
Top 5 reasons to keep your Identity and MFA providers in sync

By now, you may have heard about SecureX, Cisco’s new integrated platform that simplifies the security experience. SecureX is built into the Cisco security portfolio and connects your entire security ecosystem for simplicity, better visibility, and greater operational efficiency. SecureX sign-on is one of the key features of SecureX – it gives users instant access to the platform and all of their applications and data, while keeping the identity provider (IdP) and multi-factor authentication (MFA) provider in sync.

Is your organization using an IdP and an MFA provider? You can make life easier for your SecOps team while strengthening your organization’s cybersecurity posture, improving compliance and increasing visibility, all without adding tasks to your team. This post describes a new automated process that does all of this for you.

Background

With SecureX sign-on, we are using several identity providers (like Okta, Auth0, Azure AD and Cisco security) as our applications need and see fit. We chose Duo to be our multi-factor authentication (MFA) provider as it gave us great visibility into our customers’ security posture and is a very flexible MFA. Now we needed to have our Identity and MFA Providers in sync.

An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network.

Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).

Multi-factor authentication reduces the incidence of online identity theft, because the victim’s password would no longer be enough to give a thief permanent access to their information.

Why do my Identity and MFA providers need to be synchronized?

Here are 5 reasons to keep them in sync:

  1. General security hygiene. Keeping user names and deletions in sync avoids two split-brain databases, and that is always a good idea: you never know when you are going to have to research an issue.
  2. User deletion. For both compliance and security reasons, if I delete a user, I want them gone from all my databases. Almost every IdP has 50% ghost accounts, and cleaning them up is important.
  3. Reset user’s credentials. The number one reason for calls to our call centers is lost phones and mistaken registrations. We need a simple way to reset from one place that propagates everywhere.
  4. Policy is king. Keeping the data in sync lets me define dynamic policies once and have them apply across providers.
  5. Reporting. With groups in place, I can provide meaningful reports that show specific admins what their domains look like.

Why not use SCIM?

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems.

User identity synchronization can be achieved using the SCIM specification; however, not all MFA providers want to use or can use SCIM. This SDK keeps users synchronized between service providers in that case.

How this works

[Sequence diagram: How this works]

A user can update his profile details in the IdP service.

An admin can perform the following actions in the IdP service:

  • Create/delete a user
  • Create/rename/delete a group
  • Associate/disassociate a user to a group
  • Disable/reenable a user
  • Reset MFA for a user
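To make the flow above concrete, here is an added example (not code from the idp-hook-updates project) of the webhook endpoint's core: it verifies an HMAC signature on the IdP's callback before trusting it, then applies each admin action to the MFA side idempotently, so a replayed or duplicated event does not corrupt the directory. The secret, event type names and the in-memory MFA directory are all constructed for this example; real IdPs and Duo have their own payload formats and admin APIs.

```python
import hashlib
import hmac
import json

# Shared secret between the IdP's webhook sender and this endpoint (constructed for the example).
WEBHOOK_SECRET = b"constructed-demo-secret"

class FakeMfaDirectory:
    """In-memory stand-in for the MFA provider's admin API; not Duo's real API."""

    def __init__(self):
        self.users = {}    # username -> {"enabled", "groups", "factors"}
        self.groups = set()

    def apply(self, event):
        kind, user, group = event["type"], event.get("user"), event.get("group")
        if kind == "user.create":
            # setdefault keeps a replayed create from wiping an existing record
            self.users.setdefault(user, {"enabled": True, "groups": set(), "factors": 1})
        elif kind == "user.delete":
            self.users.pop(user, None)           # deleting twice is harmless
        elif kind in ("user.disable", "user.reenable"):
            self.users[user]["enabled"] = kind == "user.reenable"
        elif kind == "user.mfa_reset":
            self.users[user]["factors"] = 0      # lost phone: force re-enrollment
        elif kind == "group.create":
            self.groups.add(group)
        elif kind == "group.delete":
            self.groups.discard(group)
            for rec in self.users.values():
                rec["groups"].discard(group)
        elif kind == "group.member_add":
            self.users[user]["groups"].add(group)
        elif kind == "group.member_remove":
            self.users[user]["groups"].discard(group)
        else:
            raise ValueError(f"unsupported event type: {kind}")

def sign_body(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def handle_webhook(raw_body: bytes, signature: str, directory: FakeMfaDirectory) -> int:
    """Verify the HMAC first, then apply events in order. Returns an HTTP status code."""
    if not hmac.compare_digest(sign_body(raw_body), signature):
        return 401                               # reject forged or tampered calls
    for event in json.loads(raw_body)["events"]:
        directory.apply(event)
    return 200
```

Verifying the signature over the raw bytes before parsing is what keeps a stolen endpoint URL from becoming a way to delete users or reset their factors.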

Supported Identity Providers

This list is expected to grow with time.

  • Okta
  • Auth0

Supported MFA Providers

This list is expected to grow with time.

  • Duo Security

Deployment

The Webhooks endpoint can run anywhere, even on-prem.

Deployment scripts to AWS, Azure and Google Cloud are provided via Terraform.

Supported Cloud Providers

  • AWS
  • Azure
  • GCP

Show Me the Code!

The source code is available at https://github.com/cisco-sbgidm/idp-hook-updates

Getting Support

If you have questions, concerns, bug reports, etc., please open a GitHub Issue against the project.

Authors

Oded Peer

Technical Leader - Engineering

Security - Special Projects