SSO and MFA to Address Allianz’s Unique Problem of Managing Security and Usability for Its Users
miniOrange x Allianz
With around 159,000 employees worldwide, catering to over 122 million customers in more than 70 countries, Allianz Group needs no introduction. Headquartered in Munich, Germany, its customers benefit from a broad range of personal and corporate insurance services, ranging from property, life, and health insurance to assistance services, credit insurance, and global business insurance.
What Allianz Was Looking For
Is to improve its security posture by implementing single sign-on and 2FA for both types of users accessing their Atlassian applications (Jira and Confluence). They were posed with the unique challenge of managing security and usability for both their internal and external users.
The company wanted to delegate the internal user authentication to the IDP, which would handle the 2FA for those users. Yet the external users would still be required to log in with their application credentials, and the 2FA would be handled on the Atlassian application itself.
The Solution We Provided
Our solution for the requirement involved utilizing Crowd SAML SSO, combined with Atlassian connectors, to extend SAML functionality to the Crowd-connected applications, namely Jira and Confluence.
We also suggested implementing our Jira 2FA add-on to enforce two-factor authentication for external users, while exempting internal users who are already authenticated through SSO. This is because 2FA for internal users is managed by the IDP itself.
How It Works
- The Crowd SAML SSO Plugin acts as a SAML Service Provider and is used to enable trust between Atlassian applications and central IAM applications.
- The Crowd SAML SSO plugin takes care of the SAML Request, SAML Response, and user’s session management across all the Atlassian applications, and using the SSO connector for Jira and Confluence, the users will be able to invoke SSO directly from the Atlassian applications themselves.
- The user authentication will be done by the IAM, and Crowd will still be used to manage users and their groups (permissions) for all the connected Atlassian applications.
- Additionally, the 2FA add-on was installed on Jira to enforce 2FA for all users. It handled the security of all the external users, but affected the usability for the internal users, as they were asked for 2FA twice, once on the IDP itself and then again on the Atlassian app.
- To improve the user experience for the internal users, we provided another feature that skipped 2FA if the user logged in via SSO.
The End Result
- Centralized access control: With Crowd SAML SSO, the user authentication is moved to central IAM without losing any of their existing user permissions.
- Improved user experience: By providing a single sign-on experience, users would seamlessly access multiple applications without having to re-login for different applications. It improved the user experience and reduced the likelihood of password-related issues.
- Strong security: The solution we proposed has the ability to enforce 2FA for non-SSO users while skipping it for SSO users. The Crowd SAML SSO leverages the security features of SAML and the IDP to provide strong authentication and authorization controls.
- Scalability: Crowd SAML SSO is easily scalable, it would allow our client to add or remove applications as needed without having to worry about managing multiple login credentials or access controls.
By fulfilling the requirements of Allianz, we were able to include them in our journey of innovation. Being a software security company, we know the importance of an organization’s security and, hence, build secure, quality products for our clients along with world-class support. So, get on a discovery call with us at +1 978 658 9387 or email your queries to email@example.com, and we would be glad to take it forward from there.