Managing the “I” and “A” of Partner IAM

July 26, 2016

This is the last in a four-part blog series on identity in the modern enterprise. Over the course of this series, I've shared expert insights from Mary Ruddy of Gartner and Ping CTO Patrick Harding into the role of identity and access management (IAM) in digital transformation.


In the first blog, we defined digital transformation and the role of identity in today's enterprise. To gain a deeper understanding of IAM for different user groups, our second blog honed in on employee identity and the third focused on customer identity. To close out the trio of key user groups in the enterprise, that leaves us with partner identity for today's discussion.


Mary believes that partner identity is all about enabling appropriate access to your suppliers and distribution channel. This presents unique challenges because it involves your partners' employees instead of your own. Managing access is tricky when you don't know which employees are current and which have left the organization.


Mary says that federated identity is the typical means of ensuring this kind of secure access. For your largest partners, this means they authenticate their own users and pass you a SAML "token" to gain access to your applications. Most often, this means your partner has a single sign-on (SSO) solution in place, including a federation server. You, in turn, must enable your applications to accept SAML "tokens" as a means of authentication. If your partner doesn't have those capabilities, you can provide a cloud-based identity solution that allows the partner to synchronize with their Active Directory, or even just manage users in a cloud directory.


You'll likely have many partners along this spectrum, so enabling appropriate access also requires flexibility. Some will insist on being the identity provider, and others couldn't do so even if they wanted to. Mary explains, "You as an organization need to be able to handle working with multiple identity providers that you're hosting, as well as accepting identities generated by other organizations. You need that kind of flexibility today."

Patrick agrees and sees a shift toward enterprises pushing the responsibility of identity management back onto their partners. He provides the example of retailers and manufacturers who, in some cases, have maintained partner identities for years. When you're maintaining third-party identities in this way, you're at serious risk. He says it's not uncommon to hear about cases where ex-employees still have access to proprietary applications, and they've ordered and shipped product fraudulently to the tune of millions of dollars.


Looking forward, Patrick believes organizations will give their partners the responsibility for authenticating their users. This can be done by leveraging SSO technologies that allow partners to seamlessly access enterprise applications, without having direct access to those applications.


This puts the onus on the partner to ensure that any user who leaves their company is deactivated from their Active Directory, automatically removing access rights in your partner systems. And, Patrick explains, it provides benefits all around. For starters, it delivers a better experience for partners because their users can sign on once and get seamless access to all the supply chain applications they use.


It also often results in cost savings for your organization. Because you no longer have to manage credentials with your partners and deal with time-consuming things like password resets, you can reduce administrative costs. And by having your partners manage user authentication, you limit the potential for fraudulent activity.


We hope this has been an insightful discussion, and that you now are better armed with the knowledge you need to solve identity in today's modern enterprise. Go to our webpage to learn more about partner identity and discover how IAM supports digital transformation.