Users can view and access their applications through the customizable application portal. Applications granted by the Cloud Access Manager administrator appear automatically on the application portal page, and users can also add their own bookmarks to their favorite applications. In addition, users can open their Password Wallet from the application portal to change the credentials stored for a particular application, or to configure auto-form-fill behavior.
If you have multiple directory forests in your organization that need access to the same applications, or if you need to provide access to users in different organizations, you can do that with Cloud Access Manager. Cloud Access Manager can federate with any identity provider that can accept and process a SAML or WS-Federation authentication request.
Cloud Access Manager will extract the claims from the incoming assertion and use them to make authorization decisions based on its role configurations. At logon, Cloud Access Manager will allow the user to select the identity provider that they belong to. Using cookies, Cloud Access Manager will remember which identity provider was chosen.
You can configure Cloud Access Manager to require two-factor authentication for all users. When a user accesses Cloud Access Manager, in addition to their normal username and password, they are prompted to enter a one-time password (OTP). To supply a valid OTP the user must physically possess the authentication device, which provides the additional assurance that the user attempting to log on is indeed who they claim to be.
Cloud Access Manager can also be configured to require two-factor authentication only when the perceived threat level is above a certain threshold. This functionality requires the Security Analytics Engine, which determines the threat level from a number of factors such as the location from which the user is logging in, the time of day, or whether the user is running a different web browser than expected.
NOTE: The strong authentication option requires One Identity Defender or another third-party strong authentication solution that supports the Remote Authentication Dial-In User Service (RADIUS) protocol.
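Because the strong authentication integration runs over RADIUS, it is worth seeing what actually crosses the wire. The following Python, added here as an illustration and not code from Cloud Access Manager, Defender or any RADIUS server, builds an Access-Request that carries the user's OTP in the User-Password attribute as specified in RFC 2865, lets a toy server reveal and check it, and verifies the Response Authenticator on the reply. The shared secret, NAS address, username and OTP values are constructed.

```python
"""RADIUS Access-Request carrying a one-time password (RFC 2865).

Added illustration, not product code. Shared secret, NAS address and OTP
values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is obfuscation keyed on the shared secret, not strong
    encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(data, secret, authenticator):
    """Inverse of obfuscate_password, as performed by the RADIUS server.
    Trailing padding is stripped; an OTP never ends in NUL octets."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(data[i:i + 16], key))
        prev = data[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, username, otp, secret, authenticator=None):
    """Client side: return (packet, request_authenticator). The Request
    Authenticator must be unpredictable, hence os.urandom."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, obfuscate_password(otp.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))  # constructed NAS address
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(attrs):
    result = {}
    while attrs:
        attr_type, length = attrs[0], attrs[1]
        if length < 2 or length > len(attrs):
            raise ValueError("malformed attribute")
        result[attr_type] = attrs[2:length]
        attrs = attrs[length:]
    return result


def server_handle(packet, secret, otp_db):
    """Toy server: reveal the OTP, compare it in constant time, and reply with
    an Access-Accept or Access-Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    _code, identifier, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    presented = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    expected = otp_db.get(user, "").encode()
    ok = bool(expected) and hmac.compare_digest(presented, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, identifier, request_authenticator, secret):
    """Client side: reject any reply whose Response Authenticator was not
    computed with our Request Authenticator and the shared secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if header[1] != identifier:
        raise ValueError("response identifier does not match the request")
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("response authenticator mismatch: reply not from the RADIUS server")
    return header[0]


def authenticate(username, otp, secret, otp_db, identifier=7):
    """Full exchange: True only on a verified Access-Accept."""
    packet, req_auth = build_access_request(identifier, username, otp, secret)
    response = server_handle(packet, secret, otp_db)
    return verify_response(response, identifier, req_auth, secret) == ACCESS_ACCEPT


if __name__ == "__main__":
    print(authenticate("alice", "493021", b"constructed-shared-secret", {"alice": "493021"}))
```

Two practical consequences follow from the code. The User-Password attribute is protected only by an MD5 keystream derived from the shared secret, so the RADIUS path between Cloud Access Manager and the strong authentication server belongs on a trusted network segment or inside RadSec (RADIUS over TLS, RFC 6614), with a long random shared secret. And the client must verify the Response Authenticator before acting on an Access-Accept; without that check, anything that can spoof a UDP reply can grant the second factor.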
When an authorized user needs access to an application for the first time, an account must be created for that user in that application. Traditionally, application user accounts are created pre-emptively for each user as part of the hiring process, whether or not the user actually needs them. This approach to user account provisioning causes so-called authorization creep: individuals are given access to systems they may never use, and those privileges are never removed.
Alternatively, accounts are provisioned manually as and when they are required. This promotes the principle of least privilege, since users are given access only to the resources they need to do their job, but doing this manually for a large user population and a large number of applications is a significant management overhead.
Cloud Access Manager’s just-in-time user account provisioning feature means that users can access the applications they need at the point they need them, with minimal administrative effort. For applications that are licensed per user, this can deliver significant savings, since accounts are no longer created unless they are actually used.
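The following Python, added here as an illustration and not Cloud Access Manager's own provisioning code, shows the shape of just-in-time provisioning: the authorization decision runs before any account is created, the account is created only on the user's first access to that application, and later accesses are no-ops. The role-to-application table, the applications, the users and the in-memory connector are constructed stand-ins; a real connector would call the application's provisioning interface. The preprovision_all function is included only to contrast the account counts of the two approaches described above.

```python
"""Just-in-time account provisioning driven by a user's roles.

Added illustration, not Cloud Access Manager code. APP_ROLES, the
applications and the users below are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical role configuration: which roles may use which applications.
APP_ROLES = {
    "expenses": {"finance-users", "all-staff"},
    "payroll": {"hr-users"},
    "crm": {"sales-users"},
}


@dataclass
class Application:
    """Stand-in for a target application and its provisioning connector."""
    name: str
    accounts: dict = field(default_factory=dict)  # username -> attributes

    def create_account(self, username, attributes):
        # A real connector would call the application's API here.
        self.accounts[username] = dict(attributes)


class Portal:
    def __init__(self, apps):
        self.apps = {app.name: app for app in apps}
        self.audit = []  # (event, application, subject)

    def authorize(self, app_name, roles):
        """Least privilege: the application must be granted to one of the user's roles."""
        return bool(APP_ROLES.get(app_name, set()) & set(roles))

    def access(self, app_name, subject, roles, attributes):
        """Handle an application launch from the portal. Returns 'denied',
        'provisioned' (account created on first use) or 'existing'."""
        if not self.authorize(app_name, roles):
            self.audit.append(("deny", app_name, subject))
            return "denied"
        app = self.apps[app_name]
        if subject not in app.accounts:
            app.create_account(subject, attributes)
            self.audit.append(("provision", app_name, subject))
            return "provisioned"
        self.audit.append(("access", app_name, subject))
        return "existing"


def account_count(portal):
    return sum(len(app.accounts) for app in portal.apps.values())


def preprovision_all(apps, users):
    """The traditional approach: an account in every application for every
    user, regardless of need. Returns the number of accounts created."""
    for app in apps:
        for user in users:
            app.create_account(user, {})
    return sum(len(app.accounts) for app in apps)


if __name__ == "__main__":
    portal = Portal([Application("expenses"), Application("payroll"), Application("crm")])
    print(portal.access("expenses", "alice@partner.example", ["finance-users", "all-staff"], {}))
    print(portal.access("expenses", "alice@partner.example", ["finance-users", "all-staff"], {}))
    print(portal.access("payroll", "alice@partner.example", ["finance-users", "all-staff"], {}))
    print(account_count(portal), "accounts exist")
```

The order of the two checks in access is the security-relevant part: an unauthorized request must never reach the connector, otherwise a provisioning path becomes a way to mint accounts. The audit list records both denials and provisioning events, which is what an investigator later needs to reconstruct who obtained an account where, and when.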