Bridging the Identity – User Experience Gap

Productivity and user experience: They fit together like a hand in glove.

An increase in one cannot be had without a positive, fruitful experience in the other. If the workflow is streamlined, and the user experience is fast and engaging, then an increase in productivity seems to occur organically. However, if a user experience is slow and cumbersome, then productivity can – and usually does – suffer.

It shouldn’t matter from where application access is attempted. It shouldn’t matter what device is used to attempt application access. It shouldn’t matter the location of the applications being accessed. Regardless of user or app location, or the device from which application access is being attempted, the user experience should be simple, speedy, and consistent.

Multiple logins when attempting to access applications interrupt the user experience. They slow down application access, can delay and limit productivity, and can create frustration for the user. They also require users to come up with and then recall numerous usernames and passcodes. Even multi-factor authentication requires users to create and remember usernames and passwords. This can lead to user “password fatigue”, as users are forced to develop, remember, and use various usernames and passcodes.

When driven to create and use multiple usernames and passcodes for application authentication, users tend to fall back on simple passcodes, or on the same passcode for most – if not every – authentication and login they are asked for. This weakens application security, and in many cases simple, non-complex, easy-to-remember passcodes are the entry point attackers use to breach applications and networks, wreak havoc, and cause millions of dollars in lost and stolen data.

The explosive growth and adoption of cloud- and SaaS-based applications has also brought about a vast increase in the number of required application logins and authentications. Each cloud and SaaS application requires its own user identity and authentication. Plus, with businesses migrating existing data center applications to the cloud in droves, the number of usernames and passcodes users need to produce, memorize, and then recollect has risen dramatically, leading to more instances of “password fatigue”, a lessening of application and data security, and an increase in threat potential.

The concept of single sign-on (SSO) – the ability to use a single ID in place of multiple, varying usernames and passwords to access multiple applications, networks, and clouds – has been around for some time. When applications were in one location – in the data center on the network – SSO was easy and simple. Kerberos, NTLM, or SPNEGO – and in some cases, even cookies – could be employed to drive SSO. However, with the deconstruction of the network perimeter and the increase in applications that are not on the same, or on any, networked domain, a new, improved standard was required, with more robust security to protect usernames and passcodes that are now communicated outside, in the wild. Enter Security Assertion Markup Language, or SAML.

SAML is an industry standard for securely communicating user information between an organization and a service provider; service providers include cloud and SaaS application providers. SAML encrypts the communication of user information to ensure its security. When a user, as part of an organization, requests a service – such as access to a cloud or SaaS application – the service provider (the cloud or SaaS application provider) requests the identity of the user. The identity provider – the user and/or their organization – provides the user’s credentials to the service provider. This federates the user and organization as the identity provider (IdP), and the cloud or SaaS application provider as the service provider (SP). This identity federation creates and enables single sign-on between the user and organization on one side, and the service provider on the other.

The ability to ensure secure, differentiated application access – based on a variety of identity-, context-, and environment-aware attributes – with a simple, yet powerful user experience, regardless of where the application is located, where the user is located, and what device the user has, is vital for today’s mobile-first, cloud-first organization. This construction of a secure identity federation drives increases in user productivity, while decreasing support issues and user dissatisfaction with their experience.

F5’s BIG-IP Access Policy Manager (APM) builds an identity bridge between users and their organizations, and applications, networks, and clouds. BIG-IP APM ensures that sign-in is singular, seamless and adaptive, ensuring users need only input their secure credentials once, while accessing applications anywhere they may reside.

Ensuring the secure transport of user credentials outside the moving target of today’s enterprise domain is paramount to ensuring the security of the organization, its applications, and its data. BIG-IP APM secures the transport of SAML messages by supporting SAML artifact binding. This support also reduces SAML message flow through web browsers, while extending SSO support to automatically submitted forms where JavaScript is not supported. It not only enhances SAML security, but simplifies SSO, addresses browser restrictions, and alleviates the potential for communication errors.

There are certain applications that users access multiple times daily. Email is one of those applications. So, enabling single sign-on for email apps such as the various Microsoft Outlook applications is paramount. BIG-IP APM, through its support of SAML Enhanced Client and Proxy (ECP) profiles, supports SSO for client-based applications, working with Microsoft Office apps like Microsoft Outlook, simplifying a user’s daily workflow, and enhancing their experience, increasing user productivity and application usability.

To access applications, it shouldn’t matter if a user has a Windows or Mac OS device, an iPhone or other iOS-based device, or an Android device; access should be consistent, regardless of device or OS platform. F5 BIG-IP APM, with BIG-IP Edge Client, delivers SAML-based authentication for secure remote access from mobile devices, and for other forms of remote and mobile access. BIG-IP APM ensures secure mobile connectivity and communications while simplifying the mobile user access experience and enhancing user productivity. It also helps to limit “password fatigue”, alleviating security risks and eliminating support calls, saving time, cost, and above all else, corporate reputation.

Identity federation and SSO to applications that expect multivalued attributes – that is, more than one database value for a single attribute – such as WebEx, for example, can prove difficult. BIG-IP APM addresses this problem, simplifying single sign-on to, and support for, many well-known applications.

When it comes to enhancing user experience and increasing usability and productivity, not much can match extending identity federation and single sign-on, as part of comprehensive, secure, differentiated authentication and authorization, to applications wherever they may live. F5 BIG-IP APM’s identity federation and SSO capabilities simplify, strengthen, and secure access authentication and authorization to networks, clouds, and applications – wherever they may reside – regardless of the device used.


Published Sep 10, 2015
Version 1.0
  • Almost all the vendors support OpenID Connect and OAuth 2.0. How about F5? Use cases include having the F5 authenticate users against an external OpenID Provider and the use of OAuth 2.0 to secure the F5 APIs. Even the next version of ADFS supports OpenID Connect. Tool support for OpenID Connect is increasing by the day. I don't see that kind of support for SAMLp, especially when you're in the business of hosting APIs.
  • OAuth 2.0 is on the roadmap I believe. Hopefully it will be implemented faster as SAML has been...