Best practices for migrating from on-prem to cloud-based SSO

Last updated: 18 October 2017

According to industry analysts, identity-as-a-service (SSO and access management delivered from the cloud) will be the majority delivery model for new purchases of single sign-on and access management solutions within the next few years. High maintenance costs, IT administration overheads and a shortage of skilled professionals are pushing organizations to outsource commodity IT services such as storage, content delivery and multi-factor authentication to the cloud. With the proliferation of cloud applications in the enterprise, SSO and access management are no exception.

So what do you do if you have already invested in an on-premises SSO solution for your cloud applications? You can run two solutions in parallel, or wait for your current licence to expire. Alternatively, you can migrate to a cloud-based SSO solution without losing your current investment. Some key pointers follow.

#1 Follow a proven technical migration path
Instead of ripping and replacing your current on-prem SSO solution, look for one that offers a proven technical migration path: keep your current investment in 2FA tokens and servers while you gradually move to a cloud-based single sign-on solution. Managing cloud access policies centrally in one solution produces a single audit trail of who accessed which application and when, giving you complete visibility from day one and making security and compliance audits that much easier.

#2 Import your current 2FA authenticators
Standards such as RADIUS (for authentication servers) and the OATH HOTP/TOTP algorithms (for OTP tokens) let you bring your existing RADIUS-backed or OATH-based 2FA tokens into a cloud-based single sign-on solution.

For RADIUS-based 2FA authenticators and servers, the existing RADIUS server is integrated with the cloud-based single sign-on solution so that all 2FA authenticators and access policies are managed centrally. RADIUS token details such as user ID and serial number are imported as well.

In parallel with using your RADIUS-based tokens until they expire, new authenticators can be issued from your cloud solution to enable SAML-based contextual authentication and cloud single sign-on. This lets you keep using your RADIUS 2FA tokens and servers for VPN clients and other RADIUS-based applications, while the new 2FA authenticators are used for SAML authentication to cloud-based apps such as Salesforce, AWS and Dropbox.

OATH OTP authenticators can be imported directly into the new solution from their seed files. Keep in mind that a seed is the token's shared secret: if the export is unencrypted, move it over a protected channel, restrict who can read it, and securely delete the file once the import has been verified. Where the old system can export PSKC (RFC 6030), prefer it, since that container format supports encrypting the key material.
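As an added example (not code from the original page or from SafeNet), here is the pre-cutover check a practitioner would run after importing OATH seeds: recompute HOTP (RFC 4226) and TOTP (RFC 6238) values from the imported seed and compare them with a code read from the physical token, resynchronising the HOTP counter within a small look-ahead window. The CSV seed-file layout, its column names and the sample rows are assumptions; the seed value is the RFC test secret, so the expected codes are the published test vectors.

```python
"""Validate imported OATH seeds by recomputing OTPs.

Added example, not SafeNet/Gemalto code. The CSV layout below is an assumed,
vendor-neutral seed-file format: serial,hex_seed,algorithm,digits,counter_or_period.
"""
import csv
import hashlib
import hmac
import io
import struct
import time

# Constructed sample seed file. The hex seed is the RFC 4226 / RFC 6238 test
# secret "12345678901234567890", so the expected OTPs are the RFC test vectors.
SAMPLE_SEED_FILE = """serial,hex_seed,algorithm,digits,counter_or_period
HOTP-0001,3132333435363738393031323334353637383930,HOTP,6,0
TOTP-0001,3132333435363738393031323334353637383930,TOTP,8,30
"""


def parse_seed_file(text):
    """Parse the seed CSV into a dict keyed by token serial. Never log the seed."""
    tokens = {}
    for row in csv.DictReader(io.StringIO(text)):
        tokens[row["serial"]] = {
            "seed": bytes.fromhex(row["hex_seed"]),
            "algorithm": row["algorithm"].upper(),
            "digits": int(row["digits"]),
            "param": int(row["counter_or_period"]),  # HOTP counter or TOTP period
        }
    return tokens


def hotp(seed, counter, digits=6):
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, unix_time, period=30, digits=6):
    """TOTP per RFC 6238: HOTP with the counter set to floor(time / period)."""
    return hotp(seed, int(unix_time) // period, digits)


def verify_token(token, otp, now=None, look_ahead=10):
    """Check an OTP read from the physical token against the imported seed.

    Returns (ok, detail). For HOTP, detail is the next expected counter after a
    successful resync within look_ahead steps; for TOTP it is the clock-drift
    step (-1, 0 or +1 period) at which the code matched.
    """
    if token["algorithm"] == "HOTP":
        for counter in range(token["param"], token["param"] + look_ahead):
            if hmac.compare_digest(hotp(token["seed"], counter, token["digits"]), otp):
                return True, counter + 1
        return False, None
    if token["algorithm"] == "TOTP":
        now = time.time() if now is None else now
        for step in (-1, 0, 1):  # tolerate one period of clock drift either way
            t = now + step * token["param"]
            if hmac.compare_digest(totp(token["seed"], t, token["param"], token["digits"]), otp):
                return True, step
        return False, None
    raise ValueError("unsupported algorithm: %s" % token["algorithm"])


if __name__ == "__main__":
    imported = parse_seed_file(SAMPLE_SEED_FILE)
    # Codes a tester would read off the tokens; here they are the RFC test vectors.
    print("HOTP-0001", verify_token(imported["HOTP-0001"], "359152"))
    print("TOTP-0001", verify_token(imported["TOTP-0001"], "94287082", now=59))
```

Run this against a handful of tokens before the old server is decommissioned: a mismatch usually points to a wrong algorithm, digit count or starting counter in the export rather than a bad seed, and the script deliberately reports counters and drift steps but never the seed itself.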

#3 Automate Provisioning Workflows
To migrate to a cloud-based single sign-on solution with minimal disruption to users, use the expiry dates of your RADIUS tokens to automate the provisioning of new permissions and tokens before each old token lapses. Similarly, group-based access policies let you define policies by user role (Sales, R&D, C-Suite, third parties, and so on), so that any change in your user repository automatically triggers the matching workflow: users who are added, change roles or are suspended in your user store (e.g. Active Directory) trigger provisioning, modification or revocation of permissions and tokens respectively.
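As an added example, not taken from the page or from SafeNet, the reconciliation below takes a snapshot of the user directory, the RADIUS token inventory with expiry dates and the current state of the cloud tenant, and emits the provisioning actions described above: provision new users under the policy of their group, update the policy on a role change, issue a cloud authenticator when a user's RADIUS token is inside the lead window before expiry (or the user has none), and revoke suspended or orphaned accounts. The group-to-policy map, the record layouts and every sample record are constructed for illustration.

```python
"""Reconcile directory, RADIUS token inventory and cloud tenant into provisioning actions.

Added example, not SafeNet/Gemalto code. The policy names, record layouts and
sample data are assumptions for illustration.
"""
from datetime import date, timedelta

# Assumed group-to-policy map. Order is precedence: the first group that
# matches wins, so the most restrictive policy is listed first.
GROUP_POLICY = {
    "Contractors": "third-party-restricted",
    "C-Suite": "exec-high-assurance",
    "R&D": "engineering-apps",
    "Sales": "sales-saml-apps",
}

# Constructed directory snapshot (e.g. exported from Active Directory).
DIRECTORY = [
    {"user": "alice", "enabled": True, "groups": ["Sales"]},
    {"user": "bob", "enabled": True, "groups": ["R&D"]},
    {"user": "carol", "enabled": False, "groups": ["C-Suite"]},
    {"user": "dave", "enabled": True, "groups": ["Contractors", "Sales"]},
]

# Constructed RADIUS token inventory with expiry dates.
RADIUS_TOKENS = [
    {"user": "alice", "serial": "R-1001", "expires": date(2018, 1, 15)},
    {"user": "bob", "serial": "R-1002", "expires": date(2019, 6, 1)},
    {"user": "carol", "serial": "R-1003", "expires": date(2018, 3, 1)},
]

# Constructed cloud tenant state: bob was provisioned earlier under the wrong
# policy; erin no longer exists in the directory.
CLOUD_STATE = {
    "bob": {"policy": "sales-saml-apps", "has_cloud_token": True},
    "erin": {"policy": "sales-saml-apps", "has_cloud_token": True},
}

TODAY = date(2018, 1, 1)  # fixed "today" so the example is reproducible


def policy_for(groups):
    """Map a user's directory groups to one access policy, by precedence."""
    for group, policy in GROUP_POLICY.items():
        if group in groups:
            return policy
    return None


def plan_actions(directory, radius_tokens, cloud_state, today, lead_days=30):
    """Return (action, user, detail) tuples: provision, update_policy,
    issue_cloud_token, revoke. Deterministic order: directory order, then orphans."""
    tokens_by_user = {t["user"]: t for t in radius_tokens}
    seen = set()
    actions = []
    for entry in directory:
        user = entry["user"]
        seen.add(user)
        current = cloud_state.get(user)
        if not entry["enabled"]:
            if current is not None:
                actions.append(("revoke", user, None))  # suspended in AD
            continue
        policy = policy_for(entry["groups"])
        if policy is None:
            continue  # no entitled group, nothing to provision
        if current is None:
            actions.append(("provision", user, policy))
            has_cloud_token = False
        else:
            has_cloud_token = current["has_cloud_token"]
            if current["policy"] != policy:
                actions.append(("update_policy", user, policy))  # role change
        radius = tokens_by_user.get(user)
        expiring = radius is None or radius["expires"] <= today + timedelta(days=lead_days)
        if expiring and not has_cloud_token:
            serial = radius["serial"] if radius else None
            actions.append(("issue_cloud_token", user, serial))
    for user in cloud_state:
        if user not in seen:
            actions.append(("revoke", user, None))  # orphaned cloud account
    return actions


if __name__ == "__main__":
    for action in plan_actions(DIRECTORY, RADIUS_TOKENS, CLOUD_STATE, TODAY):
        print(action)
```

The lead window is what lets the cutover happen without a gap: a user whose RADIUS token expires in two weeks receives a cloud authenticator now and can enrol it while the old token still works, and the same loop, run on every directory change, handles joiners, movers and leavers.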

Ready to learn more? Get started by watching how to eliminate 3-year token renewals with SafeNet Trusted Access, download the "4 Reasons to Migrate to SafeNet Trusted Access" infographic, or join the webinar on Best Practices for Migrating from On-Prem to Cloud-based SSO.
