Get Your App Ready for the Global B2B Market - Understanding the power of enterprise identity integration - Okta

Whitepaper
November 2020

Get Your App Ready for the Global B2B Market
Understanding the power of enterprise identity integration

Okta Inc.
100 First Street
San Francisco, CA 94105
info@okta.com
1-888-722-7871
Whitepaper        Get Your App Ready for the Global B2B Market            1

Contents
2    Integrating B2B Enterprise Identities
5    Aspects of Federated ID Implementations
9    Leveraging Okta for Enterprise Identity Integration
13   User Model Use Cases
15   Facilitating Authentication and Identity Integration
16   Simplify ID Integration and Grow Your Business Faster

Integrating B2B Enterprise Identities
Seamless interactions with your enterprise partners and customers often require that you grant them access to enterprise applications or internal systems that you’ve developed or are developing. But in a world where each of your enterprise partners’ and customers’ individual users might already be managing dozens of digital identities, you don’t want to jeopardize their user experience by requiring them to create yet another identity to access your application or shared resources. To foster healthy relationships and increase the adoption rate of your technical innovations and applications, you need to create frictionless experiences that allow those users to use their existing enterprise identities.

There are a variety of ways to integrate your enterprise applications and internal systems with your partners’ and customers’ identities. This paper discusses the most common methods, exploring their different advantages and disadvantages.
LEVELS OF EFFORT (figure)

  ● Manual ID administration
  ● Self-service IDs
  ● Google/Microsoft IDs
  ● Federated IDs

Manual ID administration
Manually adding partner users and their passwords into enterprise applications and internal systems is the oldest method currently in use in enterprises. Although sometimes referred to as the traditional method, the fact that it’s old and is still a common way to connect partners to an enterprise system doesn’t make it the best choice.

The manual nature of assigning credentials not only means administrators have knowledge of users’ credentials, but there are also no guarantees that those credentials haven’t been intentionally or unintentionally exposed to others. Neither enterprises nor their partners can afford this level of inherent risk. But if that’s not enough reason to influence organizations to choose a newer, more secure enterprise identity integration option, then the lack of scalability in manual integration should be. The administrative overhead of adding all those different users and managing their account lifecycles from beginning to end is not sustainable as you and your partners grow.

Self-service IDs
Self-service allows individuals in your B2B and B2C relationships to self-register their own user accounts into your system. Since individual users are the only ones to see their own personally identifiable information (PII), it’s a significant step up in security over the manual integration method. Additionally, most self-service methods also include built-in password recovery workflows. So, if users forget their passwords, they can recover or update them without administrative intervention and overhead.

While self-service IDs might be fine for B2C relationships, they create a significant burden for your B2B partners, since every user in the partner organization that needs to access your system needs to go through the registration process. These users also become responsible for remembering or securely storing their newly created credentials. Shifting these burdens to your business customers’ and partners’ users runs counter to your desire to nurture better B2B relationships through frictionless experiences.

An additional downside of self-service IDs is that if or when your partner relationship ends, you need to make sure to eliminate each one of those self-service accounts to ensure the security of your system and prevent unauthorized access. Often that requires a manual administrative effort that consumes significant time, especially when you’re dealing with large enterprises. There’s also the added security risk that, with such a daunting manual effort, it can be extremely difficult to verify that every account has been properly removed.

Google/Microsoft IDs
Sometimes known as bring-your-own-identity solutions, these identity integration scenarios allow users to sign in with their Google or Microsoft credentials to access resources shared with customers or partners. This method has grown in popularity in recent years since it reduces friction in the overall experience. Neither your customers, partners, nor administrative staff need to expend effort in creating and managing new user profiles.

Since a large user base exists for both the Google and Microsoft platforms, this method can greatly simplify enterprise identity integration. But the fact is that not everyone has Google or Microsoft identities. As a result, this method can leave out some of your customers’ and partners’ users, including identities created in homegrown systems or applications with unique user bases, such as GitHub or Fitbit. Due to these user exclusions, this method might not meet your needs for enterprise identity integration on its own, but when combined with ID federation it can deliver some strong benefits.

Federated IDs
Since federation provides the most frictionless experience for users and administrators, an increasing number of enterprises continue to choose it for enterprise identity integration, making it one of the most preferred methods. Under ID federation, you and your partner or business customer mutually agree to allow their users to use their own enterprise identities to access authorized applications or services that you provide or share. Federation does this by pairing your different identity systems through a metadata exchange. This allows you to create a single sign-on (SSO) experience for their users while giving them a familiar user interface.

With the exponential growth of partner ecosystems, federation offers enterprises the best option for integrating identities in a way that enhances collaboration with partners. It simplifies integration in a manner that provides frictionless experiences, facilitating your ability to quickly get your applications to market and adopted so you can grow your business. That’s why it’s becoming a standard method of supporting enterprise relationships. There are different ways to implement ID federation, and there are different aspects and use cases related to the technology that you should be familiar with as you plan your enterprise ID integration strategy.
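The metadata exchange described above, as an added example that is not Okta’s or this paper’s code: a small parser for a partner’s identity provider metadata together with the checks an application owner would run before configuring the federation trust. It assumes the exchange uses SAML 2.0 metadata (the paper only says “metadata exchange”); the metadata document, entity IDs and URLs are constructed sample data.

```python
"""Parse a partner's SAML 2.0 IdP metadata and sanity-check it before the
federation trust is configured. Added example; assumes SAML 2.0 metadata
(the whitepaper only says "metadata exchange"). All data is constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata for a hypothetical partner IdP. One SSO
# endpoint is deliberately plain HTTP so the checks have something to flag.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.partner.example/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.partner.example/sso/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.partner.example/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpMetadata:
    entity_id: str
    wants_signed_requests: bool
    signing_certs: List[str] = field(default_factory=list)
    name_id_formats: List[str] = field(default_factory=list)
    sso_endpoints: Dict[str, str] = field(default_factory=dict)  # binding -> URL


def parse_idp_metadata(xml_text: str) -> IdpMetadata:
    """Extract the fields a service provider needs from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    md = IdpMetadata(
        entity_id=root.get("entityID", ""),
        wants_signed_requests=idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    )
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                md.signing_certs.append("".join((cert.text or "").split()))
    md.name_id_formats = [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)]
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]  # e.g. "HTTP-POST"
        md.sso_endpoints[binding] = sso.get("Location", "")
    return md


def check_idp_metadata(md: IdpMetadata, expected_entity_id: str) -> List[str]:
    """Return human-readable findings; an empty list means the metadata is acceptable."""
    findings = []
    if md.entity_id != expected_entity_id:
        findings.append("entityID %r does not match the agreed partner entityID %r"
                        % (md.entity_id, expected_entity_id))
    if not md.signing_certs:
        findings.append("no signing certificate: assertions could not be verified")
    if not md.sso_endpoints:
        findings.append("no SingleSignOnService endpoint")
    for binding, url in sorted(md.sso_endpoints.items()):
        if urlparse(url).scheme != "https":
            findings.append("%s endpoint %s is not HTTPS" % (binding, url))
    return findings
```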
Aspects of Federated ID Implementations

Delegated administration
Delegated administration allows another entity to manage or administer their own users who access the application, services, or resources you provide or share. This could include delegating some level of administration rights to your partners or business customers, such as the ability to grant and remove their own users’ access rights to your applications. It could also extend to giving them the ability to define the login experience for their users.

Delegated administration could also be used to give your partners or customers complete access over policy and user management. This could be achieved by leveraging a cloud-based solution for user storage. Such solutions prove to be more cost effective than on-premises solutions based on client access license (CAL) scenarios. Regardless of how delegated administration is employed, it’s an important part of the trust relationship that two business entities enter into when creating relationships.

Security and lifecycle management
An ID federation solution that provides centralized management is vital to simplifying management of your integrated IDs and keeping your environments secure. Through a central management point you can more easily enforce policies across all the applications that you authorize your partners or customers to use. For example, you could heighten security on sensitive systems using multi-factor authentication (MFA) and by enforcing risk-based policies.

Centralized management also makes it easier to revoke access to users when a B2B relationship ends. This might include the ability through ID federation to tie into a customer’s or partner’s identity system to leverage their system’s lifecycle management functions to terminate users’ access to your application. Having a simple and effective means to grant and terminate authorized access is critical to your ability to prevent system abuses and breaches.

Legacy integration with migration
Some ID federation solutions can provide bridged access between cloud-based identity services and legacy on-premises identity systems. This can provide a standards-based way of integrating disparate identity systems, while providing a migration path from a legacy, proprietary system to a newer modern system. And it does it without requiring you to create a separate login experience for the old legacy system and the new cloud service.

Figure (labels only): Parent org / Resource / Delegation / CompanyB Admin / CompanyB User / Inbound Federation / org.idp.com / App / Directory Support / SaaS.

Flexible and secure user models
Whether it’s a mix of customer, employee, or partner users, the types of users you need to account for when integrating enterprise identities vary from one relationship to another. The makeup of your relationship’s user model will be a key influencer on how you address customer data access, data separation, and user experiences in your identity integration strategy. To handle these different scenarios, an ID federation solution that enables you to easily connect to different identity providers can give you much needed flexibility when it comes to architecting your user structure.

The following are some of the most common user models that organizations deal with when integrating enterprise identities:

•   Customer and employee user models
•   Customer, partner, and employee user models
•   SaaS to multi-customer user models

Customer and employee user models
When it comes to the customer identities you maintain for your B2B and B2C relationships, those customer identity profiles often need to be stored in a separate identity system than where your organization stores identity profiles for its internal employees. This separation of identity data helps you safeguard customers’ personally identifiable information (PII) from unauthorized access and data breaches, while enabling authorized internal employees, such as certain marketing personnel and IT staff, to access customer information as needed for marketing and administration purposes.

[Figure: Customer and employee user models (labels: Customer, Employee, Customer A, Employee A, Federation)]

Customer, partner, and employee user models
When you add partner users to a customer and employee user model, you need to also segregate the storage of the identities associated with the partner’s users. This multi-tenancy requirement should allow you to maintain partners and partner portals in one tenant, customers and customer-specific apps in another tenant, and employees in yet another tenant. Your ID federation solution should give your administration team the ability to manage all three user types through federation.

[Figure: Customer, partner, and employee user models (labels: Customer, Employee, Partner, Customer A, Employee A, Partner A, Federation)]

SaaS to multi-customer user models
Many software companies moving to the cloud want to move away from on-premises solutions for storing user identities and profiles. To do this, some create an identity provider, add their customers’ and partners’ users to it, and then assign those users the appropriate resource accesses. But this can be a complex undertaking for many software as a service (SaaS) providers, especially those that have a delegation subscription model that allows their partners or customers to resell services or application licenses to other customers or partners.

In these complex kinds of scenarios, SaaS vendors have to create unique user stores for all the downstream customers and partners, and then connect those user stores to the parent identity provider that maintains the access information for their cloud-hosted software. To effectively implement this user model, the ID federation solution needs the ability to facilitate the granting of policy and user management to downstream customers and partners when appropriate. This requires the ability to programmatically create an identity provider and configure its connection back to the main parent resource.

[Figure: SaaS to multi-customer user model (labels: SaaS, Employee, SSO to SaaS, Customer A, Customer B, Customer C)]
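The programmatic step the paragraph above describes, registering a downstream customer's own SAML 2.0 identity provider with the parent tenant, as an added example that is not code from the whitepaper or from Okta. It prepares the request body for Okta's Identity Providers API (`POST /api/v1/idps`) using the field layout as the example's author understands it from that API's documentation; check it against the current documentation page the whitepaper refers to. The org URL, API token, certificate key id (`kid`), audience and customer values are placeholders, and with `dry_run=True` nothing is sent over the network. The one deliberate security choice is `accountLink.action = "DISABLED"` by default, so a freshly connected customer IdP cannot attach its assertions to users that already exist in the parent tenant (for example an employee with the same username).

```python
"""Constructed example: build (and optionally send) the request that registers
a downstream customer's SAML 2.0 IdP in a parent Okta org.

Field names follow Okta's Identity Providers API as understood by the author of
this example; verify against the current API documentation. All org, token,
key and customer values are placeholders.
"""
import json
import urllib.request

OKTA_ORG_URL = "https://example-org.okta.com"   # placeholder parent org URL


def build_saml_idp_request(name, sso_url, issuer, audience, kid,
                           auto_link_accounts=False):
    """Return the JSON body for creating a SAML2 identity provider.

    auto_link_accounts=False sets accountLink.action to DISABLED so the new
    IdP cannot silently link its assertions to pre-existing users who share a
    username. Enable linking only for IdPs trusted to assert identities for
    users the parent tenant already holds.
    """
    if not sso_url.startswith("https://"):
        raise ValueError("SSO endpoint must use HTTPS")
    return {
        "type": "SAML2",
        "name": name,
        "protocol": {
            "type": "SAML2",
            "endpoints": {
                "sso": {"url": sso_url, "binding": "HTTP-POST", "destination": sso_url},
                "acs": {"binding": "HTTP-POST", "type": "INSTANCE"},
            },
            "algorithms": {
                "request": {"signature": {"algorithm": "SHA-256", "scope": "REQUEST"}},
                "response": {"signature": {"algorithm": "SHA-256", "scope": "ANY"}},
            },
            # 'kid' identifies the customer's signing certificate, which is
            # uploaded first via POST /api/v1/idps/credentials/keys (placeholder here)
            "credentials": {"trust": {"issuer": issuer, "audience": audience, "kid": kid}},
        },
        "policy": {
            "provisioning": {
                "action": "AUTO",            # JIT-create the user on first login
                "profileMaster": True,
                "groups": {"action": "NONE"},
                "conditions": {"deprovisioned": {"action": "NONE"},
                               "suspended": {"action": "NONE"}},
            },
            "accountLink": {"filter": None,
                            "action": "AUTO" if auto_link_accounts else "DISABLED"},
            "subject": {"userNameTemplate": {"template": "idpuser.subjectNameId"},
                        "filter": None, "matchType": "USERNAME"},
            "maxClockSkew": 0,
        },
    }


def create_idp(api_token, body, org_url=OKTA_ORG_URL, dry_run=True):
    """POST the body to /api/v1/idps. With dry_run the prepared request is
    returned instead of being sent, so the example runs offline."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/idps",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"SSWS {api_token}",   # Okta API token scheme
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )
    if dry_run:
        return {"method": req.get_method(), "url": req.full_url,
                "body": json.loads(req.data)}
    with urllib.request.urlopen(req) as resp:   # real network call, not run here
        return json.load(resp)


def register_customer_idp(customer, sso_url, issuer, audience, kid,
                          api_token="placeholder-token", dry_run=True):
    """One IdP per downstream customer; the name carries the customer label so
    administrators can tell the per-tenant connections apart."""
    body = build_saml_idp_request(name=f"customer-{customer}-saml", sso_url=sso_url,
                                  issuer=issuer, audience=audience, kid=kid)
    return create_idp(api_token, body, dry_run=dry_run)


if __name__ == "__main__":
    prepared = register_customer_idp("acme", "https://idp.acme.example/sso",
                                     "https://idp.acme.example",
                                     "urn:example:placeholder-audience", "kid-placeholder")
    print(json.dumps(prepared, indent=2))
```

Uploading the customer's certificate to obtain the `kid`, and granting the customer's administrators delegated management of their own IdP, are separate calls not shown here.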

Leveraging Okta for Enterprise Identity Integration
The applications you build and the web services you create are the things that bring real value to your business. That’s your expertise. That’s your focus. Anything that distracts you from that focus negatively impacts your ability to deliver expected business outcomes. Having to build your own authentication and identity integration functionality disrupts and distracts your ability to achieve those business outcomes. That’s where Okta can help.

Through its identity cloud and Okta’s Customer Identity solutions, Okta facilitates enterprise identity integration for all your B2B and B2C use cases. It frees you from the task of building your own authentication and identity connections for your different partners, customers, and even separate internal business units. As a result, you can get to market faster and foster better B2B and B2C relationships by giving your partners and customers the secure and frictionless access to your services they want and need.

Okta Inbound Federation
The inbound federation functionality in Okta allows your Okta tenant to act as a service provider, granting external identities access to your Okta protected application or website. While this is a role reversal of traditional SSO solutions, it gives you consumption endpoints for authentication, enables just in time (JIT) user creation, and makes it easy to terminate connections with other enterprise entities. It also provides identity provider discovery (IDP discovery) functionality, which adds a rules engine to your login flow that directs users to the appropriate IDP login page based on set criteria.

[Figure: SSO Use with Okta as the IDP (Okta to Service Provider) beside Federation Use with Okta as the SP (3rd Party IDP to Okta); further labels: Social IDP, Org2Org]

Okta allows you to implement inbound federation with either the Security Assertion Markup Language (SAML 2.0) protocol or OpenID Connect (OIDC).

For more information, visit our Identity Providers API documentation page.
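The two mechanisms this section and the user-model sections describe, an IDP discovery rules engine in front of the login flow and JIT user creation that keeps customer, partner and employee identities in separate tenants, as an added example that is neither the whitepaper's nor Okta's code. The IdP registry, issuer URLs, e-mail domains and assertions are constructed placeholders. The point a practitioner should take from it is the linking key: a JIT-created user is keyed by the asserting IdP's issuer and the assertion's stable subject, never by the e-mail claim, so an identity asserted by a partner IdP can share an e-mail address with an employee without being linked to the employee record, and an assertion from an unregistered issuer is refused outright.

```python
"""Constructed example: IDP discovery by e-mail domain plus tenant-separated
JIT provisioning. Registry entries, domains and assertions are placeholders."""
from dataclasses import dataclass
import re

_EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


@dataclass(frozen=True)
class Idp:
    name: str
    issuer: str      # entityID / 'iss' value the IdP asserts
    tenant: str      # user store its users are created in
    domains: tuple   # e-mail domains routed to this IdP (subdomains included)


# Constructed registry: one IdP per tenant type (employees, partners, customers).
IDP_REGISTRY = (
    Idp("employees", "https://sso.corp.example", "employees", ("corp.example",)),
    Idp("partner-acme", "https://idp.acme.example", "partners", ("acme.example",)),
    Idp("customer-globex", "https://login.globex.example", "customers", ("globex.example",)),
)


def _domain_matches(domain, rule_domain):
    return domain == rule_domain or domain.endswith("." + rule_domain)


def discover_idp(login_identifier, registry=IDP_REGISTRY):
    """Discovery rule: route by the e-mail domain of the login identifier.
    Returns None when no rule matches; the caller should then fall back to
    local login rather than guess an IdP."""
    m = _EMAIL_RE.match(login_identifier.strip())
    if not m:
        raise ValueError("login identifier is not an e-mail address")
    domain = m.group(1).lower()
    for idp in registry:
        if any(_domain_matches(domain, d) for d in idp.domains):
            return idp
    return None


class UserStore:
    """Users keyed by (tenant, issuer, subject). The e-mail claim is stored
    but never used as the link key, so two IdPs asserting the same address
    yield two separate users in their own tenants."""

    def __init__(self):
        self._users = {}

    def jit_provision(self, assertion, registry=IDP_REGISTRY):
        """Create the user on first federated login, or return the existing one."""
        idp = next((i for i in registry if i.issuer == assertion.get("issuer")), None)
        if idp is None:
            raise PermissionError(f"unknown issuer {assertion.get('issuer')!r}")
        subject = assertion.get("subject")
        if not subject:
            raise ValueError("assertion lacks a subject")
        key = (idp.tenant, idp.issuer, subject)
        user = self._users.get(key)
        if user is None:
            user = {"tenant": idp.tenant, "issuer": idp.issuer, "subject": subject,
                    "email": assertion.get("email", "").lower()}
            self._users[key] = user
        return user

    def users_in_tenant(self, tenant):
        return [u for u in self._users.values() if u["tenant"] == tenant]

    def tenants_with_email(self, email):
        """Audit helper: which tenants hold a user carrying this e-mail claim."""
        e = email.lower()
        return sorted({u["tenant"] for u in self._users.values() if u["email"] == e})
```

In production the issuer check is performed by the SAML/OIDC library when it verifies the assertion signature against the registered IdP's key; the registry lookup above stands in for that step so the tenant-binding logic can be read on its own.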

SAML
For years SAML has been the gold standard for federation in the enterprise space. It allows you to use a set of attributes to identify a user. It’s secure and easy to set up. While it is still a great solution and will work for most enterprise ID integrations, SAML 2.0 was developed in 2005. Technology has changed a lot since then and it might not be the best choice in today’s fast paced, highly mobile world.

Pre-built Identity provi[...]
In a recent study, 77 percent of [...] indicated that the ability to crea[...] providers as well as the desire [...] providers was equally balanced [...] facilitating the creation of custo[...] provides pre-built identity [...] not prov[...] enterprise business providers, m[...] integrate with Google and Micro[...] For more information, visit our [...] documentation page.

OpenID Connect and OAuth 2.0
With the onset of the exponential growth of apps and
                                                the API economy, OpenID Connect and OAuth 2.0
 ct as a service provider, granting external
                                                are becoming the new       SAMLfederation standard. OAuth
s to your Okta protected application
                                                2.0 is an open standard authorization framework
e this is a role reversal of traditional
                                                designed
                                                  OpenID to      supportand
                                                             Connect         a variety
                                                                                OAuth of2.0use cases. OpenID
  gives you consumption endpoints for
                                                Connect sits on top of the OAuth 2.0 framework to
enables just in time (JIT) user creation,          With the    onset of the Together,
                                                                                exponential    growth
                                                provide   authentication.                   OAuth    andofOpenID
                                                                                                           apps and the API economy, OpenID
sy to terminate connections with other             Connect and OAuth 2.0 are becoming the new federation standard. OAuth 2.0 is an
                                                Connect take a different approach to federation
es. It also provides identity provider             open standard authorization framework designed to support a variety of use cases.
                                                than SAML. They work together to provide identity
 iscovery) functionality, which adds a             OpenID Connect sits on top of the OAuth 2.0 framework to provide authentication.
                                                and access management using scopes and claims to
your login flow that directs users to the         Together, OAuth and OpenID Connect take a different approach to federation than
                                                support a wider variety of deployment models, user
 login page based on set criteria.                 SAML. They work together to provide identity and access management using scopes
                                                experiences,
                                                   and claims to   and    devices.
                                                                      support      You can
                                                                                a wider       learn
                                                                                         variety     more about models, user experiences, and
                                                                                                  of deployment
                                                     OpenID   Connect
                                                       devices.         at www.okta.com/openid-connect.
                                                                You can learn more about OpenID Connect at www.okta.com/openid-connect.
                             Federation              ToTo
                                                        discover
                            Use with Okta                 discover how to connectenterprise
                                                                  how  to  connect   enterprise identities
                                                                                                 identities using OpenID Connect with Okta,
                              as the SP              using  the Authentication
                                                       visitOpenID Connect withGuide.
                                                                                 Okta, visit the
                                                     Authentication Guide.
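As an added example (not Okta's code and not taken from the Authentication Guide), this is the relying-party check that OpenID Connect federation rests on: once the ID token's signature verifies, the issuer, audience, expiry and nonce claims are checked before any identity claim such as email is trusted. The issuer, client id and HS256 shared key are constructed placeholders so the example runs offline; a production IdP such as Okta signs with RS256 and publishes its keys via JWKS, so only the claim checks carry over unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values for this example. For an Okta org the issuer
# would be the org's authorization server URL and the signing key would be
# fetched from its published JWKS; they are fixed here so the example runs offline.
ISSUER = "https://idp.example.com"
CLIENT_ID = "constructed-sp-client-id"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT standing in for the IdP (assumption: real IdPs use RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def validate_id_token(token, key, issuer, audience, nonce, now=None, leeway=60):
    """Return the claims of a trustworthy ID token, or raise ValueError saying why not.

    Order matters: the algorithm is pinned rather than taken from the token header,
    and the signature is checked before any claim is read.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != audience:
        raise ValueError("azp mismatch")  # required when aud lists several parties
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + leeway < now:
        raise ValueError("token expired")
    if "iat" in claims and claims["iat"] - leeway > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # binds the token to this login attempt
    return claims


def rejection_reason(*args, **kwargs):
    """Convenience wrapper: None when the token is accepted, else the reason."""
    try:
        validate_id_token(*args, **kwargs)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": ISSUER, "sub": "constructed-user-id", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": "login-nonce-1",
              "email": "alice@partner.example"}
    token = make_id_token(claims, SHARED_KEY)
    print(validate_id_token(token, SHARED_KEY, ISSUER, CLIENT_ID, "login-nonce-1", now=now)["email"])
```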
[Figure: Federation use with Okta as the SP; identity provider types shown: 3rd Party IDP, Social IDP, Org2Org.]
Pre-built Identity providers

In a recent study, 77 percent of IT professionals surveyed indicated that the ability to create custom identity providers as well as the desire for pre-built identity providers was equally balanced. As such, in addition to facilitating the creation of custom identity providers, Okta provides pre-built identity providers for the most common enterprise business providers, making it fast and easy to integrate with Google and Microsoft out of the box.

For more information, visit our Social Login documentation page.
Directory integrations

Many organizations have made significant investments into on-premises identity solutions with deep integrations that pre-date many of today’s cloud applications. These organizations don’t have to abandon their investments or integrations to move to the cloud. Tying into either their Active Directory or LDAP on-premises identity stack, Okta provides directory integrations that enable organizations to take advantage of legacy solutions in a hybrid on-premises and cloud deployment model. So, as you look to integrate enterprise identities in your enterprise customer and partner relationships, these directory integrations from Okta allow your customers and partners to take advantage of your cloud offering even if they need to or want to continue using their on-premises identity systems.

For more information, visit our Supported Directory integrations documentation page.

[Figure: directory integration with AD or LDAP.]
Multi tenancy

As software companies and service providers move to the cloud, they are faced with the challenge of building SSO into their products and services, as well as building identity connections with their business partners and business customers. Building those connections and authentication capabilities takes time and expertise, which delays their ability to deliver the core services and value-added features with the immediacy that their customers demand. That’s why many of these businesses turn to Okta. Using Okta and the Okta API’s automated tenant creation functionality, software and service providers can use Okta as their identity layer and give their customers access to their own Okta tenant, while still retaining control via ID federation.

[Figure: multi-tenant deployment, each tenant serving its own group of consumers.]
User Model Use Cases

As previously discussed, organizations deal with a variety of user models when trying to integrate enterprise IDs. In both B2B and B2C relationships, Okta has simplified this effort for a broad spectrum of organizations across all these different types of user scenarios.

             Customer and employee use case
             Bazaarvoice has 750 employees accessing a suite of internal and external applications,
             more than 590 million shoppers who use Bazaarvoice apps each month to speak to
             brands, and 10,000 client users in 80 countries who log into Bazaarvoice apps to
             capture consumer-generated content. Okta makes sure Bazaarvoice employees get
             access to the applications they need, while giving its application developers an identity
             and authentication platform they can leverage when building client applications.

             Read the full story at www.okta.com/customers/bazaarvoice.

             Customer, partner, and employee use case
             As a global manufacturing firm, Flex has about 200,000 employees connected to
             cloud and on-premises apps, thousands of suppliers with fluctuating access to its
             supply chain, and more than 100 factories connected to its supply chain, customers,
             and company. Okta provides Flex a unified identity platform that secures its supply
             chain for its partner and business customers, while connecting its employees with
             the apps they need.

             Read the full story at www.okta.com/customers/flex.

                     “Okta plays a role in all three of my initiatives: Cyber security, business productivity,
                     and best of breed. It fits all three, so it’s a perfect match.”
                     Gus Shahin, CIO, Flex

             SaaS to multi-customer use case
             Adobe uses Okta as its authentication layer for both internal employees and for its
             Adobe Creative Cloud suite of software. That translates into more than 20,000 Adobe
             employees using Okta for SSO into 300 enterprise apps, as well as thousands of Adobe’s
             business customers using Okta to access the Adobe Creative Cloud suite of products.

             Read the full story at www.okta.com/customers/adobe-systems.

                     “I don’t want to reinvent the wheel in our identity stack. I want to use what’s best
                     in class in the market and then apply the Adobe specific requirements to that stack
                     to get something out to our customers really quickly.”
                     Scott Castle, Adobe Creative Cloud, Product Manager, Adobe

Facilitating Authentication and Identity Integration

Okta provides a wide variety of SDKs to help organizations quickly take advantage of the power of the Okta Identity Cloud platform to securely connect businesses and people to the technologies they need. Okta provides a wide range of SDKs to help you get started in your preferred language, while the Okta Toolkit provides community generated code and solutions that have helped thousands of enterprises take advantage of Okta and its highly secure, globally redundant infrastructure. The Okta SDKs and Okta Toolkit can be accessed at toolkit.okta.com.

                                                      In addition to its SDKs, organizations can take advantage of Okta services directly
                                                      through its API and the new API endpoint enhancements that Okta continues to provide.
                                                      Using the API, organizations can script the entire authentication process behind their
                                                      normal login pages. This includes being able to custom build admin pages or self-service
                                                      portals that organizations can use to allow partners to connect with the organization
                                                      without manual intervention from a support team.

[Figure: Okta SDK logos: ANDROID, ANGULAR, REACT, iOS, JAVASCRIPT, VUE, JAVA, .NET, NODE JS, RESET.]
Simplify ID Integration and Grow Your Business Faster

Today’s expanding partner economy requires the ability to integrate with other identity providers, while meeting customer expectations for secure and easy to use applications. But building identity integrations to connect with enterprise partners and customers is a complicated and difficult endeavor that shouldn’t distract your valuable development resources from focusing on the development of services and features that grow your business and meet customer demand. Okta lets you leverage its identity expertise and services, so you can focus on what matters most to your business.

                  With Okta serving as the identity layer for your infrastructure stack, you can free up
                  your resources to focus your development efforts and resources on your business
                  initiatives, while fully addressing the needs of your partners and customers. Okta’s
                  Customer Identity solutions give you the tools and services you need to simplify
                  enterprise identity integration, and their future-proof approach and ongoing innovations
                  give you the agility to evolve your product security and customer experience as
                  world and market forces evolve.

                  To take advantage of Okta or learn more about how it simplifies enterprise ID integration,
                  visit our B2B Integration page. To get started with a free trial, visit developer.okta.com.

                  About Okta
                  Okta is the leading independent provider of identity for the enterprise. The Okta
                  Identity Cloud enables organizations to securely connect the right people to the
                  right technologies at the right time. With over 6,500 application integrations,
                  Okta customers can easily and securely use the best technologies for their business.
                  To learn more, visit okta.com.