Features in detail
- Updated on 03 Oct 2024
Converged IDAM Platform
Universal Directory
Cross Identity has a built-in Identity Store, the central directory for all users and roles created in Cross Identity or imported from any other source. It allows the solution to be massively scalable. It also allows organizations to use all functionalities of Cross Identity even if they are not using an Active Directory, which makes it an excellent option for authenticating users who are not in Active Directory.
Integration with Source of Truth (SoT)
The solution leverages a listener that can detect changes in the initial feed and, based on the event, can provision/de-provision user accounts in the target systems. This can also be scheduled at off-peak hours. Reusing business rules depends on where the rules exist and on the standards in use; all attempts will be made to reuse the existing components as much as possible.
Cross Identity can integrate with various Source of Truth (SoT) systems such as CSV files, Enterprise Directories, and HRMS applications, allowing organizations to quickly onboard users and manage users and their groups.
Cross Identity can integrate with HRMS as a Source of Truth (SoT) using the inbuilt connectors of Cross Identity.
It also allows multiple directory domains to be configured with the solution. This allows Administrators to configure features required for those specific domains.
Cross Identity provides an SoT Connector that supports the periodic reconciliation of the users into Cross Identity.
During reconciliation, a scheduled task invokes the connector framework operations. This framework, in turn, invokes a search operation on the SuccessFactors Connector Bundle, and then the bundle calls the API for reconciliation operation. The API extracts user records that match the reconciliation criteria and hands them through the bundle and framework back to the scheduled task, which brings the records to Cross Identity.
Each user record fetched from the target system is compared with existing Cross Identity users. If a match is found between the target system record and a Cross Identity user, the Cross Identity user attributes are updated with the changes made to the target system record. If no match is found, a new Cross Identity user is created from the target system record.
CI supports integration with any SCIM-based Systems to pull User data.
Directory Integration
Multiple Active Directories can be integrated with Cross Identity. Users from AD can be imported into CI and can then perform the various IAM use cases in CI.
Importing Users into CI through other methods
CI supports various options to onboard users into its Universal Identity Directory:
Through Add User Form:
An admin can manually add users through the ‘Add User’ form when they join the organization. After adding the users to Cross Identity, you can assign them to applications and groups and manage their profiles.
CSV File Import
CI Admin can onboard new users or update the existing Cross Identity users by uploading a CSV file containing the user information. This includes validation and error reporting of the imported data. The existing user can be ‘assigned as a manager’ to another user (imported through CSV), even if the existing user (manager) is not part of the imported CSV file.
Through CI API
Cross Identity (CI) offers an API feature that allows you to programmatically create users within its Universal Identity Directory, thus eliminating the need for manual user creation. The user creation API supports HTTP or HTTPS requests and follows a REST design pattern. Using the user creation API feature, you can integrate user onboarding directly into your applications, workflows, or systems. This enables automated user provisioning and allows you to synchronize user data with other systems or databases.
Identity Attribute Transformation Rules
CI provides the following attribute management capability:
Ability to expand and manage custom Identity schema attributes.
Attribute mapping during Source of Truth synchronization between SoT attributes and Identity attributes.
Attribute mapping for attribute value propagation from the target application accounts.
Identity Schema Management
CI supports expanding the identity object attribute schema as required. Schema expansion is entirely UI-driven.
CI supports different attribute types, as shown in the figure:
Cross Identity enables the complete administration of attribute mapping.
SoT Attribute mapping
Cross Identity provides a simple script-based process that enables manipulation, derivation and updating of Cross Identity user attributes. For example:
Creating a unique user ID based on different attribute combinations and validating the uniqueness of the value
Concatenation of the attributes
Conditioning of attributes
Static Attribute
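The following is an added example (not Cross Identity's own scripting engine) of the four mapping rule types listed above: a derived unique user ID with collision handling, concatenation, a conditional mapping and a static attribute. The HR field names, the existing-ID set and the ID format are assumptions.

```python
import re
import unicodedata

# Constructed sample of user IDs already present in the identity store.
# Assumption: Cross Identity user IDs are compared case-insensitively.
EXISTING_USER_IDS = {"jsmith", "jsmith1", "mkhan"}


def _normalise(value):
    """Strip accents, drop non-alphanumerics and lower-case (helper, constructed here)."""
    ascii_text = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


def derive_unique_user_id(record, existing_ids):
    """Rule 1: <first initial><last name>, with a numeric suffix added until the value is unique.

    The candidate is reserved in existing_ids so that two records in the same
    batch cannot be assigned the same ID.
    """
    base = _normalise(record["firstName"][:1]) + _normalise(record["lastName"])
    if not base:
        raise ValueError("cannot derive a user ID: first and last name are empty")
    candidate, suffix = base, 1
    while candidate in existing_ids:
        candidate = f"{base}{suffix}"
        suffix += 1
    existing_ids.add(candidate)
    return candidate


def concatenate(record, *fields, sep=" "):
    """Rule 2: join the non-empty values of several source attributes."""
    return sep.join(str(record[f]).strip() for f in fields if record.get(f))


def conditional(record, field, mapping, default):
    """Rule 3: map a source value onto an identity value, falling back to a default."""
    return mapping.get(record.get(field), default)


def transform(record, existing_ids):
    """Apply the SoT-to-identity mapping rules and return the CI user attribute dict."""
    return {
        "userId": derive_unique_user_id(record, existing_ids),
        "displayName": concatenate(record, "firstName", "lastName"),
        "employeeType": conditional(
            record, "hrCategory", {"PERM": "Employee", "CONT": "Contractor"}, "Unknown"
        ),
        "identitySource": "HRMS",  # Rule 4: static attribute, same value for every record
    }


if __name__ == "__main__":
    ids = set(EXISTING_USER_IDS)
    for rec in (
        {"firstName": "John", "lastName": "Smith", "hrCategory": "PERM"},
        {"firstName": "José", "lastName": "Núñez", "hrCategory": "CONT"},
    ):
        print(transform(rec, ids))
```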
Target application account attribute mapping
Cross Identity supports and provides a simple script-based process that enables manipulation, derivation and propagation of Cross Identity user attributes to the target application account.
Delegated Authentication
In addition to authenticating against its Universal Directory, Cross Identity supports user authentications with any Enterprise Directory, such as AD or with any third-party Identity Providers (IdP), such as ADFS.
In the Delegated Directory Authentication method, users can access Cross Identity modules by entering their Active Directory credentials.
In the Delegated IDP authentication method, users can access Cross Identity modules by entering their IdP credentials.
Note:
CI supports the sAMAccountName or the first part of the UPN of an AD user for CI authentication.
Support for Multiple Authentication Roles
With the use of Authentication policies defined in the solution, users can get authenticated to various authentication (CI, AD, ADFS, etc.) stores to get access to Cross Identity modules. Also, multiple Active Directory domains can be integrated with CI and users from these domains can access Cross Identity to perform their IAM use cases in CI.
Support for Third-Party IdP Authentication
CI supports End-User Authentication with Third-party SAML Identity Provider.
Support for Integrated Windows Authentication
Integrated Windows Authentication (IWA) is a popular authentication mechanism used to authenticate users on Microsoft Windows servers. This authentication mechanism does not use the traditional form-based authentication, where the users must enter credentials in a form. Instead, it uses browser-based authentication, where the authentication is handled by the web browser.
The following diagram indicates how the authentication procedure works:
A new policy for IWA has been introduced which will have the highest priority and cannot be deleted once created. This policy works based on the Network IP Address of the users.
Configure the IWA Agent URL under the Authentication Policy:
Ensure that the Authentication Policy is enabled at the Admin Portal. Access the IWA URL.
Without manual intervention, authentication will be performed, and the user will be logged in to the CI portal and can also perform Single Sign On.
User Profile Management
The end user can manage the Identity profiles as below:
Access Management
Single Sign-on
Cross Identity offers a standard role-controlled end-user dashboard. It provides SSO integration capability to Cloud federations, enterprise Web and non-web applications, which include:
SSO for Federated Applications
SAML 2.0 (both IdP- and SP-initiated SSO). Cross Identity also supports third-party Identity Providers (IdP), in which case CI acts as the SP.
OAuth 2.0 (Authorization)
OpenID Connect 1.0 (Authentication using JWT token)
SSO for Non-Federated Web applications
Password vaulting and forwarding or replay techniques.
SSO for Desktop Applications (Thick-Client Applications)
Cross Identity supports IdP- and SP-initiated flows using HTTP POST SSO protocols such as SAML 2.0 (Security Assertion Markup Language) for assertion configuration. It supports passing user attributes from user stores, including LDAP and AD, with support for basic attribute customization.
Cross Identity can integrate as either IdP or SP. It also supports SSO assertions with NameID configuration, X.509 subject name, Email Address, Windows Domain Qualified Name, Kerberos Principal Name, Persistent Identifier, Transient or One-Time Identifier and so on.
Password Vaulting:
CI uses password vaulting and forwarding techniques to perform Single Sign-on to Web Applications which do not support standards such as SAML or OAuth.
The password vault can be configured to use AD or LDAP credentials during forwarding.
When a user accesses an application for the first time, CI prompts the user to register and store the credentials in the password vault.
The password is encrypted and stored in the vault.
The password vault is stored on the Cross Identity cloud.
On subsequent accesses to the application, the password is decrypted from the vault and forwarded to the application.
Supports SAML Application Metadata import
The administrator can import the Service Provider (SP) metadata into the SAML SSO application configuration instead of manually filling in the required fields.
Intermediate Page for New Users during SAML SSO Flow
With the introduction of the intermediate page, new users are seamlessly guided through the account activation process within the SAML SSO flow. This page serves as a dedicated space where users can complete necessary activation steps, such as setting up account preferences or verifying email addresses, before gaining access to the CI user portal.
Landing Page redirection for SAML SP Flow
With this enhancement, upon initiating the password reset or unlock account flow during the SAML SP SSO flow, once the action is completed, the user will be redirected to the target application and SSO will be completed.
Support for Bookmark URL SSO
The SSO bookmark URL directs users to the SSO application login page, injecting login credentials for extension-based apps and redirecting to the app's home page for SAML-based apps.
Update the changed password for Extension-based/Thick-Client Application
This allows users to update the changed password of their credentials for multiple applications in one go on Cross Identity’s End User Portal.
CI Admin - Capturing and Storing AD Login Details for SSO Integration
Cross Identity (CI) admin can capture and securely store user login credentials within the CI environment, which operates on Active Directory (AD) authentication. By storing these credentials, administrators can implement Single Sign-On (SSO) for web-based or extension-based applications integrated with AD, thus enhancing user experience by eliminating the need for repetitive logins. The procedure involves capturing user login details during the authentication process and storing them securely within the CI vault or designated storage mechanism.
Implement the "nonce" parameter in the OIDC flow
In OIDC, the nonce is used to make sure that the ID Token the IdP creates for the user can only be used once, and cannot be stolen and replayed by someone else: the nonce is checked by the Service Provider (SP) to match the value it sent in the authentication request, and must not be a value it has recently accepted already, which would indicate a replay attack. The nonce parameter in OpenID Connect is crucial for associating a client session with the ID Token and is used to mitigate replay attacks.
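The check described above, as an added example rather than Cross Identity's own implementation: the SP issues a random nonce per login session, sends it in the authentication request, and accepts an ID Token only if its `nonce` claim matches the pending value for that session, is within its lifetime, and has not been accepted before. The session store, the 5-minute lifetime and the `make_test_id_token` helper are assumptions; signature validation of the token is assumed to happen separately.

```python
import base64
import hmac
import json
import secrets
import time

NONCE_TTL_SECONDS = 300  # assumption: a login attempt must complete within 5 minutes


class NonceStore:
    """Pending nonce per login session plus a set of nonces already accepted (constructed)."""

    def __init__(self):
        self._pending = {}   # session_id -> (nonce, issued_at)
        self._accepted = set()

    def issue(self, session_id):
        """Create the nonce to include in the authentication request for this session."""
        nonce = secrets.token_urlsafe(32)
        self._pending[session_id] = (nonce, time.time())
        return nonce

    def consume(self, session_id, nonce, now=None):
        """Return True exactly once for the nonce issued to this session, else False."""
        now = time.time() if now is None else now
        if nonce in self._accepted:
            return False                       # replay of an already-used ID Token
        issued = self._pending.pop(session_id, None)  # pop: one attempt per session
        if issued is None:
            return False                       # no login in progress for this session
        expected, issued_at = issued
        if now - issued_at > NONCE_TTL_SECONDS:
            return False                       # stale authentication request
        if not hmac.compare_digest(expected.encode(), nonce.encode()):
            return False                       # token was not minted for this session
        self._accepted.add(nonce)
        return True


def decode_claims(id_token):
    """Decode only the JWT payload segment; signature verification is assumed elsewhere."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)     # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token_nonce(store, session_id, id_token, now=None):
    """SP-side check: the nonce claim must match the pending nonce of this session."""
    nonce = decode_claims(id_token).get("nonce")
    if not isinstance(nonce, str) or not nonce.isascii():
        return False
    return store.consume(session_id, nonce, now)


def make_test_id_token(claims):
    """Constructed helper: builds a JWT-shaped token with a dummy signature segment."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.dummysig"


if __name__ == "__main__":
    store = NonceStore()
    n = store.issue("session-1")
    token = make_test_id_token({"sub": "user1", "nonce": n})
    print("first use:", validate_id_token_nonce(store, "session-1", token))   # True
    print("replay:", validate_id_token_nonce(store, "session-1", token))      # False
```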
Context-based Authentication
Cross Identity supports built-in Multi-Factor Authentication to support platform login, selective integrated application access, and advanced access control policies based on roles, devices and network context. The guidelines can be defined in CI based on the User’s Roles, Devices, Networks and other user contexts.
Below are the built-in MFA factors that CI supports:
Security Questions
Email OTP
SMS OTP
Passwordless MFA
Soft Token: CI supports any TOTP-based soft-token application such as:
Google Authenticator
Microsoft Hello
DUO
CI provides intelligent access decisions while reducing friction for end users. By combining a range of contextual data signals to assess risk, CI determines whether to grant access with or without additional authentication factors, or to deny access.
Below are the details of contextual data signals that CI collects to determine the access controls:
| Sr. No. | Contextual Data Signal | Description |
|---|---|---|
| 1. | User Profile Attributes | CI uses the values of end-users’ profile attributes such as Login ID, Job Title, Department etc. to evaluate the access control policy. |
| 2. | User’s Role Memberships | CI uses the list of IDAM roles in which the user has memberships. |
| 3. | User’s IP Address | CI captures the IP address of the user’s device during the authentication process. This is a dynamic value, captured at the time of authentication. |
| 4. | User’s Geo-Location | CI captures the geo-location from which the authentication request is initiated. This is also a dynamic value. |
| 5. | Device Type | CI captures the type of device from which the user is accessing CI. The value can be Windows, Mac, Linux, iOS, Android, etc. |
| 6. | Host name | CI captures the hostname of the user’s device. |
| 7. | Domain name | CI captures the domain to which the user’s device is joined, if the device is joined to the organization’s AD domain (domain-joined machines). |
| 8. | Access Channel Type | CI captures the access channel through which the user is accessing CI. The value can be Web, Mobile or browser type. |
| 9. | Network | CI provides the option to define the various networks (ranges of IP addresses) the organization has, such as Corporate network, Branch Office network, etc. Once defined, this parameter can also be used in Authentication Policies. |
| 10. | Device MAC ID | CI captures the MAC address of the user’s device. This parameter can also be used to define Authentication Policies. |
| 11. | Device Certificate | CI supports device certificates for evaluating Authentication Policies. During authentication, it captures the device certificate installed on the user’s device and uses it to determine access. |
| 12. | User’s Certificate | CI also supports user certificates for evaluating Authentication Policies. During authentication, it captures the user’s certificate installed on the device and uses it to determine access. |
| 13. | User’s IP Risk-score | CI not only captures the end user’s IP address but also determines a dynamic risk score for that address. This risk score is also used in Authentication Policies to decide whether to grant or deny access. |
| 14. | Time of Access | CI captures the time of access. This parameter can also be used to control end-user access to applications. |
| 15. | Velocity | CI determines the travel velocity implied for the user from the previous location and time of access and the current location and time of access. |
The below picture shows the steps to configure a Context-based Policy in Cross Identity:
This policy is defined to enforce additional MFA (Soft-token) when an end user who is a contractor (has the “Contractor” role membership), whose login ID begins with “CTR”, and who is using a “Windows” machine tries to access the Office 365 application from the “Mumbai” or “Bangalore” location:
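An added example (not Cross Identity's policy engine) that evaluates the contractor policy just described over the contextual signals from the table, and goes one step further by computing the velocity signal (row 15) from the previous and current login location and time so that implausible travel can be denied outright. The signal field names, the 1000 km/h threshold and the decision labels are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than an airliner means the two logins cannot both be the user


@dataclass
class AccessContext:
    """Subset of the contextual data signals CI captures (field names are assumptions)."""
    login_id: str
    roles: set
    device_type: str
    application: str
    city: str
    lat: float
    lon: float
    access_time: float                 # epoch seconds
    prev_lat: Optional[float] = None   # previous successful login, if any
    prev_lon: Optional[float] = None
    prev_time: Optional[float] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def velocity_kmh(ctx):
    """Speed implied by moving from the previous login location to the current one (None if no history)."""
    if ctx.prev_time is None:
        return None
    distance = haversine_km(ctx.prev_lat, ctx.prev_lon, ctx.lat, ctx.lon)
    hours = (ctx.access_time - ctx.prev_time) / 3600.0
    if hours <= 0:
        return math.inf if distance > 0 else 0.0  # same instant, different place
    return distance / hours


def contractor_office365_rule(ctx):
    """The policy from the text: contractor with CTR login ID, on Windows, Office 365, from Mumbai/Bangalore."""
    return (
        "Contractor" in ctx.roles
        and ctx.login_id.upper().startswith("CTR")
        and ctx.device_type == "Windows"
        and ctx.application == "Office 365"
        and ctx.city in {"Mumbai", "Bangalore"}
    )


def evaluate(ctx):
    """Return (decision, reason). The most restrictive check runs first."""
    v = velocity_kmh(ctx)
    if v is not None and v > MAX_PLAUSIBLE_KMH:
        return "DENY", f"impossible travel: {v:.0f} km/h since previous login"
    if contractor_office365_rule(ctx):
        return "MFA_SOFT_TOKEN", "contractor accessing Office 365 from Mumbai/Bangalore on Windows"
    return "ALLOW", "no policy matched"


# Constructed coordinates used below: Mumbai (19.0760, 72.8777), Bangalore (12.9716, 77.5946).
def sample_contractor(with_history):
    return AccessContext(
        login_id="CTR1042", roles={"Contractor"}, device_type="Windows",
        application="Office 365", city="Bangalore", lat=12.9716, lon=77.5946,
        access_time=1_700_000_000.0,
        prev_lat=19.0760 if with_history else None,
        prev_lon=72.8777 if with_history else None,
        prev_time=1_700_000_000.0 - 1800 if with_history else None,  # Mumbai 30 minutes earlier
    )


if __name__ == "__main__":
    print(evaluate(sample_contractor(with_history=False)))  # step-up MFA
    print(evaluate(sample_contractor(with_history=True)))   # deny: ~845 km in 30 min
```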
Context-based Authentication Policy – Actions:
Advanced Access Management policy for IP address
In the Advanced Access Management Policy, a new rule for IP addresses has been introduced where the admin can define a set of IP addresses. If the user keeps logging in from the same IP address for a certain amount of time, MFA will not be prompted. If the user keeps logging in from another device whose IP address is not listed in the policy, that IP address is considered trusted and MFA is disabled for it.
Advanced Access Management policy for MAC address
In the Advanced Access Management Policy, a new rule has been introduced for MAC addresses: if the MAC address matches one of the MAC addresses already recorded for the user, MFA will not be prompted for that user at login.
Session Management
In addition to centralized authentication and single sign-on features, CI provides session management capabilities, including controlling session state for user-present interactions with applications. Ability to define Global session timeout:
Manage Multiple Sessions for End Users
This feature enhances system security within the Cross Identity (CI) platform by maintaining user sessions through the restriction of one browser session per user, as opposed to allowing multiple concurrent sessions. By enforcing this restriction, the system ensures that each user account is accessed individually, thereby minimizing the risk of unauthorized access or account misuse.
SAML Certificate Management
Cross Identity supports the ability to have individual certificates that can be used to sign SAML assertions for each integrating Service provider application:
Consent Management
The end user can manage the consents that have been given to various applications as below:
Password Management
Self-Service Password Reset
Cross Identity allows users to reset their passwords and/or unlock their accounts without any helpdesk support. This is done through various authentication options such as Email-based OTP and SMS-based OTP. Cross Identity lets users focus on business rather than on password management, giving them a seamless experience from anywhere at any time.
Self-Service Change Password
Cross Identity allows users to view, reset, and update passwords of all target applications which are not integrated with AD. This gives users the ability to change passwords right from the launchpad. The solution also allows changing the Active Directory password from the launchpad. This password can also be synchronized to other target applications with the help of password-sync connectors.
Password Synchronization
Cross Identity captures password changes initiated from it and synchronizes the new password with the integrated systems. This gives users a reduced sign-on experience through password synchronization to applications that are not integrated with AD.
Helpdesk Assisted Password Management
The helpdesk-assisted password reset or account unlock feature is a functionality to assist users in regaining access to their accounts when they are locked out or have forgotten their passwords. This feature allows the designated helpdesk users to unlock the accounts of specific users or generate a temporary password for them in case the user has forgotten their passwords.
Admin Capabilities to Reset User Password/MFA Re-Registration
In the identities section of Cross Identity (CI), admin users have the capability to reset a user's password, security questions, or soft token. With this feature, administrators can initiate the process of resetting user credentials, ensuring that when users access CI subsequently, they are prompted to register or establish a new password. This functionality enhances security by enabling administrators to manage and enforce password resets as needed, thereby bolstering the overall integrity of user accounts within the CI system.
Implementation of a Password Policy Restricting User Attribute Use
The password policy has been enhanced to restrict users from incorporating personal attributes (e.g., First Name, Last Name, Email) into their passwords. This configurable policy allows the Cross Identity Administrator to select specific attributes to be restricted, enhancing security by reducing the risk of easily predictable passwords.
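An added example (not Cross Identity's own policy implementation) of the attribute-restriction check: the administrator-selected attributes are split into fragments (for email, the local part and its tokens), and the password is rejected if any fragment appears in it, ignoring case, accents and punctuation. It goes slightly beyond the text by also catching common digit-for-letter substitutions; the 3-character minimum fragment length and the substitution table are assumptions.

```python
import re
import unicodedata

MIN_FRAGMENT_LEN = 3  # assumption: ignore very short fragments such as "Li" that would block too much

# Assumption: common substitutions users make to sneak a name past a naive check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def _canon(text):
    """Lower-case, strip accents and drop everything that is not a letter or digit."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


def attribute_fragments(user, restricted_attrs):
    """Set of canonical fragments derived from the restricted attributes of this user."""
    fragments = set()
    for attr in restricted_attrs:
        value = user.get(attr)
        if not value:
            continue
        if attr == "email":
            value = value.split("@", 1)[0]          # only the local part identifies the person
        for token in re.split(r"[\s._\-]+", value):  # "priya.sharma" -> "priya", "sharma"
            canon = _canon(token)
            if len(canon) >= MIN_FRAGMENT_LEN:
                fragments.add(canon)
        whole = _canon(value)
        if len(whole) >= MIN_FRAGMENT_LEN:
            fragments.add(whole)
    return fragments


def check_password(password, user, restricted_attrs):
    """Return the attribute fragments found in the password; an empty list means the policy passes."""
    forms = {_canon(password), _canon(password.translate(LEET))}
    return [frag for frag in sorted(attribute_fragments(user, restricted_attrs))
            if any(frag in form for form in forms)]


if __name__ == "__main__":
    # Constructed sample identity and administrator-selected restricted attributes.
    user = {"firstName": "Priya", "lastName": "Sharma", "email": "priya.sharma@example.com"}
    restricted = ["firstName", "lastName", "email"]
    for pw in ("Pr1ya!2024", "xSHARMA99", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, user, restricted) or "OK")
```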
Seamless Access to CI Launchpad with CI Authentication Agent
The introduction of the CI Authentication Agent ensures seamless access to the Cross Identity Launch Pad for end users. By automatically initiating the agent upon navigating to the login URL, users can securely access the platform without manually entering login details. The agent captures device information, including username, domain, IP address and MAC address, and relays it to the Cross Identity system for validation. Upon successful validation, users are granted seamless access to the Launch Pad. Detailed login reports are generated, labelled as "CI Auth Agent", and clear error-handling feedback is provided in case of validation issues. This integration enhances user experience while maintaining robust security measures.
MFA for 'Go to Admin Console'
Admin can enable MFA while navigating to the admin console from the end user launchpad. This can be enabled by configuring the Advanced Access Management with the target defined as “CI Admin Portal”.
Cached URL Redirection
This feature aims to improve user experience by redirecting users to the home URL when they attempt to access cached or direct access URLs within the application. It includes identifying all direct access URLs that may lead to cached pages and implementing logic to intercept these requests, ensuring users are redirected to the home URL instead of encountering error pages.
Unlock Account During Reset Password
This feature enables users to automatically unlock their accounts when they reset their passwords in Cross Identity (CI). It combines the account unlock and password reset processes into a single function, eliminating the need for users to choose between the two. The process involves user verification through multi-factor authentication (MFA), followed by a password reset that also unlocks the account if it is locked. Users will receive an email notification confirming the successful password reset and account unlock.
Identity Administration
User Lifecycle Management
Cross Identity supports automated user provisioning and de-provisioning in a real-time environment. There are multiple options available:
The system can be integrated with the Enterprise HR System/Active Directory/LDAP to pull the User information in real time. The following is the high-level flow:
Whenever a new user is created in the HR System, Cross Identity can pull the new user record from the HR System.
Check whether the user already exists or is new, based on the unique attribute.
If it is a new hire/join:
i. CI performs attribute mapping/calculation logic between the HR user record attributes and the CI user record attributes.
ii. CI automatically creates the user in the identity repository.
iii. Based on the configured dynamic policies, the user may get access to application accounts/entitlements.
If it is a terminate/leave operation:
i. If it is an existing user with the terminate flag/attribute set, CI automatically terminates (disables) the user record in the identity repository.
ii. If the user has one or more roles/application accounts/entitlements, they are revoked/suspended automatically.
If it is an update/move operation:
i. If it is an existing user with a job/role/department change, CI automatically updates the user record accordingly in the identity repository.
ii. CI automatically adds/removes roles/application accounts/entitlements based on the job/role/department.
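The joiner/mover/leaver flow above, as an added example (not Cross Identity's reconciliation code). It also covers the SoT reconciliation described under Integration with Source of Truth (match on the unique attribute, update or create) and the attribute-rule-based dynamic roles described later under Role-based Access Control: after each record is reconciled, the dynamic roles are recomputed and the entitlement differences become provisioning events. The HR feed, the department-based role rules and the entitlement names are constructed.

```python
from dataclasses import dataclass, field

# Constructed SoT feed rows as an HRMS connector might return them; employeeId is the unique attribute.
HR_FEED = [
    {"employeeId": "E100", "firstName": "Asha", "lastName": "Rao", "department": "Finance", "status": "Active"},
    {"employeeId": "E101", "firstName": "Ben", "lastName": "Li", "department": "Engineering", "status": "Active"},
    {"employeeId": "E102", "firstName": "Cara", "lastName": "Ng", "department": "Finance", "status": "Terminated"},
]

# Dynamic role rules keyed on identity attributes (assumption: department-based birthright roles).
DYNAMIC_ROLE_RULES = {
    "Finance-Users": lambda u: u["enabled"] and u["department"] == "Finance",
    "Engineering-Users": lambda u: u["enabled"] and u["department"] == "Engineering",
}
# Entitlements mapped to each role (constructed target application entitlements).
ROLE_ENTITLEMENTS = {"Finance-Users": {"SAP:FI_VIEW"}, "Engineering-Users": {"GitLab:developer"}}


@dataclass
class Identity:
    employee_id: str
    attributes: dict
    enabled: bool = True
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


def compute_roles(identity):
    """Evaluate every dynamic role rule against the identity's current attributes and state."""
    view = dict(identity.attributes, enabled=identity.enabled)
    return {role for role, rule in DYNAMIC_ROLE_RULES.items() if rule(view)}


def apply_roles(identity, events):
    """Grant/revoke roles and the entitlements they map to, recording each change as an event."""
    wanted = compute_roles(identity)
    for role in sorted(wanted - identity.roles):
        events.append(("grant_role", identity.employee_id, role))
    for role in sorted(identity.roles - wanted):
        events.append(("revoke_role", identity.employee_id, role))
    identity.roles = wanted
    wanted_ents = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in wanted))
    for ent in sorted(wanted_ents - identity.entitlements):
        events.append(("provision", identity.employee_id, ent))
    for ent in sorted(identity.entitlements - wanted_ents):
        events.append(("revoke", identity.employee_id, ent))
    identity.entitlements = wanted_ents


def reconcile(feed, directory):
    """Reconcile one SoT feed into the identity store; returns the provisioning events in order."""
    events = []
    for row in feed:
        key = row["employeeId"]
        attrs = {k: v for k, v in row.items() if k not in ("employeeId", "status")}
        terminated = row["status"] == "Terminated"
        identity = directory.get(key)
        if identity is None:
            if terminated:
                continue  # never onboard someone the SoT already reports as terminated
            identity = directory[key] = Identity(key, attrs)       # joiner
            events.append(("create", key, None))
        elif terminated:
            if identity.enabled:                                    # leaver
                identity.enabled = False
                events.append(("disable", key, None))
        else:
            if identity.attributes != attrs:                        # mover
                identity.attributes = attrs
                events.append(("update", key, None))
            if not identity.enabled:                                # restore
                identity.enabled = True
                events.append(("enable", key, None))
        apply_roles(identity, events)  # disabled users match no rule, so everything is revoked
    return events


if __name__ == "__main__":
    store = {}
    for ev in reconcile(HR_FEED, store):
        print(ev)
```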
Cross Identity exposes REST APIs for all the user lifecycle management operations. Any third-party application can use the CI REST APIs to perform automatic provisioning and de-provisioning of users in real time.
Following is a high-level description of the functional IGA capabilities:
User Administration Support
New User onboarding
When a user is hired, the first step is creating a new record for the employee by HR. Once a record is created in the Source of Truth (SoT), the record will be synced in the Cross Identity solution based on a connector on the tenant.
CIAM Use case of Self-registration: CI provides a customizable self-registration page where users can register themselves.
Contractors or Sponsored User Management:
CI provides the manager and the administrator the ability to onboard or register contractors or sponsored users manually.
Optionally, CI provides CSV file-based bulk import of users.
All other lifecycle operations, such as dynamic role assignment, birthright provisioning, termination, self-service functionalities, access requests and access recertification, are also supported.
Promotion or Transfer
As users are promoted, transferred or change roles based on the new role, the new access will be provisioned. Existing accounts and entitlement will be removed automatically based on the dynamic roles.
Suspend or Restore User and Application Accounts:
The HR system updates the suspend date for a user. When the suspend date matches the system date, the user ID and all associated accounts are suspended.
When the HR system updates the restoration date for a user, the user record and its provisioned accounts are restored.
Remove User and All Accounts on Termination:
HR system updates the termination date for a user. When the termination date matches the system date, the User ID and the associated accounts will be disabled. Group access and shared resource ownership will be removed.
Additional Access Requests and Approvals
Additional access requests and approvals are handled in the Cross Identity solution. End users or the user's manager can request further access. One-level or multi-level approval is configured in the system. After the proper approval, the account and access are provisioned in the target applications.
Static and Dynamic Role Definition
The solution supports the ability to define dynamic roles based on a combination of user attributes, with the ability to auto-provision accounts and application entitlements.
The solution also provides the ability to define static roles to entitlement definitions that can be mapped to access request workflow.
Automated Target Application Account Provisioning
CI supports hundreds of provisioning connectors that cover the full set of user provisioning use cases:
Create
Modify
Suspend
Restore
Delete
Entitlement/group assignment and revocation
Change password
The provisioning connectors are available across the tenant as part of the application store and can be easily configured by administrators.
Display identity creation method when the user is created
When an identity is created, CI displays the creation method in the “Others” tab of the respective Identity.
• When an identity is created manually, CI displays “Identity was created manually”.
• When an identity is imported into CI, it displays “Identity imported from AD/CSV/SoT”.
• When an identity is created via the CI add user API, the method will be mentioned as "Identity was created via Cross Identity (CI) API".
Supports option for test connectivity for SoT and AD Directory configuration
After configuring the SoT/Directory as the Source of Truth system in CI, the admin can test the connectivity to the configured SoT system by clicking the Test Connectivity button on the configuration page.
Rule-based Role Assignments
Cross Identity supports business or organization roles and supports the dynamic assignment of users to these roles. Users can create rules based on various user attributes so that users can automatically be assigned to specific roles when added to Cross Identity or when any of the existing user attributes are changed.
General Tab - IGA Application
Enhanced the Application Configuration tab by renaming it to "General" and introducing additional configuration details for Identity Governance and Administration (IGA) applications, so that crucial information such as the Application Owner and Dormancy Period can be conveniently managed.
Account Management Dashboard Creation
This dashboard for CI Admins displays vital statistics such as total accounts, total entitlements, recent access requests, access review summaries, average password resets and logins.
Test connectivity for IGA applications
The test connectivity button in the IGA Application configuration allows administrators to verify whether the connection details for the respective IGA application are correct or not.
Role-based Access Control
Cross Identity supports business/organization roles and supports dynamic assignment of users to these roles. Customers can create rules based on various user attributes so that users can automatically be assigned to specific roles when added to Cross Identity or when any of the existing users’ attributes are changed.
Cross Identity supports three types of roles:
Static Role – IAM admin or authorized person can create a static role manually based on the organization's requirements. IAM admin can add multiple application entitlements in the static role. When an end-user requests a static role, Cross Identity sends the requests via a connector to target applications, creates a respective account, and adds appropriate entitlements. The solution supports defining segregation of duty checks on the static role. The SOD is evaluated during the access request process.
Dynamic Role – Dynamic roles are assigned automatically based on a rule configured by the Cross Identity admin. For example, the admin can create a rule that if the user's Job Title equals "Security Architect" and Job Location equals "United States", the user gets the Security Architect role. All users whose job title and location match the rule get the role automatically. This can be used for birthright provisioning. When the user gets the role, Cross Identity requests the target application via a connector to provision the accounts and entitlements, creating them automatically without manual intervention.
Built-in/System Defined – Roles created by default and used for operating the Cross Identity System, including admin role, helpdesk, etc.
Cross Identity supports the setting of role-based access controls.
Admin can define if an application is available for SSO on the user's dashboard by authorizing the Application based on Roles and user attributes.
For example, if the admin defines that members of the "Sales" role can SSO to Salesforce, a user John who is not a member of the "Sales" role will not see the Salesforce application SSO icon on the dashboard.
Admin can also restrict what menu options are available to the users during self-service based on roles.
When HR Data is read from an authoritative source, Cross Identity can automatically provision and de-provision application access based on roles.
Users of the Help Desk role can only perform Helpdesk password-related operations.
Only Managers and Application owners can perform workflow and certification tasks based on roles.
Account/Entitlement Provisioning
Birthright Account/Entitlement Provisioning
All users joining an organization get access to specific systems and applications as part of default application access for everyone (such as an AD account to login to OS and join the domain, an Email account, Office 365, etc.).
Organizations have different access to users based on the overall processes and organizational rules. Cross Identity can grant conditional birthright provisioning based on those rules that enable access to different systems and applications.
Promotions and Transfers
Cross Identity automatically adjusts user access across business applications based on promotions or transfers. The necessary accounts relevant to the user's new role are automatically provisioned. Those accounts that are no longer relevant to the user's new role are automatically de-provisioned. Provisioning and de-provisioning follow the rules defined in the relevant applications configured for the role.
Request Based Account Provisioning
Cross Identity supports the ability to request access to the published entitlements, Roles or application accounts.
Users can select the duration of the time the access is needed and provide the appropriate comments.
These requests are sent to the relevant authority for approval based on the multi-level approval workflow configuration. Upon approval, the request will be provisioned automatically.
Cross Identity allows the user to track and manage the request. Users can see the name of the pending approver:
Approver: An approver can approve, reject or forward the request. The approver can also change the duration of access that the user requested.
Cross Identity supports notifying both the approver and the requestor of the status of the action that has been taken.
Once the request is approved, provisioning depends on the type of access: if a business role was requested, CI provisions the application accounts and entitlements mapped to that role; if a direct entitlement was requested, CI provisions the entitlement on the user's account in the target application.
Request Based Role Provisioning
Cross Identity allows users to request membership in roles within Cross Identity. These requests are sent to the relevant authority for approval based on the multi-level approval workflow configured when the role was defined. Upon approval, the users are given membership in the requested role and the accesses linked to that role are automatically provisioned.
The user can initiate an Access Request using the Launchpad or the mobile app. Users can also see the status of their request on the Launchpad or the mobile app. Approvers can approve or reject access requests in the desktop or mobile Launchpad.
Suspension and Restoration
Cross Identity automatically suspends users marked as Suspended in the integrated SoT – CSV, Active Directory or HRMS. Based on the user's status in Cross Identity, their accounts in the various target applications are suspended.
When users are marked as Restored in the integrated SoT, Cross Identity automatically reactivates all their accounts and enables all their accesses.
Account categories (Regular/Privileged) in IGA
Admins can now apply appropriate access controls based on the account type by manually marking user accounts and entitlements as privileged. The feature includes options for provisioning changes and filtering users based on privilege status. The change category button allows admins to mark a user as Regular/Privileged. If the user is marked as privileged, an orange hat icon indicates this.
Contractors/Sponsored User Management
CI provides the manager and the administrator the ability to onboard or register contractors, vendor users or sponsored users by requesting to create new Identities in CI.
Optionally, CI provides CSV file-based bulk import of users.
All other lifecycle operations like dynamic role assignment, birthright provisioning, termination, self-service functionalities, access requests and access recertification are also supported.
De-provisioning/Termination
Cross Identity automatically detects, from the integrated SoT, when a user leaves the organisation. It then removes the user's access across all business applications, eliminating the need to do this manually. This feature helps organizations achieve statutory and regulatory compliance and ensures adequate security.
Support for Application account attribute transformation
Target application account attribute mapping
Cross Identity provides a simple script-based process for transforming Cross Identity user attributes and propagating the derived values to target application accounts.
Multi-Level Approval Workflows
Cross Identity allows administrators to configure multi-level workflows for access requests to applications or roles. Admin can choose a role as the approving authority at each workflow level. Additionally, the admin can specify if all users or only one user of a role need to approve the request.
These workflows can be configured for each application and role.
Approval Delegation
CI supports delegating approval tasks within CI, for example access request approval and access certification. CI can either forward the approval request or use an out-of-office delegation configuration under which access request approvals and access certification approvals are delegated to another user.
Cross Identity also supports the ability of an authorized user/manager/admin to assign roles and entitlement to any other user with or without approvers to meet the requirement of the delegate.
Initiate Access Request Workflow using API (OAuth/OIDC)
Cross Identity can initiate access requests in two ways:
• CI user manually requests the Access via the End User Portal (existing feature)
• External system invokes an API to initiate the Access-Request
Once the request is initiated, the workflow defined in CI is triggered (as per the current flow). When the API is invoked from the external system, it returns the request ID.
User Profile Management
The end user can manage the Identity profiles below:
Allows managers to revoke user’s role access and Application Access
CI allows managers to revoke the role, application and/or entitlement access of their users through the CI End User Portal.
Supports Nested Drop-down in Access Request
The requester can select one value from the custom drop-down field and CI will populate the corresponding values on another drop-down field based on the above selection.
With this, the requester can easily select the value on the second drop-down field.
Option of initiating all Provisioning and de-provisioning activities based on schedule
It is a time-based approach for various operations like create, modify, suspend, restore, delete, password sync, add entitlement and remove entitlement.
For example: When a user is created in Cross Identity, you have the option to schedule the creation of the corresponding account in the target application.
Enhancing Failed Transaction Identification and Re-Triggering
This function helps in detecting both the successful and unsuccessful transactions initiated by the IGA connectors for the specified operations such as creating, modifying, suspending, restoring, deleting the account, password change, adding and removing entitlements.
With each failed transaction you can determine the underlying reason for the failure and retrigger the process once the issue is resolved.
Remove user-role membership in CI after import, if a user is removed from a group in AD
This enhancement ensures that users removed from AD groups are promptly unassigned from corresponding Cross Identity roles when AD import is initiated, enhancing access management consistency and efficiency.
User should convert to Privileged from Regular immediately after getting access to Privileged Entitlement
This enhancement ensures that when a regular user requests and is approved for privileged entitlement, they are immediately marked as a privileged user. Previously, users were not marked as privileged until account resets and reconciliation were performed in the IGA application. With this enhancement, the user’s status will be updated to privileged immediately upon approval, without requiring further actions in the accounts section of the IGA application.
Access Governance
Consolidated Access View
Cross Identity lets administrators get a real-time view of user access across business applications.
This enables administrators to see the accounts a user holds across business applications and to take appropriate action if anything is out of place.
Orphan or Dormant Account Reporting
Cross Identity detects orphan and dormant accounts across business applications and allows administrators to act appropriately.
Once detected, an orphan account can be:
Assigned to a user on specific criteria defined by the administrator
Assigned to a user manually by the administrator
Auditing - Dashboard and Reporting
Cross Identity provides an intuitive dashboard to view everyday events such as:
End-User events – Authentication, Application SSO, Change Password, etc.
Administrator events – Create Identity, Create Workflow and so on.
System Events – User Import, Account/Entitlement Recon, etc.
Cross Identity provides a variety of pre-configured reports for assistance during audits and Statutory and Regulatory compliance:
Various options to filter out data – Easy to use, but powerful Interactive UI for defining filtering logic.
Options to merge various Identity entities (User, Roles, Applications, Entitlements) events and data records to generate meaningful custom reports.
Natural Language Reporting using AI
Introduced natural language query capabilities, allowing administrators to generate reports effortlessly by interpreting free text. The feature ensures accurate interpretation, efficient report generation, and readability in various common formats.
User identification in reports
Generates a report with the list of licensed user details (both assigned and non-assigned licenses) from the Reports Section. Admin can download the data in a PDF or CSV format for audit purposes.
License Report
Generates a report with the list of licensed user details (both assigned and non-assigned licenses) from the Reports Section. Admin can download the data in a PDF or CSV format for audit purposes.
Add Dept, MFA Registration & Source columns in the License Reports
Added 3 new columns in the license reports to display the department, MFA registered for by the user, and the source of the user.
The Department column provides information about the department associated with each user.
The MFA Registered column displays the multi-factor authentication methods registered by each user, separated by commas, encompassing various options such as Soft Token, Security Questions, Email OTP, SMS OTP, and Password-less Authentication.
The Source column indicates the origin of each user: an integrated system (SoT), creation directly in Cross Identity (CI), or CSV import.
Report of users who have activated CI account and have registered to any MFA options but not logged in
Generates a report listing users who have not logged in to their CI accounts after setting the new password and registering for MFA as part of the initial activation process.
Report to show who has not activated their CI account login as part of the initial activation process
Generates a report listing users who have not logged in to their CI accounts as part of the initial activation process.
Report to show who has not activated their MFA as part of the initial activation process
Generates a report listing users who have not activated their MFA as part of the initial activation process.
A report should be generated for failed email delivery
If email delivery fails while the admin is notifying users about CI Account and/or MFA Activation, a report is generated listing the failed email deliveries.
Download the Identities report from the Identities page
Admin can download the list of identities from the identities page based on the column filters applied in the identities page. This report will be downloaded in the form of a CSV.
Access Review and Certification/Attestation
Supports four different access certification campaign definitions:
Entitlement Campaign – Ability to combine entitlement across various applications into a campaign that must be certified.
Role Certification Campaign – Ability to combine business roles across different applications into a campaign that must be certified.
Application Account Campaign – Ability to select applications that must be certified for a campaign. All the chosen applications' accounts will be included in the campaign.
User Identity Account Campaign – Ability to group users based on roles and attributes to trigger user end date extension.
Access Certification Connectors: Cross Identity leverages the IGA connector to perform reconciliation, retain and revoke action via connectors that will be provisioned and integrated as part of the project implementation.
CSV File-based Certification Connectors: For applications that are not integrated via the IGA connector, Cross Identity supports a simple CSV file-based approach to reconcile users' entitlement data and run the certification campaign.
Cross Identity supports the manual fulfilment approach where CI initiates a fulfilment task that the application administrator can mark as complete.
Cross Identity also includes Access Review. Campaigns can be launched from the Cross Identity system. In a typical review campaign, the following steps are involved:
Before the Access Review campaign begins, Cross Identity runs an Account and Access reconciliation report.
The campaign begins when the system sends the report to all the managers with details of their subordinates' access:
In the tool, managers are given a deadline to finish the review. They must indicate the accesses to be accepted and rejected. This approach enables the addition of two levels of approval.
Once the Manager Review is completed, Cross Identity follows this process:
The reviews are sent to the second approver, or a report is prepared by Cross Identity compiling all the proposed access terminations.
The system then completes the access removals through the User Lifecycle module. This step is called closed-loop remediation and is optional.
After the review cycle is completed, Cross Identity generates the following:
A comprehensive list of the accesses that were removed.
The latest orphan account list. This list enables the organization to take action to reduce orphan accounts by re-assigning or eliminating them, thus efficiently utilizing licenses.
The Access Recertification module provides all the necessary reports and closes the campaign.
Event-based Access Review and Recertification
Admins can create Access Review campaigns triggered by events such as Role Removal/Movement or Dormant Account status. The feature includes customizable workflows, dynamic target selection, and default reviewers based on event types, ensuring efficient management and retention of entitlements. Reviewers are equipped with options to retain entitlement access while revoking role access.
The reviewers will have another option in the menu called “Event-based Certification” to review the Role movement and Dormant Accounts.
Segregation of Duties (SoD)
Cross Identity also provides a Segregation of Duties feature enabling the administrators to segregate responsibilities to prevent misuse of critical combinations of tasks in the process. SoD Policies can be defined for:
Static Roles
Applications
Entitlements
Notes:
Dynamic Roles cannot be defined in SoD policy.
Defining SoD Policies
The SoD Menu is present on the End User Portal and will be enabled only for the admin users. The SoD Policy configuration menu will be made available only to the admin users and SoD owners. SoD reviewers will not have the ability to access the SoD policy configuration menu.
The sub-menus under the SoD module would be:
Summary
SoD Policies
SoD Violations
The following will be the access control for each role:
Role/Menus | Summary | SoD Policies | SoD Violations |
---|---|---|---|
Admin | ✔ | ✔ | |
SoD Owner | ✔ | ✔ | ✔ |
SoD Reviewer | ✔ | | ✔ |
The SoD Admin can view the Summary (Dashboard view) of the violations and view/edit the SoD Policies.
SoD Owners have the same control as the SoD Admin and can also review the violations.
SoD reviewers will only be able to view the Summary and perform the review of the violations.
SoD Owners and Reviewers will be configured in the below screen:
Offline SoD Campaigns
An offline SoD campaign runs the configured SoD policies to identify existing violations and triggers reviews of those violations for the respective SoD owners/reviewers.
The campaign can also be previewed by the SoD admin/owner to identify the number of violations before triggering the SoD policy.
The SOD Campaign screen would look like below:
Online SoD Campaign
SoD violations of the requestor will be highlighted to the approver in case of Access Requests, and the reviewer in case of Access Certification. In case of violation during Access Request, the reviewer grants a limited-time access to the requester. Violation can be mitigated during the request/ review process.
The SoD policies will also be auto-triggered for the concerned application at the time of reconciliation. Also, if a user has been added to a static/dynamic role that grants access to applications and entitlements, the SoD policies will be auto-triggered. The above process allows the roles and entitlements of the existing users to be in check and prevents the users from getting unauthorized or elevated access.
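The policy definition rules (policies over static roles, applications and entitlements; no dynamic roles), the offline campaign and the online check at access-request time, as an added worked example that is not Cross Identity's own code. The policies, users and the dynamic-role list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Access:
    """An item a user can hold; kind is 'role', 'application' or 'entitlement'."""
    kind: str
    name: str


@dataclass(frozen=True)
class SoDPolicy:
    policy_id: str
    first: Access
    second: Access  # holding both first and second is a violation
    owner: str      # SoD owner who reviews violations of this policy


ALLOWED_KINDS = {"role", "application", "entitlement"}
DYNAMIC_ROLES = {"All-Employees"}  # constructed: dynamic roles cannot appear in a policy


def define_policy(policy_id: str, first: Access, second: Access, owner: str) -> SoDPolicy:
    """Validate a policy the way the configuration screen would before saving it."""
    for item in (first, second):
        if item.kind not in ALLOWED_KINDS:
            raise ValueError(f"unsupported policy target kind: {item.kind}")
        if item.kind == "role" and item.name in DYNAMIC_ROLES:
            raise ValueError(f"dynamic role {item.name} cannot be used in an SoD policy")
    if first == second:
        raise ValueError("a policy needs two different items")
    return SoDPolicy(policy_id, first, second, owner)


def violations(access: Set[Access], policies: Iterable[SoDPolicy]) -> List[str]:
    """IDs of the policies violated by this access set."""
    return [p.policy_id for p in policies if p.first in access and p.second in access]


def offline_campaign(users: Dict[str, Set[Access]],
                     policies: List[SoDPolicy]) -> Dict[str, List[Tuple[str, str]]]:
    """Offline campaign: scan every user's current access, group review tasks by owner."""
    review_tasks: Dict[str, List[Tuple[str, str]]] = {}
    owner_of = {p.policy_id: p.owner for p in policies}
    for user_id, access in users.items():
        for policy_id in violations(access, policies):
            review_tasks.setdefault(owner_of[policy_id], []).append((user_id, policy_id))
    return review_tasks


def online_check(current: Set[Access], requested: Access,
                 policies: Iterable[SoDPolicy]) -> List[str]:
    """Online check at request time: policies the request would newly violate.

    Pre-existing violations are excluded so the approver sees only what this
    request adds; those are handled by the offline campaign.
    """
    before = set(violations(current, policies))
    return [pid for pid in violations(current | {requested}, policies) if pid not in before]


# Constructed sample data: accounts-payable conflict policies and two users.
POLICIES = [
    define_policy("P1", Access("role", "AP-Clerk"), Access("role", "AP-Approver"), "fin-sod-owner"),
    define_policy("P2", Access("entitlement", "vendor-master-edit"),
                  Access("entitlement", "payment-release"), "fin-sod-owner"),
]
USERS = {
    "alice": {Access("role", "AP-Clerk"), Access("entitlement", "vendor-master-edit")},
    "bob": {Access("role", "AP-Clerk"), Access("role", "AP-Approver")},
}

if __name__ == "__main__":
    print("offline campaign:", offline_campaign(USERS, POLICIES))
    print("alice requests payment-release:",
          online_check(USERS["alice"], Access("entitlement", "payment-release"), POLICIES))
```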
SoD Delegation
The SoD Owner/ Reviewer can delegate an entire policy to another SoD Reviewer. This option will be available on the SoD Policy page under the Reviewer section.
The Out-of-Office Delegation menu captures the delegated SoD reviewer for the policies assigned to the logged-in reviewer. If the SoD task is delegated, the delegated user will be able to see the Pending Activities of the SoD Reviewer and Owner. In both cases, notifications are triggered to the reviewer if the review tasks have been delegated.
SoD Summary
The SoD Summary provides an overall dashboard view of the violations present in the system. The dashboard widgets display information based on the policies assigned to the SoD Owner or SoD Reviewer, whereas the admin sees a summary of all the active SoD policies in the system.
Privileged Identity and Access Management
Cross Identity’s PAM solution is designed to help organizations prevent cyber-attacks by securing and managing privileged access across on-premises, cloud, and hybrid environments while also providing them with granular control and visibility over who has access to those accounts and how they are used.
This section describes the overall solution architecture of Cross Identity Privileged Access Management:
Our PAM solution provides comprehensive, centralized control over privileged accounts and access on a single platform that is easy to use, secure and cost-effective, to manage and secure privileged accounts across multiple systems.
Cross Identity’s PAM solution provides the below-listed features:
Single Sign-on to CPAM
Single Sign-on to CPAM enables users to access privileged resources through a unified authentication process. CPAM can be integrated as a SAML application with Cross Identity to perform SSO. This can be configured as SP or IdP-initiated flows.
Session Monitoring and Recording
Session Manager in PAM records all privileged user sessions, including user activities and changes made to sensitive systems and data. It also provides the ability to replay privileged sessions for forensic analysis and incident response purposes.
Clicking on that link navigates to a screen with a player that loads the recording and allows it to be played back:
Multi-Factor Authentication (MFA)
CI-PAM can be enabled with context-based MFA factors for an additional security layer. With Cross Identity, a step-up authentication layer can be enforced when logging in or performing Single Sign-on to Cloud PAM (CPAM). This can be set up based on various contexts available in the CI solution such as Geolocation, IP Range, Time of access and so on.
The MFA options include:
Security Questions
SMS OTP
Email OTP
Soft Token
Password-less MFA
The password manager in PAM stores all privileged account credentials in a secure, centralized vault. This reduces the risk of password theft and unauthorized access to sensitive systems and data.
Password rotation
The Password rotation feature has been built for the PIAM applications wherein the password of the application accounts (both owned and orphan accounts) will be rotated based on the number of minutes configured. A random password will be generated with which the user will be able to access the PAM application.
Privileged Account Discovery
Identifies overprivileged accounts, service accounts using user identities, and unused accounts to classify accounts based on their privileged status.
The Privileged Access Discovery in CPAM identifies account misconfigurations including overprivileged accounts, service accounts using user identities, and unused accounts. By identifying the age of passwords, it points to unused accounts or accounts that have not had their passwords rotated.
Privileged Access Request and Approval
Access Manager in PAM can include workflows for requesting and approving access to privileged accounts and resources. Users can request access to the CPAM solution or certain servers through Cross Identity.
Once the approver approves the request, access will be granted. This helps ensure that access is granted only to authorized users and reduces the risk of insider threats.
Privileged Access Certification
This involves the oversight and control of privileged access rights within an organization. It ensures that policies and procedures related to privileged access are adhered to and regularly reviewed.
Privilege Elevation
The creation of privileged accounts with the necessary access rights and permissions along with the access termination (de-provisioning) is feasible with the Cross Identity IAM Solution integrated with CI PAM.
Compliance and Auditing
CI-PAM ensures compliance with regulations and industry standards through comprehensive auditing capabilities, access controls, and detailed reporting, enabling organizations to meet regulatory requirements and demonstrate compliance.
Pay-per-Use (PPU) Consumption Portal
Cross Identity offers two licensing models:
User-based License – the conventional license model, where customers purchase Cross Identity licenses based on the number of users in the system.
Consumption-based License – in this model, the customer pays according to the usage of the product.
Consumption-based (Pay-per-use) Licensing Model
Pay-per-Use (Consumption-based license) is an innovative license model. Customers do not need to purchase CI licenses based on the number of users. Instead, they get a bundle of user licenses without any payment, and the price is determined by their consumption of the Cross Identity solution. This model uses the events below to determine the customer's consumption:
Application Access
MFA Usage
Password Reset
User Management Events (Create, Update and Delete)
Access Request
Access Review
Each of these events will have a price defined when the customer purchases a Cross Identity subscription (as shown below).
Based on the usage of these events, the monthly price will be calculated, and the customer has to pay only that price – Pay-Per-Use Model.
The Pay-per-Use Consumption Portal provides a summary of the various Identity and Access Management events that occurred in Cross Identity. It enables you to drill down into those events by the user's Department (Business Unit) and provides a summary of the consumption billing, including monthly billing details, billing trends and event-wise billing reports. In the Report section, users can generate various reports by event, department or event status.
Event Dashboard
It shows 8 widgets:
Sr. No. | CI Event Widgets | Description | Availability of Drilldown table |
---|---|---|---|
1. | License Usage | Shows the total number of licenses permitted | No Drill-down table |
2. | License Assigned by Departments | Shows the assigned licenses based on departments | One-level of Drilldown table |
3. | Application Access | Shows the number of application accesses by today, this week and this month | Three-level of Drilldown table |
4. | User Login Events by Departments | Shows the number of User Logins with status in each department | Two-level of Drilldown table |
5. | Password Reset Events by Departments | Shows number of Password Reset with status in each department | Two-level of Drilldown table |
6. | User Management Events by Departments | Shows the number of User Management events in each department | Two-level of Drilldown table |
7. | Access Request Events by Departments | Shows the number of Access Requests with status in each department | Two-level of Drilldown table |
8. | Access Review Events by Departments | Shows the number of Access Reviews with status in each department | Two-level of Drilldown table |
Usage by Departments
You can click on any widget to view finer details.
Billing Dashboard
Reports
Integration of Tenant Creation and Modification in MSSP/Consumption Portal
The integration of tenant creation and modification in the MSSP/Consumption portal streamlines administrative tasks by allowing CI Admin users to create and modify tenants directly within the portal interface. This eliminates the need for separate URLs, providing a seamless and efficient experience for managing tenant configurations.
Other Features
Application Store
Cross Identity provides a centralized app store accessible by all users. The App Store includes 1500 plus SAML applications, 2000 plus web applications and 100 plus IGA application connectors.
SoT & IGA Connector Framework
Cross Identity’s Connector Framework provides interoperability between Cross Identity and IGA and SoT applications/systems. The Cross Identity IGA connector enables provisioning & de-provisioning to the accounts and entitlements that are maintained by the integrated target applications/systems.
SoT connectors allow CI to pull user identity data from the integrated SoT systems.
CI supports various mechanisms for developing custom IGA and SoT connectors:
REST API based
SDK or API or CLI-based
WebService Based
LDAP-based (JNDI)
Database-based (JDBC)
CSV-based
RPA-based (if the target application does not support any of the above options)
Notifications
Allows administrators to define event-based notifications and alerts. It could be any IAM event:
End-User events – Authentication, SSO, Change Password, etc.
Administrator events – Create Identity, Create Workflow and so on.
System Events – User Import, Account/Entitlement Recon, etc.
The option to choose multiple send-out notifications – Email, SMS
Alternatives to schedule these notifications
The option to choose the recipients of these notifications - Users and user groups
Email API provider to be integrated for SMTP
Email API provider has been integrated to improve email notifications, alongside the existing SMTP gateway. This integration allows for enhanced email functionality and leverages the capabilities of an external Email API provider.
Getting Started Page
The Getting Started Page helps to set up the Cross Identity solution hassle-free for the first time. It provides a step-by-step guide for the initial configurations for example: Onboarding identities, applications, Managing Roles, setting up the Agent, Configure Authentication policies and so on.
Supports Custom SMS Gateways
Custom SMS Gateways can be integrated with CI for sending various notifications from CI over SMS. Customers can configure the SMS gateway which they are already using in their organization in CI.
Enhance Security for TOTP Verification API through OAuth/OIDC Integration
By integrating OAuth 2.0 and OpenID Connect (OIDC) with our TOTP verification API, we bolster security measures, enabling secure authentication and authorization of client applications. This enhancement ensures that only valid requests are processed while safeguarding user authentication with robust security protocols.
Password Visibility Toggle
Both administrators and end-users can view passwords entered into password fields by clicking on a password visibility toggle. Administrators and end-users alike can use this toggle to ensure accuracy when entering passwords, streamlining authentication within the CI system.
Update Heading for Soft Token MFA Registration Step
An enhancement has been implemented in the soft token registration process to improve user guidance. The updated heading now provides clearer instructions to end users, displaying: "Please enter the TOTP code below to complete the registration." This modification aims to enhance user experience by providing explicit instructions during the registration process, ensuring smoother navigation and understanding for users.
Update Prompt for Entering Soft Token Code
The modification updates the heading from "Please enter 6-digit numeric code" to "Open your MFA app again, get the 6-digit numeric code and enter these 6-digits below. Click Verify". This adjustment aims to improve user understanding and streamline the verification process.
Deactivate button on the Identities Page
In the Admin portal, a new button called "Deactivate" is on the Identities page, so that the admin can permanently suspend a user and remove their assigned license. When the admin clicks on the "Deactivate" button, the user's status will be changed to "DEACTIVATED”, and their assigned license will be revoked.
This means that the user will no longer be able to access CI and their account will be permanently suspended.
License revocation after user deletion
When a user is deleted from Cross Identity’s Universal Directory, the license of that user will also be revoked permanently.
API for a list of active users in Cross Identity
A new API has been introduced to fetch all the active users present in CI.
Remove the login prompt when an end user clicks the registration/ manage credentials menu item
When a logged-in user clicks the Registration menu to register Security Questions, a Soft Token or Passwordless MFA, the user is offered multi-factor authentication (MFA) for added security instead of a login prompt.
To achieve this, the admin can navigate to the Target section of the Advanced Access Management Policies, and set policies for who has access to these MFA-enabled options.
Ability to trigger bulk emails to those who have not yet activated their CI account
Admin can select the users and trigger emails to the users who have not logged into their CI account even once. A bulk email trigger can also be generated.
Ability to trigger bulk emails to those who have not yet activated MFA
Admin can select the users and trigger emails to the users who have not activated their MFA options. A bulk email trigger can also be generated.
Alert should be sent to the admin of any issues encountered during the email-triggering process
When an email triggered for CI Account and/or MFA Activation fails to send, an alert is sent to the admin's email address.
This configuration will be present under the SMTP Configuration of the Advanced Menu.
Trigger email when admin resets MFA Re-Registration for the identity
Email notifications will be sent to the respective user when the admin resets MFA options – Security Questions and Soft Token so that the user can re-register for the MFA.
Further features of Cross Identity:
Ability to populate data for a DROP-DOWN attribute of Identity through API
Supports various user attributes (including Department) for searching Users on the Identity page
Supports Microsoft Edge in Cross Browser (Browser Preference) feature
CI supports multiple Domain Controllers of Active Directory
A configurable Help-Link is introduced on the login page of CI End User Portal
CI automatically detects multiple Domain Controllers (DCs) of Active Directory when it is integrated as a Directory in CI.
An improved version of the Cross Identity scheduler module has been released; this module is responsible for importing users from SoT and Directory systems and for initiating reconciliation operations with target applications/systems.
CI admin can import SAML Application Metadata while on-boarding SAML Application. This helps admin to on-board applications quickly.