Unified login without interruptions. Why are SSO and IDM integrated into one system in RooX UIDM?

      SSO has long been a standard, but in a large infrastructure a standalone SSO is not enough: somewhere a dismissed employee still has access, somewhere a former contractor is still listed as active, somewhere an employee was transferred long ago but their rights were never changed. RooX UIDM addresses these problems not with a set of integrations but as a cohesive system in which SSO and IDM operate as a single whole. Below we explain why this is critical and where such integration makes security effective rather than merely formal.

      Setting up Single Sign-On (SSO) is one of the most common requirements when implementing an access management system. In practice, however, it turns out that in large companies authentication alone is not enough for a stable and secure SSO deployment. The IDM component plays an important role here: it keeps user data accurate and current, and SSO decisions are only as correct as that data.

      What happens without IDM

      A traditional SSO has no tools for automating access provisioning. In most deployments without an IDM component, the SSO system simply "attaches" to existing user directories (e.g., AD) and is therefore only as accurate as those directories.

      This scheme has two drawbacks in a large company:

      - A lot of manual work for administrators: creating accounts on hiring, adding users to groups, tracking permission changes on transfers, blocking accounts on leave or dismissal,

      - Human error: rights not granted, too few or too many granted, permissions not revoked on time, and so on. Each such deviation is a potential point of breach, an audit finding, downtime for the employee, extra IT workload or staff dissatisfaction. Unrevoked rights do not disappear on their own; they accumulate into orphaned accounts and privilege creep.

      If IDM is a separate system

      Realizing that SSO alone is not enough for access management, companies turn to IDM. There they run into the opposite problem: a standalone IDM is almost always oversized. Most of its functions are used once every five years or are never configured at all, which simply adds complexity and cost of ownership.

      A heavyweight IDM also adds bureaucracy: new interfaces, roles and approval steps appear. Instead of simplifying processes, it becomes one more thing to maintain.

      Financially, budget has to be allocated not only for IDM licenses and deployment but also for its integration with SSO.

      As a result, instead of lightweight automation and a reliable SSO, the company ends up with an overloaded system in which the most important thing, fast and secure access, gets lost in procedures.

      What SSO needs from IDM: the minimum necessary for maximum operation

      We analyzed practical cases and requests from large companies. It turned out that solving the SSO task does not require "the whole of IDM", but without the following key functions you will not get far:

      - Synchronization with HR systems: processing personnel events, i.e. automatically creating or blocking accounts and granting or revoking access rights.

      - Not only employees: in many companies external parties (contractors, integrators, partners, auditors) also get access. Their rights must be managed to the same standard as employees', taking into account contract validity, status and area of responsibility.

      - Role model: static roles, automatic role assignment based on organizational structure, contextual roles (for projects) and manual exceptions.

      - Propagation of account and permission changes to other systems: protected applications or user directories.

      We have implemented all of these capabilities in RooX UIDM as an IDM module within the product.

      How the SSO+IDM bundle is implemented in RooX UIDM

      Integration with HR systems

      RooX UIDM synchronizes with HR systems and processes the personnel events that affect access. For example, a "new employee hired" event can trigger a chain of actions: creating accounts in RooX UIDM, AD, corporate email and other business applications; assigning initial roles in RooX UIDM; adding the user to the relevant AD groups; and starting the first-login scenario (generating a temporary password and requiring a permanent one to be set on first login).

      Not just employees

      In RooX UIDM, external users are full-fledged access subjects, just like employees. The system lets you assign them roles, limit the validity period of their permissions, and automatically block their accounts when the task is completed or the contract ends.
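      The joiner/mover/leaver chain from the two sections above (hiring, transfer, dismissal, and contract expiry for external users), as an added Python illustration. This is not RooX UIDM code: the event format, the department-to-role and department-to-AD-group mappings, and the action names are assumptions chosen for the example.

```python
"""Joiner / mover / leaver processing driven by HR events.

Added illustration; the event format, role/group mappings and action names
are assumptions, not the RooX UIDM data model."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Identity:
    login: str
    kind: str                           # "employee" or "external" (contractor, auditor, ...)
    department: str
    status: str = "active"              # "active" | "blocked"
    roles: set = field(default_factory=set)
    valid_until: Optional[date] = None  # contract end for externals; None = open-ended


# Hypothetical mappings: department -> initial organizational role / AD group.
INITIAL_ROLE = {"procurement": "procurement_employee", "finance": "finance_employee"}
AD_GROUP = {"procurement": "G-Procurement", "finance": "G-Finance"}


def handle_hr_event(directory: dict, event: dict) -> list:
    """Apply one personnel event to the directory and return the provisioning
    actions a sync service would push to AD, mail and business applications."""
    kind, login = event["type"], event["login"]
    actions = []
    if kind == "hire":
        if login in directory:
            raise ValueError(f"{login} already exists")
        until = date.fromisoformat(event["valid_until"]) if event.get("valid_until") else None
        ident = Identity(login, event.get("kind", "employee"), event["department"], valid_until=until)
        ident.roles.add(INITIAL_ROLE[ident.department])
        directory[login] = ident
        actions += [("create_account", login),
                    ("assign_role", login, INITIAL_ROLE[ident.department]),
                    ("add_to_ad_group", login, AD_GROUP[ident.department]),
                    ("issue_temporary_password", login)]   # first-login scenario
    elif kind == "transfer":
        ident = directory[login]
        old, new = ident.department, event["department"]
        # Swap only the organizational role; project roles and exceptions survive the move.
        ident.roles.discard(INITIAL_ROLE[old])
        ident.roles.add(INITIAL_ROLE[new])
        ident.department = new
        actions += [("revoke_role", login, INITIAL_ROLE[old]),
                    ("assign_role", login, INITIAL_ROLE[new]),
                    ("remove_from_ad_group", login, AD_GROUP[old]),
                    ("add_to_ad_group", login, AD_GROUP[new])]
    elif kind in ("dismissal", "contract_end"):
        ident = directory[login]
        revoked = sorted(ident.roles)
        ident.roles.clear()
        ident.status = "blocked"
        actions += [("block_account", login), ("revoke_roles", login, revoked)]
    else:
        raise ValueError(f"unknown HR event type: {kind}")
    return actions


def expire_contracts(directory: dict, today: str) -> list:
    """Scheduled sweep: block every active identity whose validity period has
    passed (externals with an expired contract), reusing the leaver path."""
    cutoff = date.fromisoformat(today)
    actions = []
    for ident in list(directory.values()):
        if ident.status == "active" and ident.valid_until is not None and ident.valid_until < cutoff:
            actions += handle_hr_event(directory, {"type": "contract_end", "login": ident.login})
    return actions


if __name__ == "__main__":
    # Constructed sample events, not real HR data.
    directory = {}
    for ev in [{"type": "hire", "login": "ivanov", "department": "procurement"},
               {"type": "hire", "login": "ext.auditor", "kind": "external",
                "department": "finance", "valid_until": "2024-06-30"},
               {"type": "transfer", "login": "ivanov", "department": "finance"}]:
        print(handle_hr_event(directory, ev))
    print(expire_contracts(directory, "2024-07-01"))
```

      Two design points worth keeping when doing this for real: a transfer must replace only the organizational role (a user's project roles and approved exceptions should not vanish because of a move), and contract expiry should go through the same leaver path as a dismissal so that blocked externals lose roles exactly the way blocked employees do.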

      Role model

      RooX UIDM supports both RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control). It allows:

      - Defining organizational roles (e.g., "Procurement Department Employee at Site A")

      - Creating project or temporary roles with limited durations

      - Assigning direct permissions without role aggregation — for exceptions or non-standard scenarios

      - Using multiple role hierarchies simultaneously — for example, one reflecting organizational structure, another functional or geographic features (e.g., enterprise ↔ division ↔ shift).

      Within ABAC, rules can be built on attributes such as position, department, project, location, start date, length of service, etc. This is especially important in matrix organizations and holding companies, where access depends on several factors at once.
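      As an added example, not taken from RooX UIDM, here is how a role engine combining the capabilities listed above can compute a user's effective permissions: auto-assigned organizational roles, two independent role hierarchies (organizational and geographic), a time-limited project role, a manual direct permission, and an ABAC rule over position and length of service. The role names, permissions, hierarchies and rules are all assumptions constructed for the illustration.

```python
"""Effective permissions from RBAC roles (two hierarchies, auto-assigned and
time-limited roles, direct exceptions) plus ABAC attribute rules.

Added illustration; every role, permission and rule below is an assumption."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class User:
    login: str
    attrs: dict                                           # position, department, site, start_date (ISO)
    project_roles: dict = field(default_factory=dict)     # role -> (valid_from, valid_until) ISO dates
    direct_permissions: set = field(default_factory=set)  # manual exceptions, granted without a role


ROLE_PERMISSIONS = {
    "procurement_employee": {"po:read", "suppliers:read"},
    "procurement_lead": {"po:approve"},
    "division_north": {"reports:north"},
    "site_a_staff": {"badge:site_a"},
    "project_x_member": {"project_x:repo"},
}

# Independent hierarchies: child role -> parent roles whose permissions it inherits.
ORG_HIERARCHY = {"procurement_lead": ["procurement_employee"]}   # organizational
GEO_HIERARCHY = {"site_a_staff": ["division_north"]}             # enterprise / division / site

# Automatic role assignment from organizational attributes.
AUTO_ROLE_RULES = [
    (lambda a: a.get("department") == "procurement", "procurement_employee"),
    (lambda a: a.get("department") == "procurement" and a.get("position") == "lead", "procurement_lead"),
    (lambda a: a.get("site") == "A", "site_a_staff"),
]

# Pure ABAC: permission granted while the predicate over attributes and context holds.
ABAC_RULES = [
    ("po:approve_high_value",
     lambda a, ctx: a.get("position") == "lead" and "start_date" in a
     and (ctx["today"] - date.fromisoformat(a["start_date"])).days >= 365),
]


def expand_roles(roles: set, hierarchies: list) -> set:
    """Transitive closure of a role set over all hierarchies at once."""
    result, stack = set(roles), list(roles)
    while stack:
        role = stack.pop()
        for hierarchy in hierarchies:
            for parent in hierarchy.get(role, []):
                if parent not in result:
                    result.add(parent)
                    stack.append(parent)
    return result


def effective_roles(user: User, today: str) -> set:
    roles = {role for predicate, role in AUTO_ROLE_RULES if predicate(user.attrs)}
    # Contextual (project) roles count only inside their validity window.
    roles |= {role for role, (start, end) in user.project_roles.items() if start <= today <= end}
    return expand_roles(roles, [ORG_HIERARCHY, GEO_HIERARCHY])


def effective_permissions(user: User, today: str) -> set:
    perms = set()
    for role in effective_roles(user, today):
        perms |= ROLE_PERMISSIONS.get(role, set())
    ctx = {"today": date.fromisoformat(today)}
    perms |= {perm for perm, predicate in ABAC_RULES if predicate(user.attrs, ctx)}
    return perms | user.direct_permissions


if __name__ == "__main__":
    # Constructed sample user, not real data.
    petrova = User("petrova",
                   {"department": "procurement", "position": "lead", "site": "A", "start_date": "2022-01-10"},
                   project_roles={"project_x_member": ("2024-03-01", "2024-06-30")},
                   direct_permissions={"legacy_app:login"})
    for day in ("2024-04-01", "2024-07-01"):
        print(day, sorted(effective_permissions(petrova, day)))
```

      The point of evaluating everything from attributes and dates on each call is that a change in the HR record (a move to another site, a project ending) changes the answer without anyone editing a role assignment by hand; only the direct permissions set is a manual artifact, so that is the set an auditor should review first.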

      Transmitting changes to other systems

      RooX UIDM includes a synchronization service that propagates identity and permission data between the systems involved in access management and user identification.

      Integration with request systems

      During requirements analysis it became clear that implementing an access-request mechanism of its own in RooX UIDM is unnecessary: large companies already have approval systems that they use for other requests. To avoid duplication, RooX UIDM integrates with the existing approval systems (Naumen SD, Jira Service Management, 1C ITIL, BPMN platforms, etc.).

      Thus:

      - All requests are handled centrally in the systems business users already know,

      - No one has to be trained on a new interface,

      - RooX UIDM automatically executes approved requests and monitors their fulfilment,

      - Approval workflows remain under the control of the business and IT processes.

      Advantages of this approach

      - Single point of management: authentication, accounts and access rights are managed in one interface.

      - Managed login: RooX UIDM does not just let a user in via SSO; it decides whether to grant access based on the user's current status in the company (employed, transferred, dismissed, contract expired).

      - Flexible routing: access to different systems can require different factors, e.g., SSO into the ERP only after step-up MFA.

      - Exit control: on dismissal, RooX UIDM does not just block login; it revokes active sessions and notifies the security team, so a still-valid SSO session cannot outlive the account.

      - Audit and compliance: every login is logged, so you can immediately establish who logged in, from where, when, and whether they were entitled to.
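      The managed login, step-up routing and exit control bullets above, as an added Python illustration (not RooX UIDM's implementation): the SSO gateway consults the subject's current IDM status and entitlements on every login, applies a per-application factor policy (the assumed ERP policy requires password plus OTP), and on dismissal blocks the subject, revokes all live sessions and records a security alert alongside the audit trail. Application names, factor names and record layouts are assumptions.

```python
"""SSO login decision backed by IDM status, per-application factor policy,
and exit control (block + session revocation + security alert).

Added illustration, not RooX UIDM's implementation; app names, factor names
and record layouts are assumptions."""
from dataclasses import dataclass
import itertools


@dataclass
class Subject:
    login: str
    status: str          # "active" | "blocked", maintained by the IDM side
    entitlements: set    # applications the subject is allowed to reach


# Factors a login must have presented before SSO into each application (assumed policy).
APP_POLICY = {
    "wiki": {"password"},
    "erp": {"password", "otp"},   # ERP only with step-up MFA
}


class SSOGateway:
    def __init__(self, subjects):
        self.subjects = {s.login: s for s in subjects}
        self.sessions = {}           # session_id -> login
        self.audit = []              # every login attempt, allowed or not
        self.security_alerts = []
        self._ids = itertools.count(1)

    def login(self, login: str, app: str, factors) -> tuple:
        """Decide a login: current status first, then entitlement, then factors."""
        subject = self.subjects.get(login)
        if subject is None or subject.status != "active":
            return self._record(login, app, "deny:inactive")
        if app not in subject.entitlements:
            return self._record(login, app, "deny:not_entitled")
        missing = APP_POLICY[app] - set(factors)
        if missing:
            return self._record(login, app, "step_up:" + ",".join(sorted(missing)))
        sid = f"s{next(self._ids)}"
        self.sessions[sid] = login
        return self._record(login, app, "allow", sid)

    def _record(self, login, app, outcome, sid=None):
        self.audit.append({"login": login, "app": app, "outcome": outcome, "session": sid})
        return outcome, sid

    def is_session_valid(self, sid: str) -> bool:
        """Re-check status on every use, so a block takes effect immediately."""
        login = self.sessions.get(sid)
        return login is not None and self.subjects[login].status == "active"

    def dismiss(self, login: str) -> list:
        """Exit control: block the subject, revoke all live sessions, alert security."""
        self.subjects[login].status = "blocked"
        revoked = sorted(sid for sid, who in self.sessions.items() if who == login)
        for sid in revoked:
            del self.sessions[sid]
        self.security_alerts.append({"event": "dismissal", "login": login, "sessions_revoked": revoked})
        return revoked


if __name__ == "__main__":
    # Constructed subjects, not real accounts.
    gw = SSOGateway([Subject("ivanov", "active", {"wiki", "erp"}),
                     Subject("petrov", "active", {"wiki"})])
    print(gw.login("ivanov", "erp", ["password"]))          # step-up required
    print(gw.login("ivanov", "erp", ["password", "otp"]))   # allowed
    print(gw.dismiss("ivanov"), gw.login("ivanov", "wiki", ["password"]))
```

      The order of checks matters: status is evaluated before entitlements and factors, so a dismissed user is refused even with a perfect MFA response, and `is_session_valid` re-reads status rather than trusting the session record, which is what turns an account block into an immediate loss of access rather than one that waits for the session to expire.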

      And the main benefit of combining SSO and IDM in one product is a lower total cost for the customer of solving the task.
