ON-PREMISE FEDERATED IDENTITY & ACTIVE DIRECTORY FEDERATION SERVICES
An on-premise federated identity management system that provides seamless and secure access to thousands of applications using Single Sign-On technology. Integrated with our Virtual Identity Server (VIS), OFIS provides multi-factor authentication and authorization from any data store.
Register for a Free Trial Today!
Interested in the features and benefits of Optimal IdM? Request a demo!
About On-Premise Federated Identity Management Systems
OFIS is an on-premise federated identity management system that provides seamless and secure access to thousands of applications using Single Sign-On technology. Integrated with our Virtual Identity Server (VIS), it provides enterprise multi-factor authentication and authorization against any data store. OFIS provides everything you need in a federated single sign-on solution: users, whether on-premise, cloud hosted or federated, have seamless access to applications in the cloud and/or on-premise. OFIS is much more than a self-service password reset tool for Active Directory. Its built-in entitlements framework provides an easy-to-use and powerful claims-based authorization solution. Application administrators define entitlements and specify both who can request access to them and who can approve or deny that access. Users submit requests through the web interface; the requests are routed via email to the delegated administrators, who approve or deny them. When a user authenticates, the approved entitlements are added as additional claims to those sent to the application.
“I want to take a moment to say thank you! The Optimal IDM team have been great partners with Sears Hometown and Outlet Stores, as best demonstrated recently by your introduction to us of TypingDNA, a biometric/behavioral authentication method. With its recent implementation we now have all of our users on multi-factor authentication and were able to do so without inhibiting the user experience. Our users can simply type their email and password and sign in, with the TypingDNA authentication occurring in the background, transparent to them. The only real change for some of them is using their email instead of their username to log in. As an organization, we are benefiting from a higher degree of security while maintaining a great user experience!”
Features of Optimal Federation & Identity Services
Optimal Federation & Identity Services provides federated identity management solutions, including ADFS deployment with additional out-of-the-box (OOB) authentication methods such as traditional user ID and password (basic), Windows Integrated Authentication, single sign-on (SSO) to and from other systems, and Department of Defense Common Access Card (CAC) authentication.
VIS allows organizations to rapidly and easily deploy applications to users who exist in multiple Active Directory forests or other directories.
– The VIS Schema Manager™ eliminates the need to extend the Active Directory schema for third-party LDAP applications.
– VIS lets you rapidly deploy applications to users in multiple Active Directory forests without establishing any forest trusts, making VIS a premier cloud Active Directory solution.
– VIS simplifies your identity management deployment by accessing data directly at its source.
– VIS provides multiple views of the same data, allowing discrete, per-application views of enterprise data.
Reduced IT Costs
By providing federated single sign-on for your users, OFIS increases the value of your existing Microsoft environment. Both OFIS and VIS:
– Leverage the existing investment in Microsoft technology, extending it with increased functionality.
– Are developed in .NET and designed to integrate seamlessly with your Microsoft environment.
– Continue to grow with an organization’s needs.
– Are proven solutions for Microsoft applications such as SharePoint and MIIS/ILM.
Meet Audit and Compliance Initiatives
A complete federated identity provider, OFIS can help you answer questions such as:
– Who has logged in and when?
– What changes were made to data and when?
– Who was added to the Administrators group today?
– What changes did “Bob” make?
Application Framework
The OptimalCloud is pre-integrated with thousands of applications, providing seamless, one-click access. Search our Application Network to find your application today. If you do not see the one you are looking for, please let us know so that we can get it added to our network. Applications are added every day. Questions about our cloud-based active directory service? Contact Optimal IdM today.
Directory Integration
There is no need to waste time consolidating data. The OptimalCloud can instantly authenticate against and surface identity data from multiple forests and any identity store. It integrates with our Virtual Identity Server to provide authentication and authorization from any data store (LDAP, Active Directory, database, etc.). In fact, some of our customers have hundreds of Active Directory forests. We can even provide a blended, merged view of a user with data coming from multiple data sources.
Cloud Directory
The OptimalCloud also includes our cloud directory. The cloud directory is a great place to host your external identities such as customers or partners. You no longer need to manage an on-premise directory for these users. Using the web portal you can easily manage users, groups, entitlements and more from one easy-to-use interface.
Quick & Easy Deployment
The OptimalCloud is a quick and easy deployment. We provide complete white-glove service, creating the private cloud tenant and installing the on-premise software as well. Your private cloud in days, not months.
Real-Time Sync
If you are in hybrid mode, The OptimalCloud quickly and securely syncs new users created on-premise to the cloud. As changes occur to the on-premise users and groups, these changes are synced as well. This ensures that The OptimalCloud is always up to date.
User Management
From our custom entitlements engine to self-service administration, the OptimalCloud offers administrators a complete user management system that includes a robust Delegated Administrative Identity Management system.
Compliance Reporting
With The OptimalCloud, data is auditable and trackable. This provides you with a complete, centralized audit trail of all user/group management and application activity. The OptimalCloud includes dozens of reports that provide both high-level dashboard metrics and detailed audit reports.
Centralized Audit Trail
The OptimalCloud tracks and audits all activity. For example, we track failed and successful authentications, all SSO events, all application access, etc. You can easily see who authenticated, when and to what application. Reports can be easily filtered to provide the exact data you are looking for. For example, you can run a report for a given user over the past 30 days, to see exactly what that user has done.
Custom Reports
The standard reports included allow you to slice and dice the information the way you want it. Want a pie chart instead of a bar chart? Easy, just select it from the menu. Want to drill into a specific application or user? Easy, just filter it using drop down menus.
Cloud Reports
The OptimalCloud includes dozens of reports, already built and ready to run. There are dashboard reports that present high level metrics such as application usage over time, or authentication failures over a period of time. The data is real-time, so you can use the reports to monitor current activity or use for auditing past usage.
Export the data
The OptimalCloud’s reporting system also lets you export the data to CSV, Excel, PDF, an image, or HTML. You can use this export as an audit backup or import it into another log system.
Any Device
All of the reports are designed to work on any device, whether you want to review a report in your laptop browser or on your tablet or smartphone. Get the report you want now, on any device.
Federation Protocols
Optimal Federation & Identity Services works as a stand-alone service or integrated with an existing STS, including ADFS 2.0, ADFS 2.1 and ADFS 3.0. Other WS-Federation and SAML 2.0 federation systems are also supported. For more information on Optimal IdM’s Federation & Identity Services, contact Optimal IdM today or request a free trial to see which solution is right for you and your business.
Cloud vs. OFIS Comparison
Understanding cost differences between Identity as a Service (IDaaS) and on-premise deployments
Background
Usage of the cloud has become more and more prevalent, even for areas that were classically on-premise deployments. For example, the cloud Identity as a Service (IDaaS) market has grown substantially over the last few years. A major reason for the cloud adoption is that organizations have started to understand the true costs of maintaining an on-premise identity deployment. Historically, organizations didn’t realize the true cost of maintaining the solution until after it was purchased and deployed. Once deployed, employees needed to be trained and become “experts” to be able to fully support and maintain the environment, and unfortunately many identity management deployments are complicated.

Over time, organizations have started to realize that by leveraging cloud-based solutions they can effectively outsource these deployments to organizations that specialize in certain areas. For example, Optimal IdM’s cloud solution (TheOptimalCloud.com) is being leveraged by clients who recognize that we are federation experts and can more easily deploy, maintain and monitor their federation infrastructure. This allows their staff to focus on what they are doing now and not have to become federation experts.

Optimal IdM has created federation connections to hundreds of applications (relying parties) and we have had to make many tweaks along the way. For example, one cloud application that we have integrated with is case sensitive in its URLs, even though the federation specifications call for case insensitivity. Another application did not properly deflate its SAML 2.0 authentication request[1]. It is difficult to identify the actual cost in man-hours that your staff will spend on each and every one of the applications that you integrate with, but in our experience there will be many hours spent troubleshooting and debugging. Using The OptimalCloud means that your staff spends no time configuring or troubleshooting any of these applications.

[1] “SAML requests or responses transmitted via HTTP Redirect have a SAMLRequest or SAMLResponse query string parameter, respectively. Before it’s sent, the message is deflated, base64-encoded, and URL-encoded, in that order. Upon receipt, the process is reversed to recover the original message.”
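The encoding chain in footnote [1] is where the “did not properly deflate” failure mode above comes from: the SAML 2.0 HTTP-Redirect binding requires a raw DEFLATE stream (RFC 1951, no zlib header), and relying parties that skip the DEFLATE step, or emit a zlib-wrapped stream, produce a SAMLRequest the identity provider cannot inflate. The following is an added example written for this page, not Optimal IdM or OFIS code, showing the encode and decode steps, a tolerant decode path for the non-deflated case, and a size cap so an unauthenticated caller cannot make the IdP inflate an arbitrarily large stream. The AuthnRequest, the `.example.test` URLs and the `MAX_INFLATED_BYTES` limit are constructed placeholders.

```python
# Added example (not Optimal IdM/OFIS code): SAML 2.0 HTTP-Redirect binding,
# SAMLRequest parameter encoding and decoding.  The AuthnRequest below is a
# constructed sample; the sp/idp .example.test URLs are placeholders.
import base64
import binascii
import urllib.parse
import zlib

# Upper bound on the inflated message (assumed value).  A caller-supplied
# DEFLATE stream can expand to many times its wire size, so an unauthenticated
# endpoint must never inflate without a limit.
MAX_INFLATED_BYTES = 64 * 1024

# Constructed sample AuthnRequest (placeholder identifiers and URLs).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-request-1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/saml/sso">'
    "<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_request(xml: str) -> str:
    """Encode as the binding requires: raw DEFLATE, then base64, then URL-encode.

    wbits=-15 selects a raw RFC 1951 stream with no zlib header or trailer.
    Using zlib.compress() here (which adds the header) is the classic mistake
    that leaves the other side unable to inflate the request.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    # safe="" percent-encodes '+', '/' and '=' too; they are significant in a query string.
    return urllib.parse.quote(b64, safe="")


def encode_uninflated_request(xml: str) -> str:
    """Reproduce the buggy relying party described on the page: base64 and URL-encode only."""
    b64 = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def decode_redirect_request(param: str, allow_uninflated: bool = False) -> str:
    """Reverse the encoding: URL-decode, base64-decode, raw-inflate.

    allow_uninflated accepts a message that was only base64-encoded (the
    failure mode described on the page).  It is off by default: every extra
    shape the parser tolerates is extra attack surface on an unauthenticated
    endpoint, so enable it per relying party rather than globally.
    """
    try:
        raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("SAMLRequest is not valid base64") from exc

    inflated = None
    try:
        inflater = zlib.decompressobj(-15)
        out = inflater.decompress(raw, MAX_INFLATED_BYTES)
        # eof stays False when the stream is truncated or stopped at the size cap.
        if inflater.eof and not inflater.unconsumed_tail:
            inflated = out
    except zlib.error:
        inflated = None  # not a raw DEFLATE stream at all

    if inflated is not None and inflated.lstrip().startswith(b"<"):
        return inflated.decode("utf-8")
    if allow_uninflated and raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    raise ValueError("SAMLRequest is not a raw-DEFLATEd SAML message within the size limit")


if __name__ == "__main__":
    param = encode_redirect_request(SAMPLE_AUTHN_REQUEST)
    print("SAMLRequest=" + param)
    assert decode_redirect_request(param) == SAMPLE_AUTHN_REQUEST
    try:
        decode_redirect_request(encode_uninflated_request(SAMPLE_AUTHN_REQUEST))
        print("uninflated request accepted (unexpected)")
    except ValueError:
        print("uninflated request rejected by default, as intended")
```

Two points worth keeping in mind when adapting this: most web frameworks have already URL-decoded the query parameter by the time your code sees it, and `urllib.parse.unquote` is a no-op on a bare base64 string (no `%` in the alphabet), so calling it again is harmless, whereas `unquote_plus` would not be. And when the request is signed, the `Signature` parameter covers the exact URL-encoded `SAMLRequest=...&RelayState=...&SigAlg=...` string as received, so verify the signature over the raw query string before, not after, running any of the decoding above.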
Cost Comparison – Cloud vs On-Premise

Up-Front (One-Time) Costs

UP-FRONT COSTS                          | ON-PREMISE | CLOUD     | EXPLANATION
Server hardware                         | $60,000    | $0        | Cost of the servers ($10,000 per server x 6 servers)
Server software                         | $9,000     | $0        | Typical cost of Windows Server OS and Client Access Licenses ($1,500 x 6)
Backup hardware & software              | $2,000     | $0        | Typical cost of a backup solution and backup software
Ancillary server equipment              | $1,500     | $0        | UPS (battery backup), switch, rack, etc.
SSL certificates                        | $400       | Included* |
On-premise identity management software | $100,000   | Included  | No need to purchase on-premise software
TOTAL UP-FRONT COSTS                    | $292,900   | $8,500    |

* If vanity certificates are needed there will be a cost.
(Totals are reproduced as published; the on-premise line items listed above sum to $172,900, and no listed line item accounts for the $8,500 cloud total.)
Monthly Costs

MONTHLY COSTS                                           | ON-PREMISE | CLOUD    | EXPLANATION
Proactive maintenance & monitoring                      | $9,375     | $1,000   | 75% of the cost of one full-time employee ($150K a year), blended because the service must be available 24 x 7 x 365. For the cloud there is a $1,000 setup charge per IdP/SP; this assumes an average of one per month.
Offsite/online backup costs                             | $300       | $0       | Typical offsite or online backup costs
Energy costs for 6 geo-redundant servers (see footnote) | $365       | Included |
Cloud hosting costs                                     | $0         | $4,000   | Monthly base service charge
Monthly support and maintenance for on-premise software | $1,667     | $0       | Annual support and maintenance, spread over 12 months
TOTAL ESTIMATED MONTHLY COSTS                           | $11,707    | $5,000   |
Total Estimated Costs – Over a 3-Year Period (One-Time Costs Plus 3 Years of Estimated Monthly Charges)

TOTAL COSTS                     | ON-PREMISE | CLOUD    | EXPLANATION
Total cost over a 3-year period | $714,340   | $188,500 | Total cost of ownership over the estimated life/analysis period

As you can see when comparing the cost of an on-premise deployment to our Cloud Identity as a Service offering, DLA Piper will save a substantial amount of time and money.

Detail of the 3-Year Costs

                            | On-Premise              | Optimal Cloud
Monthly costs               | $11,707                 | $5,000
Yearly costs (monthly x 12) | $140,480                | $60,000
Up-front costs              | $292,900                | $8,500
3 years of monthly charges  | $140,480 x 3 = $421,440 | $60,000 x 3 = $180,000
Plus up-front costs         | $292,900                | $8,500
Total over 3 years          | $714,340                | $188,500
Other factors to consider
Lost Revenue due to downtime
InformationWeek reported on a 2011 study by CA Technologies that attempted to estimate what downtime costs businesses on a broad scale. Of 200 surveyed businesses across the USA and Europe, it found that a total of $26.5 billion USD is lost each year to IT downtime: an average of about $55,000 in lost revenue for smaller enterprises, $91,000 for midsize organizations, and over $1 million for large companies. You can see how important uptime is when it comes to production-level systems, and why the cost of downtime is a hidden factor that shouldn’t be skimmed over.
Providing a 24 x 7 x 365 fully Geo Redundant Service
Optimal IdM’s cloud service is a fully managed 24 x 7 x 365 service with guaranteed Service Level Agreements (SLAs). Each day millions of users depend upon Optimal IdM’s cloud-based federated identity management solutions for their authentication and security needs. This is our core business and competency, and we excel at providing the best service at the best possible price.
Cost of Identity and Access Management as a percentage of Total IT budget
The article at https://www.csoonline.com/article/2129591/metrics-budgets-10-identity-management-metrics-that-matter.html explains that “Within the IT security community, identity- and access-management (IAM) initiatives are considered high value, but are notoriously problematic to deploy. Yet despite IAM’s complexity, it represents 30 percent or more of the total information security budget of most large institutions, according to IDC (a sister company to CSO’s publisher).” With The OptimalCloud, the costs are significantly lower, with a quicker adoption time as well.
Energy costs estimated from this article
According to this reporter’s numbers, which use an average kWh cost for energy from the US Energy Information Administration as of January 2013, an average in-house server in the USA (accounting for both direct IT power and cooling) consumes about $731.94 per year in electricity.
Frequently Asked Questions
Does OFIS provide audit capabilities?
Yes. All activity can optionally be logged to a Microsoft SQL Server database, including who authenticated, when, how, to what application and with what claim values. Audit reports come out of the box for an administrator to run.
How can I control who has access to what applications using OFIS?
Using the built-in entitlements system of OFIS, an administrator can create custom claims that users can request access to. When a user requests access, the built-in workflow sends the request to either a delegated administrator or a claims administrator for approval or denial. If approved, the additional claim is added to the user’s list of claims after authentication (claims augmentation). These claims can be used to grant very fine-grained access, not only to applications but also to specific permissions such as a SharePoint document library.
What applications can OFIS provide authentication to?
OFIS is a 100% full federation solution that can provide access to any application that supports the federation standards. This includes both on-premise applications and cloud applications such as Salesforce, Concur, Office 365, etc.
Does OFIS provide any way to host other identities such as partners or customers?
Yes, this is built-in to the solution. Users can be created manually using the web interface, or they can self-register using the built-in self-registration module that includes workflow approval of users.
Does OFIS provide 2 factor authentication?
Yes, OFIS provides two-factor authentication through common second-factor systems such as RADIUS, Telesign, and PhoneFactor.
I was starting to implement AD FS, but I need to authenticate users that are not in Active Directory (AD). Can OFIS help?
Yes. OFIS uses our VIS product to authenticate to any data store, LDAP directory or database quickly and easily.
Can OFIS work with AD FS (ADFS)?
Yes, OFIS can work alongside ADFS if desired. Many customers use OFIS as an alternative to AD FS.
What authentication options does OFIS provide?
OFIS uses our VIS product to authenticate to any data store, LDAP directory or database. OFIS supports forms based authentication, Windows Integrated, Client Certificates as well as Common Access Card (CAC) authentication.
Is OFIS offered as a hosted solution?
YES, OFIS can be deployed on-premise, in our hosted cloud, or a combination of both!
Does OFIS support the SAML 2.0 Protocol?
YES, OFIS supports the SAML 2.0 protocol as well as WS-Federation (active and passive endpoints).
Can OFIS act as both an SP/RP (Service Provider/Relying Party) and IdP (Identity Provider)?
YES, OFIS can be configured to trust other IdPs (internal or external) as well as to be trusted by SPs/RPs (internal or external).
Resources
Data Sheet: Optimal Federation & Identity Services