Integrated User Management
Active Directory User Management
Synchronized User Rights Management
Managing systems users can be a challenging aspect of implementing a GPS tracking and telematics system. Employees routinely come and go and the IT department or the GPS program manager is constantly struggling to keep up with employee changes. Additionally, this process may take time which leaves a window of opportunity for a disgruntled employee to access the system.
Integrated user management works from existing systems to automatically manage users in the GPS fleet management portal. Changes made in your normal employee management system are reflected in the portal when user access rights are checked between the systems. When you block an employee on your system, it immediately blocks the user on the GPS portal.
Microsoft TechNet Magazine
Azure AD is the latest “flavor” of Active Directory. Azure AD uses cloud technology, which avoids running an on-premises server in the closet just for ADFS.
Active Directory Federation Services
Major Benefits of ADFS
Partner Account Provisioning – Partner organization has just hired a new employee and would like that employee to access Web applications offered by your organization under the existing partnership agreement. Instead of requiring a new account managed by your organization, ADFS enables your organization to accept digitally signed claims from the partner organization. These claims from the partner organization can confirm that the requestor is indeed an employee of the partner.
Partner Account Credential Management – With a new local account for the partner employee, you’d normally need to have some method of managing the credential she uses to authenticate. With ADFS, your organization no longer needs to revoke, change, or reset that credential, since the credential is managed by the partner organization.
Partner Account Management – Suppose an employee in a partner organization has a new role that requires access to a different set of your Web apps. With ADFS, your partner always sends claims that reflect the employee’s current roles and permissions. Since ADFS allows you to use the partner’s claims to control access to your applications, the employee’s access is updated immediately.
Partner Account Deactivation – What if an employee with access to partner resources is fired? With ADFS, the employer can remove access for this employee across all other partner organizations. Without this functionality, the employer would have to contact each partner organization separately, and the ex-employee would continue to have access until this was accomplished.
Partner Changes – Imagine that a partner organization has begun aligning itself with your top competitor. Your organization decides to terminate the partnership to avoid any further information disclosure. With ADFS, the termination of the partnership can be effected with a single trust policy change. Without centralized partner management, individual accounts for each partner employee would need to be deactivated, a much lengthier process.
ADFS Best Practices
Standardization – Your organization may have a large set of business and legal requirements for setting up federation partners, but the ADFS technical requirements are fairly simple. Whether your organization will be functioning in the account or resource partner role, you’ll need to agree with each partner on the actual names for the claims that will be exchanged across organizations. If you are a resource partner with numerous account partners, it may be fairly easy to develop a standard set of mappings and ask your account partners to conform as part of the partnership. As a resource partner, you must also make sure you obtain each account partner’s token-signing certificate, which must be configured when creating the partner in the ADFS trust policy.
Flexibility – When organizing claims in trust policy, there are some constraints to be aware of. For organizations looking to leverage NT Token-based applications, at least one group claim must map to each security group that the organization plans to use for authorization decisions on account partner users. The claims and mapping system in ADFS allows for some flexibility and abstraction in claim assignment on the resource. For example, in situations where multiple different claims from a partner result in the same claim on the resource side, ADFS allows multiple claim mappings to refer to the same claim. Because the claims intended for claims-aware applications often do not map to Active Directory groups, there is even more flexibility for those applications. Flexibility in the ADFS claims model allows for many solutions.
Automation – For organizations with complex workflows and business processes and high partner churn, the ADFS OM API offers an alternative to the manual configuration process. The OM API allows programmatic access to trust policy construction and editing. Organizations with existing custom tools for handling business processes can integrate ADFS trust policy editing into the partnering process tools directly. As partner volume and churn increase, this can also be preferable to allow for some automation as well as extended partner-analysis functionality.
Matt Steele is a Program Manager on the Active Directory Federation Services team at Microsoft. Matt is currently working on ADFS product integrations and supporting the design of future identity and access technologies.
©2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.
Azure AD or ADFS Setup
ADFS is free if you are using Active Directory 2008 or newer. It is an “add-on” which enables access to your network from outside your network. Don’t worry, ADFS is secure and a standard Microsoft service used by thousands of large companies.
Fleetistics will provide a set of groups to which all users are assigned in the customer’s Active Directory (AD). AD then passes this information to ADFS, which acts as the secured gateway for external access. When a user attempts to log in to the MyFleetistics portal, the request generates a token which is sent to the customer’s ADFS for authentication. Upon authentication, a token is returned which is matched to the request, and the user is able to log in with the access rights assigned to their groups.
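The following is an added example, not code from Fleetistics or from the TechNet article. It models the resource-partner side of the flow described above and the claims-mapping point from the ADFS best practices: the returned token is checked against the account partner’s signing key, the partner’s group claims are mapped onto portal-side claims (several partner groups may map to the same portal claim), and access is granted only when a mapped claim covers the requested feature. An HMAC key stands in for the partner’s X.509 token-signing certificate, and all group and claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: stand-in for the account partner's token-signing certificate.
# Real ADFS tokens are signed with an X.509 certificate; an HMAC key is assumed here.
PARTNER_SIGNING_KEY = b"constructed-partner-signing-key"

# Many-to-one claim mapping (names are assumptions): several partner groups
# may resolve to the same portal-side claim, while unmapped groups are ignored.
CLAIM_MAP = {
    "FleetDispatchers": "portal.dispatch",
    "FleetSupervisors": "portal.dispatch",
    "FleetAdmins": "portal.admin",
}


def sign_token(claims, key):
    """Account-partner side: serialize the claims and sign them with the partner key."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, key):
    """Resource-partner side: return the claims only if the signature matches the key."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # not signed by the trusted account partner
    return json.loads(base64.urlsafe_b64decode(body))


def resource_claims(partner_claims):
    """Map the partner's group claims onto portal claims; groups not in the map are dropped."""
    groups = partner_claims.get("groups", [])
    return sorted({CLAIM_MAP[g] for g in groups if g in CLAIM_MAP})


def authorize(token, key, required_claim):
    """Access decision: trusted signature AND a mapped claim that covers the feature."""
    claims = verify_token(token, key)
    if claims is None:
        return False
    return required_claim in resource_claims(claims)
```

Because the decision is made from the groups carried in each fresh token, a user removed from the relevant AD group (or disabled entirely) stops receiving the mapped claim and is denied on the next login without any change on the portal side.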
Industry First AD Integration
Fleetistics is proud to be the first in the industry to offer user management through integration of Active Directory. Through the use of Active Directory groups, user access to features of the MyFleetistics portal can be centrally managed using the same familiar tools and processes already in place within your organization.
Single Sign On (SSO)
SSO provides immediate access or denial to a company network or connected services such as MyFleetistics. The great benefit is that if your company is already using Active Directory, SSO eliminates all user rights management from within the GPS program. This means that when someone joins or leaves your company and their status is updated in AD, that access is instantly mirrored in MyFleetistics.
This eliminates a major administrative burden on GPS program administrators trying to keep informed and updated with every employee change across the entire company.