- 19 Mar 2024
- 27 Minutes to read
- Print
- DarkLight
- PDF
Features in detail
- Updated on 19 Mar 2024
- 27 Minutes to read
- Print
- DarkLight
- PDF
Converged IDAM Platform
Universal Directory
Cross Identity has a built-in Identity Store, the central directory for all users and roles created in Cross Identity or any other source. It allows the solution to be massively scalable. Also, it allows organizations to access all functionalities of Cross Identity even if it is not using an Active Directory. This is an excellent option for authenticating users who are not in Active Directory.
Integration with Source of Truth (SoT)
The solution leverages a listener who can detect changes in the initial feed and, based on the event, can provision/de-provision user accounts in the target systems. This can also be scheduled at off-peak hours. Reusing business rules depends on where the rules exist and the standards. All attempts will be made to reuse the existing components as much as possible.
Cross Identity can integrate with various Source of Truth (SoT) systems such as CSV files, Enterprise Directories, and HRMS applications, allowing organizations to quickly onboard users and manage users and their groups.
Cross Identity can integrate with HRMS as a Source of Truth (SoT) using the inbuilt connectors of Cross Identity.
It also allows multiple directory domains to be configured with the solution. This allows Administrators to configure features required for those specific domains.
Cross Identity provides an SoT Connector that supports the periodic reconciliation of the users into Cross Identity.
During reconciliation, a scheduled task invokes the connector framework operations. This framework, in turn, invokes a search operation on the SuccessFactors Connector Bundle, and then the bundle calls the API for reconciliation operation. The API extracts user records that match the reconciliation criteria and hands them through the bundle and framework back to the scheduled task, which brings the records to Cross Identity.
Each user record fetched from the target system is compared with existing Cross Identity Users. If a match is found between the target system record and the Cross Identity user, the Cross Identity user attributes are updated with changes made to the target system record. The target system record creates a Cross Identity user if no match is found.
CI supports integration with any SCIM-based Systems to pull User data.
Directory Integration
Multiple Active Directories can integrate with Cross Identity. Users from AD can be imported into CI and can use various IAM use cases in CI.
Importing Users into CI through other methods
CI supports various options to onboard users into its Universal Identity Directory:
Through Add User Form:
Admin can manually add users through the ‘Add User’ form when they join your organization. After adding the users to Cross Identity, you can assign them to applications and groups and manage their profiles.
CSV File Import
CI Admin can onboard new users or update the existing Cross Identity users by uploading a CSV file containing the user information. This includes validation and error reporting of the imported data. The existing user can be ‘assigned as a manager’ to another user (imported through CSV), even if the existing user (manager) is not part of the imported CSV file.
Through CI API
Cross Identity (CI) offers an API feature that allows you to programmatically create users within its Universal Identity Directory, thus eliminating the need for manual user creation. The user creation API supports HTTP or HTTPS requests and follows a REST design pattern. Using the user creation API feature, you can integrate user onboarding directly into your applications, workflows, or systems. This enables automated user provisioning and allows you to synchronize user data with other systems or databases.
Identity Attribute Transformation Rules
CI provides the following attribute management capability:
Ability to expand and manage custom Identity schema attributes.
Attribute mapping during Source of Trust synchronization between SoT and Identity Attribute.
Attribute mapping for attribute value propagation from the target application accounts.
Identity Schema Management
CI supports expanding the identity object attribute schema as per the requirement. The Schema expansion is ultimately the UI drive.
CI Supports different attribute types. The following are listed as shown in the figure:
Cross Identity enables the complete administration of attribute mapping.
SoT Attribute mapping
Cross Identity supports and provides a simple script-based process that enables manipulation, derivation and updated Cross Identity user attributes. For example:
Creating a unique user ID based on different attribute combinations and validating the uniqueness of the value
Concatenation of the attributes
Conditioning of attributes
Static Attribute Target application account attribute mapping
Cross Identity supports and provides a simple script-based process that enables manipulation, derivation and propagation of Cross Identity user attributes to the target application account.
Delegated Authentication
In addition to authenticating against its Universal Directory, Cross Identity supports user authentications with any Enterprise Directory, such as AD or with any third-party Identity Providers (IdP), such as ADFS.
In Delegated Directory Authentication method, users can access Cross Identity modules by entering their Active Directory credentials.
In the Delegated IDP authentication method, users can access Cross Identity modules by entering their IdP credentials.
Note:
CI supports sAMAcountName or first part of UPN of AD user for CI Authentication.
Support for Multiple Authentication Roles
With the use of Authentication policies defined in the solution, users can get authenticated to various authentication (CI, AD, ADFS, etc.) stores to get access to Cross Identity modules. Also, multiple Active Directory domains can be integrated with CI and users from these domains can access Cross Identity to perform their IAM use cases in CI.
Support for Third-Party IdP Authentication
CI supports End-User Authentication with Third-party SAML Identity Provider.
Support for Integrated Windows Authentication
Integrated Windows Authentication (IWA) is a popular authentication mechanism used to authenticate users on Microsoft Windows servers. This authentication mechanism does not use the traditional form-based authentication, where the users must enter credentials in a form. Instead, it uses browser-based authentication, where the authentication is handled by the web browser.
The following diagram indicates how the authentication procedure works:
A new policy for IWA has been introduced which will have the highest priority and cannot be deleted once created. This policy works based on the Network IP Address of the users.
Configure the IWA Agent URL under the Authentication Policy:
Ensure that the Authentication Policy is enabled at the Admin Portal. Access the IWA URL.
Without manual intervention, authentication will be performed, and the user will be logged in to the CI portal and can also perform Single Sign On.
User Profile Management
The end user can manage the Identity profiles as below:
Access Management
Single Sign-on
Cross Identity offers a standard role-controlled end-user dashboard. It provides SSO integration capability to Cloud federations, enterprise Web and non-web applications, which include:
SSO for Federated Applications
SAML 2.0 (both IDP and SP Initiated SSO) Cross Identity also supports 3rd party Identity Providers (IDP), and CI can act as SP
OAuth 2.0 (Authorization)
OpenID Connect 1.0 (Authentication using JWT token)
SSO for Non-Federated Web applications
Password vaulting and forwarding or replay techniques.
SSO for Desktop Applications (Thick-Client Applications)
The Cross Identity tool supports the IdP, and SP initiated flow using HTTP Post SSO protocols such as SAML 2.0, i.e. Security Assertion Mark-up Language for assertion configuration. Supports passing of user attributes from user stores, including protocol access of LDAP and AD, including support for basic attribute customization.
Cross Identity can Integrate with IDP and SP. Also, it enables SSO assertions with name-id configuration, X509 subject name, Email Addresses, Windows Domain Qualified Name, Kerberos Principal Name, Persistent Identifier, Transient or One-Time Identifier and so on.
Password Vaulting:
CI uses password vaulting and forwarding techniques to perform Single Sign-on to Web Applications which do not support standards such as SAML or OAuth.
The password vault can be configured to use AD or LDAP credentials during forwarding.
When a user accesses an application for the first time, CI prompt the user to register or store the credentials in the password vault.
The password is encrypted and stored in the vault.
The password vault is stored on the Cross Identity cloud.
When a user accesses the subsequent application times, the password from the vault is decrypted and forwarded to the application.
Context-based Authentication
Cross Identity supports built-in Multi-Factor Authentication to support platform login, selective integrated application access, and advanced access control policies based on roles, devices and network context. The guidelines can be defined in CI based on the User’s Roles, Devices, Networks and other user contexts.
Below are the built-in MFA factors that CI supports:
Security Questions
Email OTP
SMS OTP
Soft Token: CI supports any TOTP-based soft-token application such as:
Google Authenticator
Microsoft Hello
DUO
CI provides intelligent access decisions while reducing friction for end users. Combining a range of contextual data signals to assess risk, CI determines whether it needs to grant access with or without additional authentication factors or deny the access, by evaluating the risks.
Below are the details of contextual data signals that CI collects to determine the access controls:
Sr. No. | Contextual Data Signal | Description |
---|---|---|
1. | User Profile Attributes | CI uses the values of end-users’ profile attributes such as Login ID, Job Title, Department etc. to evaluate the access control policy. |
2. | User’s Role Memberships | CI uses the list of IDAM roles where the user is having memberships. |
3. | User’s IP Address | CI captures the IP address of the User’s device during the authentication process. This is a dynamic value as it captures at the time of the authentication process. |
4. | User’s Geo-Location | CI captures the Geo-location of the user from where the authentication request is initiated. This is also a dynamic value. |
5. | Device Type | It captures the types of Devices from where the user is accessing CI. This value can be Windows, Mac, Linux, iOS, Android, etc. |
6. | Host name | It captures the hostname of the user’s device. |
7. | Domain name | It captures the domain where the user’s device is linked if the device is linked with the AD domain of the organization(Domain-joined machines). |
8. | Access Channel Type | CI also captures the access channel type using which the user is accessing CI. The value of this parameter can be Web or Mobile or Browser type. |
9. | Network | CI provides the option to define various N/W (range of IP addresses) that the organization has such as Corporate N/W, Branch Office N/W etc. Once it is defined, this parameter also can be used in defining the Authentication Policies. |
10. | Device Mac ID | CI captures the Mac Address of the User’s device. This parameter also can be used to define the Authentication Policies. |
11. | Device Certificate | CI supports Device Certificates for evaluating the Authentication Policies. During the Authentication process, it captures the device certificate which is installed on the user’s device and used to determine his/her access. |
12. | User’s Certificate | CI also supports User’s Certificates for evaluating the Authentication Policies. During the Authentication process, it captures the user’s certificate which is installed on the device and used for determining his/her access. |
13. | User’s IP Risk-score | CI not only captures the end user’s IP address, but it also determines the dynamic risk score of this IP address. This risk score is also used in the Authentication Policies to determine whether to grant access or deny access. |
14. | Time of Access | CI captures the time of access. This parameter also can be used in controlling end-user access to applications. |
15. | Velocity | CI determines the actual velocity for the user (from the previous location and previous time of access and current location and the current time of access) |
The below picture shows the steps to configure a Context-based Policy in Cross Identity:
This policy is defined to enforce additional MFA (Soft-token) when end-user, who is a contractor (having “Contactor” role membership) and login ID begins with “CTR” and by using a “Windows” machine, is trying to access Office 365 Application from “Mumbai” or “Bangalore” location:
Context-based Authentication Policy – Actions:
Session Management
In addition to centralized authentication and single sign-on features, CI provides session management capabilities, including controlling session state for user-present interactions with applications. Ability to define Global session timeout:
SAML Certificate Management
Cross Identity supports the ability to have individual certificates that can be used to sign SAML assertions for each integrating Service provider application:
Consent Management
The end user can manage the consents that have been given to various applications as below:
Password Management
Self-Service Password Reset
Cross Identity allows users to reset their passwords and/or unlock their accounts without any helpdesk support. This is done through various authentication options that Email-based OTP and SMS-based OTP. Cross Identity lets users focus on business and not get hassled with password management giving users a seamless experience from anywhere and anytime.
Self-Service Change Password
Cross Identity allows users to view, reset, and update passwords of all target applications which are not integrated with AD. This gives users the ability to change passwords right from the launchpad. The solution also allows changing the Active Directory password from the launchpad. This password can also be synchronized to other target applications with the help of password-sync connectors.
Password Synchronization
Cross Identity captures password changes initiated from it and synchronizes the new password with integrated systems. This gives users a reduced sign-on experience with password synchronization not integrated with AD.
Helpdesk Assisted Password Management
The helpdesk-assisted password reset or account unlock feature is a functionality to assist users in regaining access to their accounts when they are locked out or have forgotten their passwords. This feature allows the designated helpdesk users to unlock the accounts of specific users or generate a temporary password for them in case the user has forgotten their passwords.
Identity Administration
User Lifecycle Management
Cross Identity supports automated user provisioning and de-provisioning in a real-time environment. There are multiple options available:
The system can be integrated with the Enterprise HR System/Active Directory/LDAP to pull the User information in real-time. The following is the high-level flow:
Whenever there is a new user created in the HR System, Cross Identity can pull the new user record from the HR System
Check if the user exists or is a new user based on the unique attribute
If it is a new hire/join:
i. CI performs attribute mapping/calculation logic between HR User record
attributes and the CI User record attributes.
ii. CI automatically creates the User in the identity repository
iii. Based on the configured dynamic policies, user may get access to application
accounts/entitlements
If it is a terminate/leave operation:
i. If it is an existing user with the terminate flag/attribute set, CI automatically
terminates (disables) the user record in the identity repository
ii. If the user has one or more roles/application accounts/entitlements, they are
revoked/suspended automatically
If it is an update/move operation:
i. If it is an existing user with the job/role/department change, CI automatically
can update the user record accordingly in the identity repository
ii. CI automatically adds/removes roles/application accounts/entitlements
based on the job/role/department
Cross Identity exposes Rest APIs for all the User lifecycle management operations. Any 3rd party application can use the CI Rest APIs to perform automatic provisioning and de-provisioning of users in real-time.
Following is a high-level description of the functional IGA capabilities:
User Administration Support
New User onboarding
When a user is hired, the first step is creating a new record for the employee by HR. Once a record is created in the Source of Truth (SoT), the record will be synced in the Cross Identity solution based on a connector on the tenant.
CIAM Use case of Self-registration: CI provides a customizable self-registration page where users can register themselves.
Contractors or Sponsored User Management:
CI provide the manager and the administrator the ability to onboard or register contractors or sponsored users manually.
Optionally CI provides CSV file-based bulk import of users.
All other lifecycle operations like dynamic role assignment, birthright
provisioning, termination, self-service functionalities, access requests and
access recertification are also supported.
Promotion or Transfer
As users are promoted, transferred or change roles based on the new role, the new access will be provisioned. Existing accounts and entitlement will be removed automatically based on the dynamic roles.
Suspend or Restore User and Application Accounts:
HR system updates the suspend date for a user when the suspend date matches the system date. The user ID and the associated accounts are all suspended.
HR system updates the restoration date for a user. Also, the User record and its provisioned accounts are restored.
Remove User and All Accounts on Termination:
HR system updates the termination date for a user. When the termination date matches the system date, the User ID and the associated accounts will be disabled. Group access and shared resource ownership will be removed.
Additional Access Requests and Approvals
Additional Access Requests and Approvals will be handled in Cross Identity Solution. End users or the User's manager can request further access. One-level or multi-lever approval is configured in the system. After the proper approval, the account and access will be provisioned in the target applications.
Static and Dynamic Role Definition
The solution supports the ability to define Dynamic roles based on the combination of user attributes with the ability to auto-provision account and application entitlement
The solution also provides the ability to define static roles to entitlement definitions that can be mapped to access request workflow.
Automated Target Application Account Provisioning
CI support hundreds of provisioning connector that supports the entire user provisioning use cases of:
Create
Modify
Suspend
Restore
Delete
Entitlement/group assignment and revocation
Change password
The provisioning connectors are available across the tenant as part of the application store and the administrators can be easily configured by the administrators.
Rule-based Role Assignments
Cross Identity supports business or organization roles and supports the dynamic assignment of users to these roles. Users can create rules based on various user attributes so that users can automatically be assigned to specific roles when added to Cross Identity or when any of the existing user attributes are changed.
Role-based Access Control
Cross-identity supports three types of roles:
Static Role – IAM admin or authorized person can create a static role manually based on the organization's requirements. IAM admin can add multiple application entitlements in the static role. When an end-user requests a static role, Cross Identity sends the requests via a connector to target applications, creates a respective account, and adds appropriate entitlements. The solution supports defining segregation of duty checks on the static role. The SOD is evaluated during the access request process.
Dynamic Role - Dynamic roles can be created automatically based on a Cross Identity admin-configured rule. For example, the admin can create a rule that if the user's job title = is security Architect and Job location is equal to the United States, he will get the Security Architect Role. So, all users whose job title and Location match the rule will get the role automatically. It can be used for birthright provisioning. When the user gets the role, Cross Identity requests the target application via a connector to provision the accounts and entitlements. It helps to create accounts and entitlements automatically without manual intervention.
Built-in/System Defined – Roles created by default and used for operating the Cross Identity System, including admin role, helpdesk, etc.
Cross Identity supports the setting of role-based access controls.
Admin can define if an Application is available for SSO on the user's dashboard by authorizing the Application based on Roles and user attributes.
For example, if the Admin defines users who are Role "Sales" members, they can do SSO to Salesforce. If a user, John is not a member of the " Sales " role, he will not see the Salesforce application SSO icon on the dashboard.
Admin can also restrict what menu options are available to the users during self-service based on roles.
When HR Data is read from an authoritative source, Cross Identity can automatically provision and de-provision application access based on roles.
Users of the Help Desk role can only perform Helpdesk password-related operations.
Only Managers and Application owners can perform workflow and certification tasks based on roles.
Account/Entitlement Provisioning
Birthright Account/Entitlement Provisioning
All users joining an organization get access to specific systems and applications as part of default application access for everyone (such as an AD account to login to OS and join the domain, an Email account, Office 365, etc.).
Organizations have different access to users based on the overall processes and organizational rules. Cross Identity can grant conditional birthright provisioning based on those rules that enable access to different systems and applications.
Promotions and Transfers
Cross Identity automatically adjusts user access across business applications based on promotions or transfers. The necessary accounts relevant to the user's new role are automatically provisioned. Those accounts that are no longer relevant to the user's new role are automatically de-provisioned. Provisioning and de-provisioning follow the rules defined in the relevant applications configured for the role.
Request Based Account Provisioning
Cross Identity supports the ability to request access to the published entitlements, Roles or application accounts.
Users can select the duration of the time the access is needed and provide the appropriate comments.
These requests are sent to the relevant authority for approval based on the multi-level approval workflow configuration. Upon approval, the request will be provisioned automatically.
Cross Identity allows the user to track and manage the request. Users can browse the name of the pending approver:
Approver: An approver can approve, reject or forward the request. The approver can also change the duration of the time that the user has requested access.
Cross Identity supports the ability to notify the approver and the requestor of the status of the action that has been taken.
Once the request is approved, based on the type of access, for example, if it's a business role that has been requested, CI will provision the mapped application accounts and entitlements. If the requesting access is a direct entitlement, CI will provision the entitlement in the requesting target application account.
Request Based Role Provisioning
Cross Identity allows users to request membership roles within Cross Identity. Based on the configuration in the multi-level approval workflow defined while defining the role, these requests are sent to the relevant authority for approval. Upon approval, the users are provided membership to the requested role and accesses linked to that role are automatically provisioned.
The user can initiate an Access Request using the Launchpad or the mobile app. Users can also see the status of their request on the Launchpad or the mobile app. Approvers can approve or reject access requests in the desktop or mobile Launchpad.
Suspension and Restoration
Cross Identity automatically suspends users marked as Suspended in the integrated SoT – CSV, Active Directory or HRMS. Based on the user's status in Cross Identity, their accounts in the various target applications are suspended.
When users are marked as Restored in the integrated SoT, Cross Identity automatically reactivates all their accounts and enables all their accesses.
Contractors/Sponsored User Management
CI provides the manager and the administrator the ability to onboard or register contractors, vendor users or sponsored users by requesting to create new Identities in CI.
Optionally CI provides CSV file-based bulk import of users.
All other lifecycle operations like dynamic role assignment, birthright provisioning, termination, self-service functionalities, access requests and access recertification are also supported.
De-provisioning/Termination
Cross Identity automatically detects this event when a user leaves the organisation from integrated SoT. It removes user access across all business applications, thus eliminating the need for it to be done manually. This feature allows organizations to achieve statutory and regulatory compliance and ensures adequate security.
Support for Application account attribute transformation
Target application account attribute mapping
Cross Identity supports and provides a simple script-based process that enables manipulation and derives and propagates Cross Identity user attributes to target application accounts.
Multi-Level Approval Workflows
Cross Identity allows administrators to configure multi-level workflows for access requests to applications or roles. Admin can choose a role as the approving authority at each workflow level. Additionally, the admin can specify if all users or only one user of a role need to approve the request.
These workflows can be configured for each application and role.
Approval Delegation
CI supports the ability to delegate the approval task within CI, for example, requesting approval and access certification. In this, CI supports the ability to forward the approval request or configure the out-of-office delegation where access request approval and access certification approval are delegated to the other user. Cross Identity also supports the ability of an authorized user/manager/admin to assign roles and entitlement to any other user with or without approvers to meet the requirement of the delegate.
User Profile Management
The end user can manage the Identity profiles below:
Allows managers to revoke user’s role access and Application Access
CI allows managers to revoke the role, application and/or entitlement access of his/her users through CI End User Portal.
Access Governance
Consolidated Access View
Cross Identity lets administrators get a real-time view of user access across business applications.
Enable administrators to see the account user holds across business applications, and they can take appropriate actions if anything is out of place.
Orphan or Dormant Account Reporting
Cross Identity detects orphan and dormant accounts across business applications and allows administrators to act appropriately.
Once detected, an orphan account can be:
Assigned to a user on specific criteria defined by the administrator
Assigned to a user manually by the administrator
Auditing - Dashboard and Reporting
Cross Identity provides an intuitive dashboard to view everyday events such as:
Cross Identity provides a variety of pre-configured reports for assistance during audits and Statutory and Regulatory compliance.
End-User events – Authentication, Application SSO, Change Password, etc.
Administrator events – Create Identity, Create Workflow and so on.
System Events – User Import, Account/Entitlement Recon, etc.
Various options to filter out data – Easy to use, but powerful Interactive UI for defining filtering logic.
Options to merge various Identity entities (User, Roles, Applications, Entitlements) events and data records to generate meaningful custom reports.
Access Review and Certification/Attestation
Supports four different access certification campaign definitions:
Entitlement Campaign – Ability to combine entitlement across various applications into a campaign that must be certified.
Role Certification Campaign – Ability to combine business roles across different applications into a campaign that must be certified.
Application Account Campaign – Ability to select applications that must be certified for a campaign. All the chosen applications' accounts will be included in the campaign.
User Identity Account Campaign – Ability to group users based on roles and attributes to trigger user end date extension.
Access Certification Connectors: Cross Identity leverages the IGA connector to perform reconciliation, retain and revoke action via connectors that will be provisioned and integrated as part of the project implementation.
CSV File-based Certification Connectors: For applications that are not integrated via the IGA connector, Cross Identity supports a simple CSV file-based approach to reconcile users' entitlement data and run the certification campaign.
Cross Identity supports the manual fulfilment approach where CI initiates a fulfilment task that the application administrator can mark as complete.
Cross Identity also includes Access Review. Campaigns can be launched from the Cross Identity system. In a typical review campaign, the following steps are involved:
Before the Access Review campaign begins, Cross Identity runs an Account and Access reconciliation report.
The campaign begins when the system sends the report to all the managers with details of their subordinates' access:
In the tool, managers are given a deadline to finish the review. They must indicate the accesses to be accepted and rejected. This approach enables the addition of two levels of approval.
Once the Manager Review is completed, Cross Identity follows this process:
The reviews are sent to the second approver.
<OR>A report is prepared by Cross Identity, compiling all the proposed access terminations.
The system then completes the access removals through the User Lifecycle module. This step is called closed-loop remediation. This step is optional.
After the review cycle is completed, Cross Identity generates the following:
A comprehensive list of accesses was removed.
The latest orphan account list. This list enables the organization to take action to reduce the orphan accounts by re-assigning them or eliminating them, thus efficiently utilizing licenses.
The Access Recertification module provides all the necessary reports and closes the campaign.
Segregation of Duties(SoD)
Cross Identity also provides a Segregation of Duties feature enabling the administrators to segregate responsibilities to prevent misuse of critical combinations of tasks in the process. SoD Policies can be defined for:
Static Roles
Applications
Entitlements
Notes:
Dynamic Roles cannot be defined in SoD policy.
Defining SoD Policies
The SoD Menu is present on the End User Portal and will be enabled only for the admin users. The SoD Policy configuration menu will be made available only to the admin users and SoD owners. SoD reviewers will not have the ability to access SoD policy configuration menu.
The sub-menus under the SoD module would be:
Summary
SoD Policies
SoD Violations
The following will be the access control for each role:
Role/Menus | Summary | SoD Policies | SoD Violations |
---|---|---|---|
Admin | ✔ | ✔ | |
SoD Owner | ✔ | ✔ | ✔ |
SoD Reviewer | ✔ | ✔ |
SoD Admin can view the Summary (Dashboard view) of the violations and view/edit the SoDPolicies.
SoD Owners have the same control as the SoD Admin; and can also review the violations.
SoD reviewers will only be able to view the Summary and perform the review of the violations.
SoD Owners and Reviewers will be configured in the below screen:
Offline SoD Campaigns
Offline SoD Campaigns mainly include the execution of a SOD campaign to identify prevailing violations pertaining to the policies created and run the campaign and trigger reviews for the violations to respective SoD owners/reviewers.
The campaign can also be previewed by the SoD admin/owner to identify the number of violations before triggering the SoD policy.
The SOD Campaign screen would look like below:
Online SOD Campaign
SoD violations of the requestor will be highlighted to the approver in case of Access Requests, and the reviewer in case of Access Certification. In case of violation during Access Request, the reviewer grants a limited-time access to the requester. Violation can be mitigated during the request/ review process.
The SoD policies will also be auto-triggered for the concerned application at the time of reconciliation. Also, if a user has been added to a static/dynamic role that grants access to applications and entitlements, the SoD policies will be auto-triggered. The above process allows the roles and entitlements of the existing users to be in check and prevents the users from getting unauthorized or elevated access.
SOD Delegation
The SoD Owner/ Reviewer can delegate an entire policy to another SoD Reviewer. This option will be available on the SoD Policy page under the Reviewer section.
The Out-of-Office Delegation menu captures the delegated SoD reviewer for the policies assigned to the logged-in reviewer. If the SoD task is delegated, the delegated user will be able to see the Pending Activities of the SoD Reviewer and Owner. In both cases, notifications are triggered to the reviewer if the review tasks have been delegated.
SOD Summary
The SoD Summary provides an overall view of the violations that are available in the system as a dashboard. The dashboard widgets will display the information based on the policies assigned to SoD Owner and SoD reviewer. Whereas the admin will view a summary of all the active SoD policies in the system.
Pay-per-Use (PPU) Consumption Portal
Cross Identity offers two types of licensing models for Cross Identity:
User-based License- User-based License is the conventional license model where customers can purchase Cross Identity licenses based on the number of users in the system.
Consumption-based License - In this model, the customer pays according to the usage of the product.
Consumption-based (Pay-per-use) Licensing Model
Pay-per-Use (Consumption-based license) module is an innovative license model. Customers do not need to purchase CI licenses based on the number of users. Instead, they can get a bundle of user licenses without any payment. The pricing will be determined based on the consumption of the Cross Identity solution. This model uses the below events to determine the consumption of the customer:
Application Access
MFA Usage
Password Reset
User Management Events (Create, Update and Delete)
Access Request
Access Review
Each of these events will have a price defined when the customer purchases a Cross Identity subscription (as shown below).
Based on the usage of these events, the monthly price will be calculated, and the customer has to pay only that price – Pay-Per-Use Model.
Pay-per Use Consumption Portal provides a summary of various Identity and Access management-related events that occurred in the Cross Identity. It enables you to drill down the details of those events based on the User’s Department (Business Unit) and provides a summary of the consumption billing. This includes monthly billing details, billing trends and event-wise billing reports. Users can generate various reports based on events, and department of event status for the "Report" section.
Event Dashboard
It shows 8 widgets:
License Usage
License Assigned by Departments
Application Access
User Login Events by Departments
Password Reset Events by Departments
User Management Events by Departments
Access Request Events by Departments
Access Review Events by Departments
Usage by Departments
You can click on any widget to view further micro details.
Billing Dashboard
Reports
Other Features
Application Store
Cross Identity provides a centralized app store accessible by all users. The App Store includes 1500 plus SAML applications, 2000 plus web applications and 100 plus IGA application connectors.
SoT & IGA Connector Framework
Cross Identity’s Connector Framework provides interoperability between Cross Identity and IGA and SoT applications/systems. The Cross Identity IGA connector enables provisioning & de-provisioning to the accounts and entitlements that are maintained by the integrated target applications/systems.
SoT connectors allow CI to pull user identity data from the integrated SoT systems.
CI supports various mechanisms to develop custom IGA and SoT connector/s:
REST API based
SDK or API or CLI-based
WebService Based
LDAP-based (JNDI)
Database-based (JDBC)
CSV-based
RPA-based (if the target application does not support any of the above options)
Notifications
Allows administrators to define event-based notifications and alerts. It could be any IAM event:
End-User events – Authentication, SSO, Change Password, etc.
Administrator events – Create Identity, Create Workflow and so on.
System Events – User Import, Account/Entitlement Recon, etc.
The option to choose multiple send-out notifications – Email, SMS
Alternatives to schedule these notifications
The option to choose the recipients of these notifications - Users and user groups
The proposed solution is committed to industry-leading security and operational practices. Following are the Security highlights of the Solution:
Data in Motion – All the communication will be over the secured channel (TLS v1.2)
End-user access to the Cross Identity (CI)
CI to Active Directory
CI to Provisioning Agents to Applications (Depending on the integration feasibility)
Data at Rest – The solution encrypts a pre-defined set of sensitive information and supports encryption of any additional required attributes.
Intra component communication
Intra-component communication is communication between the browser to the app tier and from the app tier to the database or directory server over a secured SSL channel.
Target application communication
Communication from CI to the target application is over a secured SSL channel.
Logging event details
CI maintains a read-only audit trail for every action performed by the administrators.
Account lockout on excessive invalid login and reset attempts.
CI supports SAML and OAUTH Signature validation and encryption and decryption support for SSO transactions, enabling integrity checks.