Three Approaches for Storing and Managing Accounts for External End Users
Introduction
If you’ve rolled out an identity platform for your employees to make them more productive and secure, it won’t be long before you’ve got partners and customers with the same requirements. Luckily, any identity platform worth its salt is built to manage access for users of any type—internal or external—with the same level of ease. If you’ve got a requirement to share some of your internal files, folders, or resources to external users or to build a digital customer experience, such as a portal, you’re faced with a design decision about how to manage the users outside of your organisation.
This whitepaper describes your options for where and how to store external identities and how Okta Universal Directory can be used to manage them.
Scenarios
The main question to ask beforehand is: do you already have a place where you currently maintain those external identities?
If You Already Have an External User Store
If you already use AD or LDAP to store your external users, you only have to configure another AD/LDAP integration on your Okta tenant. For example, you can import the users, their attributes and their groups, just as you did for your existing AD.
If You Don’t Already Have a User Store
You have 3 options here:
• Adding external users to your existing AD
• Creating a new AD/LDAP domain, instance or forest dedicated to those external users
• Creating and managing external users directly in Okta Universal Directory (Okta UD)
1. Adding external users to your existing AD
Before considering that option, verify your current provisioning process and the rules already in place:
• Is there an “everyone in AD” group (such as the built-in Domain Users group, which every user belongs to by default) that is used in access control rules or app assignments? If yes, adding external users to AD would grant them access to internal-only resources.
• Does creating a user in AD require a real email address or an Exchange mailbox under your corporate domain? These are external identities; you may not want to create a mailbox for them, especially under your corporate domain.
If you still want to add those external identities to AD (assuming you answered “No” to both questions above), you will need a reliable way to distinguish internal from external users: a separate domain, dedicated OUs, dedicated groups, and so on. This adds complexity to your AD environment, and it requires whoever manages external identities on your IT or helpdesk team to hold AD admin rights.
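The two pre-flight questions above can be answered from the directory itself. The following PowerShell audit is an added example and is not part of the original whitepaper or Okta's own tooling. It assumes external users are kept under a dedicated OU, that the groups your Okta group rules and app assignments key on are known, and that your corporate mail domain is known; the OU path, group names and domain in the script are placeholders to replace. It flags (1) app-assignment groups that are effectively "everyone in AD", (2) external accounts that already carry a corporate-domain mailbox or sit in a protected group, and (3) external accounts already present in app-assignment groups.

```powershell
<#
  Added example (not from the whitepaper): pre-flight audit before adding
  external users to an existing AD domain (option 1).
  Assumptions, all placeholders to adjust:
    $ExternalOU          - OU that holds (or will hold) external users
    $AppAssignmentGroups - AD groups your Okta group rules / app assignments use
    $CorpMailDomain      - your corporate e-mail domain
  Requires the ActiveDirectory RSAT module and read access to the domain.
#>
Import-Module ActiveDirectory

$ExternalOU          = 'OU=External,DC=corp,DC=example'            # assumption
$AppAssignmentGroups = @('Domain Users', 'All-Staff', 'SSO-Users')   # assumption
$CorpMailDomain      = 'corp.example'                                # assumption
$EveryoneThreshold   = 0.95   # a group holding >= 95% of users counts as "everyone in AD"

$findings = [System.Collections.Generic.List[object]]::new()

# Check 1: is any app-assignment group effectively "everyone in AD"?
# Domain Users is every user's default primary group, so anything assigned
# to it will silently include external accounts created later.
$allUsers  = @(Get-ADUser -Filter *)
$userCount = $allUsers.Count
foreach ($groupName in $AppAssignmentGroups) {
    $members = @(Get-ADGroupMember -Identity $groupName -Recursive |
                 Where-Object { $_.objectClass -eq 'user' })
    $ratio = if ($userCount -gt 0) { $members.Count / $userCount } else { 0 }
    if ($ratio -ge $EveryoneThreshold) {
        $findings.Add([pscustomobject]@{
            Check   = 'EveryoneGroup'
            Subject = $groupName
            Detail  = ('{0:P0} of all users are members; externals added to AD inherit its app assignments' -f $ratio)
        })
    }
}

# Checks 2 and 3: inspect each account under the external OU.
# PrimaryGroup is requested explicitly because memberOf does not list it.
$externals = Get-ADUser -SearchBase $ExternalOU -Filter * `
                -Properties mail, proxyAddresses, memberOf, adminCount, PrimaryGroup
foreach ($u in $externals) {
    # Check 2a: a corporate-domain mailbox (mail or any SMTP proxy address)
    $addresses = @($u.mail) + @($u.proxyAddresses | ForEach-Object { ($_ -split ':')[-1] })
    $corpAddr  = $addresses | Where-Object { $_ -and $_.ToLower().EndsWith("@$CorpMailDomain") }
    if ($corpAddr) {
        $findings.Add([pscustomobject]@{ Check = 'CorpMailbox'; Subject = $u.SamAccountName; Detail = ($corpAddr -join ', ') })
    }
    # Check 2b: adminCount=1 means AdminSDHolder protects this account, i.e. it
    # is (or was) a member of a privileged group such as Domain Admins.
    if ($u.adminCount -eq 1) {
        $findings.Add([pscustomobject]@{ Check = 'PrivilegedExternal'; Subject = $u.SamAccountName; Detail = 'adminCount=1 (protected/privileged group member)' })
    }
    # Check 3: already a member (directly, or via primary group) of a group
    # that drives Okta app assignment.
    $groupDns   = @($u.memberOf) + @($u.PrimaryGroup) | Where-Object { $_ }
    $groupNames = $groupDns | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    $overlap    = $groupNames | Where-Object { $AppAssignmentGroups -contains $_ }
    if ($overlap) {
        $findings.Add([pscustomobject]@{ Check = 'AppGroupOverlap'; Subject = $u.SamAccountName; Detail = ($overlap -join ', ') })
    }
}

if ($findings.Count -eq 0) { 'No findings on these checks.' }
else { $findings | Sort-Object Check, Subject | Format-Table -AutoSize }
```

Run it with an account that can read the whole domain; any `EveryoneGroup` finding means the answer to the first question above is "Yes", and you should move the affected app assignments to a narrower group before external accounts are created in that domain.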
Advantages:
• Minimal changes – Use systems and software that you already have
• Data control – Keep your customer data stored on hardware you own
• Single control plane – Active Directory becomes the one place to get a consolidated view of all users of all types and to manage them
Tradeoffs:
• Requires infrastructure upgrade – You may need to upgrade the infrastructure on which your domain controllers run, since the number of users may increase significantly
• Extra point of failure – Authentication depends on a live connection between Okta and your domain controllers (through the Okta AD agent); if it is down, external users cannot sign in
• Increased authentication latency – Authentication is delegated to AD in real time rather than executed directly on the Okta platform
• No REST API – Okta UD exposes REST APIs to manage users; Active Directory offers only LDAP and PowerShell, so automation against it is harder to integrate with modern tooling
• Potentially vulnerable to lateral movement – Customer accounts live in the same forest as your privileged accounts; an admin error can grant them privileged rights, and a compromised external account becomes a foothold for lateral movement into your domain
2. Adding external users to a new AD/LDAP
Creating a brand new AD/LDAP takes real effort: a new server, a new domain, new firewall rules, a backup/failover server, load balancing, hardware and professional-services costs, plus ongoing maintenance of each of those components.
If you haven’t already invested that time and money, and you don’t strictly need the user store to be AD/LDAP, this may not be the best course of action.
Advantages:
• Data control – Keep your customer data stored on hardware you own
• Delegated administration – The operator of the customer application can manage the app directory without permissions to manage internal employee accounts
Tradeoffs:
• Multiple administration interfaces – There are multiple points of control for your end users. While Okta can consolidate a view of the users, management is delegated to the directory interfaces themselves.
• Requires infrastructure – You will ne