Hitachi ID Identity and Access Management Suite includes connectors for a variety of SaaS applications, including Salesforce.com, GSuite, Office 365, Concur, SuccessFactors, Workday, WebEx, AWS, ServiceNow and more.
Integrations with additional SaaS applications is easily added. For those applications that expose a web services user management API (using SCIM or a proprietary interface), this API can be used. In other cases, where there is no API, Hitachi ID Identity and Access Management Suite can emulate a web browser and click through administrator web pages.
Acting as a SAML identity provider (IdP)
Hitachi ID Identity and Access Management Suite includes a Security Assertions Markup Language (SAML) identity provider (IdP) . This allows users to sign into a variety of federation-capable apps using a Hitachi ID Identity and Access Management Suite login process, rather than using app-specific credentials.
The sequence for this externalized authentication will be as follows:
- A user accesses application at URL A.
- URL A (the service provider (SP) ) redirects the user to Hitachi ID Identity and Access Management Suite at URL B.
- The user enters their login ID into Hitachi ID Identity and Access Management Suite.
- Hitachi ID Identity and Access Management Suite prompts for appropriate credentials. Different users may be asked for different sequences of credentials, based on their group memberships and/or identity attributes.
- Hitachi ID Identity and Access Management Suite generates a SAML 2.0 assertion, indicating who the user is and what they are allowed to access.
- The user is redirected back to URL A, with the signed assertion.
This mechanism takes full advantage of Hitachi ID Identity and Access Management Suite policy engines:
- How users are authenticated is controlled using authentication chains, which support contextual selection of a suitable login process and multi-step logins, for example combining CAPTCHA, sending the user a PIN and asking for a password.
- Hitachi ID Identity and Access Management Suite can evaluate user membership in user classes and inject assertions about what the user should have access to in SAML assertion it sends to service providers. This adds role-based access control to applications that support receiving authorization information in SAML assertions.
Office 365 and Azure AD
Hitachi ID Identity and Access Management Suite can manage passwords on Microsoft Office 365 using the included agtoffice365 connector, which uses the following mechanisms to communicate with an Office 365 domain:
- Microsoft Online Services Sign-in Assistant.
- Microsoft Online Services Module for Windows PowerShell.
The Office 365 connector can enumerate accounts and mailboxes, create, move and delete accounts and mailboxes, set permissions, rename logins, reset passwords, etc.
The Office 365 connector can also create and delete groups and mail distribution lists, manage group/list memberships and read/write user attributes.
Hitachi ID Identity and Access Management Suite includes an Azure AD connector. This is a full featured connector, supporting operations relating to passwords (test value, reset, check/clear lockout, set expiry date), to accounts (enumerate, create, set attributes, move, rename, enable, disable, delete) and to groups (enumerate membership, attach/remove account, attach/remove group-as-member, read/write attributes, create, delete).
Note that a separate connector is provided for Office365, even though this SaaS product actually uses Azure AD as its Identity and access management (IAM) back-end.
Hitachi ID Identity and Access Management Suite can manage Salesforce.com passwords, using either the old-style, proprietary SFDC web services API or the new SCIM API.
Password management integration includes the ability to enumerate accounts, test current passwords and administratively reset passwords.
Identity and access management operations include creating, moving, changing and deleting SFDC user IDs and assigning or revoking entitlements, such as profiles (one per user, permission sets, roles and public groups).
Hitachi ID Identity and Access Management Suite includes a connector for managing accounts and passwords on Google G Suite. This is done over a web service exposed by Google and requires that Hitachi ID Systems customer have an API-enabled login ID on their Google applications domain.
To the extent that G Suite accounts use their own passwords, rather than federating authentication to an IdP, the relevant Hitachi ID Identity and Access Management Suite connector can also set, validate and clear lockouts on these passwords.
A connector is provided to read a list of employees and their attributes from Workday, via its web services API. This data is typically used to drive automated onboarding and deactivation of access on other systems and applications.
Hitachi ID Identity and Access Management Suite includes an outbound connector for applications that expose a System for Cross-domain Identity Management (SCIM) API. It can be used to enumerate accounts and groups, create, delete, enable and disable accounts, verify and set passwords, assign and revoke group memberships, etc.
Only a few SaaS applications currently support SCIM as a mechanism to manage their identities and entitlements. SalesForce.com is a notable example among these.
Almost no applications on the market are able to issue SCIM messages,
so Hitachi ID has not prioritized exposing an inbound SCIM interface.