing user with the job/role/department change, CI automatically

     can update the user record accordingly in the identity repository

     ii. CI automatically adds/removes roles/application accounts/entitlements

     based on the job/role/department

2. Cross Identity exposes Rest APIs for all the User lifecycle management operations. Any 3rd party application can use the CI Rest APIs to perform automatic provisioning and de-provisioning of users in real-time.

3. Following is a high-level description of the functional IGA capabilities:

   User Administration Support

   • New User onboarding

     • When a user is hired, the first step is creating a new record for the employee by HR. Once a record is created in the Source of Truth (SoT), the record will be synced in the Cross Identity solution based on a connector on the tenant.

     • CIAM Use case of Self-registration: CI provides a customizable self-registration page where users can register themselves.

   • Contractors or Sponsored User Management:

     • CI provide the manager and the administrator the ability to onboard or register contractors or sponsored users manually.

     • Optionally CI provides CSV file-based bulk import of users.

     • All other lifecycle operations like dynamic role assignment, birthright

       provisioning, termination, self-service functionalities, access requests and

       access recertification are also supported.

   • Promotion or Transfer

     • As users are promoted, transferred or change roles based on the new role, the new access will be provisioned. Existing accounts and entitlement will be removed automatically based on the dynamic roles.

   • Suspend or Restore User and Application Accounts:

     • HR system updates the suspend date for a user when the suspend date matches the system date. The user ID and the associated accounts are all suspended.

     • HR system updates the restoration date for a user. Also, the User record and its provisioned accounts are restored.

   • Remove User and All Accounts on Termination:

     • HR system updates the termination date for a user. When the termination date matches the system date, the User ID and the associated accounts will be disabled. Group access and shared resource ownership will be removed.

   • Additional Access Requests and Approvals

     • Additional Access Requests and Approvals will be handled in Cross Identity Solution. End users or the User's manager can request further access. One-level or multi-lever approval is configured in the system. After the proper approval, the account and access will be provisioned in the target applications.

   • Static and Dynamic Role Definition

     • The solution supports the ability to define Dynamic roles based on the combination of user attributes with the ability to auto-provision account and application entitlement

     • The solution also provides the ability to define static roles to entitlement definitions that can be mapped to access request workflow.

   • Automated Target Application Account Provisioning

     • CI support hundreds of provisioning connector that supports the entire user provisioning use cases of:

       • Create

       • Modify

       • Suspend

       • Restore

       • Delete

       • Entitlement/group assignment and revocation

       • Change password

       • The provisioning connectors are available across the tenant as part of the application store and the administrators can be easily configured by the administrators.

     Rule-based Role Assignments

     Cross Identity supports business or organization roles and supports the dynamic assignment of users to these roles. Users can create rules based on various user attributes so that users can automatically be assigned to specific roles when added to Cross Identity or when any of the existing user attributes are changed.

     Role-based Access Control

     Cross-identity supports three types of roles:

     • Static Role – IAM admin or authorized person can create a static role manually based on the organization's requirements. IAM admin can add multiple application entitlements in the static role. When an end-user requests a static role, Cross Identity sends the requests via a connector to target applications, creates a respective account, and adds appropriate entitlements. The solution supports defining segregation of duty checks on the static role. The SOD is evaluated during the access request process.

     • Dynamic Role -   Dynamic roles can be created automatically based on a Cross Identity admin-configured rule. For example, the admin can create a rule that if the user's job title = is security Architect and Job location is equal to the United States, he will get the Security Architect Role. So, all users whose job title and Location match the rule will get the role automatically. It can be used for birthright provisioning. When the user gets the role, Cross Identity requests the target application via a connector to provision the accounts and entitlements. It helps to create accounts and entitlements automatically without manual intervention.

     • Built-in/System Defined – Roles created by default and used for operating the Cross Identity System, including admin role, helpdesk, etc.

     Cross Identity supports the setting of role-based access controls.

     1. Admin can define if an Application is available for SSO on the user's dashboard by authorizing the Application based on Roles and user attributes.

     2. For example, if the Admin defines users who are Role "Sales" members, they can do SSO to Salesforce. If a user, John is not a member of the " Sales " role, he will not see the Salesforce application SSO icon on the dashboard.

     3.  Admin can also restrict what menu options are available to the users during self-service based on roles.

     4. When HR Data is read from an authoritative source, Cross Identity can automatically provision and de-provision application access based on roles.

     5. Users of the Help Desk role can only perform Helpdesk password-related operations.

     6. Only Managers and Application owners can perform workflow and certification tasks based on roles.

     Account/Entitlement Provisioning

     Birthright Account/Entitlement Provisioning

     1. All users joining an organization get access to specific systems and applications as part of default application access for everyone (such as an AD account to login to OS and join the domain, an Email account, Office 365, etc.).

     2. Organizations have different access to users based on the overall processes and organizational rules. Cross Identity can grant conditional birthright provisioning based on those rules that enable access to different systems and applications.

     Promotions and Transfers

     1. Cross Identity automatically adjusts user access across business applications based on promotions or transfers. The necessary accounts relevant to the user's new role are automatically provisioned. Those accounts that are no longer relevant to the user's new role are automatically de-provisioned. Provisioning and de-provisioning follow the rules defined in the relevant applications configured for the role.

     Request Based Account Provisioning

     1. Cross Identity supports the ability to request access to the published entitlements, Roles or application accounts.

     2. Users can select the duration of the time the access is needed and provide the appropriate comments.

     3. These requests are sent to the relevant authority for approval based on the multi-level approval workflow configuration. Upon approval, the request will be provisioned automatically.

     4. Cross Identity allows the user to track and manage the request. Users can browse the name of the pending approver:

        1. Approver: An approver can approve, reject or forward the request. The approver can also change the duration of the time that the user has requested access.

        2. Cross Identity supports the ability to notify the approver and the requestor of the status of the action that has been taken.

     5. Once the request is approved, based on the type of access, for example,   if it's a business role that has been requested, CI will provision the mapped application accounts and entitlements. If the requesting access is a direct entitlement, CI will provision the entitlement in the requesting target application account.

     

     Request Based Role Provisioning

     1. Cross Identity allows users to request membership roles within Cross Identity. Based on the configuration in the multi-level approval workflow defined while defining the role, these requests are sent to the relevant authority for approval. Upon approval, the users are provided membership to the requested role and accesses linked to that role are automatically provisioned.

     2. The user can initiate an Access Request using the Launchpad or the mobile app. Users can also see the status of their request on the Launchpad or the mobile app. Approvers can approve or reject access requests in the desktop or mobile Launchpad.

     Suspension and Restoration

     1. Cross Identity automatically suspends users marked as Suspended in the integrated SoT – CSV, Active Directory or HRMS. Based on the user's status in Cross Identity, their accounts in the various target applications are suspended.

     2. When users are marked as Restored in the integrated SoT, Cross Identity automatically reactivates all their accounts and enables all their accesses.

     Contractors/Sponsored User Management

     CI provides the manager and the administrator the ability to onboard or register contractors, vendor users or sponsored users by requesting to create new Identities in CI.

     Optionally CI provides CSV file-based bulk import of users.

     All other lifecycle operations like dynamic role assignment, birthright provisioning, termination, self-service functionalities, access requests and access recertification are also supported.

     De-provisioning/Termination

     Cross Identity automatically detects this event when a user leaves the organisation from integrated SoT. It removes user access across all business applications, thus eliminating the need for it to be done manually. This feature allows organizations to achieve statutory and regulatory compliance and ensures adequate security.

     Support for Application account attribute transformation

     Target application account attribute mapping 

     Cross Identity supports and provides a simple script-based process that enables manipulation and derives and propagates Cross Identity user attributes to target application accounts.

     Multi-Level Approval Workflows

     Cross Identity allows administrators to configure multi-level workflows for access requests to applications or roles. Admin can choose a role as the approving authority at each workflow level. Additionally, the admin can specify if all users or only one user of a role need to approve the request.

     These workflows can be configured for each application and role.

     

     Approval Delegation

     CI supports the ability to delegate the approval task within CI, for example, requesting approval and access certification. In this, CI supports the ability to forward the approval request or configure the out-of-office delegation where access request approval and access certification approval are delegated to the other user. Cross Identity also supports the ability of an authorized user/manager/admin to assign roles and entitlement to any other user with or without approvers to meet the requirement of the delegate.

     User Profile Management

     The end user can manage the Identity profiles below:

     

     Allows managers to revoke user’s role access and Application Access  

     CI allows managers to revoke the role, application and/or entitlement access of his/her users through CI End User Portal.

     

     Access Governance

     Consolidated Access View

   • Cross Identity lets administrators get a real-time view of user access across business applications.

   • Enable administrators to see the account user holds across business applications, and they can take appropriate actions if anything is out of place.

     Orphan or Dormant Account Reporting

   • Cross Identity detects orphan and dormant accounts across business applications and allows administrators to act appropriately.

   • Once detected, an orphan account can be:

     1. Assigned to a user on specific criteria defined by the administrator

     2. Assigned to a user manually by the administrator

   • Auditing - Dashboard and Reporting

Cross Identity provides an intuitive dashboard to view everyday events such as:

Access Review and Certification/Attestation

Supports four different access certification campaign definitions:

• Entitlement Campaign – Ability to combine entitlement across various applications into a campaign that must be certified.

• Role Certification Campaign – Ability to combine business roles across different applications into a campaign that must be certified.

• Application Account Campaign – Ability to select applications that must be certified for a campaign. All the chosen applications' accounts will be included in the campaign.

• User Identity Account Campaign – Ability to group users based on roles and attributes to trigger user end date extension.

  Access Certification Connectors: Cross Identity leverages the IGA connector to perform reconciliation, retain and revoke action via connectors that will be provisioned and integrated as part of the project implementation.

  CSV File-based Certification Connectors: For applications that are not integrated via the IGA connector, Cross Identity supports a simple CSV file-based approach to reconcile users' entitlement data and run the certification campaign.

  • Cross Identity supports the manual fulfilment approach where CI initiates a fulfilment task that the application administrator can mark as complete.

  Cross Identity also includes Access Review. Campaigns can be launched from the Cross Identity system. In a typical review campaign, the following steps are involved:

• Before the Access Review campaign begins, Cross Identity runs an Account and Access reconciliation report.

• The campaign begins when the system sends the report to all the managers with details of their subordinates' access:

  • In the tool, managers are given a deadline to finish the review. They must indicate the accesses to be accepted and rejected. This approach enables the addition of two levels of approval.

• Once the Manager Review is completed, Cross Identity follows this process:

  • The reviews are sent to the second approver.
    <OR>

  • A report is prepared by Cross Identity, compiling all the proposed access terminations.

  • The system then completes the access removals through the User Lifecycle module. This step is called closed-loop remediation. This step is optional.

After the review cycle is completed, Cross Identity generates the following:

• A comprehensive list of accesses was removed.

• The latest orphan account list. This list enables the organization to take action to reduce the orphan accounts by re-assigning them or eliminating them, thus efficiently utilizing licenses.

The Access Recertification module provides all the necessary reports and closes the campaign.

Segregation of Duties(SoD)

Cross Identity also provides a Segregation of Duties feature enabling the administrators to segregate responsibilities to prevent misuse of critical combinations of tasks in the process. SoD Policies can be defined for:

• Static Roles

• Applications

• Entitlements

Notes:

Dynamic Roles cannot be defined in SoD policy.

Defining SoD Policies

The SoD Menu is present on the End User Portal and will be enabled only for the admin users. The SoD Policy configuration menu will be made available only to the admin users and SoD owners. SoD reviewers will not have the ability to access SoD policy configuration menu.

The sub-menus under the SoD module would be:

• Summary

• SoD Policies

• SoD Violations

The following will be the access control for each role:

• SoD Admin can view the Summary (Dashboard view) of the violations and view/edit the SoDPolicies.

• SoD Owners have the same control as the SoD Admin; and can also review the violations.

• SoD reviewers will only be able to view the Summary and perform the review of the violations.

  

SoD Owners and Reviewers will be configured in the below screen:

Offline SoD Campaigns

Offline SoD Campaigns mainly include the execution of a SOD campaign to identify prevailing violations pertaining to the policies created and run the campaign and trigger reviews for the violations to respective SoD owners/reviewers.

The campaign can also be previewed by the SoD admin/owner to identify the number of violations before triggering the SoD policy.

The SOD Campaign screen would look like below:

Online SOD Campaign

SoD violations of the requestor will be highlighted to the approver in case of Access Requests, and the reviewer in case of Access Certification. In case of violation during Access Request, the reviewer grants a limited-time access to the requester. Violation can be mitigated during the request/ review process.

The SoD policies will also be auto-triggered for the concerned application at the time of reconciliation. Also, if a user has been added to a static/dynamic role that grants access to applications and entitlements, the SoD policies will be auto-triggered. The above process allows the roles and entitlements of the existing users to be in check and prevents the users from getting unauthorized or elevated access.

SOD Delegation

The SoD Owner/ Reviewer can delegate an entire policy to another SoD Reviewer. This option will be available on the SoD Policy page under the Reviewer section.

The Out-of-Office Delegation menu captures the delegated SoD reviewer for the policies assigned to the logged-in reviewer. If the SoD task is delegated, the delegated user will be able to see the Pending Activities of the SoD Reviewer and Owner. In both cases, notifications are triggered to the reviewer if the review tasks have been delegated.

SOD Summary

The SoD Summary provides an overall view of the violations that are available in the system as a dashboard. The dashboard widgets will display the information based on the policies assigned to SoD Owner and SoD reviewer. Whereas the admin will view a summary of all the active SoD policies in the system.

Pay-per-Use (PPU) Consumption Portal

Cross Identity offers two types of licensing models for Cross Identity: 

1. User-based License- User-based License is the conventional license model where customers can purchase Cross Identity licenses based on the number of users in the system.

2. Consumption-based License - In this model, the customer pays according to the usage of the product.

Consumption-based (Pay-per-use) Licensing Model

Pay-per-Use (Consumption-based license) module is an innovative license model. Customers do not need to purchase CI licenses based on the number of users. Instead, they can get a bundle of user licenses without any payment. The pricing will be determined based on the consumption of the Cross Identity solution. This model uses the below events to determine the consumption of the customer: 

1. Application Access 

2. MFA Usage 

3. Password Reset 

4. User Management Events (Create, Update and Delete)

5. Access Request 

6. Access Review 

Each of these events will have a price defined when the customer purchases a Cross Identity subscription (as shown below).

Based on the usage of these events, the monthly price will be calculated, and the customer has to pay only that price – Pay-Per-Use Model. 

Pay-per Use Consumption Portal provides a summary of various Identity and Access management-related events that occurred in the Cross Identity. It enables you to drill down the details of those events based on the User’s Department (Business Unit) and provides a summary of the consumption billing. This includes monthly billing details, billing trends and event-wise billing reports. Users can generate various reports based on events, and department of event status for the "Report" section.

Event Dashboard

It shows 8 widgets:

1. License Usage

2. License Assigned by Departments

3. Application Access

4. User Login Events by Departments

5. Password Reset Events by Departments

6. User Management Events by Departments

7. Access Request Events by Departments

8. Access Review Events by Departments

You can click on any widget to view further micro details.

Billing Dashboard

 Reports

Other Features

Application Store

Cross Identity provides a centralized app store accessible by all users. The App Store includes 1500 plus SAML applications, 2000 plus web applications and 100 plus IGA application connectors.

SoT & IGA Connector Framework

Cross Identity’s Connector Framework provides interoperability between Cross Identity and IGA and SoT applications/systems. The Cross Identity IGA connector enables provisioning & de-provisioning to the accounts and entitlements that are maintained by the integrated target applications/systems.

SoT connectors allow CI to pull user identity data from the integrated SoT systems.

CI supports various mechanisms to develop custom IGA and SoT connector/s:

• REST API based

• SDK or API or CLI-based

• WebService Based

• LDAP-based (JNDI)

• Database-based (JDBC)

• CSV-based

• RPA-based (if the target application does not support any of the above options)

Notifications

Allows administrators to define event-based notifications and alerts. It could be any IAM event:

• End-User events – Authentication, SSO, Change Password, etc.

• Administrator events – Create Identity, Create Workflow and so on.

• System Events – User Import, Account/Entitlement Recon, etc.

• The option to choose multiple send-out notifications – Email, SMS

• Alternatives to schedule these notifications

• The option to choose the recipients of these notifications - Users and user groups

• The proposed solution is committed to industry-leading security and operational practices. Following are the Security highlights of the Solution:

  • Data in Motion – All the communication will be over the secured channel (TLS v1.2)

    1. End-user access to the Cross Identity (CI)

    2. CI to Active Directory

    3. CI to Provisioning Agents to Applications (Depending on the integration feasibility)

  • Data at Rest – The solution encrypts a pre-defined set of sensitive information and supports encryption of any additional required attributes.

  • Intra component communication

    1. Intra-component communication is communication between the browser to the app tier and from the app tier to the database or directory server over a secured SSL channel.

  • Target application communication

  • Communication from CI to the target application is over a secured SSL channel.

  • Logging event details

    1. CI maintains a read-only audit trail for every action performed by the administrators.

  • Account lockout on excessive invalid login and reset attempts.

  • CI supports SAML and OAUTH Signature validation and encryption and decryption support for SSO transactions, enabling integrity checks.