A strong yet simple security Identity, Authentication, and Authorisation system is the foundation to modern IT. We want users to be able to access their applications from anywhere securely, simply. We want 2-factor authentication that gets the job done without getting in the way.
However, an unfortunate side-affect of Identity can be a hidden cost. The most obvious way for many organisations to implement Identity involves creating an entry in Microsoft Active Directory. However, if you have a set of users who are more casual, perhaps only using a small number of applications, creating entries in Active Directory can trigger a named-user license cost, uneeded, unwanted.
So, how can we allow these part-time or casual users access to a subset of applications safely, securely, without adding a lot of cost? Federation. We provide an OpenID Connect federated authentication layer, using an upstream of Active Directory (for our full-time users), and, to Google (or other social logins) for our part-time or non staff users.
The end user experience is identical: they login, no separate password or identity needed, optionally with 2-factor authentication.
The administrator experience is the same: assign roles to identities.
The Accounts Payable experience, however, is much improved. No named-user licenses are created solely for the purpose of simple authentication. We have succeeded in our goal: without increasing cost, we have provided uniform identity and authentication, strong, secure.