igroup ltd: Whitepaper Single Sign On to the Cloud INTELLECTUAL PROPERTY DISCLAIMER This white paper is for informational purposes only and is provided “as is” with no warranties whatsoever including any warranty of merchantability, fitness for any particular purpose, or any warranty otherwise arising out of any proposal, specification, or sample. No license, express or implied, to any intellectual property rights is granted or intended hereby. igroup Ltd disclaim all liability, including liability for infringement of proprietary rights, relating to implementation of information in this specification. Igroup Ltd do not warrant or represent that such implementation(s) will not infringe such rights. Product or company names mentioned herein may be the trademarks of their respective owners.

About igroup ltd igroup is an ISO 9001 certified organisation and a Microsoft Gold Certified Partner with our specialist competency in SharePoint. The SharePoint services we offer include development, hosting, consultancy, support and training. Our Managing Director, Steve Rastall has been named in Insider Magazine’s ‘Top 25 Up & Coming Entrepreneurs’ and we have also won a HOT 100 Fastest Growing Companies award. Since we were founded, we have at least doubled sales revenue every year via organic growth. For more information about the products and services offered by igroup ltd, please visit our website: Or contact us using the following address and telephone number: Copyright igroup ltd 2015

Background: Trending to the Cloud Copyright igroup ltd 2015 According to a 2014 survey by PC World, the majority of businesses now have a cloud strategy, with cloud adoption most prevalent in smaller enterprises with less than 250 employees. Around half of the businesses surveyed quoted the reduction in the requirement for internal IT resource as a key driver behind their move to the cloud, while almost all businesses stated that the security benefits of the cloud (94%) or the reduced risk of outage (96%) were a key factor. The types of cloud service used by businesses were very similar regardless of size. Web hosting, , productivity solutions and data backup were cited by all business sizes. In smaller organisations of less than 20 employees, services such as help desk or monitoring to the cloud, whereas in larger organisations, content filtering was a top use of the cloud. One of the key barriers to greater cloud adoption among larger organisations was the need to manage legacy systems and a perception that integrating such systems into a cloud environment was difficult or expensive. Single Sign On – the ability for users to seamlessly interact with applications in the cloud or hosted locally, and for data to be effortlessly be transferred across systems is a key requirement for true cloud adoption, and this appears to be one of the main barriers to larger organisations developing a true cloud strategy. At igroup, we recognise this issue, and have developed solutions to help businesses develop federated single sign on solutions to connect legacy applications with the cloud. Source: PC World,

Single Sign On: The Challenge For many businesses, the key barrier to migrating fully to the cloud is the need to maintain access to legacy applications. This is particularly the case with larger organisations which may have bespoke software in place to manage elements of business flow. While it may be possible to host such applications in a bespoke cloud environment, this may require substantial investment in development resource to handle the various changes. In most cases, the solution chosen by business is to maintain a hybrid environment with most functionality migrated to the cloud, and some core applications hosted locally. From a user perspective, there is an immediate inconvenience of having two separate systems in place: A requirement to log into each piece of software separately and maintain the access details for each application. From the wider business perspective the issues are much more complex. Separating the applications in this way restricts the flow of data from one location to another, and also creates security issues as log in details must be maintained and kept up to date in multiple locations as staff permissions change due to restructuring, changes in individual roles, or leaving an organisation. A single sign on (SSO) prevents these issues, but for inexperienced staff it can be difficult to implement. Copyright igroup ltd 2015 Cloud Applications Legacy Application s

Single Sign On: Approaches The process of migrating to the cloud is typically managed as a large project by an organisations IT team. They will review the requirements of the business in terms of resource and software then work with an external cloud solutions provider such as Cloud Point to build the environment to the specification required. Once the environment has been developed and software solutions created, the process of moving data and user information to the cloud begins. This is typically the most complex and resource intensive part of the cloud migration process. Cloud migration is generally achieved through the use of a number of different tools including agentless tools which are used to remove data from legacy storage systems and data bases and replicating the structure in the cloud. A common issue that igroup’s team have experienced in the past is that the data formats required for cloud compatible applications such as SharePoint 2013 are not always compatible with those used in older applications such as SharePoint While systems such as Lightning Tools Meta Man are helpful in the migration process, they cannot be totally relied on, and manual intervention is always required. The difficulty in developing a true single sign on means that many organisations will end up using one of the following partial systems which both offer limited functionality. Copyright igroup ltd 2015 Cloud Infrastructure Applicatio n Data User informatio n

Active Directo ry App The most common option adopted by businesses is to maintain 2 or more separate identities for users when interacting with local legacy applications and the cloud. Under this model, user interaction is as follows: 1: User logs into Cloud hosted application with one ID 2: User accesses On Premises Application with one ID 3: There is no connection between the two services The lack of synergy between the local and cloud user accounts means that data cannot easily be shared between the two locations, and as a result, applications cannot work well together. This solution puts significant limitations on the deployment of key cloud benefits such as collaboration, information access, and business intelligence metrics being accurately compiled across an organisation. Active Directo ry App Copyright igroup ltd 2015 Option 1: Separate Identities

Copyright igroup ltd 2015 Middleware or VPN Sync’d Data (Delayed) Active Directo ry App Active Directo ry App Middleware or VPN A common pseudo solution to the requirement for single sign on is to use linked user stores with Active Directory. This model has similarities with Option 1 in that separate user identities are maintained locally and in the cloud, however they are synchronised and a user can use the same log in details for both areas. This model uses the following process: 1: User logs into a local application 2: User data is verified using a local Active Directory / User Store 3: User logs into a cloud application 4: User data is verified using a cloud Active Directory / User Store 5: Data is synchronised between the user stores via VPN or Middleware application. Unfortunately, this model does little to solve the issues of data sharing created in the previous model, as the users are still separate entities. Additionally, the solution relies on the synchronisation between the separate user stores which can result in a delay in information being updated and create a security hole. Option 2: Linked User Stores

Copyright igroup ltd 2015 Active Directo ry App ADFS Option 3: Federation (ADFS) Federation is the preferred solution and provides true single sign on for users across local and cloud applications. This provides a seamless experience for users and properly allows for data to be attributed to an individual and shared across multiple applications. Federation uses the following process: 1: User provides sign-in information. 2: App provides log in details to Active Directory via ADFS. 3: ADFS provides token enabling user to access information. 4: App provides requested data to user & token for re- use. 5: User able to access application (within pre-set time limit). 6: Local Applications accessed using same data store. Federation has the benefit of having a single, rather than multiple stores of user information under which only the tokens required for each applications can be stored. This provides a major security benefit for an organisation as only one copy of a user exists and permissions can be granted in a single location. This also provides a seamless user experience under which information can be accessed and shared across different applications simply.

Summary: Our Approach As SharePoint specialists, igroup have acquired extensive experience in the complexity of migrating organisations from legacy systems to modern cloud applications. Through this experience we have been able to understand the needs of business when it comes to cloud migrations including security, flexibility, and interoperability. As one of the UK’s leading specialists in SharePoint, we have assessed many different platforms for migration, and our internal team has developed ADFS based solutions for both large and small organisations to enable them to combine systems across local and cloud infrastructure to provide better security and access to information for staff. Our Clients include both national and international businesses and government organisations including many FTSE 100 businesses. For more information about how igroup and our partners can aid you in a transition to a more modern IT Infrastructure, please visit our website. Or contact us using the following address and telephone number: Copyright igroup ltd 2015