- To understand the options you have to integrate with PolicyStat
You have the option to integrate PolicyStat with your Active Directory via LDAP or LDAPS, as well as SAML 2.0 SSO authentication. Please review the different integration solutions below.
Ideal Solution: Integration with AD via LDAP(s) and SSO authentication.
- AD integration provides the daily provisioning and de-provisioning of accounts. Having all employee accounts allows the customer to leverage the full functionality of the application.
- SSO Provides Authentication that potentially (not always depending on the IDP) bypasses the login. Extra layer of security from the your IDP. Supports Just In Time (JIT) account provisioning and updates.
- AD Only: Provides the second most level of value. All user accounts present and update daily.
- SSO Only: (With Bulk Upload) Provides all accounts initially. Requires admins to maintain user accounts long term and not ideal for clients who intend to use acknowledgements. Admins responsible for deprovisioning stale accounts.
- SSO Only: (No Bulk Upload) (worst) Requires Admin to create accounts initially needed for implementation and would then be responsible for deprovisioning.
AD Integration Methods:
- Secure LDAP (LDAPS) User attribute data is encrypted and sent using the external LDAP port 636. The benefit is that a VPN would not be required for security purposes. Client would need a security certificate to use port 636.
- Standard LDAP using port 389 that would require a VPN for security. The downside is that the VPN configuration can take time and requires 6 tunnels due to cloud hosting.
SSO Integration Methods:
- Any IDP that supports SAML 2.0
- Some Examples:
- ADFS version 2-4
- Ping Federate
Regardless of integration method chosen, we would request a service account for testing the configuration to ensure proper functionality.