Employees. While they are extremely valuable and, in most cases, simply vital to an organisation, they do pose the biggest safety risk. Besides the security point of view, they take up most of the Service Desk’s time as well. Two things that may not seem connected can be managed and improved by one and the same tool: HelloID by Tools4ever.
Generally speaking, Workspace 365 uses Azure AD to offer several functionalities, such as Single Sign-On and Multi-Factor Authentication. We also integrate with HelloID, so you can choose to use this as a complementary service on top of Azure AD and utilise its additional benefits and functionalities.
In short, HelloID is an Identity as a Service (IDaaS) cloud platform. This means that Tools4ever offers a set of products and solutions that help you to manage, for instance, users’ passwords and identities. For users, this simply means that they get a platform from which they can easily access their applications and resources. But that is not all they do. In their own words, HelloID offers a complete Identity Ecosystem, allowing you to manage Access, Single Sign-On, Self Service, Data, Delegation and User Life Cycles from one dashboard. In this blog, I’ll get into all these elements.
Identity and Access Management (IAM)
A big part of what HelloID does falls under the category of (or can be linked to) Identity and Access Management (IAM). This term describes the processes within an organisation that focus on administering and managing users and their access to applications and resources. Simply put: IAM makes sure that the right user has access to the right applications and resources, at the right time, preferably with a minimal amount of manual effort.
So how does that work?
Identity Provisioning and Management
It all starts with Identity Provisioning, also called Identity Management (IdM). Imagine you start a new job at a new company. You’ll get a specific role, which will come with certain responsibilities and tasks, for which you will need specific applications and resources. When a new person is entered into the HR system or in the IdM system itself, the IdM system will automatically create a user account in the Identity Provider (IdP), in most cases the Azure Active Directory, but it can also be HelloID itself. This user account will automatically be granted access to the applications and resources that match their role in the organisation. The IdM system will keep managing this throughout the entire End-User Lifecycle, meaning from the moment a person is hired, through responsibility changes, until they leave the company. With every step, the provisioning will change accordingly, and when you leave the company, it will be deleted, denying you all access.
So, if Identity Provisioning can grant you access to applications and resources, what does Access Management do?
HelloID does not only act as an IdP; it can also act as a Service Provider, a middle-man, as it were, if you’re already using another IdP. HelloID collects the information from your IdP, e.g. Azure Active Directory or Active Directory Federation Services (AD FS), and uses it to allow you to manage these automated permissions based on the data in your own IdP.
HelloID allows you to add extended access policies. With these extended access policies, an administrator can determine who gets access to the portal or its applications, and under what conditions. These conditions could be, for example, the IP address, time, device or location. With these policies, you could for instance prevent someone from accessing the portal with an unknown IP address or from accessing a specific application from their mobile phone. This may sound familiar to you. If not, you should definitely take a look at our Conditional Access.
Besides allowing the automation and management of people’s access to applications and resources, HelloID also allows you to simplify access with Single Sign-On (SSO), even to the cloud applications that aren’t designed to be SSO accessible.
Nowadays, many people are overwhelmed with the number of passwords they have to remember. Way too often, this results in people writing their passwords on sticky notes or using the same password for all applications, which poses a security risk. Or people simply forget their credentials and get locked out, resulting in them having to ask the Service Desk for help to get them back in. Seems like a waste of time, doesn’t it?
HelloID offers users a “one and done” login experience with Single Sign-On. This means that they only log in once to their HelloID dashboard, and from there they can access all their applications without having to log in again, resulting in them only having to remember one password. Even if the application itself doesn’t provide SSO capabilities, HelloID can SSO into the application.
You might wonder, is this safe? Doesn’t this mean unauthorised people can gain access more easily, since they only have to obtain one password? The answer is no, because the Administrators can not only set extended policies on the access, but also require 2-Factor Authentication for every login.
2-Factor Authentication is very similar to the Multi-Factor Authentication you can get in Workspace 365. The principle is the same: you can add an extra step to someone’s login, to ensure that the person trying to log in is actually the person the account belongs to. With HelloID, you can choose to set 2-Factor Authentication by default, meaning that every time someone wants to log in to the HelloID platform, they have to authenticate themselves via, for example, email, text or token. Here, HelloID also supports third-party tokens, which means that if you already use 2-Factor Authentication by a party other than HelloID, you can still use it in your HelloID portal and you don’t have to let past IT purchases go to waste.
You can also choose to only use 2-Factor Authentication based on the extended policies which were discussed earlier. This way, you could for instance make sure that people immediately log in when they’re on their company desktop inside of the office, but when they log in from anywhere else, for example their laptop at home, they have to use 2-Factor Authentication to access their applications.
Besides Identity and Access Management, HelloID offers the possibility to simplify the process of requesting resources and applications for employees as well as the IT Service Desk. They do this with Self Service Workflow Management.
Self Service Workflow Management
Let me give you an example: you need access to an application. In most cases, you’d ask approval from your manager, who’d forward the request to the IT department. This is a lot of communication for one simple request, let alone the fact that the IT department typically deals with several of these requests each day. This makes it a very time-consuming and burdensome process, which results in many requests not getting approved, even if they should. This leads to a lack of oversight on the rights on apps and resources, both for the IT department and for managers.
Enabling HelloID Self Service allows employees to choose and add IT services themselves from a product catalogue, an inventory of requestable resources that looks like a web shop. For services that require more attention, for instance because they might pose a security risk or they’re costly, permission can be requested from a manager, who can easily approve or deny the request. When a request is approved, HelloID will handle the rest and will make the necessary changes to give the employee access to the requested resource, making the entire process more efficient.
This is not only very convenient for the employee, it also significantly reduces the amount of time they have to wait, if they even have to wait at all. It also substantially improves the process for managers. Both employee and manager can always get a clear overview of the applications and resources they have in use and have access to, and can easily view the status of pending requests. Managers get instant insights into which employees are using what.
Relieve the Service Desk
Sounds great, doesn’t it? Yet we haven’t even discussed the benefits of the Self Service Workflow Management for the IT department, which are actually quite substantial. By handing a large amount of control to the managers, the Service Desk’s workload is reduced, giving them more time to focus on more important and complicated matters and improving their productivity.
Occasionally, a little more control is needed. And that is exactly what HelloID offers. For example: HelloID gives you the possibility to temporarily approve access to resources, which can be useful in instances such as delegating tasks when someone’s on vacation. It also supports Segregation of Duty (SoD), which means that you can make sure that when a user gets access to one application, the access to another is automatically denied. All these measures will help you to stay compliant.
As mentioned before, HelloID gives managers instant insight into which people have access to which applications and resources. But that’s not all it gives insight into; in fact, it’s much, much more. HelloID fully automates the process of Data Management on the file system, making your work easier and more efficient, and giving you clear insight into all your important data.
Instant reports and auditing
HelloID provides you with instant access to always up-to-date reports, to satisfy your audit requirements and make sure that you are always informed on subjects including:
- User activity (such as their location)
- Failed sign-in attempts
- Application usage
- User history
- Sign-in history
People don’t say “information is power” for nothing. With these reports, HelloID allows you to make smart and informed decisions.
HelloID and Workspace 365
HelloID and Workspace 365 share the ambition to simplify how organisations interact with IT. While we focus on different areas to accomplish this, in the end we both simplify complicated processes and allow people to work easily, efficiently and more productively. Together, we can do this even better.
For one, our integration of HelloID opens up a wide range of new Single Sign-On connections. For you, this means that you can access even more applications with one single click. It also means that you can use the applications from HelloID with all their benefits, such as the extensive data reports and access management, and combine it in Workspace 365 with all your other applications, live information, email, documents, social intranet and more.
For example, by connecting to an HRM service, you can make sure that Workspace 365 always has the correct user data and authorisations. It’s also possible to integrate the Service Automation product catalogue within Workspace 365. This enables users to request products and authorisations themselves, straight from the place where they will use these applications: their workspace. Furthermore, it’s even possible to embed dynamic forms. These can be used, for instance, to request additional authorisations, (temporary) guest accounts, password resets and more.
HelloID is one of the products we integrate into the adaptive workspace, which is what makes the workspace so adaptive. We want to offer every user a personalised experience with the apps and services they want to use. Also, we want people to be able to use their existing systems in combination with Workspace 365. Basically, we want people to be able to work the way they not only need to work, but the way they want to work.
All these systems and technologies may sound complicated, and behind the scenes they probably are, but for the people who use them – the administrators and users who access the HelloID portal – they’re actually not. That’s the whole point: enabling people to use and manage these complicated processes in a very easy and clear way. A point we’re very familiar with at Workspace 365.