Pre-Conference Workshop | The IAM Experience Your Users Really Deserve

I
Hello. Hello. Hi, good morning. Good morning everyone. Hello, 1, 2, 3,
Only
The flights. So if I have to do that, I just dialing. This is gonna be like a very handsome thing. It will be like an intro 10 minutes perhaps. And then I will give the, I will pass it to the, actually to the people who are gonna start programming. Some stuff just gonna be, be at the end of that moment. I gonna like show how, how to do it and then I have to share it. Definitely. Is that gonna be a problem with the microwave? We need it here as well. If possible. Yeah. That's why I was trying to do it through teams, but I saw that you were already like,
What's
That only video actually. They just have to see me live, like what I'm coding or that
Your eyes
Came across with
My eyes. And I know here. Good. I see. Love welcome.
Welcome coming. All right. Got that. So fast ago we just fixing the last things, but we are almost on all of them. Let's see. Let's see. I hope there is some people online, so, so as long as they're in life so far all. Thank you. Thank you.
I want
Your eyes and I, yeah,
I
Have it. Doesn't good morning.
Okay.
It's a little bit different today. It's gonna be like that a little bit, huh? Okay. All set.
We can start. So, so welcome everyone. Good morning. I hope. I think we are like a few minutes later. Four minutes. It's not that much. We just we're having some struggles with the, with the techniques. I'm a technical guy. I'm senior solution engineer from nows, Okta. So, you know, there has been a lot of changes lately. We started as a science solution zero. We did very well. Now we are joining Okta. We are part of Okta. We have a bigger, larger spectrum of users. We are not only covering right. S what we were doing as a focus before, but also taking care of workers workforce, obviously. So that makes us locked up blue zero, a company that can target can cater any user in my encounter in the, the IM is based so very happy to be here today. I did prepare session related to Zam.
So it's gonna be focused on the product unit zero still. It is gonna be a little bit different. I will just start with an introduction of Zam. Very basic, just putting some, some, some, some strength, taking a look at whats. It is at all talking about the, the points that we suit to care about. But as I, as I was saying, it's gonna be a little bit different today. I wanted to sort of, don't go like for four hours through slides, but I wanted to make you get a feeling of the product itself. And I wanna, I want you just to do a little bit of HandsOn if it's possible. I know here are the people in the, in the audience in mind of not, they might not be prepared, but I hope at home you have laptop on hand and then you will be able sort of like to start integrating and say, checking how easy it is with Alexei zero, just to implement an IM solution on top of your product on top of your website, for example.
So that's, that's the thing, just letting you know a little bit different, but it's gonna be very enjoyable. I will go through as an introduction. Then I will sort of like comment what we want to integrate. First. I will stop. I will give you 10 to 15 minutes. Then you will have time just to go through the SSI yourself. After that 10, 15 minutes, I will come in. I will show you how to do it. So if you sort of like got some problems, you can see how you can solve it. And we can do that. Like for a couple of times on the slides, you will see, like, I have a couple of links. One of them is very important. It is called the lap itself with the lap itself. When you click on that, you will go through all the models that I will be pointing out throughout the presentation.
So you, it is a regular website, very easy to use with the information you need to have just to do the integration. So that's just, just to setting, setting the stage a little bit, because I know the session is a bit different as a, I'm already repeating too many times, but I hope it's gonna be okay at the end of the day. What I want to show is how easy it is with the product to integrate with your websites. And you will see, we don't even need the four hours that we will be spending here. We will be spending here, but just a few clicks. You will get the information out of the box on the platform and it's going be for you a breakthrough, or I hope so, because it was for me when I joined Alexei zero, actually. So yeah, with further IDO, I will start with, with intro, as you can see, we will, we, we call it like the IM experience your user really deserve.
And then subtitle, which is also important for the session is the how to secure multitenant, B2B, SaaS applications. Why the title? Well, you know, I mean, we talk a lot about IEM. We talk about Zam, especially when we talk about Zam, we, I rather speak about the user experience that they start talking about what we support from a technical point of view. And I say that because at the end of the day, we're trying to solve the product. No, so it doesn't matter, although, well, it matters what we support sort of IDC, some mill, how can, how can we integrate how we manage the access tokens S Don and all this stuff. But I want to keep the focus on the user experience because we do all that technical stuff just to make them their lives easier. So we want them just to make it very easy for them when they interact with our application to go through and get a frictionless experience.
We shouldn't forget that because sometimes we, technical people sometimes tend to go the other way and try to be like a future rich. And sometimes we forget about like what the user is doing with the application. That's what they did. So the user really deserves a nice, a great IM experience, why they said the subtitle. Well that's because of the app, it's gonna be focused on B2B applications. That means that the companies are building applications and they're selling it, and they want to integrate an IM or an IDP solution with their applications. So we will put a focus on that because it's also very important. It is not only sometimes we can talk about B2B to C, which has at the end of the day, the users that we will be using the application that the business are selling. But that's why, so B2B says because of the lab, we will focus on B2B applications.
I hope it's clear so we can kick it off. So a little bit of an agenda, I think already like explain more or less how we're gonna go through the session today. We will make a, we'll do a little, very brief introduction of Siam. And then we will go through three different models, which are bringing, bringing your end users to the application, onboarding multiple customers, which in this case, customers would be the B2B applications. So you might have different organizations utilizing your, your software. So that's why we talk about onboarding. Multiple customers will be a company, a company B that we will use in your application. And the last model will be bringing context and enabling collaboration. It is about how can we, we will go a little bit deeper into the technicalities and try to show you how can we integrate or extend the flows that we offered in Alexei, zero, talking about flows, login, flows, sign up flows.
How can we extend them just to put some context to that flow and do, do beautiful stuff with, with gene that we, that we offer within Dell zero product Q a, it is, as you can see a little bit shorter than expected for today, but as we are gonna be breaking up for, for I'm giving you time just to do the programming, it's not gonna be that fast so that we will be talking about like two to three hours probably. And then if we leave a little bit of Q a, which is, I think very important as well, how an hour, something like that, we will be, I think, three and a half. Something like that, three to three and a half that I think is gonna gonna be more than enough. That's what I was telling. It is not, you don't need four hours just to do an integration, just to sell your product, your software and put it to hands of your customer.
That is very easy to, to go through. So, so what is I, well, EIT, I shouldn't, I shouldn't have to explain this, but it's just like an introduction of what we, what we all know. I believe in the room and in the audience online. So as I was saying, when I think about science, I, I don't start talking about technicalities, but I'd rather just talk about the user experience and that's why I'm trying to depicting here. So when I see Siam, I say C, it is the front door to my application. It is the reception. It is sort of like that. When you come to the hotel, it's the, is the first thing that the user interacts with. That's why such a importance to, to the modern. So it is something that is essential for your users. It is essential for, for your business. So it is just, as I said, the first interaction the user has in an online market as we are today in an online world.
So it is key. It is key just to make it right to, to get it right. And when I say get it right again, and I'm gonna repeat myself, not all about technicalities, but the user flow the, the experience of the user. So that's how, how I see, I obviously we need to talk about, about privacy. We need to talk about security. And again, it's convenience, convenience when I say convenience user experience. So as you can see, we, we shouldn't forget the convenience part of the, of the, of the puzzle here talking about time. But obviously we have to talk about privacy. We have to talk about security, where we see ourselves well in the middle. I think we not only us, but is the, the thing we, we try to sort of like, as I say, combine the three quadrants, if you want to, the, the three things that we believe are key just to get to the user or give the user a frictionless experience while keeping privacy and giving security.
So I'm gonna show a little bit, two examples to scenarios. So to see where the user interacts with the application, and as you can see, the scenario one will be a retailer who wants to set up a frictionless customer experience that also prevents fraud and abuse. As you can see, I can, we have like four columns. And I see, like, for example, for registration, we could talk about abuse detection. So you see the columns on down there on the head, you see like a sort of type of interaction and the measures we could give or provide the users. So the user experience will be frictionless for it, and we'll be keeping private privacy and also being insecure. So if we talk about registration, we, we can talk about abuse detection. For example, we can provide services, the platform platform that's outside of dust, the product itself, we can protect wrong registration using, for example, suspicious emails, just a very basic example during the logging we can provide, for example, for the users.
So the business is really good, social integration, a classical in the same business, not that much in workforce, but for, for time's key, just for, for Simon it's prestigious, for example, to provide social integration, we can provide also a universal logging, which is kind of a special term we use within STO. It refers to a logging mask, which is out the box provided to you, and very easy to integrate that comes together with a lot of standard flow, such as possible reset the login, the sign flow. So everything is out of box for you just doing an integration. Actually in that case, I redirect to the, to the universal login. We have different flavors of it. We can talk about it later, moving to, to the right. We have access. We can talk about a policy engine provisioning organization. Porwal us. That's something that is also important.
Sometimes provisioning is not that important for, because usually in a science context, the user is gonna be self-managing the, the identity himself, but there might be cases where we have to do like a provisioning beforehand. So the user can log in our Porwal. But top of that policy engines means that just we, we can define whatever need perhaps using RBAC or AAC. We can assign the rules on the permissions that we need, the, the end users transactions. Well, as I was saying, that links together, actually with the access, we can assign the roles we need through different access, different approaches, such as cer a second scenario, which is a B2B, which is the core of the lab itself. So it is a B2B service company wants to our startup wants to deploy a zero trust security model. So we see again, the same S that we saw before we talk about different, different stuff, because we are talking about B2B software as a service.
So during the registration, we might need device management strategy. We might need a product that is able to manage devices so they can be properly managed within the platform. Again, during the registration, perhaps in a B2B scenario, the provision comes already given might be the case. It still, I, but as I was saying, it is a little bit different. We will talk about through the lap about this, perhaps that is the differentiations. So that's why in this column registration, in this case for the B2B S the, the provisioning, then we have for the logging, again, sort of the same items that we had before. So universal logging directory, machine identity, or login actions, very similar to what we had before. And then we have access and applications during access. We can talk about multifactor or again, policy just to assign the policies we need. So conditionally, we can assign whatever we need to the user might be roles as we can talk about Herba or AirVac on top of, of that.
So it is a very general thing. I mean, I try to sort of like split it and related to the different interactions points. So the different items that they are involved when implementing in this case, how zero, it is a little bit general, it is not meant to be like, it is only what we need for that, but it's sort of like, so you think about what is behind what we do, sort of login registration, access very general, very basic for, for this audience. I believe. So there is something probably not that much new for you. Well, it's always, but it's always, but it makes sense just to repeat it. And because we sort of set the station, I thought it would be interesting to go through.
So moving a little bit out of what is C of the view that we had of cion with the user experience in the middle for us, if we go a little bit deeper within the product, which is in this case, we are coming from the, from that angle, from the double angle. So we started like a very developer focus and we are still developer focus company. That's why we want to, we want to make together that this kind of sessions, we, we want to make it clear that we are still like a very developer centric. What doesn't mean developer century? Well, we try to give you the tools as a developer to make as easy as it gets an integration with the IM product. That's always in focus. What, what is the translation of that? Will we provide an integration with as many as you want as the case.
So every single, almost every single tech stack that you use, you get an SDK for that. So out of the box, we, we, we provide code that you can plug and play almost so copy and paste if you want. So that means that's one of the minutes, but also as well, we provide, for example, CLI tools, or we work together with Terraform. So you can integrate the development of the IBM solution together without zero with your C I C D pipeline. So that's what means that our zero is a developer-centric product. So it is very handsome, but we try to extract the balance between flexibility and out of the box futures. So that's our sort of sweet point. We are developer-centric, but we make your life very easy. If you want to extend what we, what we offer you, you can do it because the platform is very flexible.
We try to keep it open. You can almost, if you want code program, anything you want, we have what we call our actions engine, which is a server, less architecture behind the product that will run for every single login. And then you can run old code Java, a script, for example, to do whatever you want, whatever you want. What does it mean? You might want to connect to a third party service just to check whether the email that is been used to the registration is suspicious or not. Coming back to the previous example, you might wanna use the actions, for example, to reach an access token, just to add some claims to the access token, you might wanna use the access engine to block some IPS, because they're coming from, from a region that is not allowed just to access your website. So we provide the infrastructure behind, as I said, and we try to strike that balance between out of the box and flexibility.
We are not an out of the box company, if you want, we are not also like you have to do it, everything yourself, but we are somewhere in between. And we try to keep on that, on that positions, because we understand that, em, so it is difficult sometimes just to gather every single use case we have in there. But with the flexibility we provide, we can get to those use cases. And then if you have like a ban integration, you can almost like do a copy and paste just to get to the integration done with, with the product that was. So what I was saying, design for developers, we give you the tools. And as I said, very easy to, to work with, and we will go through the lab and you will see how, how it looks like. So before we start, we usually do these presentations sometimes in partners, in partners with our partners sometimes.
So we provide, they provide us like a, an environment where you just get everything out of the box. In our case today, it's not the case. So we might need to do a little bit of, and this don't be afraid of this. I mean, this is just a couple of downloads. If you've been a developer, you will see there is nothing wrong with it. There is very standard stuff that we have to do. And probably most of you, you have it already on your laptop. So we need a pre that's not a pre-work, but it's just a couple of downloads just to start the session and to start the lab. What we are gonna do during the lab is just to, I provide you an application, a regular web app reading in no JS express, you would, you can copy the locally, then we will run node. And then you will to integrate that application with the zero platform. So what do you need for that? So you need, if you don't have it, I hope most of you have it. So you need no. Yes.
So the version 16 should be the one that you, or higher than that. You need a code editor. I hope as developers, you might have that already. So we easily talk about visual studio, which is very common and very easy to use and well, to do the, to download the, you might want to install kit or kick up TLI. If you don't have it, I, I post the links in there. So it for you just to install them and you should have, once you, you get it installed. As I said, you copy the, the, to your local device. So with, with that command, or even with gift, you can do it as well. So then you need an out zero tenant, which is like a couple of quicks today. You just go to our page, enter an email, and there you go. And you should have access to the training handbook, which is the lab pizza, zero.net, which is I told you about it is like the, actually the guideline of the lab.
So you click on that and you will see, or you will get what you have to do to start the lab. Please don't be afraid. I hope there are some developers in the house. I hope if not, I mean, I started ASCE leveler. Then I moved to data analytics. You could say, okay, my developers involved in that task. It is not be developing. I did an MBA afterwards. So I was moving away from that. And then I came back to this and it was very easy for me just to, again, just to go back and, and deal with code. It is not like very difficult thing that we are gonna do today. I don't want you to be afraid at all. It is just about like, doing a very simple integration. It is just that we need the, we need the tools. Otherwise we couldn't launch the, the application itself. So as I was saying, I will give you right now. I think like we have five minutes or four minutes to nine. I think, I think it's fair. If I give you like 10 minutes of time, you to try to go through this downloading node, getting, get doing the copy of the repo and then signing up for Alexei. If you don't have everything. All right. That's sounds good. All
Have any, any promise or you need any help? Just let me know.
Awesome. It sounds like
I hope it is coming along. Gonna give you two more minutes just to kind of complete the, this don't worry. I mean, if all of a sudden there is something with a GOFI and something like if you're using windows and somehow little bit different to do the installation, and you have to click the, go through web and try to understand how to download, for example, get or work with the CLI. It's just one, one thing that, that they, during one time you do it, one to do it one time. One is done once it's, you will be able, I mean, I promise you the benefits is going through this sort of a small hiccups doing these kind of installations. It is gonna be forgotten completely. Once you see how it is, how easy it is just to integrate a standard of the art platform with your web within minutes within, in one hour, perhaps depending how, how complicated are your use cases, but it is worth doing, going through this sort of hiccups and try to, just to be you, you don't have to even be a developer to do this. It is just, you need that setup.
And you would say, you don't have to do be a developer just to do integration. It's gonna be copy and based copy and based. Definitely. I promise you, so how are we doing the audience?
Yeah. You and
Good. It happens anyway. I mean, if you are not able to, to eat yourself, you will see how to do it. I will sell you. So I just wanted like people just to realize, because I got that wall situation. When I went through this kind of tutorials and all of a sudden you were able just integrated with a couple of clicks and was pretty, I mean, pretty interesting just to, to see that. And that's what I want to make the people realize that with the platform you don't have to be, you don't even have to be a developer to integrate state of the art solution. So it is a very interesting just to see it yourself, but that's, that's the goal. That's the goal of the, of the session. Actually, it is not that you have to start everything. Yes, you do.
If you wanna do it yourself. But other than that, I mean, I hope you, you have access that will be important to last link. That one is lap.pizza, zero.net. This is, as I said, the guidance to, for the entire lab there, you will find all instructions unit through the models, a colleague models. We will go through a couple of models. So please try to get access to that page. I Hope's up and running. I tested a few minutes ago. I was doing okay, so then shouldn't be a problem with that. So if you want, go ahead and open that link. So that lap CDP double boom slash last lap dot its zero.net with that you get access to, to the life itself. Yes. How would
That be open?
Sorry, how long
Can I do this test just for today?
No week, as long as you want, we, we can keeping contact that one is something that we use for different conferences. So it's something like it, it stays online and that's something that you can use at your own pace. And whenever you, you want to try it out or have time to do so. So that is for you as well, like a sort of like a helper to see how to integrate the, the tool.
So I just gonna click and start with the first mobile. As I said, I hope you already opened the lab pizza, CDOT, net webpage. You will start to see some information. I will open it to my laptop. I will let you let you see how it works. So model one, bring in end users into your application. So what you see here, it is a representation. So it is sum up of how we see an integration or the easiest is duration possible with the LC platform. The customer is coming from the left hand side, you see the client and the brochure and tries to get access and ID tokens far on the right hand side of the, of the slide in between. You have your application, of course, and you want to provide a friction less experience when it comes to login. And when it comes to doing a signup, your application is in middle and on top of the application, the easiest ways to integrate a zero with your application will be using the universal login. I already used that term before we call it that way, universal logging. But at the end of the day, you can see it as a widget provided by ALCI jewelry, redirected user to a page hosted in ALCI where the widget is render.
The thing is that when I talk about redirection, perhaps it makes sense at this point, like some people they take, okay, we are talking about like a frictionless experience. And then you talk about redirects. The thing is that we can customize every single detail of that page, hosted in, add zero, meaning that when you redirect the user, the user doesn't have to suffer from sort of like other 10 for the website, doesn't have to the Heathers and filter. For example, of the web of the webpage, doesn't have to disappear at all. We can keep that it is a redirect just where we can customize it to a point that it looks exactly the same as the website. And we support for example, custom domain. So when the user even is, gets redirected, it might be redirected to our URL, which is accounts dot your company.com, which makes the experience actually like keeps you the assurance that you are still within the, the environment that you should be.
You get the experience from a UI perspective, as I would say for it is important that, that part of the, the deal. Now you have to make the user feel like this is a friction. There is something like he shouldn't be worried about what is he landing, even if he are redirect. So that's the thing. We, we do a redirect to a hosted page within S with under domains. We can customize that page and central to that page would be the, what we call the widget universal logging. It is a widget that is provided by us. So you get password results, you get the standard logging, you get the standard signup you get on top of that. Everything thing you, you might think of regarding attack protections, I'd, Bero breach, password protection, all that kind stuff is already in that, on that widget together with a platform without zero platform.
So after this lab, you will get a really, really, really, really well protected and very friction like experience with, with your users. So it is, as I said, I mean, for me, it was sort of a breakthrough just to see how easy it was with the platform to integrate with, with the website. Just to, to mention it, we can see on the bottom of the slide, we can sort of use whichever provided identity provider you might have at the end of the day. We can federate if you want, or as you can see user data or to the right, to the universal login, it means that we can provide as well databases. So we can provide user stores as well in our obviously, but federations are possible. For example, I just mentioning there over there's like, we are talking about Google, Facebook, whatever, whatever you need, this is the easiest way for Alexei to yes,
Well, that's to D solution without domain. How do you manage, I assume have value structure, not static
IPS because not static, static, IPS, static IPS on the, not as usual anymore. Yeah. And it's hard to, from my background, I know it's hard to implement another provider in the same DNS environment. So
Yeah.
I see some challenges with this very basic thing we speak about.
Yeah, well, no, I mean, that's a fair, fair question. At the end of the day, custom domains, we, you can configure them just is a, from our configuration point of view. Yes we are. Perhaps I should mention it just in case, you know, clear, but it's true. We are a cloud only solutions. So we live in the cloud. We used to have like a deployment on premises back then many years ago, not anymore, we are cloud. So we either work on AWS or also in Azure as well. We provide public cloud or also private solutions, but always on the cloud. When I say private, it is a private cloud on, on AWS or sort yeah, with private cloud, there are some more of some more control, but it's true. But at the end of the day, the customer means when I configure those, it is sea name that has to be set up in the, in the dentist, on the dentist C that is gonna be linked to the custom domain. And then we do provide the support self-managed certificate by out zero. Or you can even use yours if, if you want to configure that, that custom domain.
Yeah. But with, with CNA, we always have the problem that they're not really fast. If something changes in background. Yeah.
The propagations that there is a latency involved in there, but it should be okay. We don't hear that much of a problem for our customers to be honest, but yes, they are. Right. Once you configure those sins, there has to be a propagation. There is no latency involved, but there is a one time thing usually.
Yeah. But the log in log in procedure or the IDP procedure, the IDP must be available all the time because it's very basic.
Yes, yes.
Nothing running without it.
So yes, yes, yes. Definitely. There is like some downtime. There might be some time if you sense the custom to the customs domains, that there is some time downtime, downtime involved on that, on that process. That's, that's definitely something that you might, you have to consider when setting up custom domains. Yes.
Yeah.
Yes. No, but that's, that's a good point. That's a good point, but it's always like a trade off and it makes sense. Definitely. So for any serious company, serious company, just to go through the custom domains path because of the security that the user gets, when you learn on something like accounts, do your company.com. So
Yeah,
But that's, that's a good question. Thank you.
Yeah. We have to check it in detail.
Yes,
Of course. Thank
You. No more than welcome. Easiest way to integrate universal login, but we do. Yeah. Obviously, and as I was, I was saying before we try to strike, we try to strike the balance between flexibility and out of the box. We do have like a way of embedding that solution as well. So you get the widget. If you, if you wanna go that way, it is also possible. So, so you can have everything on in house. You don't have to do a redirect. All you can embed that solution on your website, either just using the widget we provide, which is called lock JS is a JS library. So JavaScript library, or we could also talk about our rapper that we offer. We are the block that we offer on top of our API, because at the end of the day, whatever we offer through the logging and the universal logging, we can offer it through APIs.
So you have like a no fast, I'm not gonna say no code, but the redirect using the universal logging, you can go in embed, use our log widget on your website, or you can use the LC JS rapid on top of API. Or if you're gonna go to the very single detail you can use directly the API. So the thing, as you can see, we try to sort of keep you the tools you need and try to cater as many use cases as we can. So for a term from talking about flexibility. So that's something that we understand, not, not everyone, sorry, not everyone is gonna be okay with the universal login, but not everyone is gonna be okay, embedding or programming every single from scratch the solution itself. So we try to provide the, the guidance along, along those lines.
Correct. Anything else on here? I think talk about every, everything goes in and there. Okay. So we, this is I'm showing you because this is gonna be the first part of the lab we want to integrate or do the integration with the universal login. So we can go now to the lab, PIP zero.net, go to the model, model one, as you can see the products, I believe we are done with them. Other than that, we go into model one and we will start like working hands on how to define an application in zero, get a guidance on how to integrate, copy based, almost copy, and based that code into your application itself. And once you're done with that, we will try to launch the application and see if we get redirected to the universal login. That's the, the model one. So as I did before, if you go to the pizza to the lap.pizza, zero.net, just go through the steps you you have in there. I will give you like, in this case, 15 minutes, perhaps to do that, and then I will do it myself. So you can see how can we integrate that life in case you have any problems. So, as I said, pizza, lap pizza, zero.net/model one. And yes. So I think we are like 25 right now, 9 25. We can meet again at 40 and I will show you how to, how to do that first step or how to complete that model one.
I'm not gonna be counting the minutes at all. I don't wanna make you feel like we are going through here, like tense. We are going back to schools, something like that. Don't worry. I mean, just try your best. The thing is like the time you are investment investing at this moment, I promise you it is worth it. It is worth it. You will see from me as the audience was asking before you will, we will keep that lab open for you. So if you have to come back after you see how it's done, you can go. And obviously, please reach out to me. If there is something that is not working at all, even not now, I don't have access right now at teams. I don't know whether in things, we get some kind of interactions or not, but we, we can do it later on. So you will get it done. You will get it done. I'm pretty about it. As I said, I'm not a hundred percent developer. I do. Pre-sales yes. Bit of a tech, but they have to, you know, do sales and then still, it is quite easy just to integrate that product with, with, with your platform. That's the matter the tech stack you have, you you'll get an SDK from us. So very, very easy to integrate.
So I think we say like 40. So yes, I'm gonna tell you four more minutes, but I said, no rush. Don't worries. We will go through, you will go through with me in a few minutes and you, you will see how's how is sound. We might have to change you one, see the slides anymore, but my laptop in like four minutes, something like that.
Speaker 10 01:27:50 I,
So I hope you've been there already. This is the model one for, for the lab where you are supposed to go through to get the first integration. I hope it's not too, too small. Let me just make it bigger. So second, so it is just about, as we were saying, the model one is about bringing the users in. So the first thing we have to do is to integrate the tool. So, and the easies way to do that was I integrating the, using the universal login, doing a redirect. That's what we are going to do. And the steps you're seeing here for the model one, you will see that it's related to that. The first thing we have to do is to create an application zero. So that's something that I will do right away.
So let me just go back, make it a little smaller, go to the, to the tenant itself. Here you go. This is the outside tenant. As you can see on the menu, on the left hand side, you, you can see the options that we offer. And one of them, one of the tabs that you see is applications. That's where you have to sign, register your application, registered an application in what does it mean? I'm at the end of the day? Well, at the end of the day, you are getting like a client ID and secret. So it is a registration on the app itself, but it is a way of connecting the application to the platform. It is a way of giving you a client unique client ID. So you can use it on your web just to connect to, to the APIs, to the backend of zero to zero itself.
As you can see, I did create one application, which is pizza zero, and just gonna open. Otherwise you can just click on here and create the application on itself. There is very using once you click on here just for the sake of, so in how it works, you can click and select what kind of applications you are trying to integrate. So we do support almost any kind of applications. So for example, Naif, if you're using iOS or if you're using Android, we do provide SDKs for that as well. Obviously, SBAs we can support those as well. We support many grants among them is Pixi for example, with authorization code, which is works very well for SBAs just regular web apps with a backend. That means that you have like a secure backend, which has, could be call like secure clients, so to speak. So you have a backend, you can, you deem secure.
And then we also have, for example, that kind of applications, which are machine to machine applications to machine applications are meant to connect backend services. They are meant to connect clients without user interaction at the end of the day. So I'll zero. In that case, on the machine to machine approach, well, we just generate tokens for those clients so they can interact with each other or talk to each other. In this case, we, I did create a regular web app, which I call it pizza zero pizza zero. If I click on on pizza, zero is a regular web app. As you can see, you can get a, you get the client idea secret for the app, but what is important and probably that's the something that you saw already. Once you click on create, you get to choose what kind of environment you you want to use for that app or all the, say what tech stack you use to program that regular web app.
In our case, as in the lab is mention, we are using nos express. So I click on knows plus I could change the technology just for the sake of showing you the, the, the quick guides that we offer out of the out box. So the thing is that about this documentation that you see in here is that you get what we call live code. So there are a couple of things that you get out of the box. In our cases, we will be running the application on the local horse. You can keep it that way. So those are the callback Porwal and the log Porwal. So that means once the user gets back from the universal logging, where it's gonna be landed, and that's the something that you have to specify in here, you can keep the defaults for the, for the sake of the lab, because we don't need that.
We will be running the application on the local host so we can save and continue. And the thing that's that I was saying that you, you get what we call life documentation. What you see in here, it is just a couple of snippets of code that they are already customized for you. So, as you can see in here, and I gotta make it bigger, I think it is a little bit too bright here in the, in the room. I hope online is a little bit better. What you see in here is already customized code, meaning customized code. In this case, it's just about the client ID is already set up for you, because then you can do a copy and paste of that snippet into your application to do the first integration. So very easy to use and very fast just to integrate.
I will do that right now. So I do have my project in here. I use studio for that. This is the, what you should see you, you get that once you do the, the clone of the repo, you, you get that structure. One of the files is obviously the servers and that's where we have to copy and paste that code. And that's what I did. So you can see here, that's the code we, we had in the live documentation. I did paste it here together with the app use of conflict, just to use the configuration that we, it was generated for us on, on the platform. And you can just use that, that one copy and paste remove that one, which is the standard one that is coming from the app that we are using for this demo. You just comment that one. So it is out of, out of the, the running call.
So to say, and then there was something that obviously to do check if the user is authenticated or not. And as you can see, we can do it here. So you just have to uncommon the line. So you, you can say if the user is authentic, you can offer him the, the access to the order HTL or not directly to the index, just depending on what, where he, the authentication status of, of that user. It's been like a copy and past, directly of this few lines on the code, obviously the application was already prepared, obviously that's that's okay. Yes. True. But it's like a very good starting point. So at the end of the day, we are just instant or creating the, the out zero client with a configuration provided by us and using that we can sort of do and do the, send the request to zero, just to see whether the is authenticator or not.
That is part of the, as well of the, that you have to install part of the YDC anyway, copy and paste on the top of the servers. That's what it is. If I go back to the application itself also to the tenant itself, we can see in here that the next step already is just to test our logging. So that's it. I mean, this two, couple of steps, obviously we did the preparation, but it's not other than installing the right tools to run an app on, on our laptop, on our computer. And that's what I did. I execute or run the, the server note surveys, as you can see here, make it here again, and the server is running. So if I go to the local house on port, I believe 3000, it was set out as correct, 3000. You can see the, the pace now.
So it gets render. It's just Bon vanilla. So it's just an entry point. The important thing is what is behind the logging. When we click on logging, the code will be executed and we'll use the configuration that STO provide us, provided us, and we will get directly into what is a login box or the redirect, as you can see here, we don't have a custom domain. We were speaking before about the custom domains. This is, is still in sdo.com. As we were saying that we are doing a redirect. So we are landing within our zero. We could use custom domains. That's a feature that we can customize. And perhaps because the waste of questions in the audience, perhaps we can show that how we have enough time. So if we go to branding, that is part of the branding. We have something, what is called custom domains.
And in custom domains, we can define the domain and decide whether we want to use out zero manage certificate, or even if you want to use self certificate. That's the part of the branding. So to speak of the platform, as I was saying, as I was saying, in this case, we are just using the standard hosted page within out zero. You can see a little bit, probably yours looks different to mine because I already activated some features. But what you're seeing here is the universal logging when you have set up an organization. So that's something that you will go through the lab today and you will get to that point, but that's the, the first step is completed with that. It is just being able to do the redirect. If you enter your credentials, you will be able, or if you want, you will be able just to login into the website. For me, it's a little bit more of a two steps and you will save later on, but just for the sake of doing this, we can sort of use for example, and get into the application we I'm doing redirect that you, you will get to that point later on. Okay.
Probably because there was using another use. Okay. Okay. It's okay.
It's okay.
Anyway. Okay. So I hope the first step is through, I mean, we, we just have to sort of copy and paste that snippet that you have seen in our zero. It is, it is it's super easy. I mean, it might, the first time you see like, oh, well code, I don't wanna deal with that. It might be too complicated for me. It is not that complicated, to be honest, it is just, as I said, yes, copy and paste a little bit of a code within your application. And if you're a developer, you will realize that that's very, very, very easy for you. That was the first model with that. We do have integrated the, the universal logging. We have done the redirect to the hosted logging. So we can sort of jump into the next model, which is perhaps we can share the slides again, or I can do it here in my laptop. I think it might be easier for, for everyone also here in the audience. So we don't have to switch. I hope you can see that this going back to the experience, the user experience, which is for us as science provider a key. So we, we have some reports just to mention one from 2019. It is not tough. Well already like four years, perhaps we should change that one. But anyway, that, that hasn't changed at all. I mean, it's 80%, for example, of us service participants, state speed, and convenience as crucial for the user experience.
We don't care whether we support. They don't care whether we support O IDC, they don't care whether we support numerous grants of, of two. They just wanna have a easy way of getting into the application, obviously has to be secure, has to be with privacy. And that's something that is given, but we shouldn't forget about the, the, the user experience along those lines, the rest of the, the, the boxes that you see here. So they could, or they could even pay a price premium 16% if they get a nice customer experience. So again, the importance of the UI on top of the technical platform. So again, I am always looking at the, at the customer customer identity access management. We shouldn't forget about the customer, never forget about the customer. 53% of customers are willing to share more personal there with companies that offer a great customer experience.
And this is related to the feeling secure feeling that the, the experience is right for them. So imagine, I mean, it is all about getting data from the user. If you're able, like to provide something like a secure environment, easy to use for them, they can sort of share with you more data that you could use, potentially, just to, for example, thinking about a retailer to do promotions based on whatever attributes the user want to share, wants to share with you. So, and I don't know, I don't know how many, how many times I repeated myself today, but it's just, we are all and sort of the developer, as I said, but we shouldn't forget about the UI place because it is very important for time. And that's what we try to do in Alexei here know has to be very customizable, has to be to the, to the last bit, just customizable to the last bit.
So we can get like a nice UI for the user to interact with other comments as well. The 54% of, of all the solutions need improvements in user experience as a state of a customers. So that's a, a long way to go more than a half of their websites looks like that. They're not like perfect for the, for the end user. So again, focusing on the, on the user experience. So along those lines, so if we want to focus on the user experience, we should be able to make our logging box a little bit more appealing. So that's what we are gonna do on model two. So we will try to a very basic thing, change the logo of the universal logging just to start with, which is a couple of clicks. So it is just about customizing that universal page, universal login page a little bit, bit, a little bit. So it is more aligned to the CI of the, of the company itself in this case, as I said, it's just about changing the logging of the universal login.
Correct. So I think for this one, I think it's is like five to 10. I think we should be like ten five, so like 10 minutes again. I think it's a little bit easier. This one. So this shouldn't be, shouldn't take that long, just about copy out and paste the login, the icon. So the icon, you get it in a file within the structure of the, the rep. There's a file where you get a link to the logo. You can just that link. So it's all in the, in the, in the lap. So we can go now to the lap.zero.net, follow the model two instructions. And then we will be in, as I said in 10, less than 10 minutes here. And again, just to show you how to configure or customize that icon for the universal log. Yes. Question, is
It? Yeah. I have a short question related to customer experience today, we drive our customers to the, to MFA based login. So on every platform they have to manage their own MFA solution. And that's annoying for customers. Of course. Are you able to federate the other platforms like Azure as one example?
Yes. Yes, definitely. I mean, when talking about Federation, that's, that's a good point when we have a lot of customers, they do have already like a multifactor or kind of flow already in house that they wanna keep on using because perhaps it's even device dependent and that's something that cannot be changed, you know, and that's true. There is a hit on the user experience throughout on, on that, that way we can federate to those. I mean, we do have what we see we've seen before in that flow here, we have what we call the AC. Actually, if I go, we, we will check on that later on. Let me just move a little bit. There you go. So we have that, that was the end of the first slide that I saw with the flow after the access and ID tokens are action generated, but we do have a rules action, which can be used for example, to do redirecting the flow.
If we detect that the user is coming for, or is logging through our, to, through a Azure, we can sort of, for example, tell, okay, please go to a Azure login yourself. And then you come back to, to zero. It is a trivial Federation. The thing is, if you start with, with the login itself, maybe from the, from the beginning, if you just wanna go do a login, for example, with a Azure, we can do a Federation. It is just about establishing a connection. We call it a connection. It is a Federation. If you want to integrate a second factor, which is coming from from your company, then we can use the rules engine to do that. That step that's something that is because of the platform is very flexible. So the user could log, for example, without zero, once he's locked, we can redirect and ask the user just to enter another factor.
There might be a redirect to another website or at another pace where in house probably where those kind of devices are managed. And the second factor is done. That's something that can be done with, with the rules engine. So we can break sort of the standard flows as we have to cut different use cases. That's what I was saying at the beginning. And that would be a case if you have the second factor somewhere else, and you want to keep on working with them or using them, you can breaking the flow and doing the redirect. Having said that, we obviously provide a lot of second factor options from duo to web 10, to UV keys, to email SMS.
What else I think I'm missing go OTPs. Definitely. So if you want to, you can use the platform as well, just to take care of any second factor that you might think of. I understand there might be some Sr as well. There is a migration in both. We can migrate some factors, some second factors in some factors, such as OTPs and that kind stuff, because the devices been already registered. Perhaps we can migrate those to the platform, or if you want from scratch, we could provide you with second factors at your whichever factor you, you need, we, we take care of it. That shouldn't be, shouldn't be a problem, correct? Yes, we, no, just to add a little bit of on that, we are very flexible for example, and we do provide adaptive MFA, additive MFA. It is, there is a risk score in both in that.
That means that the platform with AI artificial intelligence tries to QFA score to the logging that is happening with that score. We can decide whether a second factor is needed or not the value behind it is always like we are talking about customers. We shouldn't forget about the user experience. We don't wanna ask for multifactor if there is no need to do so, there might be any, if the user connecting from China, why the users connected from China, we want them just, he's connecting from China. We want him just to go through a second factor. That's something that we can do with data MFA. There are other options, the actions, engine, or the rules engines that you see here. It is also very flexible to work with the kind of environments, because as part of the user context, when he's logging in, we will check that on the lab.
We will see that we can check, for example, the IP of the user of the client that the user is, is using. And with the flow, with the rules engine action engine, we can sort of like call that and said, okay, only step up factor in case that there is any pair suspicious trying to do the, the login of the client is not the common client that the uses has been using so far. So a lot can be down with, with the platform. And we provide out of the box. Multifactor definitely. That's something that many customers of us come to us just because there is, it is very difficult for them. Yes. For example, to implement that kind of second factor with a ground solution in-house solutions. So it's difficult for them just to, to go through that process and to maintain that. But that's something probably similar to any cloud provider as we, as we are.
So we provide that out of box and a lot of customers, they just check on that and they say, okay, all of a sudden, I mean, we just have to flip a switch and we can work with fingerprints on the web. That could be an nightmare to program, program it yourself and maintain the solution for, for your customers. So for your, for your company. So that's why Barry is like a flip of a switch. So you afterwards as well, if we have time, correct, we do provide with a rules and actions in engine. So of like, as we can redirect, we have the, the, the possibility to, to, to work with ID proof companies as well. We can let the user log, for example, to once the user is log, we want us second factor through or verify the idea through, for example, which is something like a very prominent here in the, in the region, in the dark region. So that's something that we can also do. And that's something that's that involves using the rules and access engine. We can extend the flow and then try to do the ID proofing verification and come back to the flow and say the UC is right. So, okay. Yes.
Do you match actually, I have questions maybe
Speaker 11 01:54:44 Let's
I can hear, you
Speaker 11 01:54:45 Can hear it. Okay. Maybe you need, okay. So let's pretend that, that there is no need at the beginning for, for you, you play the IDP role to ask, to ask me the second factor, then I try to access some specific research and I have to step up. Huh? Makes sense.
Yeah, yeah. Yeah.
Speaker 11 01:55:06 How do you manage that? This is kind of very interesting. Okay. Some, yeah, but here we are talking about different concept and, and, and then an easier one, you show us an open IDC with the authorization floor, kind of like it. But if I have an angular, it's a little bit different, right? Maybe you are going to show, maybe you are not. So the first one is much more of interest than me, but the other one is still something that maybe we can, I don't know if it's going to be part of the, of the D OT.
Yeah. For the first question I understood. I understood currently you wanna do like an Federation to serve for example, and come back and provide a second factor with zero
Just in case it speed.
Yes. Correct. That's fine. I mean, when we probably go back to this one, which makes more sense for this question.
Yeah.
All right. So what we will do here actually, instead of using like Alexei zero device, we will use like a Federation that will be Azure. So the login is through Azure. And once the logging is completed, we can trigger the action engine or another, the action or the multifactor in this case, sorry. Which is something that is provided out of the box within the platform. We can say, when do you want, because we have this data, the MFA, but the Federation is that part. And that is completed outside of zero. We just do the Federation itself. We give, we get the okay or not. Okay from the IDP. If we get an okay, we set up like the user needs to use multifactor and that multifactor will be in out zero.
But how do you treat the thinking? Cause I have to be session that fresh and this is very hands on. Really have to.
Yeah, yeah, yeah. Yeah. Well, I don't know whether I have to, we can talk about it later, but it's okay. Sorry. No, no, no, it's fine. But it's it's right now. I understand why, why you're meaning it's okay. That we can, we can do that. I mean, it is, we get the information we get from the IDP and then we can use it just to decide where, where to go next. So I can, I can talk to you later on the second question.
Okay. I'm using just a single webpage ads. Yeah.
Angular not fly
Anymore to, I see
That. Yeah. Not you
Think that for granted,
We can manage a single page application angular is done and usually we recommend P C plus to code that's something supported. So that's why we recommend today. We are going with regular web. So backend, no JS express, but yes, yes. Definitely angular or next or no, no. We do support a lot of text tax and that's part of our business. We, as I said, we just grew up as a developer centric company. So we, we are, I would say like leaders on that, on that aspect. So if you have something inhouse that you want to integrate, probably you are better yet. Your so would be one of the best solutions out there.
I would say
All. So going back to the lab, sorry for the guys online. So we were like in model one. So let me just go a little bit forward. We were doing model two, which is about like configuring the, the icon. So that one is very, very easy. So I will share my screen again. Bear with me. There you go. And then we have,
We were
Trying to find a pizza lap. Oh, there you go. Okay. So we were doing model that one, the previous one, we go to the next model, which is model two. And as you can say in here, let me just make it bigger. Always
We have the universal login and we just have to copy an icon to the universal login. That is very, very, very easy on top of that. We wanted you to play around with the federations in this case, activating the social connection. That's something that you can also do. You can apply it to the different applications you have, and we will do that as well. So I think that that was it. Let me just show how it's done. I mean, if we go to the tenants itself, I make it bigger for you. We have something which called branding. We go to the universal login and the universal login gives us just a chance to add what is called an icon. Very easy customization. Obviously we can customize primary color background dollar. We could even through templates, upload hat, mill, HTL call, just to customize the whole page.
And this, in this case, just play around. We just wanted to add an icon to the universal login. And that's what I did in here. You enter in there, the, the, the link, and then you click safe changes. Don't forget about clicking on safe changes. And then you're good to go. That was about configuring, like, or setting out an icon, working a little bit with the customization. Yeah, I know it is not a lot. For example, if you want to, you could have access to the whole HDL page. That would be the classical approach. You get access to the universal login itself to the HDL code. So you can customize it to the very single detail. This is the classical experience we call it just going back. We have two flavors for the universal login. We have the new universal login and the classical experience. The new universal login is render on our servers. And you just get the result on the classic. You have access to the JavaScript data will be render on the browser of the, of the user. We do recommend using the new whenever possible. You can customize it as well through templates through the API, but depending on the cases, sometimes you, you, you can use the classic experience to get more flexibility in terms of dealing with or working with the HTML.
The second thing we wanted to for that model was to create an, a new connection or activate actually a social connection for us. We have what we call authentications, the different kind of connections. We, we talk about connections in our case. Now we, we have, for example, the databases in this case under authentication tab refers to the databases that we offer. So works as a us user store. We can provide a Federation to a social provider. We have what we call enterprise connections, which is something that we will see later on and is the, the key about it is like we provide home real discovery. That means that on email domain, you can redirect the user to the different enterprise connections. We do support passwords labs as well, email or SMS. So you can get a automat click for example, or you can OTP or correct.
And then we have our educational profile. We can talk about it later on, but in this case, we wanted to activate the social connection. So as you can see, I already did the activation of the social connection. And as you can see here, we have two applications for the social connection and using like a developer keys in this case. So it is just a meant for testing. If you're going here, you can activate that Federation to Google for the different applications you have in there. So as you can see, PIP at zero activated the follow application, that's for one is activated. So that means that you get the, the option to embed, or you get a button on the, on the universal login where you can click and then you get log through what is a so connection.
That was it for the model two. You don't even have to touch actually the, the Codero because at the end of the day, what you are doing is you customizing the hosted universal login. So everything recites on, on, in Alexei zero, and that's why you can do it directly on the manage task for correct. As you can see here, the icon is in there. The login is not there because as I said, you will get to this point, I'm using a different logging flow where I use an organization and you will get to that point. But other than that, you will see like a login boxing here, which is, which is Google or that kind of social connections.
Once you click on that, you can redirected to Google. You have to enter your credential if you haven't done so, or you are not logging log in, in, in, in the browser, but that's the, that's the same. Correct. So a little bit of customizations, as we said, so icons, so doing a Federation with the social provider, I think we can continue then with the next model, we are like a 10, almost 15. So the next model is all about a new topic actually, which is related to the organization feature. And it's very related to what we were saying about B2 V. So we are trying to sell a website service for customers, and we are talking in this case of customers, such as another company. So other companies, they want to use our application. Correct. So
This is the use case as we can see in here. So we have different kind of organizations using our, our software. As you can see in here, I think I don't have pointed in this case, but anyway, so the same application is used by three different apps, three different organizations, each organization is using different IDPs. So we see that, for example, on the top, they're using active directory in the middle as already active directory. Even they have external staff in there. And for example, the, the bottom one, they use the G suite, external staff, customers, so different different organizations using the same platform. How can we depict, how can we support that without hero? So we do have what we call the organization's future, which is exactly that. So we define the three different organizations we define which connections in the platform have, have to be assigned to each organization.
And we funnel the users depending on the domain of the email, to the correct organization. That's the way it works. So the user, for example, will see user one at organization, a.com. Once we check name.com, we pass it to the, to the top organization and he will do a Federation against an active director. If we are talking about@organizationb.com, they get a free license, or it will be like the free license organization, and it will be redirected to active directory. So in the cloud, we're talking about on premises on the first case then in the cloud as a, as an IDP, but
We are trying to isolate the sort of business that they're who, which are using our application. And we can isolate those customers or organizations. I don't wanna talk in this case about customers, but that business that is buying our app, our piece, our software as a service app, they can actually, we can actually support that directly with, with very few steps within the platform. This is the organizational feature as we call this rather new within the platform, but very interesting to have a look at again. So model three, I hope, I don't know if we have time to, to do a break probably, but otherwise we can give a little bit more time for this one. So you have like 20 minutes to do this one and you can have a break in between as well, if you want. I would say so we will be back like 37 or 40 10 40. So this is about creating organizations. So very interesting to work with as well. You will see, you will see how can we isolate that kind of customers that they're using your software as a service application. It's the classical V2 scenario and that's something that's being implemented because customers wanted it. And we did it. So
Have fun again.
Should
We got yes, one question.
Speaker 11 02:08:19 Okay. Thank you. I see that you are kind of brokering three different IDPs that's for authentication, right? No authorization yet.
Yes. I mean, you, you can't configure authorization on top of that. We provide RBAC plus Ava, so you can assign roles to the users and depending on some kind of attribute that they might be return back through the IDP they're using, we can sort of like assign authorization as well and provide an access token with, with the right claims.
Speaker 11 02:08:49 And then a very tricky question I saw in the previous slide. Maybe you can switch back there. Yes. That you have users here in, in the second major, but is that an additional identity store or it's just for us to understand. I mean, if we just focus on author authentication and roll back as we are, maybe we do not need an additional identity store there. Do we
That one in here? Yeah.
Speaker 11 02:09:15 Yeah. The
Second one, it might not be needed at all. It is just to represent in this case, when in Alexei zero, you do a Federation, we get a footprint of the user itself within Alexei zero, which is case just to maintain
Speaker 11 02:09:28 That's beautiful
For, from
Speaker 11 02:09:31 DPO perspective. That's beautiful.
Yes. Well, we have to count the user somehow. We are doing some kind of business here, so that's the, that's exactly the thing. So that would be for us a monthly active user. Definitely. So even if the IDP is external, we are providing a server service to do the Federation. And not only that we might provide you with I capabilities through maintaining the sessions that depending how you configure it. So yes, definitely. I mean, obviously the user recite somewhere else, they are managed somewhere else. We are talking about Federation, but we are providing a service or addon service in this case, for example, through the organization, future, which is rather unique and which helps you to sort of get faster to market when you are selling a, so as a service solution by you, right by you, right? Yeah. A little bit misleading, perhaps the, the pick. Yeah. I agree with you. It is just the users. Somehow they land the information land in S it is at the end of the day, whatever the IDP is, giving us back. Maybe just an email or email on some other information or the password. So
Global,
Correct. It's global. Doesn't have to be an email for us. It's primarily email is our identifier, but it doesn't have to be
Email.
Correct. So, so model three, if you go to lab pizza.net pizza, zero.net, you can work on that as I said, 20 minutes. So it's like 10 40, something like that. Yeah. I believe the was on questions in teams chat as we are like hero switching between the slides and my laptop. And we said, okay, don't, don't log into teams, but I hear that the was on questions in there. The thing is I opened the chat, but I can see, I cannot see any of the questions. So if you want to repost them, that will be perfect for me because I now have opened the, the chat. So please go ahead and I will try to answer those questions live. Sorry about that 10 40. We continue. All right. Yes, I can. I can see one of the questions. What about on behalf of with delegated privileges? So
The thing about on behalf of we, we, well, just to, to put a plane, we do not support it out of the box. That's something we related to impersonation. We decided not to go that way a few years ago. So I believe for a couple of years ago, so impersonation, sometimes it has some problems. It, it is not the best way of handling security. That's our point on that? Obviously. I mean, I haven't chosen that direction is something that is given to us. I mean, as a presales, we do go that way or we stages what we, we have the thing is, I'm not saying that I'm not against it, but it's something that we, that we get it a lot. So impersonation and on behalf situations, the thing about it is like you can use extensions on top of the LC platform. We have, we have a marketplace. I not gonna mention partners of us or other vendors or third vendors today, but you, you get to deal with that kind of situations and scenarios, if you are using extensions. So you might need a third party service just to take care of it. There are some workarounds, and I urge you to contact us to get a little bit more detail on that through one of our features, which is account linking, but
There is some work in both, but as I said to put a plan, we don't have it out of the box, but you can use extensions. Or as I said, you can talk to us and we can see what kind of use case you have. And then in that case, we can provide you with some guidance on how to deal with that kind of situations.
Yes. Well, that's true as well. I mean, I understand that yes. On behalf of yes, at the end of the day, it is not impersonation, but it could be seen as an impersonation at the end of the day, what you're doing is like, for example, I can remember customer of us in the healthcare industry where I don't know, the son of a father will check on the details of online of his father. That's something that he comes that's on behalf of, but it is also like acting as, as the, as the user itself, but it's a little bit related, but it's true. We do have, as I said, really good extensions, which can cover that kind of standard. Just very, very well. Other than that, we can talk about a little bit more in detail, just reach out to us. I mean, there are some workarounds just to do with that kind of cases, but it's not something that you can activate directly on the platform. We will be give you to correct, like 30 minutes more. And then we will go on with the, with the next model I will show you and then go on with the next model.
Yeah. Some, some question as well. And that's a, a good question when we do federations in this case, in particular, the talk about social logins and the personal information and GDPR. So there is, there is a footprint in, I mean, we do provide all the means just to be GDPR conformant. So that's something that we have to put up front. That's no problem. And in particular with the social connections, if you don't use the, the social connection under authentications, there is socials and you don't click on the social itself. There is what we call a custom social connection, that custom social connection, it is something that you customize or you can't even decide what kind of information is gonna land in, in Al zero. That's another means is to control what kind of information lands in, in S so if you use the standard social connection that we offer directly on the dashboard, just you see the information that is being in Alexei, zero collected in Al zero.
As I said, all means just to B GDPR confirm that's something that is your code as well, just to understand what kind of information goes to Al zero. And then again, I repeat myself, I don't wanna confuse anyone, but I repeat myself. We do give all the means just to B GDR confirm, but obviously you need to do some sort of due diligence and understand what kind of information in your case wants to land can land or not in, in Alexei zero. And as I said, if you go to the, the custom social connections, then you can configure the connection itself could be again, Gmail, Google, but then you get access to what is a snippet. And then you get access to, to define what kind of information will be fetch and stored in, in, I see some errors related to the domain to the domain request resulted in an error, probably.
Okay.
Yes, we, we can,
Well, actually the depends where, where you are, but if you, you can select where you want to deploy the instances. So GDPR in Europe, we, I mean, we use a front for, as a, the, the domain and for, could be Dublin in the us. As I said, there is at the end of the day, your call, there is some footprint, obviously within S we give the means to handle that, to decide what kind of information lands in S and then you can, upon that decide what to do with the data. I mean, we, that's something that's also part of your two diligence as well when doing the Federation, but we do provide the means to be consistent. I mean, consistent as well, comply for the earth, the chosen, the main has to be the name of the tenant should be entered. So I hope it's the working, I mean,
Oh, yes. Correct. That's the you to use the organizations you need to, well, in this case to use the home brand discovery, actually we have something that is called authentication profile. If you go to the authentication on the left hand side, the last section it is section is called authentication profile. And there is one called identifier first, which is the, I believe the second one you have ID plus password, then identify a first and then identify a plus first blue web. Then if you choose the middle one, the one in the middle, then there is like from the profile, as you can see on the picture, there will be, and box, the first box will ask you just for the, for the, for the email. And then we decide upon the domain of that email, where to go. So that's needed. Yes. I mean, we might, I mean, not, I'm not with the public sector, to be honest, I can redirect you to the, to the right person. I take it. So from we, okay. We might want to connect afterwards and put you in contact with the public sector, with my colleagues. So they are more aware of the specifics about the going around the kind of regulations
For, I think it is 10 40. So I promise we will go and show you, show you my screen again. So let me just go back to where we were. So in the lab, we will, I believe we are in model three. That was a little bit too long. I, I know, I know, I know, sorry about that. That is, it's a little too much text perhaps, but what we were trying to to do actually was just, if I go back to the, this slide on my, on my computer is fine. I think you can see in here, I gave you, we gave you a link just to,
Just to generate some enterprise connections, which is in this case, you will use O IDC as you seen in the, in the lab to connect to those and those enterprise connection as we call them are based our Okta directories. So you know how zero Okta we altogether and that's that that's somehow you, you can see it in here as well. So when you go to that link that we provide you, you get that information, which is at the end of the day at directory structure in Okta. And we will use that as an IDP for us just to attach to the different organizations that we define in a, it could be something else such as active erritory. It could be held up, could be any IP you might have, and you want to configure attach to the different organizations you define in a, so that was the, the link in here.
See this lab creator pizza do net will provide you with something similar to this, which is the client idea of an application in Okta, which is there is directory as iation, as I said to it, so that it will work as an IDP for us. And that's the information you need to have to configure. I, no IDC connection within if I go to and I go to the authentications, you will see that we have enterprise connections and make it a little bit bigger for the audience in here. So, and the, I did define open ID connectors protocol just to connect to those. And I did define two because you will have to define another one later on, but for example, just to go into one of them, this is how it looks like. And here you can see the information that it was on before you have to enter it here with client Andd on there.
Correct. So you just click on save changes and you have your enterprise connection in the out outfit platform. Just to go back to the authentication profile, perhaps just to beforehand, we don't forget. I don't know whether it was in the lab or not, but there are three different ways of authenticating in this case with the new universal login. Actually, if you is a little bit of a change in the user flow, as you can see here. So we will use a identifier first approach, which is we ask for the email. First we check the domain. That's what we call home real discovery, H R D. And then depending on the domain, we can select where the user goes. So that's the sort of the identifier we do have other profile flows, which is a simple email and password flow, or if we want, we can go through the, which is also in here as well. But for this case, identifier first would be the, the good, the good one, the one to go, because we are using, we want to use the home real discovery to redirect, depending on the domain, on the, of the email, the users to the right organizations. So we did define the connection.
It is time to go and create one organization. That's something that we do in here on the link on the left hand side, as you can see, did already open it before we have, I have two, well, you probably have created one as well. You will create the second one later on. And as you can see here, you get the, to define the name and display name of that organization. You can even configure or customize depending the, the login, depending on the organization itself, you can have members. And that is the thing that you will be able to isolate on how the users that they are, that they do belong to the organization is not only that they are connected to an IDP, or they are residing in an IDP, but you can have layer in top control by L zero on top of with the organization feature where you can have an invitation flow.
So to speak before the user can even log through an organization. So it is align on top of the IDP they enjoy using in, in the backend. So to speak, when doing the Federation, talking about IDPs here is where you can define again, isolated. I did define two connections, but probably you have only one in here, which is the connection I just saw you. So I just enabled that connection. And there is some options you can have for the different connections. And in this case, I did say, and you have to configure it that way as well. Please auto membership activate the auto membership option. So the user can sort of get a membership directly with just log against the, the IDP.
It looks like it thinking, thinking, thinking, there you go, enable auto membership. So that's the, that's the option you want for your first connection and, and organization. So once we have activated all of that, and we have configured the organization, we have assigned the connections to the organization. We do have defined the, the profile, the authentication profile. So it's gonna be an identifier first. So that's that you will get what I got from the very beginning in here. So we do get the universal login, as you can see, it is identifier first approach. So the assistant only ask you about the, the email first, depending on the email domain, it will be, the user will be redirected. So sorry, you have to enter first, the, the organization
Then depending on the male, the user gets redirected to the right connections because we might have different connections for the, for the organization. So depending on the, on the domain, we can do that. If we click on continue, we get redirected to the IDP in this case is Okta. As you can see, it is just a Federation through Okta. So the IDB in this case would be Okta. And then you had a password when you created that enterprise connection that it was given to you. So I just have to copy that password for that, for that email.
And we get lock in. So you can see here, I believe I'm just gonna go back to the lab itself. I don't think we have to, we have play around with the, with the metadata. There are some, yes, you probably have to disable some grants if, to, if you want to activate that, probably there was a yellow box on the top, but it is like a pretty like pre pretty clear, it pops up very clear. So if you haven't done that, it just also needed. So, because correct. So we, we haven't played with the metadata yet of the, of the organization, because there are correct. So we have to, to activate that or to activate the organizations for the pizza app applications, we have to still have another forgot to, to tell perhaps like, if we go to, like, if you go to the applications, we have to find the organizations.
We have to find the connections behind the organizations, but we haven't attached. So to speak the organization feature to the, to these applications, to the pizza zero, we might have for many applications registered in the system in our zero, not all of them have to use the organization's feature so we can be that selective. And then if we go, for example, to P zero zero, you will see that we can, we have another tab, which is call organizations. And in organizations, if we go down, you can see that you can, you have different three different options. And that's why, which you get the yellow box if, and probably so we have different options for that, for that application. We, we can decide whether we want organizations to work on top of that application or not at all. If we say like individual individuals for personal use, which means that there is no organization that will be required to use that application or only team members of organizations, which is the case.
That means that the user needs to enter an organization before he can even log into the application, or we can provide both. That's also an option. And that means that either user or individuals can use the app, or if we want pop up the, the, the organization and the box, and they have to go through the organization, that's something that it is also possible, correct. But for these cases, like a simple as a team members of organization, that's, that would be fine. And that's it. I mean, I believe this, this, this step was a little bit, way too much, or perhaps too, too, too long or too many things to, to do. And we had to deactivate something in here, the grants that if it is one to do it, once you, you are good with it. And it is very, it is rather easy. I would say it is just to, we have to keep in mind the picture we had before in the slide, which is we are trying to depict this. So that means that we are trying to define that's why within the first step enterprise connections, then we have to define organizations on top, attach those connections to the organizations and then decide for which applications are we gonna use the organization's feature.
Correct.
Yeah. As we were seeing we saying before, like, what kind of information is coming from the active directory or in this case, Okta, if we go back, you will see that there is some information or some footprint that is landing in and you, you can see it in here. So you can see three users in here. Use ones, like, for example, the social connection. As you can see here, you get some footprint in there. So that was the question. Also in chat, there is some information that is coming from the social provider. We are doing a Federation, but still, as we were saying, before, we are doing some business here, we count monthly active users. If we do a Federation, they count us well in here. So you will see some information here, but that kind of user profile, it is not managed within zero, but in the IDP.
So it has to be refreshed every single time that you do the login, then you get the new information. Would you cannot change anything here. So that's, that's the thing. If, if we open the profile, they were saying, what kind of information is landing from the social connection? You will see you, you get some information from the social. I hope there is nothing that nothing bad from me, but is rather as email. And that's the name and surname. So it is not that much. I mean, draw some information yes. Related to the IP and that kind of stuff. Yeah. You might want to control that as well, as I was saying, if you, just, for the sake of the answering the question in the chat, if you go to social, there is something that we call custom social connection
On the bottom directly, and here you can customize the connection for example, to a social provider. And that's the, that's the good part of it. You can decide what kind of information lands within, out here that gives you very fine grain control over the information coming from the, for the, from the provider and being store within, within zero, that would be another option. Sometimes it works quite well for some of the customers that they, they do wanna do whatever they want, even they might want to mask, or they want to hu something. And the idea doesn't have to look like an email within us. So might use like a, whatever they want. So with the fetch, you can sort of like on what kind of information and in which form appears within the, within the platform. All right. So how are we doing? Yeah, let me check in, in terms. Okay. They're talking about, they have some, some errors in there and, but wrong redirect. We, it might be, I believe that the name of the tenant should be correct. Otherwise the reality, if I go back to the, to probably you can see it in here.
Oh, not really. This that you, you should use the name of the talent in my case, is this one, let me just make it bigger. Am I sharing? No. Can I share it again, please?
Yeah.
Okay. Thank you. So that's the name of my tenant. That's something that you have to use on the top of the screen, as you can share here, that's the name of the talent you have to give, and it's gonna be the same for any connections that you use because that's part of the, has to be in the vac. Probably that's the, that's the error
Do you have? There is a question in the chat about scheme support. We do out outbound. No problem at all. We can check on top of any. I mean, we can execute anything outbound. So to speak, like to go to skiis is just about synchronizing profiles through between different providers. We can do outbound quite well. No problem. Inbound is a little bit different. So that's something that there has to be yeah. Control other way, but we don't have the skin support out of the box, but we can provide PS professional services that they can help you just to build up on top the PI what you need for the, for giving AKI support, which is not that common by the way in IAM. So if we talk about workforce yes. In IAM, it is not that common. Usually like we have like one central user store that is used and there is not that much synchronization involved, usually in the same use cases.
Yes.
Speaker 11 02:48:39 A very technical question. Thank you. I saw that you are using open IDC connect and you are using a broker broker Federation. So you have to manage the refresh tokens somehow had, had you been using Sam to have been easier for you, but actually you're doing the harder way. So how do you manage this thing?
Yeah. I mean, we usually IDC whenever possible someone is for us sort of like a little bit more cumbersome if you ask me, but I understand. Yeah, yeah, yeah. But I understand this. It's been there for very, very, very long and it works very well as well, so, but we just use, so I see in that case, yes, refresh focus can be, can be managed. But in that case, probably I'm not sure about the configuration, but I believe there is some kind of configuration where you can deal with it, refresh phone persona, but it should be okay. We do, I mean, is checking the refresh token just to leave it.
Speaker 11 02:49:39 You have to keep them somewhere somehow. I mean, just thinking about your architecture, have some database we are talking about, they need not to have another identity, sir. Yeah. That's flies yet. We have to link some way somehow the identity with a refresh token because these users can come up again.
Yes, yes, yes. That's part of the services of the Federation itself. Correct. Just used to, we don't have to pop up with the, the logging, make free token and get the new access token, whatever is possible. I was thinking about the configuration itself and not set about, but I think there might be some options in there whether to ask or not for it, but there's something like, I believe they can't be configurable. Yes, I think
So.
Yes. Yeah. So I usually like whenever we, whenever we come, we just like why the C we support obviously. So as well, but not sure. I mean, we don't, we don't get that many requests on that direction with someone. I don't know why, but I guess the type of customers that we are dealing with or inside perhaps is like a more extended dependent on the customer. I guess that
Why they say yeah.
Yes. Correct. I think like with that, we are like already 11 o'clock. We have to 1230, if I'm not mistaken, we do have a couple of models. I believe one more, perhaps one or two. Not sure now, but I think we are gonna be on time. No problem. If you wanna take 10 minute breaks, it's also okay. Or if you feel like we can continue, we can continue just to do the houses here on site. So up to, up to you as well, we can continue if you want and we, and at least, okay. So let me just go to the next slide.
So right now it's gonna be, we, we have seen that picture before and we are gonna make use of the actions or rules engine, which is the extensibility engine of the, of the platform. It is a serverless architecture running behind it. So there is a song called there are snippets that you can program, you can call to extend the standard flows of the, of the, of, of the platform. So meaning that I'm already mentioning it. If we want to connect to a third party services to check the, how risky that email is, or how risky or the, whether it is a suspicious email, or if you want to do an I ID proofing verification, that's something that you can do in here, but also more standard, like use cases would be extend for example, or at claims to an access token or an I ID token.
That's something that we are gonna do for the next, in the next model of the, of the lab that meaning that we will define some metadata to the organization. So the organization artifact in SDO has a metadata associated. We will assign sort of like, for example, for the sake of the lab, a license will be like premium or corporate to that organization. And we will read that information within a role. So depending on what kind of license the user is having, we will decide what kind of claims go into the ID token or sex token. I believe in this case, we are adding it to the ID token. So that's gonna be the central part of the model for, if not, if I'm not mistaken. So it is about, yes, well getting a little bit deeper, but showing you like one of the strongest features that we can offer you, which is the actions and rules engine, just to note on that, we, you will see in the platform, we do have rules, actions, and hooks actions is the newest approach to the extensibility engine within L zero.
It is meant to be like a low code approach. So we do have like a sort of a flow, which you even can plug and play this stuff. So you have like a logging flow and you can move or just plug and play. So move the actions within that flow. So you can select how are they gonna be executed? And you have the rules and hooks, which is the previous version of the extensibility engine. And those are most like a more HandsOn you have to call it. And then you have to decide and move it on, on a, just to define how are they gonna be execute. So the, the order of execution of those, they're very similar at the end of the day, although the technology behind is a little bit different. So as I said, actions is the newest version of the approach.
Then we have froze hook is the same, but it's just for different grants in Princip. The hooks are only executed for the client credentials grant. So yes, extensibility extensibility of the platform. We have different points of extensibility. We can talk about pre-sign up extensibility point for example, we can launch something even before the user gets registered within the system. We have post logging accessibility point. So once the user is logging, as we are gonna do here, we will probably add something to our claim or to our, to our token, a claim or whatever we need. And we do have for the client financial clients, we do have hooks, perhaps I can open it, that it's gonna be, even for me also just find all the sensibility points, but in the platform, if you go to, for example, actions, we try to share my screen again, giving a lot of work to the, to the guys in here in the room. So trying to share my screen again,
Correct. So if you go here into actions, you see the flows and you see the different extensibility points that we, that we offer. So that's where you can catch the user. So to speak within the context and then do whatever I was talking about the logging, which is post logging. You can read it as post login. We have pre user registration, post user registration, which is also similar to, to what is logging machine to machine, which is the hooks as well, post change password as well. So, and then, well, we do have these phone messages, but yes, well I think, yeah, those are the, the different, the different points throughout the flow where you can trigger something to be executed by this actions engine, perhaps just to go back and show you a little bit about the, the, the reason of it. Those are the rules, which is perhaps yeah.
Which are sort of like a snippet of code that you can create in there and execute different stages. So you get a lot of templates and then once you activate it, one of them you can select and select an order on, on a list to, to, or execution order. So you can sort of like move it around and decide where to, where to activate or where to trigger. One of the, what of the, one of the different rules, accidents. I forgot to show you, perhaps just the flow. What I meant with the low code. That's something like this. Did you get the flow? And then I added an action in this case was for the login flow. And as you can see in here, I place it here. I just move it from here. Like a drag and drop is that's the way it is. So that's something like a newer approach. And we understand that depending on the user, my vehicle, like to program or not, and then they can use or play around. So one could program it. And then the, the other guy will like, okay, I want this and this. And so we just have to organize it in this low code approach, so to speak.
Correct. So going back to the slides, so we will,
If
Correct, thank you. So we have the model four and it is all about define and metadata for an organization and, and reaching the ID token based on that metadata, I believe that's the, that's the content of the model four. So it is like 11, 7, 11, 10. We can say like 1125, something like 15 minutes. This involves like programming and action. So writing, so code some code to, to enrich the, the ID token. And we will, upon that decide, or the application will decide what to show to the, to the end user. So we will read the claims and then do that kind of conditional web. So that kind of conditional way of controlling what is shown in the website now, depending on the metadata or the claims in this case of the user coming through the ID token. So we have two, I said, then let's say we meet together again, like 25, 11 25. So 15 minutes around 50 minutes.
So I think it was already 25 already passed. So mobile four. I gonna say again, my, my screen, this was all about adding metadata to an organization. So I'm gonna open the organizations. I will open the organization a that is something, what we call metadata in here, and you can add a key, let me make, make it bigger. So you can add a key in here. One second, I think is I have some yes. Mute. All right. So we have a key in here with corporate in this case as value, this kind of information belongs to the context of the organization. So if a user locks in, through our organization, it will get as a claim, what kind of license that organization has been given on upon that we can decide conditionally what the user is allowed to, to see in the website. And that's what we are going to do to do that.
What we do is leverage, as I said, the context of the organization, and we will conditionally enrich the, an ID token. So it will contain the right information for the user. So depending on the organization he's using. So if he's logging on organization a in this case, that's the name. He will get a license corporate, depending on if we show corporate, I believe they can order any kind of business. So a small, medium on large. That's what we need to make sure that is within the ID token. So the website knows that this user has a kind of license because he has lock and repeat myself. He has looking through organization a so metadata set for the organization. We do need to enrich the ID token, and that's some sort of a process that we can work on through an action. As we were saying, we will use the accessibility engine and we do have what is here you go.
We do have create 1, 1, 1, and just trying to edit, sorry. Okay. Let's wait for, we've got the library we should have in customs in here, we have the action which we just track and drop. And as you can see, we are able to run actions to the, on the different extensibility points that we talk about already. And this is the one we will use in this case to enrich the ID token. As you can see, there is an ID token dot set custom claim, and that's what we are doing. And we are assigning to that. The name of the claim will be like this license and the content, as you can see, it is refer as organizational metadata, do license. So very rather easy one in this case, it is something but very common that that needs to be, be done. So depending on the organization, for example, to assign different claims to, to the token, and that's, that's what we are doing.
We are also assigning one extra claim, which we name it like with usually try to be careful with the, and to be conforming with YDC is usually the name space is recommended. So you don't have like coalition when it comes to deal with claims. And that's why also we are using that kind of name for the claim itself. And then we are assigning in this case, the display name to that, to that claim. So we are two new claims to the IV token app ID token. We could add some information also in an access token, in this case, we just decided to the ID token ID token, usually, correct? Yeah. For this case, it works out as an example, so that the action, we just believe I did the drag and drop before through the logging, we will execute then reach ID token. So what we will see is that with that action activated and executed, we will see the name of the organization. And you will have access to all the kind of pixels because pizza us, because you, you have a corporate license. So if we go to, to the login page, if we go to login, I log myself through organization a, which is the one that I had assigned the license
Two. We get redirected to the external IDP in our case, Okta, I copy the password and you can see, let me make it bigger on behalf. We are logging in on behalf, well, on behalf, perhaps not the right words, but we are going through orga, orga or organization a, that was the one I define. And I gotta corporate license. Those, that kind of information. Those two bits are coming from the, from the ID token. That's what the actions did upon that, those values we are able, or we are showing the user small pizza, medium pizza, and also larger pizza.
Yeah.
Very simple, very basic. Well, you know, that can be, this is just the beginning of using actions. So you can read, write anything you want on those actions. That is a lot of flexibility behind it. And the scales, as I said, the serverless architecture that you get inclusive included in the price. That's something, when we talk about monthly hap users, it is not only that, but you get the serverless architecture behind just room. For example, the actions with the actions and engine, that is something like very important as well. When you compare, when you compare us to, to other vendors out there. So I believe there is one more mobile. It is about defining a new organization. We call it the external collaboration and gonna go back to the slides please. And it is about like, if
Defining a new organization organization, be in my case, and we will see how can we sort of funnel some of the users that they're logging or they are residing in an IDP of organization B they might be able also to join through organization. A the thing is a little bit, yeah. Complex, not complex, but difficult to, to, to explain sometimes is it is about like you have a external collaboration to your company. It might be for example, think of, I want to give that external collaboration, even if he's from organization B, I want to give him access to organization a as well. Why, why would I do that? Because through, if he locks in through organization name, perhaps for one month, he has access to organization a, he will get this license corporate with that license corporate, he will have temporarily some sort of rights to access resources on the website.
And that's that kind of, that's why we call it collaboration now. So we let him in, even if he's originally for an organization, be we let him in through organization. I, and that's what we will do on the next model of, of the lab. We want to keep that kind of flexibility. So you can get, for example, in terms of an organization, if you think about companies such as Flint or already that kind of, you have a external collaborators that they might have for some experience, extended period sort of access, and you can sort of perhaps support it through organizations. Just say, perhaps depending on the use case and the challenges you have in there, but it's about, as you can see, you can, as the said not only one connection to, to an organization, but you can share connections with through or across different organizations. And that gives you the flexibility to work to this kind of external collaboration or deal with external collaboration use cases. Correct. And I believe this is the, the last model. So we are on time. So 20 to 12, I think we can catch up again at 12 and then you still have like a half an hour Q and a, and then we, we will wrap it up attention. So yes, it was model five, as I said, 12. So
23 minutes, it wouldn't take that long, but let me check teams
Speaker 12 03:28:16 Ways. I forget
We haven't ever
Speaker 12 03:28:20 So getting that sometimes it's definitely something, a password that's
Okay.
Think we have for like two more minutes to be around the clock. So the 12th, I think probably we can start as I hope. That's fine for everyone in the chat as well. We were having some, some problems with the, with the tenant settings, perhaps to create organizations. Yeah. We, we have to like be sure that we enter the tenant name. They also tenant name when created that kind of enterprise connections. So it will be used actually to, for the resident and work. So otherwise it won't work. We, we might have to adjust the instructions to be a little more clear on that, other than that. So we were trying to do or support this external collaboration way of use case. So the use case of external collaboration, where you might want to invite one collaborator to your organization so he can get the, the rise, he can get the same access you might have, even if he's residing his identity residing somewhere else.
In another IP, we can do that through the organization's feature to do that. We first of all, have to create that second organization. So that's something that we will do exactly the same way we did for the organization, a so to speak. The first one we created, we can do exactly the same for organization B. We will get a new user and perhaps I can share my, my screen now with, so you will see where we are again. So they will see the last step of the, of the lab. So don't worry. We are done last one, last one or second organization. So you will create that second enterprise connection. So that lab creator pizza, you get the confirmation that organization, it is not an enterprise connection, so to speak. So you create their enterprise connection and then you get this information you can use to configure again, your IDC connection throughout the management to small and make it little bigger, sorry, open ID connect. And then as you can see here, create a second one, Y D T to the organization B where you can enter the information that you're getting for the, from the lab creator page.
So with that, we have the connection where a second user resides. So where a second user is living. I got the information, as you can see here, we get the, again, I did data new user, which is@contoso.com. It's a different company. So we can use that to log in through the organization B, but we have a great organization B something that you already should know how to do it, have it in here. So create organization, ified the organization B as we did before we could, as I said before, add some information to the branding. We should add again, a different license in this case, organization, B that's the whole point of showing you this in this way of doing the, the external collaboration in this case, if the user goes through organization B, he will get a license premium or a premium license. And that's something that is coming out of the metadata of the new organization, B this organization B is connected to the new enterprise connection.
We just created through IDC. We are connecting as we did before to Okta, Okta will serve as, as IDP for us or enterprise connection in zero terms in the, in the dashboard. You can see it in here that I did already lock in once through the flow. So I enter the organization B on that first screen that is sewn to me, and I did complete the login flow, enter my username and password that I was given and did. So you already in here. So I do already have a cookie in my browser. That's why I'm telling you because otherwise you will like puzzle right now. When I click on that, that of a sudden I get log. But the thing is that we do have two organizations, organization, a has one connection, which is organization a B. I can't remember how I name it, but is organization a, a E it for organization B, we do have another connection, which is, or B E I C.
That was the starting point, but we want to do the, the collaboration. So what I'm meaning with that is that we don't longer want only one connection per organization, but we want to support that case where the user residing in this connection organization, B EIT goes through the flow or goes through organization. A if the user goes through organization a, he will get the corporate license instead of the premium license, but we need also to support that user attaching the second connection to the organization. A as you can see now, organization B only one connection organization, a two connections. It has the auto membership one, that's the one enabled that was the previous one we defined for it organization, a E I, and now it has also attached the second connection with that. We are able, like, depending on the user who is logging in through the organization, a to decide where he is gonna be landing or what, or which IDP is gonna be used to authenticate the user. So let me just go to the application itself. If I do a login just for the sake of this and I type organization B,
I need the, my username and password for the organization B just to do the comparison. So this gonna be the one that's for organization B, you, you obviously have another name for that. I'm logging right now. Just I'm a guy that belongs to organization B, I'm going just through organization B. And I do this. There is no external collaboration still, as you can see, or not. Now, I hope you can see that we are through organization B with@contoso.com. We have a cookie on the brochure for that. We get the premium license premium license, which is coming out of the organization. As you remember, we added through the custom claims in, in an action. If I look out and try to log in myself, still Contoso through the other organization, the organization, a
And I can select in, in here, I can select, I did enter the organization name already organization a and I can say, okay, which identity provided do I want choose for that user? We can click on organization B because we are trying to show, so you like external collaboration, how it works. We do have a cookie already, the system. That's why I don't have to enter an email or enter password overall, whatsoever. So there is no need to go again against Okta because we are handling the single. So we are keeping the session in a zero. And then as you can see the same user, because we are keeping the cookie for Ruben contoso.com, it's been through organization a and instead of getting the premium license license is getting the corporate license. I should have some, you actually, for the corporate, you get access to the small, medium, and large for the premium. Even if it's premium, they don't get the large pizza at all. There sound, I know this last step is a little bit of, it has to be. You have to think it twice. I understand that it might be a little bit tricky to understand sometimes because we are playing around with the different IDPs that we have in the back end. So to redirect the user, depending how he's logging in, but it is something that you can leverage definitely for use cases out there. So,
Yeah. So in all, this is a glimpse of the platform rather. Nice one good one for B2B use cases. I'm gonna go back to the slides. So perhaps if I go back to the slides, correct, thank you.
This is the lab we did prepare for you. So I understand there might be some issues. I, I try to correct some, I think, I believe we, we get some, some other people on board. They were having somewhere else. Sorry about that. In terms, I didn't have the chance just to log in, log me fast enough today. But anyway, I hope that you can continue working on that. And if you have any questions, obviously you can talk to me, congratulations. Yes. This concludes the lab we have of course, documentation for the different, different data we talk about. Or we tried out actually such as enriching login flow with actions, securing backends, as we did during the redirect to universal login. And we talk about the multifactoral authentication, but obviously there is a lot, much, much more to be read about how to support multifactor authentication within out zero, correct? Spin up a demo tenant. I believe you have it. If you've been through the, through the demo lab today, and definitely I'm open for, for questions. And definitely, I mean, I wanna hear about you about your, your feedback about the lab. And if you like the sessions, I was a, a little bit different to, to the other sessions you might encounter in this kind of scenarios. But we wanted to also show you that for the developers, how developers C we are and how easy it is just to integrate the, the, the apps,
Correct. That that was for me, it is like we have around like 20 minutes for Q and a. We're gonna get closer to the laptop as well, just in case in Tim is posting some questions, but anyone in the audience as well, feel free just to write up your voice and go for questions. If you have any,
You always have to, to manage sometimes impersonation,
You have to switch it wrong. I think,
Yeah, there was a switch. Yeah. In really words, you always have to, to implement some impersonation features. Do we have something in place here prepared for usage without implementing it by ourself?
Actually, I think the question already pop up in the, in terms we do not out of the box support impersonation. That was sort of a decision we took a few years ago. Di it for a little bit unsecure, if I should say, or we don't like, like someone else reusing your tokens for any, because then it's also sometimes difficult to track who is using what, but we do have very, very good third party vendors that they can work on top of the platform through the extensions, we do have a marketplace marketplace and extensions, and those partners, they cover those kind of scenarios. Very, very well on top of the, of the platform. So we have those on behalf of scenarios that in chat mentioned, but then we do also have more complex scenarios that you, you can leverage other, that kind of extensions to, to cover those scenarios. There are workarounds, not depending on third party services, but that's something that we should talk about it because they requires a little bit of Yelp, meaning that there is nothing out of the voice that you can use right now for imperson assume that's the that's, that's the thing.
Yes.
Thank you for the question. Now I understand it comes often. I would say depends on the, on the, sometimes on the industry I was talking before about the healthcare industry, that's something I was talking about this parent song thing, or song father, grandfather, where they want to access some sort of healthcare system and they wanna do it on behalf of them.
So,
Yeah.
Yeah.
As I said, either extensions, we can talk about in a little bit more in detail through what we call account linking. There are some sort of workarounds you can leverage to, to some extent, take care of that use cases, but not out of box
Account, linking yes. Account linking, by the way, this is something like also very important. We see it a lot in time. It is quite important just to stress it out because we, we talk about sometimes companies that they do have different brands out there than they want to unite or gather the information from the different brands and centralize it in one place. And that's something quite important for Zam from business perspective, he has to have a 360 profile of the user doesn't matter where the user is coming from. Doesn't matter where the user is using one brand, the other brand. That's something also quite interesting for Zam.
Yes. I have one question in chat. They're talking about, we can say perhaps opacity if I read, write. So from the tokens we do, I mean our tokens access tokens and ID tokens are not a back, but they are sign also by our publicists and as on private case. And then you can, we don't have like a, there are some vendors out there that they use the intro spec just to do that kind of checks of the access token. We rather like recommend, rely on the or IDC flow. If we get the access token, it means that the ODC flow went through from, from the start to the beginning. That means that the, the, the person or the, the, the client who's getting the access token should be allowed to see that token on top of that, we always recommend, always recommend that their access token has to be validated.
Why not? I mean, you get an access token better just to just an extra, extra measure, so to speak, but those tokens are not a pack. So you can read the information in, in there. That's something that it is, it is the way it is. Because as I said, I mean, we are relying on the security of the O I D T protocol. For example, if we're using an with P plus authorization code, we rely on that flow just to be sure that the one who is getting the access token is the person who should get the access token. Yes. So, yeah. Well, there are some, some question related to cross site and then perhaps I think the life refresh token. Yeah. Well,
The approach they refresh token. Yes. They, they are long left. Now. We, we can revoke tokens also as well. So that's something that you can control on the platform, but yes, if you get compromised on the, the first token is compromised, but then obviously they, they get access to, to the, get a new access token and go on with that, with that attack. But you, you, you have options in the platform just to revoke in tokens. That's something that you can leverage also as well, if you encounter that kind of scenario. So you might want to use the token revoking token mechanism that we provide. So you can sort of take care of it.
Yeah.
They say, well, refresh tokens at risk. It's always like this trade off, no their balance. What is, what is also nice to have for the user, for the end user experience. Now, obviously if you, you can also play the access token. Good. I mean, you can also play with the life of the access token. No, you can extend it if it should be short now, by definition, the access token, we are moving away from API keys and that can first scenarios, well, we want to use access token. That should be short. If so, that's the way it should be. But then there first token, it is very, very useful just to provide like, aary like the user screen, the friction is gonna be known to less, so they only have to log once. And then they're able just to go through and keep on logging into the system without even typing their credentials. So, but that's something that you can control that on the website. If you feel like, as I said, you can talk about the re revoking tokens mechanism that we offer, but then you can also sort of, if you are how you sell, if you are like a keen to do so, you can do it on the application itself and decide whether you shoot or not allowed to use refresh token after some time that's also up to you as well to, to decide. But yes, refresh token is a nice feature from a user perspective, user perspective, very useful just to avoid any kind of friction for the user for second, third, for fifth logins that they will try to attempt to, to the
Talking about native applications. Also, the refresh token is quite nice because in native applications, you can combine them. For example, with the bold stores of the native of the devices of Android or iOS, you can keep those tokens in the bolt and the secure boat, and only allow just to use the refresh token with the fingerprint, for example, on the device itself, not without them, but just to, they do the first login, they do the registration, they get access token to refresh. You can store those refresh in the bolt and then only allowed a new access token to be get through the first token when they use the fingerprint, which is at the end of the day, quite, quite secure, a little bit related, depending on the platform, depending on the stack, you can control it somehow differently.
Okay.
Any other questions? How was, how was it? I think you like came almost
Just problem with the yeah. And with and
Okay. We can. All right. I understand. We can check on that one. We can check. I have access to the, to the enterprise connection itself to Okta so I can check what, what we're running there. All. Yes. Well,
Lot of tech stocks that you can use, perhaps, well, I don't have that, but anyway, this like a developer centric approach that we want to give that is core to us is our, our heart, so to speak. So we will keep on supporting you guys or developers and even not developers our saying, we try to strike that balance within developers and out of the box, but definitely we are coming from a developers centric approach. So we will keep on working on that. And we are making a lot of improvements on that direction. For example, like expanding our support to Terraform providers or that kind of stuff. So we will keep on going that way for the organization's future. There's a, there is a lot coming very soon. We know there are some hiccups with the, with the flows, but it's from our user perspective, but that's something that we, we have to keep on delivering new new features for.
So, but very robust platform, as you have seen, we can do almost whatever we, we want. If they are not out of the box, the feature we are looking for, we can talk about it. And as we have the Axios and rules engine, we can always extend and adapt the platform to your flows, to your use cases. That's the, that's the main thing for us. We, we want to sort of be flexible, like build the Swiss knife, so to speak in terms of like adapting to the different use cases you might encounter. Just gonna check teams again.
Yes.
You're welcome.
Alright. Whereas what else? Well, now that we are part of Okta, yes. A couple of words about it, perhaps it makes sense. We will keep on focus, which our focus was. We were like meant to be for time. We had a little bit of workforce back then, but we will, we, we were always like a very focused on time. So taking care of customer identity, access monitoring, once we are part of Okta, we are having like the whole world in our hands, so to speak in terms of user base. So we have the workforce design, so we will keep on doing that. So obviously we will keep on doing Siam Okta doing workforce. And obviously there, there were some products of feature for Octa also capturing the, the same business, but we also some features and pro from the product also capturing the workforce. But we are now like a very strong focus, very clear actually, where we are, and we are just sort of together. So to speak on that's the, that's the thing, because we are able to cover the, the, the spectrum. So whatever you need, whatever you want from workforce to within the same, or with the same company, so to speak, we can interact with each other as we've seen today using for example, Okta as an IDP. Why not? So that's something that we collaborate definitely, but developer centric and Siam that's, that's the product unit. That's the focus of the, of the product unit, definitely moving forward.
I think we have five more minutes.
As I said, I will keep those. The lap is, will be online. So, and definitely you have here, my email, you can find me in link it in. Definitely. So, and if you have any, anything that related to the webinar to the lab, you can send it to the webinars.com. There still was the, the, the last email we have go directly to myself so I can take care of it. It associate related to, to the webinar itself. No problem at all. Just letting me, let me know. That's what I'm here for. Correct. That's it? I think, I mean, we have one minute, five minutes. I don't see any more questions I believe. Oh, one more question. Okay. Thank you. Thank you. You're welcome. Andreas. Welcome. Well front, any other questions? Five minutes. I know it's a little bit different. It's been a different session I repeated already, like, but
I don't know. We believe that we want to show you that there is not, it's a little bit of copy and base at the end of the day. You just have to know where to go and it is worth it because we, you end up with like a state of the art IM solution on top of your app with a couple of hours of, of your time in mind, you have to like build that from, from, from scratch. And obviously we haven't talked about MFA, but if you have to man, create that, build up, maintain that that's something that you can do at the box with, with a flip of a switch here at zero. So not only that build, but as I said, maintain is also, we, we shouldn't forget about it. And then your developer that goes somewhere else. And, and then the call was there. The ideas, well, very well written, but then there is some legacy snippets in there that you don't, you don't know anymore where what they're doing. And then all that kind of stuff is much, much easier. If you rely on a solution such as which is giving you like the confidence out of the box, for example, support web of them or fingerprints on the web or multifactor. So like stuff. But I guess that's the that's, that's, that's the business. And then we are not the only one, but we try to be the best
As everyone.
When
It comes about day show Martin says, wanna look at
Yes, we are very proud of it. That's something that we are very, very proud of. It. We are very proud of like, when people start looking for look up for O I D T for example, they end up perhaps on top of, on a web or site of ours or documentation on that is also yeah. Yes. We, we understand that. And the developer must that we, it is behind us. We, we try to take care of, of it because we understand that it's a huge drive for us. So yes, yes. Documentation probably much better explain that I did today. If you go to documentation, you will have every single bit, you need to know about anything that was, was not clear today or unclear. So yes, please visit the documentation. So if you go to the dashboard itself to the right hand side, you, you have access to the Documenta documentation directly. But even if you do a look up in Google, you will stamp over the, the documentation of how zero. All right. So if there is no more there possibilities to integrate into CI CD pipeline.
Yes, yes, yes. Definitely. No, no, yes. Definitely. No, no, you don't have to click a lot. No, we do have a deploy light tool that's for now zero. So you can download the tenant as a configuration configuration as a code. Actually you download the, the tenant itself. That includes all the scripts that you might have. For example, actions. Then you can use whatever you need as part of your C CD pipeline to do the modifications and then upload it. We can also, we do also support the Terraform provider, although it is a community right now provider, but we are working on that direction just to go the official way for the Terraform provider. So either way you, you are cover with that. So you can do whichever, whatever you want in terms of the CIT D pipeline you have in house, you can keep on working with that CTD pipeline and just rely on the deploy tool or Terraform provider, just to download and upload the changes. You can find information about those directly on the website, on the documentation side, correct? If you, for the CIT D pipeline integration, if you go to the extensions, you will have a bunch of instruct of different instructions to integrate with different providers, well providers with different CIT tools and pipelines at the end of the day, it relies on the deployed tool. Most of them. So,
Which is
Our
Deploy tool
Tool. All right. One minute.
All right.
All right, guys. Okay. Thank you everyone. It's been a pleasure. I hope you have enjoy. It was a lot of work for you as well. So I'm clapping as well and for the guys also online. Thank you. Thank you very much. All right, please keep in touch. Keep in touch. Keep my email please.
Along one, by the way.