When and why to trust SCIM, SSO JIT, and SSO Role Mapping
By Jean-Claude Kuo
Security and compliance are no longer valid reasons to stay on-premises
Cloud-first organizations now outnumber on-premises ones by 3:1. Despite broad adoption, uncertainty about security still chains some organizations to an on-premises solution.
If security and compliance concerns have blocked efforts to move your organization to the cloud, it’s time to reevaluate. Let’s examine modern cloud security by looking into the trusted user management capabilities in the latest release of Talend Cloud.
If your organization is already in the cloud, you’re probably using these capabilities but you may not know them by name. Read on to become an expert on various authentication capabilities and understand when to use them.
Authentication capabilities add security and reduce administration
System for Cross-domain Identity Management (SCIM) and Single Sign-On (SSO) Role Mapping capabilities should set any CSO’s or CISO’s mind at ease. That’s because with SCIM and SSO Role Mapping, users can easily authenticate themselves in the cloud. This eliminates the need for end users to remember yet another set of credentials, and cuts down on effort needed to manage user access lifecycles.
The SCIM open standard is so widely adopted that your organization's IT is probably already using it. Identity and access management products such as Okta or Azure Active Directory (Azure AD) offer native integration with SCIM services — including ours — making life simpler for IT and helping data project teams stay focused on what matters.
Talend in the cloud includes out-of-the-box access to audit logging and SSO with Just-in-time (JIT) provisioning. We support SCIM 2.0, which allows seamless, native integration with enterprise identity and access management systems such as Okta or Azure AD.
How SCIM is different from SSO JIT — and why it matters
SSO JIT is very handy to set up, because it will automatically provision new users upon first successful login. That is why it’s called "Just in time". It's a great system for smaller organizations or for simple project structures, which is why we’ve made it an option in Talend in the cloud.
When Just-in-time user provisioning is enabled, what happens under the hood is that a new user is created in your Talend Cloud tenant and inherits a default role profile. Because every new user inherits the same single profile, we recommend as a security best practice that you adopt least privilege by default: the default profile should grant as little as possible. This means that an Administrator will have to review the roles assigned to each user and then adjust permissions to grant additional project access when required.
If a project member leaves a project, the Administrator will once again need to intervene and manually revoke access. Regular review of user access is a common control in compliance frameworks.
In large organizations, however, IT teams are tasked with managing a myriad of business applications, all while people are moving from team X to Y in a constant rhythm. It’s critical to keep track of who has access to what, and why, in an efficient manner. Manual processes like the one outlined above just don’t scale.
SSO JIT is ultimately inefficient and error-prone, and can introduce risk to a compliance program. At enterprise scale, SCIM offers a better solution by automating user provisioning while keeping user information changes in sync and handling deprovisioning operations, using a central system across all business applications.
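To make the joiner / mover / leaver cycle concrete, here is an added example, not Talend's code and not part of the original post, of a minimal in-memory SCIM 2.0 `/Users` service provider being driven by an identity provider: a create, a filtered lookup, an attribute update, and a deactivation. The schema URNs and the PatchOp shape follow RFC 7643/7644; the user data is constructed, and the in-memory store and its method names are this example's own assumptions.

```python
"""Constructed example: a minimal in-memory SCIM 2.0 /Users service provider
driven through a joiner / mover / leaver cycle by an identity provider.
Not Talend's implementation; resource and message names follow RFC 7643/7644."""
import copy
import re
import uuid
from typing import Any, Dict, Optional

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
# Only the filter form IdPs use before provisioning: userName eq "..."
FILTER_RE = re.compile(r'^userName\s+eq\s+"([^"]+)"$', re.IGNORECASE)


class ScimConflict(Exception):
    """Maps to HTTP 409 with scimType "uniqueness" (RFC 7644 section 3.12)."""


class ScimUserStore:
    """Service-provider side. The IdP is the only writer; the app only reads."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, Any]] = {}

    def list_users(self, filter_expr: Optional[str] = None) -> Dict[str, Any]:
        """GET /Users?filter=... : how the IdP checks for an existing account."""
        found = list(self.users.values())
        if filter_expr:
            match = FILTER_RE.match(filter_expr.strip())
            if not match:
                raise ValueError("invalidFilter")
            wanted = match.group(1).lower()
            found = [u for u in found if u["userName"].lower() == wanted]
        return {"schemas": [LIST_SCHEMA], "totalResults": len(found),
                "Resources": copy.deepcopy(found)}

    def create(self, body: Dict[str, Any]) -> Dict[str, Any]:
        """POST /Users: provision a user. userName is the unique key."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("invalidValue: missing User schema")
        name = body["userName"]
        if self.list_users(f'userName eq "{name}"')["totalResults"]:
            raise ScimConflict("uniqueness")
        user = copy.deepcopy(body)
        user["id"] = str(uuid.uuid4())
        user.setdefault("active", True)
        self.users[user["id"]] = user
        return copy.deepcopy(user)

    def patch(self, user_id: str, body: Dict[str, Any]) -> Dict[str, Any]:
        """PATCH /Users/{id}: apply PatchOp operations. Only top-level 'replace'
        is implemented here; op names are case-insensitive per RFC 7644."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("invalidValue: missing PatchOp schema")
        user = self.users[user_id]  # KeyError would be HTTP 404 in a real server
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError(f"unsupported op {op['op']!r}")
            path = op.get("path")
            if path is None:  # no path: value is a partial resource to merge
                user.update(op["value"])
            else:
                user[path] = op["value"]
        return copy.deepcopy(user)

    def can_sign_in(self, user_name: str) -> bool:
        """What the application checks at login: the user must exist AND be
        active. SCIM deprovisioning is normally active=false, not deletion."""
        hits = self.list_users(f'userName eq "{user_name}"')["Resources"]
        return bool(hits) and bool(hits[0].get("active"))


def run_lifecycle() -> Dict[str, Any]:
    """IdP-side script: joiner, mover (attribute sync), leaver (deprovision)."""
    store = ScimUserStore()
    joiner = {"schemas": [USER_SCHEMA], "externalId": "hr-00042",  # constructed
              "userName": "ana.lima@example.com",
              "name": {"givenName": "Ana", "familyName": "Lima"},
              "displayName": "Ana Lima",
              "emails": [{"value": "ana.lima@example.com", "primary": True}],
              "active": True}
    created = store.create(joiner)
    before_move = store.can_sign_in("ana.lima@example.com")
    # IdPs retry: a repeated POST must be rejected, not create a duplicate.
    try:
        store.create(joiner)
        duplicate_rejected = False
    except ScimConflict:
        duplicate_rejected = True
    # Mover: the display name changed in HR; the IdP pushes it as a PATCH.
    moved = store.patch(created["id"], {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": "displayName",
                        "value": "Ana Lima-Costa"}]})
    # Leaver: the IdP deactivates; logins stop without any admin action.
    store.patch(created["id"], {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}]})
    return {"before_move": before_move, "duplicate_rejected": duplicate_rejected,
            "display_name": moved["displayName"],
            "after_leave": store.can_sign_in("ana.lima@example.com"),
            "total": store.list_users()["totalResults"]}


if __name__ == "__main__":
    print(run_lifecycle())
```

Two points from the run are worth noting: the IdP never has to know whether the account already exists, because the filter lookup and the uniqueness conflict make provisioning idempotent, and the leaver is handled by flipping `active` to false, so the audit trail keeps the account while every login check fails from that moment on.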
Very cool, but wait — what about SSO Role Mapping?
While SCIM comes in handy for user provisioning and lifecycle management, it is not a substitute for an authentication mechanism such as SSO, whether SAML2 or OIDC flavored.
SSO Role Mapping makes it possible to map a user attribute, such as the Enterprise AD Group, to Talend’s fine-grained role and permission model. Upon a successful SSO authentication, a Talend Cloud user will be automatically assigned to the corresponding role profile. That will authorize them to access the right project to deliver on the right outcome, without the need for manual inputs by an Administrator.
Likewise, a simple update to that user attribute on the Enterprise AD side can change or revoke access to Talend Cloud. This ensures that access to Talend Cloud projects is limited to authorized personnel — preventing misuse of data and information.
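The JIT provisioning behaviour described earlier and the role mapping described here are two settings of one login handler, so here is an added example, not Talend's code and not part of the original post, that shows both on the same assertion: with JIT only, the account appears with the default role and every later change is an Administrator's manual job; with role mapping on, the `groups` attribute decides the roles on every login, and removing the group on the AD side revokes access at the next login. The role names, the `groups` attribute name and the `GROUP_TO_ROLE` table are assumptions of this example.

```python
"""Constructed example: one SSO login handler showing what JIT provisioning
does on first login and how role mapping turns an IdP group attribute into
application roles on every login. Not Talend's code; the role names, the
'groups' attribute and the GROUP_TO_ROLE table are assumptions."""
from typing import Dict, List, Optional, Set

DEFAULT_JIT_ROLE = "Project Viewer"  # assumed least-privilege default profile

# Assumed mapping from enterprise AD groups to application roles. Any group
# not listed here maps to nothing: unknown groups grant no access (fail closed).
GROUP_TO_ROLE: Dict[str, str] = {
    "APP-Talend-Admins": "Administrator",
    "APP-Talend-Data-Engineers": "Pipeline Developer",
    "APP-Talend-Analysts": "Project Viewer",
}


class Tenant:
    """The application's user table plus an audit trail of access changes."""

    def __init__(self) -> None:
        self.users: Dict[str, Set[str]] = {}  # subject -> current roles
        self.audit: List[str] = []

    def sso_login(self, assertion: Dict, role_mapping: bool) -> Optional[Set[str]]:
        """Process an already-verified SSO assertion. Returns the session's roles,
        or None when role mapping is on and no group maps (login refused).
        assertion = {"nameID": <email>, "attributes": {"groups": [...]}}."""
        subject = assertion["nameID"].lower()
        mapped: Set[str] = set()
        if role_mapping:
            groups = assertion.get("attributes", {}).get("groups", [])
            mapped = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
            if not mapped:
                # Group removed (or never present) on the AD side: revoke.
                if self.users.get(subject):
                    self.users[subject] = set()
                    self.audit.append(f"REVOKE {subject}: no mapped group")
                return None
        if subject not in self.users:
            # JIT: the first successful login creates the account with only
            # the default role; nothing else is inferred from the assertion.
            self.users[subject] = {DEFAULT_JIT_ROLE}
            self.audit.append(f"JIT create {subject} -> {DEFAULT_JIT_ROLE}")
        if role_mapping and mapped != self.users[subject]:
            self.audit.append(
                f"MAP {subject}: {sorted(self.users[subject])} -> {sorted(mapped)}")
            self.users[subject] = mapped  # replace, never accumulate
        return set(self.users[subject])

    def admin_set_roles(self, subject: str, roles: Set[str]) -> None:
        """The manual path that a JIT-only tenant depends on for every change."""
        self.users[subject.lower()] = set(roles)
        self.audit.append(f"ADMIN {subject.lower()} -> {sorted(roles)}")


def run_scenarios() -> Dict[str, object]:
    """Same person, same assertion, the two provisioning modes side by side."""
    ana = {"nameID": "Ana.Lima@example.com",  # constructed
           "attributes": {"groups": ["APP-Talend-Data-Engineers", "Everyone"]}}

    # JIT only: the group in the assertion is ignored, the default role applies,
    # and granting or revoking anything further is an Administrator's job.
    jit = Tenant()
    jit_first = jit.sso_login(ana, role_mapping=False)
    jit.admin_set_roles("ana.lima@example.com", {"Pipeline Developer"})
    jit_after_admin = jit.sso_login(ana, role_mapping=False)

    # Role mapping: the assertion drives the roles on every login.
    rm = Tenant()
    rm_first = rm.sso_login(ana, role_mapping=True)
    promoted = dict(ana, attributes={"groups": ["APP-Talend-Admins",
                                                "APP-Talend-Data-Engineers"]})
    rm_promoted = rm.sso_login(promoted, role_mapping=True)
    moved_out = dict(ana, attributes={"groups": ["Everyone"]})  # left the team
    rm_revoked = rm.sso_login(moved_out, role_mapping=True)
    return {"jit_first": jit_first, "jit_after_admin": jit_after_admin,
            "rm_first": rm_first, "rm_promoted": rm_promoted,
            "rm_revoked": rm_revoked,
            "rm_roles_now": rm.users["ana.lima@example.com"],
            "audit": rm.audit}


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

The design choice worth copying is that mapped roles replace the stored set on every login rather than being added to it; that is what makes a group removal on the AD side an immediate revocation instead of leaving stale access behind for an Administrator to find at the next review.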
Leverage Talend's SCIM and SSO Role Mapping features to move to the cloud
If laborious user administration processes and implications for security and regulatory compliance have been cited as reasons against cloud adoption, those arguments are out of date. SCIM and SSO Role Mapping put cloud security on par with on-premises without requiring extra effort.
Talend’s SCIM and SSO capabilities aren’t just reasons to move to the cloud. If you’re already a Talend user, they’re also the means to move from Talend on-premises to Talend Cloud. First, you can use SCIM to bulk import users and roles ahead of time. Then you can use SSO Role Mapping to maintain consistency with previous Talend Administration Console Role Mapping settings.
Streamline security and compliance with less time and effort
Talend, a Qlik company, prioritizes your security and compliance, and we’re proud to say that Talend Cloud’s security offers parity with on-premises solutions.
The enhancements in Talend’s latest release improve cloud user management and help strengthen adherence to enterprise security requirements and compliance with regulations such as HIPAA, PCI, CCPA, and GDPR. SCIM and SSO capabilities give you the ability to centrally manage and provision users and roles using popular enterprise identity and access management systems — with flexibility for whatever size your organization is now and wherever you are on your data maturity journey.
Explore the user documentation and API specifications for an even deeper dive into the authentication capabilities of Talend in the cloud, or contact a Talend representative to learn more.