How DevOps Can Bring SSO to Open Source Tools – It’s Easy with Datawiza
If your organization is concerned about application and data security or already on a Zero Trust journey, you’re likely implementing a modern Identity as a Service (IDaaS) solution – such as Microsoft Azure AD, Okta, Auth0, Google, or Amazon Cognito – as the foundation for protecting data with multifactor authentication (MFA) while also improving the user experience with single sign-on (SSO).
The irony of this journey is that the developers implementing the IDaaS solution don’t reap all the benefits of their effort. That’s because their open source tools, such as Kibana/Elastic, Kafka Manager, Spark UI, Grafana, Kubernetes Dashboards, and Jenkins, can’t easily be integrated into the new environment.
Doing nothing about this, is not an option. Leaving these open source tools outside your controlled IDaaS environment means they can’t be centrally managed for user access and authorization – which leads to potential security gaps. In fact, you may still be relying only on a VPN to manage user access, but doing this requires significant administrative time as development teams change and access permissions and policies need to be updated, diverting resources that should be dedicated to more strategic tasks.
One solution for integrating open source development tools with an IDaaS solution is to turn to the commercial vendors behind the tools to see if they provide the required SSO integration. Unfortunately, even if they
The next option, since you have the developers and the tools, is to DIY your own SSO proxy or identity-aware proxy. However, this approach has serious limitations as well. Integrating one application with an IDaaS solution can take days or weeks, and integrating each additional application requires nearly the same effort. Further, since your developers are likely not security experts, the risk of introducing vulnerabilities remains high.
Avoiding an open source vendor’s SSO licensing fee
A small security managed service provider (MSP) with approximately 30 employees relies on Okta for user authentication and authorization. As an MSP, the company needs to comply with SOC 2 security control requirements, which means SSO must be enabled for every application, including its open source tools, such as Kibana/Elastic. The enterprise license for Kibana/Elastic includes SSO; however, the MSP does not need any other of the advanced features that come with the enterprise license. The company tried talking with the vendor behind Kibana/Elastic, but there was no option other than paying the full license fee of $11,000/server/year. Since the MSP has seven Kibana/Elastic servers, it considers paying an “SSO tax” of $77,000 per year to be “insane” and is determined to find an alternative.
Eliminating the Cost of DIY SSO
A global network security leader has a very different challenge. This company relies on a much wider variety of open source tools, including Kibana/Elastic, Spark and Kafka Manager, to build advanced solutions for machine learning and AI-based threat detection. The company is using a VPN to control who can access these tools, but there is no easy way to add or subtract users. The company wants to integrate all of its open source tools with Okta and initially considered a DIY approach using the free oauth2-proxy, another open source tool. However, using this tool is far from straightforward and takes significant time to onboard just one application. The company has also realized the tool does not support Okta SSO integration for applications running on AWS EMR, which means a DIY approach would require significant resources and not solve the problem at all. Once again, the company is determined to find a different approach.
Enter the Datawiza Access Management Platform
No matter the reason, Datawiza makes it easy to integrate open source tools with an IDaaS solution. The Datawiza Access Management Platform, the industry’s first cloud-native Access Management as a Service (AMaaS), helps companies improve security and implement a Zero Trust architecture by providing a no-code/low-code solution to connect applications and services to a modern IDaaS platform.
The combination of Datawiza and an IDaaS solution enables SSO and MFA for every application in your environment, including open source tools, and provides policy-defined, URL-level access controls based on detailed user and device attributes, such as group, role, IP, or browser. With Datawiza, one license lets you integrate all the applications in your environment, and integrating each application takes minutes instead of days or weeks, so users quickly enjoy the benefits of SSO – without the need for custom coding or using additional open source tools like oauth2-proxy – for each application. And because Datawiza was built by cloud and security experts, it automates security configuration during the integration process to reduce the potential for errors that could lead to security gaps and other risks.