Federation Documentation - Coggle Diagram
Federation Documentation
Customers
Internal users: CD Apps, various departments
Examples
Deployments (greenfield)
Cheqroom
Contacted a Cheqroom technician to confirm whether OIDC is an option. They replied no, so we proceed with SAML.
Lisam
The Licensing team already communicated that they desire SSO. The vendor is aware of Licensing's desires and was able to communicate the technical requirements more clearly.
Lisam initially provisioned users with the wrong domain (jw.org), but because we are early in the process, they are going to change it.
Migrations (brownfield)
Figma
Licensing is the main contact, but the initial request came from AVS. They submitted a ticket, and we happened to ask Natasha (Licensing), who helped reevaluate the work because Figma is used by more departments.
Concerns regarding when to schedule the migration, supporting that process, planning communication, and a potential rollback strategy.
Bluebeam
Licensing initially requested SSO from Orchestration. They did not understand that federation doesn't necessarily include SCIM (System for Cross-domain Identity Management) or license management.
Already using manually created accounts, but they have the option to use a smaller subset of users for testing. However, they don't support a testing environment.
Trimble
The vendor communicated the workflow. We would provide them a list of accounts, and they would migrate the accounts from the jw.org domain to bethel.jw.org in their application. Then we agreed we would schedule a date to deploy the federation. However, they deployed the federation without notifying us.
Users reported that they had issues signing into the application. Some could still use jw.org instead of their Bethel account. Others were asked to create a new password.
Communication with this vendor was very difficult (slow to respond). Stella (Licensing) was very diligent with communication.
In this case, there was an existing business relationship between Watchtower Licensing and Trimble. However, when we discussed SSO, we learned that Trimble didn't communicate internally between their technical team and their account manager team.
Questions
How do we communicate that potential services (SSO, SCIM, rich data claims, license management, etc.) are not necessarily included in every form of federation?
How do we test a migration? Does the vendor support a separate testing environment, or do we have to test with a small set of users in production? How do we capture what their process is?
Improvements
Our reusable modules do not always support specific features of the applications. At times we need to release a new version of a tf-module.
We do not want to be responsible for user lifecycle management, which means users should not be defined in our code. Access should instead be defined by groups managed by a trusted source (hub, ad, etc.).