What is The OptimalCloud

Optimal IdM has several award-winning SSO solutions. Currently, the most popular is our SSO Federation Broker technology that we call The OptimalCloud. The OptimalCloud is the choice of many top companies world-wide based on our ability to customize your environment to your unique business and regulatory compliancy needs.

We’ve built The OptimalCloud as a heterogeneous, vendor-agnostic Federation Broker. It’s referred to as a “broker” because we don’t require account synchronization to flow between our OptimalCloud and other identity stores on-premise.

Out of the box, The OptimalCloud supports basic authentication, ADFS deployments, X.509 certificates, Kerberos (Windows Integrated Authentication) and Department of Defense Common Access Card (CAC) authentication, as well as additional second-factor methods such as email and SMS. We also offer a strong authentication service (MFA/2FA) and support certain biometric functions.

Optimal IdM supports hardware OTP and public-key tokens, smartcards and software OTP for tablets and PCs, as well as other types of tokens, e.g. RSA, Gemalto, etc. Optimal IdM also supports custom authentication methods.

 

Architecture Flexibility

In addition, The OptimalCloud version 4.2 supports deployment as a Federation Identity Provider (IdP) or as a Service Provider (SP). This gives our customers more deployment scenarios and prevents vendor lock-in from proprietary dependencies. We embrace open federation standards, such as:

  • SAML
  • WS-Federation
  • WS-Trust
  • Shibboleth
  • OpenID Connect
  • OAuth 2.0
  • SCIM 2.0-compliant API (for user management)

Additionally, because The OptimalCloud is deployed for each customer as a single tenant, we can customize the implementation to add support for legacy apps, custom workflows, and unique business, regulatory and compliance requirements. Those types of customization cannot be done in competitors’ multi-tenant, shared cloud environments.

This flexibility allows our solution to be deployed in B2E, B2B, B2C and Government-to-Citizen scenarios.

 

When is SAML not really SAML?

Internet authentication protocol standards are sometimes advertised by the business applications you buy, but when you try to federate with them, they don’t work. That is simply because some applications implement these standards incorrectly.

Customers come to us with broken apps that need some type of customization before they can be federated. The OptimalCloud is made for this: we can customize SAML assertions and specific parameters.

In fact, most of our customers need to customize their deployment for regulatory compliance reasons or because of internal security or business rules.

The OptimalCloud can handle ‘broken’ apps without any re-engineering of the app. We’ve seen these issues countless times in customer apps that require all kinds of non-standard behaviour, e.g. assertions in a very precise, particular order, or apps that look up a group object yet don’t check its member attributes.

 

A List of Federated Applications We Support

The OptimalCloud currently federates with more than 5,000 applications of all varieties. Sometimes we are asked for a catalog, or list, of applications we federate with. While we welcome that conversation, we think that better questions are:

  • How much time does it take to federate an application that’s on your list?
  • How much time for one that isn’t?
  • How much federation and configuration expertise will this require of my administrators?

The OptimalCloud is built for simplicity. We can onboard a federated application that is not in our list in a matter of minutes, literally. Most importantly, it’s done through a simple web request to us and a couple of clicks. We do the configuration on our side; no expertise is needed on yours.

 

Sliding Sessions

Session management is a part of access control for web authentication. Most customers use some type of sliding sessions.

A session is a sequence of events (or requests) and the corresponding responses, paired with a single user. An authenticated session is normally bounded by a sliding window. For example, a banking web service may allow up to 10 minutes of inactivity before requiring you to re-authenticate. It’s called a sliding session because it is based on a countdown of inactivity, reset by each request, before logging you out.

The OptimalCloud supports both fixed-duration and sliding sessions. In addition, The OptimalCloud supports the Single Logout (SLO) protocols defined in SAML 2.0 and WS-Federation. When a session is closed, it performs the SLO steps for the relying parties and identity providers involved in that session. This is customizable.

There is currently no industry standard for SLO in OAuth2 and OpenID Connect, but Optimal IdM is able to support SLO for OAuth2 and OpenID Connect through simple customizations. Optimal IdM can customize our solution so that you don’t have to alter, or dumb down, your business processes to adapt to new technology.
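To make the two session models concrete, here is an added example (not Optimal IdM’s code) of a session store that enforces an inactivity window, an absolute lifetime, or both, and that records which relying parties received an assertion so that Single Logout can fan out to them when the session closes. The policy values, session ids and relying-party names are constructed assumptions; the 600-second idle limit mirrors the 10-minute banking example above.

```python
from dataclasses import dataclass, field


@dataclass
class SessionPolicy:
    idle_timeout: float   # sliding window: max seconds of inactivity (0 = no idle limit)
    max_lifetime: float   # fixed duration: max seconds since authentication (0 = no cap)


@dataclass
class Session:
    user: str
    authenticated_at: float
    last_activity: float
    relying_parties: set = field(default_factory=set)  # SPs that got an assertion (SLO targets)


class SessionStore:
    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self._sessions = {}

    def create(self, sid: str, user: str, now: float) -> None:
        self._sessions[sid] = Session(user, now, now)

    def _expired(self, s: Session, now: float) -> bool:
        p = self.policy
        idle_hit = p.idle_timeout and now - s.last_activity > p.idle_timeout
        life_hit = p.max_lifetime and now - s.authenticated_at > p.max_lifetime
        return bool(idle_hit or life_hit)

    def touch(self, sid: str, now: float) -> bool:
        """Validate a request against the session; slides the idle window on success."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if self._expired(s, now):
            self._sessions.pop(sid, None)  # expired: the user must re-authenticate
            return False
        s.last_activity = now  # slide the inactivity window forward
        return True

    def record_assertion(self, sid: str, relying_party: str) -> None:
        """Remember each SP that received an assertion so SLO can reach it later."""
        self._sessions[sid].relying_parties.add(relying_party)

    def logout(self, sid: str) -> list:
        """Close the session and return the relying parties that must receive an SLO request."""
        s = self._sessions.pop(sid, None)
        return sorted(s.relying_parties) if s else []
```

The absolute lifetime matters because a purely sliding window never ends for a user who keeps clicking; combining both bounds the exposure of a stolen session cookie.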

 

MFA Support

Optimal IdM has been named as a finalist for the 2018 Cybersecurity Excellence Awards for both “Identity Management” and again separately for our MFA solution. Additionally, Optimal IdM has been named “Best Multifactor Authentication Solution” of the 2017 Government Security News (GSN) Homeland Security Awards (HSA) Program under the Cyber Security Products and Solutions category.

Optimal IdM has full-featured MFA support via the following:

  • One Time Password
  • OTP via EMAIL
  • OTP via SMS
  • OTP via Voice
  • Open TOTP Standard
  • PUSH Notifications
  • BasicAuth + PUSH
  • Native REST WEB
  • Our Custom API
  • Passwordless
  • Biometrics with Optimal IdM’s free iOS and Android app.

Additionally, Optimal IdM has a free iOS and Android authenticator app.

Our full-featured MFA supports complex scenarios, such as:

    1. Fine-grained AuthN policies – while Optimal IdM does support coarse-grained AuthN (e.g. role-based access for simple decision models), we also support dynamic, attribute-based access control (ABAC) for real-time decision making at the Federation Broker level, requiring no synchronization. We can therefore immediately deny access in simple off-boarding/termination scenarios, or act on attribute-based decisions (manually entered or dynamically generated from decision criteria) to deny access or require step-up, risk-based AuthN such as MFA.
    2. MFA per app or per user – Many MFA solutions have limitations such as on-premise or cloud only, all-or-nothing MFA, or per-app MFA. Optimal IdM can get as granular as per-user decisions for MFA. Our step-up, risk-based AuthN can be configured dynamically from fine-grained controls (ABAC) to evaluate higher-risk access and trigger MFA.
    3. Social media login AuthN – leveraging an end user’s social identity in Google, Facebook, LinkedIn, etc. (whether it’s an employee, partner, customer, or government citizen)

 

Differentiators

  • Adaptive Authentication/Authorization – we can configure rules that govern risk during user authentication, such as requiring step-up authentication to MFA for certain functions, or denying access when certain conditions exist, such as coming from an untrusted network. Optimal IdM supports these functions dynamically, in real time, and these adaptive access rules are processed in our policy engine at a granular level: on an application-by-application basis, per user, or globally if you prefer.
  • Extensible full federation platform – Leverage your current infrastructure; don’t replace it. Many customers use our platform for their Office 365 deployment and then extend it to provide SSO to legacy on-premise applications or other cloud applications. Optimal IdM supports all federation protocols and federates with thousands of other applications out of the box.
  • Expertise – We extend your datacenter with our staff of federation experts. Federation expertise is often difficult to find in the marketplace. With The OptimalCloud, you don’t have to find it; leverage our staff to manage and maintain a platform that scales to global levels, on demand.
  • Time-to-deploy – Our solution is usually up and running in a couple of hours. There are no agents to deploy in your environment, just a few simple configuration parameters, and we do the rest on our side. Even onboarding new applications, outside of the more than 5,000 that we already support, takes as little as a few minutes each for our customers; we do the configuration of the Federation Broker for you.
  • Granular reporting – The OptimalCloud offers granular reporting. You can see who is using which applications and how often. Optimal IdM leverages the power of cloud reporting and visualizations. Detailed reports can be sliced and diced in many ways and exported to different formats: for example, import into Splunk or SQL, download to Excel, or use Power BI.
  • Vendor agnostic – We are a heterogeneous platform supporting all of the current federation standards, such as WS-Federation, WS-Trust, OAuth, OpenID Connect, Shibboleth and SAML 2.0. As new standards or updates to specifications are published, we add them to the platform.
  • Cost – We can provide this global service faster and cheaper than building it internally. There is no per-user, per-month pricing to penalize you for growth.
  • Private & secure – Each of our customers runs in a separate, single, secure tenant in Azure/AWS/Google. This means that no other customer shares the services and there is no chance of identity information being exposed by another tenant. We are one of very few SaaS vendors that support both encryption in transit and encryption at rest.
  • Security – Our products are used and trusted by some of the most secure government agencies, running on both unclassified and classified government networks worldwide.
  • Customization – because your SaaS/IDaaS cloud service is fully dedicated to you, it can be customized to your specific business needs. Such customizations are not possible in competitors’ shared, multi-tenant environments.
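As an added illustration of the fine-grained, attribute-based decisions described under MFA Support and in the Adaptive Authentication bullet above (example code, not Optimal IdM’s policy engine), the function below turns per-app, per-user and network-based rules into an allow, deny or step-up decision evaluated on live attributes at request time. The trusted networks, the policy table and the attribute names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: networks considered trusted for this example.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed policy table: a global default, per-app overrides, and a per-user MFA list.
POLICY = {
    "default": {"mfa": "untrusted_network"},              # step up only when off-network
    "apps": {
        "payroll": {"mfa": "always"},                      # app-level: MFA for everyone
        "hr-admin": {"deny_untrusted_network": True},      # app-level: no access off-network
    },
    "mfa_users": {"alice"},                                # user-level: always step up
}


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    source_ip: str
    attributes: dict  # attributes read live from the identity store; nothing is synchronized


def on_trusted_network(source_ip: str) -> bool:
    addr = ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def decide(req: Request, policy: dict = POLICY) -> str:
    """Return 'deny', 'step_up' (require MFA) or 'allow' for one access request."""
    # Off-boarding: a live attribute denies immediately, no account sync required.
    if req.attributes.get("employmentStatus") == "terminated":
        return "deny"
    trusted = on_trusted_network(req.source_ip)
    rules = policy["apps"].get(req.app, policy["default"])
    # Adaptive rule: some apps are simply unreachable from untrusted networks.
    if rules.get("deny_untrusted_network") and not trusted:
        return "deny"
    # Step-up rules: per app (always), per user, or conditional on network risk.
    if rules.get("mfa") == "always" or req.user in policy["mfa_users"]:
        return "step_up"
    if rules.get("mfa") == "untrusted_network" and not trusted:
        return "step_up"
    return "allow"
```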

 

CIAM

Proper Customer Identity and Access Management (CIAM) enables organizations to capture, identify, manage and secure customer identity and profile data as well as scale on-demand and control access to applications and services.

  • Register customers’ identity
    • We can provide end-user self-service registration
    • We support registration via social profile logins, such as LinkedIn, Facebook and Google ID
    • Federate with trusted sources of other Identity Providers
    • We support bulk imports of users from disconnected systems
  • AuthN customers
    • We can provide SSO via Federation as IdP or SP/RP
    • We can force MFA per application/service or based on risk factors (Risk-based authentication)
  • Manage IDs your way
    • We are a single point of Identity Policy Management allowing for unified access policies
    • A single point of logging and collection
  • Control Access to applications and services
    • A single point to control access based on granular policies by nearly any user attribute or dynamic real-time application of policy
  • Scale on demand
    • We have a cloud-based model for immediate capacity provisioning handling millions of AuthNs
  • Protect and secure users’ data
    • We are one of very few SaaS vendors that provide support for both encryption in transit and encryption at rest for our IDaaS/SaaS model

Contact us at sales@optimalidm.com to see why Optimal IdM’s CIAM solution has been chosen over our competitors.