ActiveRoles Server: Securing the registry

It is always important to safeguard access to powerful AD groups such as Domain Admins and Enterprise Admins, and tools like ActiveRoles Server can make that a breeze. ActiveRoles Server itself also has an almighty AD group that gives its members full access to everything within ActiveRoles, including the Active Directory forests it manages. It is therefore vital that you safeguard this group and add only a bare minimum of users. It is also recommended that the group be given an unrelated name so that it does not stand out to an intruder browsing the directory. Be aware, however, that by default the name of this group can be read directly in the registry of the server running ActiveRoles, at HKEY_LOCAL_MACHINE\SOFTWARE\Aelita\Enterprise Directory Manager\DSAdministrators. A non-obvious name is therefore only a speed bump: anyone who can read that key learns which group to target, so the membership still has to be kept minimal and monitored.

The guide below will show you how to change this:

  • Open the ActiveRoles Server Console
  • Right-click Configuration
  • Click Properties
  • Go to the Object tab
  • Click Advanced Properties
  • Tick ‘Show all possible attributes’ and ‘Include attributes with empty values’
  • Search for “edsvaDSAdministrators” and double-click it to edit
  • Enter the new group in DOMAIN\group form and click OK
  • Click OK three more times to close the dialogs
  • Restart the “Quest One ActiveRoles Administration” service
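The check that goes with this change, as an added example that is not part of the original post or of the ActiveRoles product: read what the registry on the ActiveRoles server discloses, see who is allowed to read that key, and enumerate the real membership of the group (nesting included). Run it before and after the change above to confirm what is now exposed. It assumes that DSAdministrators is a string value under the key named in the post holding the group as DOMAIN\Group, that the RSAT ActiveDirectory module is installed, and that the script runs elevated on the ActiveRoles host; the 90-day idle threshold and the membership ceiling of five are illustrative choices, not product defaults.

```powershell
# Added example, not from the ActiveRoles documentation or the original post.
# Run elevated on the ActiveRoles server. Shows what the registry discloses
# about the admin group, who can read that key, and who is in the group.
# Assumptions (labelled): DSAdministrators is a string value under the key
# named in the post, holding the group as 'DOMAIN\Group'; RSAT's
# ActiveDirectory module is installed.
Import-Module ActiveDirectory
$keyPath = 'HKLM:\SOFTWARE\Aelita\Enterprise Directory Manager'

# 1. Which group does the registry name?
$groupName = (Get-ItemProperty -Path $keyPath -Name 'DSAdministrators' -ErrorAction Stop).DSAdministrators
"ActiveRoles admin group as disclosed by the registry: $groupName"

# 2. Who can read that key? Anyone listed here learns which group to target.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize

# 3. Who is in the group, nesting included? Keep this list to a bare minimum.
$sam = ($groupName -split '\\')[-1]          # strip the DOMAIN\ prefix
$members = Get-ADGroupMember -Identity $sam -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate
$members | Format-Table -AutoSize

# Flag what a reviewer would act on: disabled or long-idle members (an account
# that has never logged on counts as idle), and a membership larger than the
# handful the post recommends. 90 days and 5 members are illustrative limits.
$idle = $members | Where-Object { -not $_.Enabled -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) }
if ($idle) { Write-Warning "Disabled or idle 90+ days: $($idle.SamAccountName -join ', ')" }
if (@($members).Count -gt 5) { Write-Warning "$(@($members).Count) accounts hold full ActiveRoles control; review." }
```

The ACL listing in step 2 is the part that matters for the point above: if Authenticated Users or Everyone appear with read rights on that key, renaming the group bought nothing, and tightening the key's ACL (or accepting the exposure and relying on membership control) is the real decision.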




Shaping the Future: How IT Leaders are Turning Responsibility into Opportunity

As organizations in every industry increasingly lean on their IT teams to support critical business services, CIOs are facing bigger responsibilities than ever before. Thanks to the rise of infrastructure and software as a service, CIOs can embrace these new duties as opportunities to shape the future of their organizations. Instead of rebuilding platform layers from scratch, IT teams can now assemble modular services into complete solutions. This frees up time and resources to focus on unique product features, whether that involves making employees more productive, bringing greater value to customers, uncovering new revenue, or all of the above. So how are real-life CIOs transitioning into the role of “chief business enabler”? There’s no better place to look than our customers.

We sat down with IT leaders at FICO, Informatica and Rotary International to tell us how they rely on services like Okta’s in order to spend more time improving user experience and driving revenue. Hear what they have to say in the video below, and in the highlights we put together here:

  • Tony McGivern, CIO, FICO: “Okta has freed up resources that allowed us to stop focusing on internal IT and start focusing on the FICO Analytic Cloud and solutions that generate revenue. In this new age, if you’re going to work with cloud based providers, those cloud based providers are going to become part of your business.”
  • Lisa Moorhead, Director of IT Applications, Informatica: “One requirement we looked at when embarking on our e-commerce initiative was making it seamless for the end user. It needed to look like Informatica, so we used Okta APIs in order to handle all the user management, registrations and forgotten passwords – all behind the scenes while letting the user still feel like they’re inside the Informatica property.”
  • Peter Markos, CIO, Rotary International: “That’s the future for Rotary. We’re crowd-sourcing application functionality. Okta is helping us lower barriers to adoption and making it easy for any Rotarian to say, “I know how to use this functionality!” They use the same ID and password and get right to the good stuff and the value, as opposed to having hurdles to jump through.”



New Office 2016 SSO Support and Office 365 Provisioning Enhancements

It’s no secret that Office 365 has been on fire lately. With the recent release of Office 2016, Office 365 users can get business done more effectively, with new collaboration tools, integrations and full support for Windows 10. And as we shared in our recent Businesses @ Work report, it’s overtaken the likes of Google Apps and Salesforce as the most used cloud service within the Okta Application Network (OAN).

With that in mind, Okta has been laser-focused on Office 365. We worked closely with Microsoft as they moved the Office desktop suite to modern authentication, which hands sign-in off to a federated identity provider over SAML/WS-Federation. (In fact, Okta has supported SSO for Office 2016 since day one.)

As we assist businesses in migrating to the cloud service, we’ve noticed many of our customers who use Okta instead of ADFS want to complete the picture and also replace DirSync (now known as Azure AD Connect).

Our new round of Office 365 Provisioning Enhancements, now in beta, lets businesses easily swap out Azure AD Connect and use Okta instead in a number of scenarios. Admins can provision extended user profiles, along with distribution groups, contacts and resources like conference rooms. With this, you get all the benefits of modern directory integration from Okta – real-time updates, granular control, one place to configure everything across on-prem and the cloud and automatic high availability, at scale.



IDM:Clean and IDM:Organize

‘Clean’ and ‘Organize’? What does housekeeping have to do with identity management?

All IT projects have a common Achilles heel: implementation. No matter how quick the process is, it always feels too long, and a rushed implementation can cause headaches for years to come. Identifying the right organizational units and stakeholders to involve can also be a pain, and getting it wrong quickly results in wasted effort and hours that could have been put to better use. Just think of your average corporate software policies and how most administrators handle upgrades (reluctantly); these are issues that require significant investment to overcome.

As identity and access management specialists, we have regularly thought long and hard about how to improve the implementation process of the various systems involved. As mentioned, skipping steps to speed up the implementation easily results in an unsustainable garbage-in, garbage-out scenario, and bad data is something we really want to avoid. By replacing steps with software rather than skipping them, we found a way to achieve the highest possible level of data quality and speed up the implementation at the same time. The results are IDM:Clean and IDM:Organize.

So what do these tools actually do?


Cleaning up involves putting things away, removing garbage and sanitizing the area. IDM:Clean does the same for various systems by chewing through data dumps pulled from them and generating a report with recommendations that can be carried out manually or through import files. Primary systems such as AD, SAP, Dynamics AX and NAV are the main targets for this process.

IDM:Clean can be configured to check for things like redundant permission groups, empty or unused groups, separate groups with identical users, groups that are made up entirely of disabled or inactive users, users that have not used the system for a long time, and a host of other things.
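Four of the checks listed above, implemented against a live AD with the RSAT ActiveDirectory module, as an added example that is not IDM:Clean's own code or output: empty groups, groups whose members are all disabled, separate groups with identical membership, and enabled users that have not logged on for a configurable period. It assumes RSAT is installed and the caller can read group membership and user attributes; the 90-day staleness threshold and the output file name are illustrative choices.

```powershell
# Added example, not IDM:Clean's own code. Runs four of the hygiene checks the
# post lists against live AD and writes the findings to a CSV that can be
# filtered and sorted in Excel, in the spirit of the second output file.
# Assumptions (labelled): RSAT ActiveDirectory module installed; the caller can
# read group membership and user attributes; "unused" means no logon in $StaleDays.
param([int]$StaleDays = 90, [string]$OutFile = '.\ad-clean-findings.csv')
Import-Module ActiveDirectory

$groups = Get-ADGroup -Filter * -Properties member
$users  = Get-ADUser  -Filter * -Properties Enabled, LastLogonDate, whenCreated
$userByDn = @{}
foreach ($u in $users) { $userByDn[$u.DistinguishedName] = $u }

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Object, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# Well-known groups (RID below 1000, e.g. Domain Users, Domain Admins) are
# skipped: they are never deletion candidates, and primary-group membership
# does not show up in the 'member' attribute anyway.
$customGroups = $groups | Where-Object { [int](($_.SID.Value -split '-')[-1]) -ge 1000 }

# Check 1: empty groups
foreach ($g in $customGroups) {
    if ($g.member.Count -eq 0) { Add-Finding 'EmptyGroup' $g.Name '' }
}

# Check 2: groups whose members are all disabled users
foreach ($g in $customGroups) {
    $members = @($g.member | ForEach-Object { $userByDn[$_] } | Where-Object { $_ })
    # only judge groups made up purely of user objects we could resolve
    if ($members.Count -gt 0 -and $members.Count -eq $g.member.Count -and
        -not ($members | Where-Object { $_.Enabled })) {
        Add-Finding 'AllMembersDisabled' $g.Name "$($members.Count) disabled members"
    }
}

# Check 3: separate groups with identical membership (merge candidates)
$seen = @{}
foreach ($g in $customGroups) {
    if ($g.member.Count -eq 0) { continue }
    $key = ($g.member | Sort-Object) -join '|'
    if ($seen.ContainsKey($key)) {
        Add-Finding 'IdenticalMembership' $g.Name "same members as $($seen[$key])"
    } else {
        $seen[$key] = $g.Name
    }
}

# Check 4: enabled users with no logon for $StaleDays. LastLogonDate comes from
# lastLogonTimestamp, which replicates with roughly 14-day precision; that is
# fine for a cleanup report. Accounts newer than the cutoff are not judged.
$cutoff = (Get-Date).AddDays(-$StaleDays)
foreach ($u in $users) {
    if ($u.Enabled -and $u.whenCreated -lt $cutoff -and
        (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)) {
        Add-Finding 'StaleEnabledUser' $u.SamAccountName "last logon: $($u.LastLogonDate)"
    }
}

$findings | Export-Csv -Path $OutFile -NoTypeInformation
$findings | Group-Object Check | Select-Object Name, Count
```

Each finding is a recommendation, not an action: as the post says, the spreadsheet is reviewed, corrected and approved before anything is removed, and in particular a group with all members disabled may still be referenced in ACLs that a membership dump cannot see.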

The tool will generate two files based on whatever parameters are selected. The first file is a written report, or executive overview, that explains the results and makes suggestions based on them. The second output is an Excel file that includes every finding with the ability to filter, sort and make changes just like any spreadsheet.

After qualifying, processing, correcting and approving the content in the Excel file, the relevant system can either be updated manually or using an import file generated by feeding the relevant changes back into IDM:Clean.

Whether you plan to implement an IDM/IAM/IAG tool afterwards or not, making sure your systems are clean is always a worthwhile endeavour. For example, how is your AD doing? How many groups do you maintain and how many users do you have? Are your active users really active? Do you know who has remote access and whether they still need it? Which consultants and contractors do you still work with?

In all likelihood, you probably have several active accounts for consultants or partners that you have not worked with for a while. You may also have active accounts for users that stopped working for you months ago. In addition, the number of groups can sometimes end up being more than that of users!

In short, it is hard to maintain control. A traditional cleanup of AD can be like trying to weed a rainforest with a pickaxe. That is one of the reasons we developed IDM:Clean as a stand-alone tool. The benefit? With around 15,000 users, an acceptable cleanup might take around 3–6 person-months of labour depending on the complexity and state of the system. IDM:Clean can bring that down to roughly a third, with greater reliability and the peace of mind that everything is being caught.

A traditional cleanup project often looks like this, requiring some sort of cut-off:

Our process, on the other hand, simply looks like this:


When dealing with identities, systems can become highly complex and difficult to manage without a clear overview. A good way to handle this is with an Identity and Access Management (IAM) tool. If you are planning to implement one such as our in-house IDM365 solution, we can help you further.

With the clean data output from IDM:Clean, we are able to profile current users through pattern matching. By looking at users, permissions and attributes such as business units, departments, locations and so on, IDM:Organize is able to propose easy-to-understand umbrella groups and access profiles that fit logically into roles or job functions assigned to users.

Just like IDM:Clean, IDM:Organize can be configured in many different ways to make the patterns more flexible or more specific. For example, one user may be missing only a single permission that is part of another group. Depending on the requirements, IDM:Organize may suggest that the user be moved into that group, with enough information for a manager or executive to decide whether that would be appropriate.

This process has a profound influence on implementation time as well, easily reducing it by about 50%. Rather than having to go over each and every worker with their manager to find out what their roles are, what access they need and so forth, managers can simply look over their staff and confirm what each of them does. In addition to saving a lot of time, having the software generate an overview report for managers to review puts you in a much better position moving forward.

Traditionally, this is what organizing roles and permissions looks like:

Here is how we do it:

More information about IDM:Clean, IDM:Organize and the IDM365 solution can be found here. More information on IDM365 and MIM can be found here.



IDM365 is in the Cloud

Are you struggling to make your application, or application portfolio, scalable, failover ready, and/or compliant with IT environmental certification? If so, the following will be of interest to you.

These are precisely the challenges that cloud providers such as Microsoft Azure™ have placed serious focus on.

Why talk cloud from our perspective as an IDM/IAM/IAG specialist? To begin with, identity and access management, access governance, and the maintenance of the structure involved all present universal challenges that extend to the cloud. There are many concepts and issues that need to be taken into consideration before implementing a cloud strategy, starting with a thorough investigation and definition of how identities will be provisioned in a smooth and secure way.

As a global vendor of identity and access management, we have had to look very thoroughly into the many facets of cloud integration – investigating the market, varied requirements, and possible partners – in order to decide on a cloud strategy. Our choice came down to Microsoft Azure™, and here are a few reasons why:

How does Microsoft Azure defeat the challenges?

Challenge 1: Your application needs the ability to adjust so that usage spikes will not affect end users.

Azure supports scaling the compute underneath your application up and down dynamically: you can monitor usage, configure alerts and define autoscale rules. Check out Troy Hunt’s great article about rapidly scaling websites with Azure for a more in-depth look at why this is important.

Challenge 2: Your application has a guaranteed uptime requirement that means it needs to stay alive even if a hosting machine unexpectedly crashes.

Azure backs applications built on Azure Web Apps and Azure SQL Database with financially backed uptime SLAs. No provider guarantees 100%, so these services are built with redundancy to survive the loss of an individual host, and your application should still be designed for failure. For more information about how these services prevent application downtime, check out the “Azure Business Continuity Technical Guidance” article on the Microsoft Azure documentation website.

Challenge 3: Your application’s infrastructure and processes need to comply with certain official IT environmental certifications.

IT certification varies greatly depending on the industry you are in and the kind of data you are storing. Azure is one of the few cloud platforms with an outspoken strategy of complying with the various certification models, such as SAS 70 (since superseded by SSAE 16 / SOC reports) and HIPAA. Being compliant with these standards can be very costly and troublesome, but Azure already has you covered at the platform level; the controls in your own application and processes remain your responsibility. You can see an overview of the considerations Microsoft has dealt with, as well as the certifications already achieved, in last year’s overview entitled “Microsoft Azure Security, Privacy, & Compliance” found on the Cloud Security Alliance (CSA) website.

What is outlined above are the major challenges a Cloud solution will solve for you, but that is far from all. The cloud opens up many possibilities that simplify problems or eliminate them altogether. Some of these possibilities will be covered in another article.

IDM365 and Azure – Better Together

We know how the above challenges can place a daily burden on owners of all kinds of applications, so we have done our best to make the IDM365 implementation a painless process no matter the infrastructure. To that end, IDM365 has been made fully compatible with Azure, allowing it to be deployed directly into your new or existing Azure cloud setup. Implementing our product with Azure will therefore not only solve your challenges with identity and access management, but do so in a way that is fully scalable, reliable, and compliant across the board.

More information on IDM365 and MIM can be found here.



Best Practice IAM Implementation

Identity and Access Management is a broad concept that can have an enormous impact on business. By providing complete user identity life cycle management with automation as the backbone, IAM tools not only take a huge burden away from IT but also enhance the business’s ability to control users and ensure compliance. With a proper attribute- and role-based IAM solution, users can be given exactly the access they need without all the manual setup and auditing. By handling things electronically, IAM tools remove a lot of paperwork and can provide up-to-date reports, as long as they log all actions and changes properly. Identity and access management solutions provide information and control while saving the business money.

With all these features, IAM tools quickly become an integral part of any IT, CIO or CISO toolbox. A proper IAM tool can interact seamlessly with all the IT systems in your environment and ensure fast roll-out and decommissioning of any such system. But the trick to implementing an IAM solution, as I see it, is to prioritise in stages the benefits you want to achieve in the short and the long term. Here is my advice when rolling out an IAM tool:

Understand your business needs: Establish how far you need to implement the IAM solution; one size does not fit all here. Ensure that the various phases of your IAM project are tied to quantifiable business results.

Review your policies (risk, management and workflows): Check that internal policies and department responsibilities are up-to-date and defined properly.

Don’t rush in: Successful IAM implementations can take up to three years – don’t try to cut corners, as clearing up the mess may be difficult and can wreck your bottom line.

Scale it: Don’t do too much at once. Get an easy win first, rather than tackling a major task from the beginning. An early win is essential to ensure buy-in stays strong.

Collaborate: Cooperation is the key to a successful deployment. Make sure you get the right people on board across the business: involve system administrators, managers and executives, as well as end users. Do not use a siloed approach.

Training, education, practice: Provide focused instruction to both users and IT staff, and ensure that regular refreshers are scheduled.

Future-proof your plans: Don’t fall into the trap of vendor lock-in. Instead, look for the most flexible solutions. The best way should allow future integration without too much pain.


Depending on your reasons for implementing an IAM solution, you need to look for short-term benefits and long-term ROI. Let the benefits stack up rather than trying to grasp them all at once. Trying to force a fast, full-scale implementation increases the risk of failure and of losing buy-in. By taking things one step at a time, IAM can still be implemented faster than you think, as each step prepares you, and everyone involved, for the next one. First-year benefits could include AD cleanup, a user identity overview, license alignment of certain systems, self-service password reset, automated provisioning and HR reporting.

By connecting one system at a time without rushing access and policy setups, onboarding, offboarding, identity control and management can be transitioned gradually from IT to business users in a safe and stable manner.

More information on IDM365 and MIM can be found here.



The (Security) Times, They Are A-Changin’ – Make Way for MFA and the New Security Era

Three years ago, a WIRED cover story declared the password dead. This was just after the famous personal identity hack of the reporter, Mat Honan.

“Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account,” the article explained. “The age of the password has come to an end; we just haven’t realized it yet.”

Fast forward three years and, yep, we have arrived in this new era of security. Many companies have fallen victim to data breaches since that 2012 WIRED cover story, and security has quickly risen to the top of businesses’ minds. It has become crystal clear that passwords alone are not enough protection.

In fact, 51 percent of top executives are concerned about security as a challenge in adopting digital technologies. And they’re doing something about it: As our Businesses @ Work report found, the classic “security question” (What’s your mother’s maiden name?) is becoming less and less popular as a form of verification, dropping 14 percent since April 2014. We’ve also seen a 40 percent increase year-over-year of companies moving to protect their apps with MFA.

If the WIRED story got anything wrong, it’s the myth that you need to make a tradeoff between convenience and privacy. At Okta, we believe strong security doesn’t have to come at the expense of great user experience, as long as you have the right tools in place – including MFA to protect your apps and corporate assets.

There are four key ingredients to a security environment that’s both effective and convenient for users:

Contextual access: Access policies should allow, restrict, require step-up authentication, or deny access based on the user, device and other considerations like network, location or type of application. For example, a company should automatically require step-up authentication if an employee requests access from a device they’ve never used before.

Wide selection of second factors (that people actually want to use): Encourage easy, secure access for everyone by offering user-friendly factors like push notifications, SMS, and hardware tokens like YubiKey.

Proactive protection: Data-driven proactive security is the best kind of security. By controlling access based on historical user behavior, organizations can detect suspicious activity and also avoid unnecessary verification prompts. For example, there is no need to require a remote employee to verify their identity every day from their home office, but it is wise to prompt for MFA when they log in from a new remote location.

Integration with all apps and VPNs: For ultimate security, integrate with a broad set of apps and network infrastructure – both cloud and on-premises – to centrally enforce MFA and protect applications that don’t natively support second factors. Data breaches cost an average of $3.8 million, so eliminate all coverage gaps to reduce your chances of getting hacked.

An IT environment that’s not only secure, but also user-friendly? You can have it all. Learn more here.
