ADSelfService Plus multi-factor authentication for cloud apps

The proliferation of cloud applications has attracted unwanted attention from hackers, who now focus most of their efforts on data in the cloud. Hackers can easily trick someone with a valid username and password into disclosing their credentials through a phishing attack. The traditional way of authenticating users through usernames and passwords just isn’t cutting it anymore.

Securing cloud logins

ADSelfService Plus, an Active Directory self-service password management and single sign-on (SSO) solution, protects access to cloud applications with multi-factor authentication. By enabling SSO between ADSelfService Plus and SAML 2.0-enabled cloud applications, you can easily secure users’ identities in the cloud. When SSO is enabled, users must always authenticate themselves in ADSelfService Plus—first using their username and password, and then using another factor chosen by you. Only then will end users be able to access cloud applications. ADSelfService Plus supports multi-factor authentication for both identity provider (IDP) and service provider (SP) initiated logins.

How it works

Identity provider initiated (IDP) login:

• In IDP initiated SSO, users first log in to ADSelfService Plus using their Windows Active Directory domain credentials to prove their identity before they can access cloud applications.
• Next, users must authenticate themselves using Duo Security, RSA SecurID, a smart card, RADIUS, an SMS/email-based verification code, or Google Authenticator.
• Once successfully logged in, users can access cloud applications from the Applications tab. All they need to do is click on an application's icon to open it in a new tab. Best of all, the user is automatically logged into the application.

Service provider (SP) initiated login:

• In SP initiated SSO, users first access the cloud application by entering its URL directly in a browser. The cloud application then redirects the user to the ADSelfService Plus login page for authentication.
• Users will need to enter their Active Directory domain credentials to prove their identity.
• Next, users must authenticate themselves using Duo Security, RSA SecurID, a smart card, RADIUS, an SMS/email-based verification code, or Google Authenticator.
• The user is now directly logged into the SSO-enabled cloud application.

A comprehensive set of authentication factors

ADSelfService Plus uses the tried and tested Windows Active Directory domain credentials as the first factor of authentication. For the second factor, ADSelfService Plus supports native factors such as SMS/email-based verification codes and third-party authentication providers such as Duo Security, RSA SecurID, RADIUS server, and Google Authenticator.

Policy-based access to cloud apps

ADSelfService Plus single sign-on helps you activate multi-factor authentication for cloud apps based on your on-premises Active Directory’s OU and group structure. You can customize different authentication factors for different users and even control access to cloud apps by configuring OU and group-based policies.