Directories, Lifecycles, and Digital Transformation
Transcript
Speaker 1: I would like to introduce Marc Jordan. He is our senior product manager for directories and integrations at Okta. Please give me a round of applause.
Marc Jordan: Hey, good afternoon, everyone. Thanks for joining us. I know this is the last session on the last day and I've seen some sleepy people here. If I haven't met you yet, my name is Marc Jordan. I'm our PM for our directory integrations, as well as some of our Microsoft integrations, so please come and talk to me about all things UD-LDAP and all things Desktop SSO and everything else after the session if you're that way inclined.
I’m going to start the session with an eye test for you people probably in the front end. We may make reference to some things that aren't yet released as part of this presentation so don't make any buying decisions or anything like that based on what I'm presenting to you today. Thanks so much. Moving on, today, we're going to talk about how Okta thinks about managing directories and how we think about integrations into Okta. What I'm then going to do is pass you over to Herminia who I'll introduce shortly who's going to take you through National Geographic's journey as they created this amazing Org2Org partnership with Fox. I'm going to go into a demo and show you just how easy it is with existing technology, how you can create these partnerships, how you can start to be productive from day one with your customers, with your contractors, with your partners, with all different populations as we've spoken about over the last two days.
Managing user lifecycle is challenging. I probably don't need to tell anyone here that and it gets more challenging when you've got a huge geographic footprint, so if you've got offices in EMEA or in Australia or in Asia Pacific and everywhere else, managing identity across all those different silos can be tough. It's also tough if you're undergoing mergers, acquisitions, partnerships, and all these different things. You need different populations to get different levels of access across all of your different tooling, across all of your different applications, services, and these other bits and pieces.
Sometimes, you just want to collaborate. Sometimes, you need to share a document. Sometimes, you want someone to see your SharePoint site. Sometimes, you just need someone to have an extra set of eyes from outside of your company from somewhere else, and getting the right level of access at the right time is critically important to your business, but then making sure when that's no longer relevant that they don't have that access is equally important from a security perspective.
When I think about directory integrations today, I don't just think about AD and LDAP. These are very important and very important to the work that my teams and I do, but we also think about things like consumers, getting our users that are in LinkedIn, in G Suite, in all of these other services into Okta and then out to applications is important. We think about business partners. We think about inbound SAML. We think about federation. We think about all these other tools and that's a directory as well. That's a source of user attributes.
Then, we think about HR systems. We think about HR as a master, things like Workday, Ultipro, SuccessFactors, and all these other bits and pieces and the goal of getting all this data into a single pane of glass is to get you access to your applications, so your SaaS applications, but as you've heard today over the last two days, it's much bigger than that, giving them access to F5 so they can access on-premises resources, giving them access to things like your CASBs to maybe your MFA providers and all these other bits and pieces are critically important.
We've got customers in the audience, customers that are here this week that just connect one AD instance to Okta and we think that's great. Keep it simple. They might have geographically located offices that are all in the same AD forest, in the same AD domain. That's fantastic. Sometimes, there's two. Sometimes, there's three. There's people here this week that have a thousand Active Directory forests connecting into Okta and doing this work and that's challenging. That's really, really tough.
In those circumstances, it's really important you choose a deployment model that meets your business needs. Sometimes, we talk about multi AD domains coming into Okta. We talk about multiple Okta orgs with multiple AD instances. Well, you might connect an AD to one, an AD to another, potentially have LDAP or an LDAP service hanging off one of your Okta instances and then choosing the best of breed SaaS applications to tie to those is equally important. Our business’s a work dashboard has … There's a huge number of customers that use both G Suite and Office 365 and so picking that deployment model is important.
Then, when it all comes down to it, we want to make sure that you continue to modernize. If you're looking to go to the cloud, you continue to get rid of that on-premise infrastructure that might be holding you back, that might be slowing you down. It’s just not necessary when you go to a pure cloud-based solution and as you've heard, and I can talk more about it as well, we're introducing things like our LDAP interface for universal directory where I can start to turn off my LDAP instances, potentially my AD instances depending on what I'm using them for, and connect directly to a cloud-based service to do all these authentication, these directory lookups and bits and pieces like that.
With all that said, I want to hand you over to Herminia who's going to take you through some of the work that National Geographic has been doing to create partnerships and really modernize their IT.
Herminia Gomez: Hello. My name is Herminia Gomez and I am lead systems engineer for National Geographic. I support identity access management and SaaS account lifecycle management. I have worked for National Geographic in various roles and divisions since 1997. Sorry about that. I'm here to tell you the story of the National Geographic and 21st Century Fox joint venture. I want to tell you the role identity played in this venture and how Okta helped us make that transition, but before I tell you this story, I need to paint a picture of what our environment looked like before and some of the challenges we faced after.
The first thing we had was PeopleSoft as our system of record or our profile master, and it handled employees or staff through our PeopleSoft HRMS and also non-staff using a custom-built application where we managed contractors, vendors, partners, special accounts. We also had a third-party application that handled the account lifecycle, handled the creation at the pre-hire state. It also handled group assignment and also disabled the accounts 30 days after termination.
Of course, we had Active Directory and we had Okta that we used for single sign-on and provisioning. We also had an application on our intranet where we hold our contact information, so it served not only as our intranet but also as our online directory for contacts. In this image or in this workflow, my role was identity manager, so I handled the relationship with PeopleSoft as far as data and requirements changes. I also managed the tools for identity access management, which also managed our password system, so users would log in to a site where they would answer security questions and they would reset their passwords, unlock their accounts, et cetera.
I was the domain administrator, so I handled all things Active Directory, but we had a dedicated team that handled all things SaaS and they handled not only Okta but all of the SaaS applications. My experience with Okta was very limited. I helped with agent installations. As you know, we have to install agents on the domain controllers and on the member servers, and I helped them whenever they needed to provision new applications and I helped them troubleshoot, but my experience with Okta was limited to that.
21st Century Fox and National Geographic had a long-standing relationship. In 2015, they decided to expand that. They decided to put together the National Geographic Channel, the magazine, and now the outlets and create a new company called National Geographic Partners, and this was a for-profit company while National Geographic Society stayed as a nonprofit organization.
Okay, so they announced this joint venture. The first thing that comes to mind is that we're going to split but … When you think about splitting, 73% of National Geographic Society became National Geographic Partners. We had to move not only the servers but also our personnel over to the Fox Network. We were also told, “Hey, we're going to split but we still need to function as one company because we are the engine.” National Geographic is an engine that feeds National Geographic Partners content, so we needed to share services.
We had a lot of challenges. We had a lot of infrastructure changes. One of the things that we … The first thing we learned was of course that we had to split, but then we also learned that there were some applications that were going to be major applications that needed to be replaced. Give me one second. Give me one second. I apologize. I want to make sure that I give you this information, so I want to take you to what I call ground zero at that time when this was announced. We know we've got to split. That's the first thing that comes to mind, but then management announces that they're going to give what's called a retirement package to individuals that had been working for National Geographic for x number of years.
You have to understand, in 2015, I had been with National Geographic for 16 years and I was considered a newbie. I worked directly with at least seven or eight people that had been with the company before I was in elementary school, and we had a dedicated team of SaaS administrators and guess what? They had been with the company for over 30 years. They took the package. Now, IT still has the same level of responsibility that they had before, but now on top of that, we have to worry about this joint venture and splitting the company apart. Now, we have more than doubled the load of work that we had with less than half of our staff.
Other announcements were made. Replacement of PeopleSoft. We no longer needed a system as robust as PeopleSoft and PeopleSoft was going to be replaced with Workday. As I mentioned before, the intranet is dependent on Active Directory and information that's coming in from PeopleSoft. We didn't know if Workday could fulfill that requirement and we didn't know if Workday could replace our non-staff registry, so we need to split, we need to share resources. Okay. I don't know if you have ever had an IT meeting where you sit and you have a meeting about the meeting. We had a meeting about the agreement that an AD trust, we all agreed, was going to be the solution. Okay, great. We can do this. We can do this with an AD trust.
As we're preparing for this, we're waiting for Fox to make that decision. Okay, let's move forward with this Active Directory trust. We waited for months. After months of waiting, they decided this does not fit their security posture. This opens up the Fox Network, exposes too much of the Fox Network to National Geographic. I'm like, “What?” “No. AD trust was not the solution.” I go over to our vice president, Dan Beaupre, and I'm going to say, “Okay, these people made a mistake. They're telling us we can't do this with an Active Directory trust.”
I walk in, I'm ready to say let's push this and he looks at me and he says, “Have you considered Okta?” I'm like, “What? Okta can't do what's meant for Active Directory to do.” Then, he says, “Think about it. Go do your research. Ask questions and then come back. If you think Okta can do it, I'll go back and I'll argue and I'll tell them we need Active Directory trust.”
I did. I started researching. I called Okta Support. I think they hated me for the time that I was calling because I have a superpower. I have no shame in calling and harassing until I get what I want. I called Joe DiGregorio who was our account rep at the time and I asked questions and the more questions I asked, the more questions I had, the more creative my solution became. At the end of the day, I said, “Okay, I think Okta can do this. Okta is the solution to this problem.”
How did we do it? We did it in multiple phases, and I think we called one phase 1a and then we had phase 1b, but in truth, there were four phases. The first thing I learned about, remember, we have to share resources. We have to have individuals from the Fox Okta tenant be able to access resources from the NGS tenant seamlessly. The first thing I learned about was inbound SAML. In addition to having Okta as the identity provider, you can also set up Okta as a service provider, so this allowed National Geographic resources to be accessible to the Okta tenant seamlessly, with single sign-on.
On top of that, we needed to replace PeopleSoft and AD as the profile master for our intranet and for our online directory. What we did was use Okta API calls, no longer needing to have that PeopleSoft view that we had set up and that Active Directory import into the application. We're now pulling the information directly from our National Geographic Okta universal directory. This replaced two applications, two components, making it so much easier for our users.
Now, we have the access through inbound SAML but we still need to do that final stage. We need our users to be able to log in and we need to be able to replace those accounts and we need our Fox users to no longer be dependent on our NGS Okta information but come directly from the Fox Okta, so Org2Org. This is my favorite part of the configuration. The Org2Org application allows you to manage the user lifecycle from end-to-end, so if a user from Fox Okta logs into a National Geographic resource, fine, that's great. We got that going. What happens to that user when that user leaves Fox Okta? That account, through the Org2Org application, is automatically disabled.
You have to understand, for us at that time, it was so critical because the company, we had one company. Our users only had to come through one system. When we split, there was not as much communication, or the communication between the companies wasn't established, so that when a person left the company, sometimes I didn't know that the user had left the company. I've actually run into individuals like that: the person is in the directory, they left two weeks ago. I was chasing our managers around. “Is this person still employed at National Geographic?” With Org2Org, I no longer have to chase people around. The accounts are deactivated automatically.
We have the lifecycle management, we have the single sign-on. My second favorite part is that we are now able to eliminate 800 accounts because they no longer need an Active Directory account to access our resources. They can go straight from the Okta tenants, from one Okta tenant to the other. The communication is established. The security is there, so now I can go into our Active Directory environment and I can disable and delete all of those accounts.
This is what our environment currently looks like at National Geographic. We replaced PeopleSoft and we have staff provisioning that goes directly into Okta, and then those users are pushed into our Active Directory environment. We replaced our non-staff registry. We built a custom application in ServiceNow. We still have that third-party application that's handling the account provisioning for the non-staff registry, which is also pushing those users into Active Directory and then pushing them into Okta. Our users have the same experience. They log in to Okta and they access the resources.
Our NG Connect is no longer dependent on PeopleSoft or Active Directory. Identity and access is based on the Okta UD. Fox or our partners have a similar setup. They have PeopleSoft to handle their employees. They have a third-party application to handle their non-staff and of course, they push the information into Active Directory and from there, it goes into Okta, access to resources.
This is the magic slide. Look at this. From National Geographic, our users continue to have that same experience. They log in to Okta and from Okta, they go into all of our resources. Same thing for Fox, but look at the cloud. We just made the cloud bigger because now, we have shared services that both companies and both sets of users can access seamlessly, because to the user, it just looks like the same Okta they've always logged into.
The best part is no loss of functionality. The users that were formerly National Geographic employees and are now National Geographic Partners employees have the same experience, same functionality that they had before. Better security posture. I don't have to chase around our non-staff registry coordinators. You have to understand, I had individuals that didn't even know what company they worked for. I had a person that called me and she was mad at me because she needed access to a resource and she told me, “No, I am a National Geographic Society employee.” I had to chase her down and prove to her, “No, you work for National Geographic Partners.”
I had this in reverse. I also had individuals that called and said, “Hey, reset my password,” and as I chased them around, I found out, “Well, you’re no longer employed. Your contract was terminated.” I don't have to worry about any of that with the Org2Org application because Fox makes sure that when someone leaves the Fox company, their account is disabled. Now, with the Org2Org application, the moment that account is disabled on the Fox side, it is disabled on the NGS side and we are more secure. I want to take this time, Marc. Let's show them how easy it is to set this up.
Marc Jordan: Thanks, Herminia. This is why I always go first, because Herminia is a tough act to follow. That was amazing. Thank you, Herminia. Yeah, please, but we're not done yet. What I'm going to do is I'm actually going to flip back to my presentation for a second. We're going to go through a demo here. I'm going to paint the picture of the demo just for a second. As you heard Herminia talk through, there were two companies involved there. We're going to have Atko Foundation and ContractCo as part of our demo today. I'll be the admin for Atko. Herminia is going to be the admin for ContractCo. Now, the need here is for ContractCo to get access to Atko Foundation resources. Pretty simple, and they're both using Okta today.
What … is we’re going to establish an Org2Org connector and we're going to get the people in ContractCo to be more productive and get them logged into G Suite so we can start collaborating on a document together. In the couple of minutes that we've got left, we're really going to dive into that and go through that detail with you. Without further ado, I'm going to flick back to my Okta tenant. I'm logged in. There's not a whole lot configured in here. The very first thing I'm going to do is go to my identity providers. I might zoom that in a little bit as well. Cool. All I've done so far is I've created an identity provider for ContractCo. I've said, you know what, I'm going to allow ContractCo to come into my environment. I'll take you through some of the configuration that I've done there.
First and foremost, I want to draw your attention to this, if no match is found. Now, what this means is that if a user doesn't already exist inside of my Atko Foundation tenant, I'm going to create it. I’m going to create it just in time, just as they need that access, so no need for heavy provisioning or anything like that. I'm also going to look at the Okta username and say, “Hey, this is what I'm going to match on, so if the username matches, I'm going to connect that user to their existing account. If it doesn't exist, I'm going to create a brand new one.”
Then, when I create it, what I'm going to do is I'm going to add them to a group so they get the right level of access, the right level of security, to ensure that they have the right access to the resources in my tenant. Let's quickly dive into what that group is doing. If I have a look at the ContractCo group in Okta, there's no one in there, so we're just starting this out. We haven't configured anything yet. This group is assigned to G Suite and they've been given licenses and roles that match the permissions that they should have in G Suite. Remembering that the security for contractors and partners may be different from what's required for my employees, so I've configured that here.
Then, lastly, what I've done is I've configured a directory integration here as well. This is an LDAP directory. In the Atko Foundation tenant, what I have is a directory that sits in my [inaudible 00:23:40] that controls my partner access so this is explicitly for my partners. What I've configured here is some of our brand-new functionality that's in EA today, which is our LDAP provisioning.
When a ContractCo user comes across into Atko Foundation, I'm then going to provision them down into an LDAP directory, so I'm going to create them. If they're an existing user, I'm going to update them and then, as Herminia was saying, when it's time for that user to leave the company or leave the partnership, they're also going to be deactivated, so a full lifecycle management both in Okta, in my SaaS applications, as well as in my on-premise applications. That's the configuration for the hub tenant, the Atko Foundation tenant. What I'm going to do is I'm going to pass you over to Herminia as she configures the Org2Org.
Herminia Gomez: Okay. I'm logged into the ContractCo tenant and I'm going to go in and I'm going to set up the Org2Org application. Sorry. I'm clicking logout here. Atko Foundation resource is our Org2Org app and we need to set this up, so let's go. The first thing we're going to do is we're going to set up the sign-on. As with everything else, Okta has wonderful inline instructions that you can use. I used it a lot and of course, you can always contact Okta Support if you need assistance.
The first thing we're going to do is we're going to set up a sign-on and I'm going to put in the hub ACS URL. This is the token information that is passed to allow single sign-on to the application. Click on edit. Then next, I am going to put in the audience URI and this is what uniquely identifies the user as a contractor user. Another thing that we have is our application user format. You have the option to set the format. You can use a default Okta username or email. In our situation, in our environment, we use the email. This is very important because if you are pushing that user to Active Directory, that user can have that same username right across the system, so they can log in to Okta and to Active Directory or to on-premise application using the same username information.
I'm going to go back and select Okta for that and we're going to click Save. Did I miss … I believe I missed something so let's go back on top. Sorry about that. Copy. Okay. We click Save. There we go. Next thing we're going to do is we're going to set up provisioning. This requires API token, which Marc has already provided also. We're going to copy that API token. Sorry about that. Enable API integration. Click on that and we’re going to paste the token. Test the credentials. It’s always good to do that and then click Save.
Now that we have the API token integration set up, now we can configure the Org2Org application. We click on edit and then we can enable … or gives us the ability to create a user, to update the user attribute so we can pass user information also, and of course to deactivate the user. Again, the password sync allows that user password to sync across the system, so this is where I said if you have users that are being pushed to Active Directory, think about the user experience. They don't have to remember a new username or a new user password but for this instance, we're not going to set that up and we're going to click on Save. Okay. Now, we have the Org2Org application, so what can a user do with that? Now, we're going to log in. I'm going to log in as a user, Sarah Riley while Marc logs in as another user and we're going to see if this works.
Marc Jordan: I mean, you might want to assign Sarah to that app before we get there so that she gets provisioning to enter our Org2Org.
Herminia Gomez: Oh, I do. I apologize for that. I did not assign her. I apologize for that. That would never have worked. Okay, so we already have a group that we have set up, the Atko Foundation resource project users, and we're going to put in ContractCo just to uniquely identify the user and we're going to click on Save. Perfect. Thank you, Marc. Okay, so now we're going to switch the users and we're going to do a refresh. If I hadn’t done a refresh, it wouldn't have worked and you would have seen me actively troubleshoot the system. Perfect.
Now, after I did the refresh, and I apologize, I keep playing with my mouse, you can see that Atko Foundation resource, our Org2Org, is now made available to the user. If I click on that, see Okta here working, the user is going to be provisioned through just-in-time provisioning because the user did not exist in the Okta Atko application and if I do a refresh, voila. Magic.
Now, I want to tell you about something that we did, which was for our configuration at National Geographic, we didn't set it up this way. What we did was we set up bookmarks, so the user doesn't go through the process of clicking on the actual Org2Org app. All of the apps that we have shared, you actually see the applications. They actually see these bookmarks and they go directly into the application, so that's also an option that you have. I think it's a better user experience. They don't have to go through that Org2Org app. It makes it simpler. Okay, so I clicked on Google Drive. It is loading. We're going to …
Marc Jordan: See, I've started a document that I want to share with Herminia. I've called it Atko and it's our new marketing campaign, so Herminia's going to jump into there and what we're going to do now is we're ready to go.
Herminia Gomez: He's logged in from Atko. I'm logged in from ContractCo and we're now sharing.
Marc Jordan: Simple as that. Awesome. That's how easy it is to create an Org2Org connector. We did just a little bit of stuff ahead of time to configure the inbound SAML just so we could smooth that out but realistically, it took Herminia and I a couple of minutes to create some users, get them provisioned, get the lifecycle management configured, and really just get into Google Apps to start being productive. We could have done that with 365 or Box or Salesforce or any of these other applications. End to end, that process looks exactly the same. That's the end of our demo and that's the end of our session. We're a little bit early so if anyone's got any questions or anything like that, feel free to put up your hand and wait for the mic. Otherwise, just come up and talk to us afterwards. We'll be here for a little bit. Thanks so much for coming.
Speaker 4: I actually have two questions for you. First question, for the Okta org setup, was that because NGP already had their own Okta org provisioned that you decided to use it too, or was that necessary to support the shared services model?
Herminia Gomez: It was because they already had the Okta tenant, so it's a communication between two Okta tenants.
Speaker 4: Okay, but same model would be achievable in a single Okta org?
Marc Jordan: Yeah, if you wanted to create users directly. The challenge with a single Okta org is potentially, you're going to have to connect two different Active Directories to the same Okta org and you might have different administrators, different segregation of duty or something like that, so if you've got a partner that already has Okta that has their own administrative models, they can continue to use their Okta tenant and have that [inaudible 00:32:31] local management across without creating additional connections or potentially additional security.
Speaker 4: Okay, so it just kind of allows you to have almost like delegated admins like here's one group of admins that maintain this instance and here's a completely different set.
Marc Jordan: Yeah. That’s exactly right.
Speaker 4: Okay. The next maybe trickier question is, did you have any transfers between the two orgs wherein they were kind of terminated from one org but they became an employee of the other org? How do you not kill them in both systems?
Herminia Gomez: Yeah. We definitely did. In a situation like that, it depends on your lifecycle management tool, so we did have … Actually, we've had a number of people that have actually jumped between companies multiple times, so when the user is deactivated on the Fox side and then it's deactivated again on the NGS side, when we hire them, Okta identifies the fact that that account already exists if we have matching attributes.
In our situation, the matching attribute was email address but when … For example, we had an individual named Robert who worked for National Geographic. He left but then he worked for Fox and then came back. It's no different than … What’s that called, the process? The import, the matching. The application is able to read the username and the last name and it matches, and then it matches on the email. Then, you just have to go in and reactivate that account because the account already exists. It's easier to just … It’s just a matter of activating and deactivating that account versus an account being managed by Org2Org or Active Directory. Was that clear?
Speaker 4: Yeah. It probably is too technical beyond that, but thank you very much.
Speaker 4: If you're using a Gmail address as your primary link, what kind of efforts do you have to undergo when some of the changes that are made … For a lot of organizations, you change your last name, it changes your email because the email is usually your full name at whatever.com.
Herminia Gomez: I haven't had too many of those, maybe one or two. From our environment, when the username information is changed and then it's synced up to Active Directory and it matches, so it depends if the user changed their email. Most of the time, they change their last name and they don't change that email. The system does recognize if the user has similar name, first name and last, and it will do what's called a partial match and I've seen that happen. I haven't had any other complexity outside of, hey, I see that this is a partial match. Do you want to link these accounts or do you want to create a new account for that user?
Marc Jordan: It's a good chance for a bit of a plug. We just enhanced our Profile Master User Lifecycle State, or PMULS for short internally, that has improved some of those matching rules. Say we can do full matches or partial matches. You can configure whether you want to automatically confirm it or require administrator intervention and things like that.
Herminia Gomez: It’s the same thing that happened with his question, so when the user becomes deactivated and even though they're not matching on email or the username, it will do that partial match and it will flag that user as, “Hey, I see that there's a record or a deactivated account that already exists. Do you want to match them or do you want to create a new account?” The partial match is what's useful.
Marc Jordan: Any other questions? Thank you so much for coming to our session. Again, we'll be here for a bit longer. I'm here all afternoon as well, so if you see me in the hallway or want to catch up now, please do. I’d love to chat. Thanks.
Transforming an enterprise is rarely a straightforward task, and reimagining decades-old business processes around employee onboarding and end-to-end lifecycle management is just one piece of that complexity. Learn how Okta can integrate with legacy software solutions and directories including Active Directory or LDAP, and how Okta can help you modernize without disrupting day-to-day operations. Join Herminia Gomez from National Geographic and Marc Jordan from Okta as they discuss how NatGeo reimagined their architecture, workflows, and business processes during a partial acquisition by 21st Century Fox in 2015.
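The hub-side behaviour the session describes (match on the Okta username, create just in time when there is no match and drop the new user into a partner group that carries the app assignments, deactivate when the partner org deactivates, reactivate a returning user instead of creating a duplicate, and send a partial match such as a changed email to an admin rather than auto-linking) can be summarised as a small state machine. The block below is an added example written for this page; it is not Okta's code and does not call the Okta API. `HubOrg`, `HubUser`, `SpokeAssertion`, the `ContractCo` group name and the user records in `demo()` are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class HubUser:
    """An account in the hub (resource-owning) org, e.g. Atko Foundation. Hypothetical type."""
    username: str
    first_name: str
    last_name: str
    status: str = "ACTIVE"                 # ACTIVE or DEPROVISIONED
    groups: set = field(default_factory=set)


@dataclass(frozen=True)
class SpokeAssertion:
    """What the spoke (partner) org asserts about a user on login or push. Hypothetical type."""
    username: str
    first_name: str
    last_name: str


class HubOrg:
    """Hypothetical model of hub-side matching and lifecycle; not Okta's implementation."""

    def __init__(self, partner_group: str):
        self.users: dict[str, HubUser] = {}
        self.partner_group = partner_group          # group that carries the app assignments
        self.review_queue: list[tuple[SpokeAssertion, str]] = []  # partial matches for an admin

    def _partial_matches(self, a: SpokeAssertion) -> list[HubUser]:
        """Same first and last name but a different username (e.g. email changed)."""
        name = (a.first_name.lower(), a.last_name.lower())
        return [u for u in self.users.values()
                if u.username != a.username.lower()
                and (u.first_name.lower(), u.last_name.lower()) == name]

    def jit_login(self, a: SpokeAssertion) -> str:
        """Apply the 'match on username, else create' rule. Returns the action taken."""
        key = a.username.lower()
        existing = self.users.get(key)
        if existing is not None:
            existing.groups.add(self.partner_group)
            if existing.status == "DEPROVISIONED":
                existing.status = "ACTIVE"          # returning user: reactivate, no duplicate
                return "reactivated"
            return "linked"
        partial = self._partial_matches(a)
        if partial:
            # Possibly the same person under a new username: never auto-link, ask an admin.
            self.review_queue.append((a, partial[0].username))
            return "review"
        self.users[key] = HubUser(key, a.first_name, a.last_name, groups={self.partner_group})
        return "created"

    def push_update(self, a: SpokeAssertion) -> bool:
        """Attribute update pushed from the spoke; only active, known users are touched."""
        u = self.users.get(a.username.lower())
        if u is None or u.status != "ACTIVE":
            return False
        u.first_name, u.last_name = a.first_name, a.last_name
        return True

    def deactivate(self, username: str) -> bool:
        """Spoke deactivated the user: cut app access by removing the group, then deprovision."""
        u = self.users.get(username.lower())
        if u is None or u.status == "DEPROVISIONED":
            return False
        u.groups.discard(self.partner_group)
        u.status = "DEPROVISIONED"
        return True

    def has_app_access(self, username: str) -> bool:
        u = self.users.get(username.lower())
        return u is not None and u.status == "ACTIVE" and self.partner_group in u.groups


def demo() -> dict:
    """Constructed walk-through: JIT create, leave, return, and a partial-match review."""
    hub = HubOrg(partner_group="ContractCo")
    sarah = SpokeAssertion("sarah.riley@contractco.example", "Sarah", "Riley")
    robert = SpokeAssertion("robert.smith@contractco.example", "Robert", "Smith")
    robert_renamed = SpokeAssertion("rsmith@contractco.example", "Robert", "Smith")
    r = {}
    r["first"] = hub.jit_login(sarah)                     # created
    r["second"] = hub.jit_login(sarah)                    # linked
    r["left"] = hub.deactivate(sarah.username)            # True
    r["access_after_leave"] = hub.has_app_access(sarah.username)   # False
    r["back"] = hub.jit_login(sarah)                      # reactivated
    r["access_after_return"] = hub.has_app_access(sarah.username)  # True
    r["robert_first"] = hub.jit_login(robert)             # created
    r["robert_renamed"] = hub.jit_login(robert_renamed)   # review, nothing created
    r["user_count"] = len(hub.users)                      # 2
    r["pending_reviews"] = len(hub.review_queue)          # 1
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two checks worth keeping in mind from the Q&A are encoded here: a deactivated account is reactivated on return rather than duplicated, and a partial match is parked for a person to decide, because auto-linking two accounts on a name alone is exactly how one partner's contractor ends up with another person's access.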