Integrated User Management

Active Directory User Authentication

Synchronized User Rights Management

Managing systems users can be a challenging aspect of implementing a GPS tracking and telematics system. Employees routinely come and go and the IT department or the GPS program manager is constantly struggling to keep up with employee changes. Additionally, this process may take time which leaves a window of opportunity for a disgruntled employee to access the system.

Integrated user management works from existing systems to automatically manage users in the GPS fleet management portal. Changes made in your normal employee management system are reflected in the portal when user access rights are checked between the systems. When you block an employee on your system, it immediately blocks the user on the GPS portal.

Microsoft TechNet Magazine

Azure AD is the latest “flavor” of Active Directory. Azure AD utilizes cloud technology thus avoiding the server in the closet just for ADFS. Read more here.

Azure AD Points

Active Directory Federation Services

Active Directory Federation Services, also known as ADFS, was introduced in Windows Server 2003 R2 to help organizations set up and participate in a standards-based identity federation.

IT organizations can use identity federations to make decisions based on identity data from other organizations, while also sharing selected information about their own users’ identities. You can think of a federation as an agreement between two organizations with some common purpose, often structured so that each partner retains the management of its own internal affairs. In this context, identity is defined by a set of statements or claims about a subject (you can read more about this in Joshua Trupin’s article in this issue, or in Kim Cameron’s “Laws of Identity”whitepaper). So the common purpose of an identity federation is the sharing of identity information and identity authentication responsibilities. ADFS enables this decentralized identity sharing by implementing the WS-Federation protocol along with standards such as WS-Trust and Security Assertion Markup Language (SAML).

Major Benefits of ADFS

ADFS provides an identity federation solution for organizations looking to share identity information with their partners in a secure manner. Using the trust policy for an ADFS Federation Service, you can manage your trust relationship with partners and map partner claims to claims understood by your organization’s Web applications.

By relying on partner claims to initiate Web application sessions, responsibility for partner account management remains with the partner. The partner knows when its new employees are hired, shift roles, and are terminated. And ADFS enables federation partnerships to be managed in a central place, reducing the headache of adding and removing partnerships. ADFS also helps organizations share identity with partnerships using the same trust policy. When establishing a partnership to use another organization’s Web applications, ADFS provides a central place to manage and audit the employee identity information that is shared with that partner.

Identity Federation with ADFS offers solutions to a number of potential issues.

Partner Account Provisioning – Partner organization has just hired a new employee and would like that employee to access Web applications offered by your organization under the existing partnership agreement. Instead of requiring a new account managed by your organization, ADFS enables your organization to accept digitally signed claims from the partner organization. These claims from the partner organization can confirm that the requestor is indeed an employee of the partner.

Partner Account Credential Management – With a new local account for the partner employee, you’d normally need to have some method of managing the credential she uses to authenticate. With ADFS, your organization no longer needs to revoke, change, or reset that credential, since the credential is managed by the partner organization.

Partner Account Management- Suppose an employee in a partner organization has a new role that requires access to a different set of your Web apps. With ADFS, your partner always sends claims that reflect the employee’s current roles and permissions. Since ADFS allows you to use the partner’s claims to control access to your applications, the employee’s access is updated immediately.

Partner Account Deactivation- What if an employee with access to partner resources is fired? With ADFS, the employer can remove access for this employee across all other partner organizations. Without this functionality, the employer would have to contact each partner organization separately and the ex-employee would continue to have access until this was accomplished.

Partner Changes- Imagine that a partner organization has begun aligning itself with your top competitor. Your organization decides to terminate the partnership to avoid any further information disclosure. With ADFS, the termination of the partnership can be effected with a single trust policy change. Without centralized partner management, individual accounts for each partner employee would need to be deactivated a much lengthier process.

ADFS Best Practices

Imagine for a moment that, as the local ADFS guru, you are asked to spearhead configuring your company’s 30 business partners as account federation partners. Setting up a single partner following the ADFS Step-by-Step Guide wasn’t too difficult, but what about configuration on a larger scale? There are important concerns for organizations looking to scale the number of partners further out in ADFS. Best practices for addressing these concerns include understanding the technical requirements of your partnering process, using a consistent structure for organization claims, and using the ADFS Object Model (OM) Application Programming Interface (API).

Standardization – Your organization may have a large set of business and legal requirements for setting up federation partners, but the ADFS technical requirements are fairly simple. Whether your organization will be functioning in the account or resource partner role, you’ll need to agree with each partner on the actual names for the claims that will be exchanged across organizations. If you are a resource partner with numerous account partners, it may be fairly easy to develop a standard set of mappings and ask your account partners to conform as part of the partnership. As a resource partner, you must also make sure you obtain each account partner’s token-signing certificate, which must be configured when creating the partner in the ADFS trust policy.

Flexibility – When organizing claims in trust policy, there are some constraints to be aware of. For organizations looking to leverage NT Token-based applications, at least one group claim must map to each security group that the organization plans to use for authorization decisions on account partner users. The claims and mapping system in ADFS allows for some flexibility and abstraction in claim assignment on the resource. For example, in situations where multiple different claims from a partner result in the same claim on the resource side, ADFS allows multiple claim mappings to refer to the same claim. Because the claims intended for claims-aware applications often do not map to Active Directory groups, there is, even more, flexibility for those applications. Flexibility in the ADFS claims model allows for many solutions.

Automation – For organizations with complex workflows and business processes and high partner churn, the ADFS OM API offers an alternative to the manual configuration process. The OM API allows programmatic access to trust policy construction and editing. Organizations with existing custom tools for handling business processes can integrate ADFS trust policy editing into the partnering process tools directly. As partner volume and churn increase, this can also be preferable to allow for some automation as well as extended partner-analysis functionality.

Read more about the ADFS OM API at go.microsoft.com/fwlink/?LinkId=66063.

Matt Steele – is a Program Manager on the Active Directory Federation Services team at Microsoft. Matt is currently working on ADFS product integrations and supporting the design of future identity and access technologies. View

Azure AD or ADFS Setup

ADFS is free if you are using Active Directory 2008 or newer. It is an “add-on” which enables access to your network from outside your network. Don’t worry, ADFS is secure and a standard Microsoft service used by thousands of large companies world wide. If you are unfamiliar with setting up ADFS the Fleetistics help desk service provider can provide IT consulting services and do this for you. Let your account manager know if you need this service from IGTech365.com.

Secure Process

Fleetistics will provide a set of groups which all users are assigned to in the customers Active Directory (AD). AD then passes this information to ADFS which acts as the secured gateway to external access. When a user attempts to login to the MyFleetistics portal, the request generates a token which is sent to the customers ADFS for authentication. Upon authentication, a token is returned which is matched to the request and the user is able to login with the groups access rights assigned.

Industry First AD Integration

Fleetistics is proud to be the first in the industry to offer user management through integration of Active Directory. Through the use of Active Directory groups, user access to features of the MyFleetistics portal can be centrally managed using the same familiar tools and processes already in place within your organization.

Single Sign On (SSO)

SSO provides immediate access or denial to a company network or connected services such as MyFleetistics. The great benefit is that if your company is already using Active Directory SSO eliminates all the user rights management from within the GPS program. This means when someone joins or leaves your company and their status is updated in AD it instantly mirrors that access in MyFleetistics.

This eliminates a major administrative burden on GPS program administrators trying to keep informed and updated with every employee change across the entire company.