
Monokee 4.0 Access Management Capabilities

· 12 min read
Dr. Mattia Zago
Enrico Fabris
Sara Meneghetti
Valentina Codogno

Monokee’s Access Management capabilities cater to both internal and external users, addressing use cases across a wide range of applications and services. It offers centralized identity management, single sign-on, multi-factor authentication, and granular authorization controls. These features align with external trends such as the convergence of IAM features, SaaS adoption, passwordless authentication, adaptive access, and cybersecurity mesh.

Access Management

Monokee is an all-encompassing access management suite, designed to meet the demands of today’s decentralized and dynamic environment. It provides core functionalities for both workforce and B2C users, including centralized identity management through directory services, seamless single sign-on (SSO) for streamlined access, robust user authentication with widely accepted multi-factor authentication (MFA) methods, and granular authorization controls.

Monokee stands out by supporting portable identities, offering integration with established providers like social media and cloud services, and backing emerging decentralized identity solutions. This flexibility broadens your reach and caters to a wide range of user needs.

For B2B partners, Monokee simplifies registration and permission management. For B2C customers, it enhances user experience through self-service options, activity logging, and native consent collection.

Monokee’s authorization and adaptive access features allow for dynamic decision-making based on contextual data and risk evaluation. Its extensibility empowers you to integrate additional IAM and security tools, customize experiences, and embed controls into custom applications.

Security is further enhanced with phishing-resistant MFA methods, compromised password mitigation, and robust API access controls. While threat reporting and ITDR are future additions, current functionalities enable you to define strict risk-based policies, audit access, and mitigate potential risks.

Monokee aligns with identity-first principles, offering adaptability, integration, and extensibility. This paves the way for a secure, interoperable, and distributed identity fabric.

Critical Capabilities

Identities Repository

Monokee goes beyond the minimum requirements of a directory service by providing a comprehensive identity management solution for both workforce IAM and CIAM. It offers advanced features for identity synchronization, SCIM support, access governance, self-service, and identity-based security.

User management

Monokee acts as a centralized repository for identities, storing custom attributes, roles, groups, and more. Within each user, group, and application, detailed properties are available and configurable.

Identity synchronization and integration

Monokee offers connectors to synchronize identities with existing directories like Active Directory, LDAP, and HR systems. This ensures consistent and up-to-date information across platforms. Monokee supports inbound and outbound SCIM provisioning, allowing applications to automatically request and receive user attributes directly.

General management

Monokee streamlines user lifecycle management, starting with smooth onboarding. Whether for employees or customers, automated workflows ensure they quickly gain access to appropriate applications based on their roles, groups, or specific attributes. Users can also participate in a self-service experience, registering, initiating access requests, and updating their profiles, all while reducing the burden on IT teams. Onboarding journeys can even be customized based on user types or departments for added flexibility. Concerning offboarding, Monokee automatically revokes access across connected applications upon termination, minimizing security risks from lingering access. Throughout the user lifecycle, dynamic access management plays a crucial role: Monokee employs role-based access control (RBAC) to assign privileges tailored to user roles, eliminating the need for manual configurations. Regular access reviews keep user access relevant and secure, while Just-in-Time provisioning offers temporary access for specific needs.

Identity-first security

Monokee natively integrates dynamic, context-aware controls that ensure a quick and effective response to changes in risk and trust throughout the user journeys.

Identity Administration

Monokee offers native administrative tools for identity management and administration. A fully compliant SCIM interface is available in the Identity Manager to support third-party integrations. Users can be synchronized to and from Monokee as well as third-party resources, with support for context-based workflows and custom provisioning and/or deprovisioning. Fully automated flows can be combined with general-purpose interactive ones.
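The synchronization and lifecycle behaviour described above (authoritative source, SCIM provisioning, automatic revocation on offboarding) is easiest to see as a reconciliation step. The following is an added example, not Monokee's code: it compares a constructed HR export with a constructed snapshot of a target application and emits the SCIM 2.0 (RFC 7643/7644) requests that would bring the target in line. The records, the `/Users` paths and the choice to deactivate rather than delete are assumptions made for the example.

```python
"""Added example (not Monokee's code): reconcile an authoritative HR source
against a target directory and emit SCIM 2.0 (RFC 7643/7644) messages.
All records below are constructed sample data."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed authoritative source (an HR export); 'status' drives (de)provisioning.
HR_RECORDS = [
    {"employee_id": "1001", "login": "alice", "given": "Alice", "family": "Rossi",
     "mail": "alice@example.com", "status": "active"},
    {"employee_id": "1002", "login": "bob", "given": "Bob", "family": "Bianchi",
     "mail": "bob@example.com", "status": "terminated"},
    {"employee_id": "1003", "login": "carol", "given": "Carol", "family": "Verdi",
     "mail": "carol@example.com", "status": "active"},
]

# Constructed snapshot of the target application's users, keyed by externalId.
TARGET_USERS = {
    "1001": {"id": "t-1", "userName": "alice", "active": True,
             "emails": [{"value": "alice.old@example.com", "primary": True}]},
    "1002": {"id": "t-2", "userName": "bob", "active": True,
             "emails": [{"value": "bob@example.com", "primary": True}]},
}


def to_scim_user(rec):
    """Map an HR record onto the SCIM core User schema."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": rec["employee_id"],
        "userName": rec["login"],
        "name": {"givenName": rec["given"], "familyName": rec["family"]},
        "emails": [{"value": rec["mail"], "primary": True}],
        "active": rec["status"] == "active",
    }


def deactivate_patch():
    """SCIM PatchOp that revokes access without deleting the account (keeps the audit trail)."""
    return {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def reconcile(source, target):
    """Return the (method, path, body) operations that bring target in line with source."""
    ops = []
    seen = set()
    for rec in source:
        seen.add(rec["employee_id"])
        desired = to_scim_user(rec)
        current = target.get(rec["employee_id"])
        if current is None:
            if desired["active"]:  # never create accounts for already-terminated people
                ops.append(("POST", "/Users", desired))
            continue
        if not desired["active"]:
            if current["active"]:
                ops.append(("PATCH", f"/Users/{current['id']}", deactivate_patch()))
            continue
        # Compare the attributes the source owns; PUT replaces the whole resource.
        if (current["userName"] != desired["userName"]
                or current["emails"] != desired["emails"]
                or not current["active"]):
            ops.append(("PUT", f"/Users/{current['id']}", desired))
    # Accounts present in the target but unknown to the source are lingering access.
    for ext_id, current in target.items():
        if ext_id not in seen and current["active"]:
            ops.append(("PATCH", f"/Users/{current['id']}", deactivate_patch()))
    return ops


if __name__ == "__main__":
    for method, path, body in reconcile(HR_RECORDS, TARGET_USERS):
        print(method, path, json.dumps(body))
```

Running the module prints three operations: a PUT correcting Alice's e-mail, a PATCH deactivating the terminated Bob, and a POST creating Carol. The final loop is the part that matters for offboarding: any active account the authoritative source no longer knows about is revoked, which is the "lingering access" case the text mentions.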

Figure: Monokee Identity Manager technical architecture.
Figure: Identity Manager synchronization configurator.

Multiple authoritative sources can be used to populate target resources, including Monokee user repository or third-party applications.

Single Sign-On (SSO) and Session Management

Monokee plays a hybrid role, acting as identity provider or service provider depending on the process in which it is involved and the actor it addresses, and it supports a different protocol in each phase independently. For example, you can use a SAML application (SP) with Monokee as IdP while the users come from another IdP over any modern authentication protocol.

Figure: Monokee acts as Identity Provider or Service Provider depending on the role of the other actors. Connections are completely independent and mediated via the Visual Identity Orchestrator.

To achieve these bridging functionalities, Monokee extensively supports SSO protocols such as SAML 2.0, OAuth 2, OpenID Connect, JSON Object Signing and Encryption (JOSE), Simple Web Tokens, and mTLS. Custom authentication methods can be evaluated upon request. Monokee is also OpenID Certified (including for third-party-initiated OP).

Application Broker

Monokee supports apps integrated with modern, legacy, and custom (non-standard) authentication methods. Configurations for individual applications can be imported, exported, and provided as a template.

Figure: Supported application types.

Your application, your rules: individual applications can be protected by customizable access policies.

Figure: Example of application protection flow.

Administrators can use data from users, roles, custom attributes, custom scripts, and external data sources to make a decision. Individual applications can be associated directly with users or with groups, and, in addition to the classic RBAC scheme, custom attributes may be assigned values statically (i.e., based on individual users' attributes or groups) or dynamically (i.e., based on APIs, policies, or runtime values).

Figure: Monokee application broker provides direct access to all applications and resources assigned to the user.

Session Management

Monokee sessions are fully customizable from the Visual Identity Orchestrator (V.I.O.) through the corresponding nodes. The session management system is granular enough to regulate the state of user sessions throughout their interactions with applications: it manages session duration by issuing and refreshing time-limited access tokens or cookies, so that sessions remain active only for the intended period, and it can terminate sessions on demand for an extra layer of control. Users can manage their sessions across multiple applications from a single interface.

Figure: Monokee session management nodes enable the complete customization of sessions, including custom ephemeral ones not bound to any specific user journey.

User Authentication

Monokee's out-of-the-box offering includes core AM functionalities for workforce, B2B, and B2C use cases. Along with core user-authentication methods and classic MFA, Monokee offers mitigation controls for common threats and general passwordless approaches. Enforcing a solid MFA strategy for a more secure business environment is extremely important but nonetheless often neglected. To ease enterprises in rolling out mandatory MFA for all accounts, Monokee natively integrates several authentication factors:

  • One-Time Password (OTP), either time-based (TOTP) or HMAC-based (HOTP).
  • SMS (discouraged as of 2017).
  • Hardware tokens and security keys.
  • Device attestation and device pinning.
  • WebAuthn and FIDO2, including multi-device passkeys.
  • Biometrics, Know Your Customer (KYC), and Anti-Money-Laundering (AML) providers.
  • Decentralized Identities with full support for W3C Verifiable Credentials and Verifiable Presentations.

Monokee integrates with multiple vendors worldwide to ensure optimal coverage and cutting-edge technologies.
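The first item in the list, OTP in its HOTP (RFC 4226) and TOTP (RFC 6238) forms, is small enough to show end to end. The following is an added example, not Monokee's code: it implements both algorithms with the standard library and adds the two server-side checks a verifier needs, a bounded look-ahead window with counter resynchronization for HOTP and a clock-drift window that still refuses reuse of an already accepted code for TOTP. The secret is the RFC test-vector key, the window sizes are assumptions for the example.

```python
"""Added example (not Monokee's code): RFC 4226 HOTP and RFC 6238 TOTP with
the verifier-side state that makes them safe to use (look-ahead window,
counter resync, single-use enforcement). The secret is the RFC test key."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret, not a real key


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP is HOTP with the counter replaced by the number of elapsed time steps."""
    for_time = time.time() if for_time is None else for_time
    return hotp(secret, int(for_time // step), digits)


class HotpVerifier:
    """Server-side HOTP state: never accept a counter at or below the last accepted one."""

    def __init__(self, secret, look_ahead=10):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        # Try the next `look_ahead` counters so a few unused presses on the token do not
        # desynchronize it, then burn every counter up to and including the accepted one.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


class TotpVerifier:
    """Server-side TOTP state: tolerate clock drift but make each time step single-use."""

    def __init__(self, secret, step=30, drift=1):
        self.secret, self.step, self.drift, self.last_step = secret, step, drift, -1

    def verify(self, code, for_time=None):
        for_time = time.time() if for_time is None else for_time
        base = int(for_time // self.step)
        for d in range(-self.drift, self.drift + 1):
            step = base + d
            # A step that was already accepted is refused even if it is inside the drift window.
            if step > self.last_step and hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))          # RFC 4226 vector: 755224
    print("TOTP at T=59 :", totp(SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
```

Both verifiers compare codes with `hmac.compare_digest` and keep the last accepted counter or time step, which is what turns a correct OTP computation into a usable second factor: without that state a captured code would remain valid for the whole window.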

Authorization

Monokee supports dynamic and configurable authorization approaches: it is possible to combine multiple conditions to guarantee authorized access to the applications. The figure that follows summarizes some examples of custom policies that can be designed within Monokee.

Figure: Monokee custom policies applied in an authentication and authorization user journey.

Additional Capabilities

Portable Identities and Business-to-Business (B2B)

Monokee allows users to leverage their existing digital identities, such as those from government agencies, banks, and communication service providers, to authenticate themselves in various online environments.

This capability is further enhanced with dedicated Business-to-Business (B2B) connectors: businesses can invite and register partners and manage their permissions through delegated administration functionalities or directly from within their default user journeys, while retaining the option of managing the access rights of multiple external partners.

Figure: Create sessions using internal or external users by swapping out the most suitable connector node.

In Monokee, these capabilities are included out-of-the-box, including delegated administrator roles and delegated administration. Just-in-time provisioning is also supported during this process.

Business-to-Consumer (B2C)

Monokee offers self-service functionalities for both administrators and end users, including streamlined onboarding (automated workflows to expedite provisioning and the assignment of access, roles, and permissions), offboarding (swift deprovisioning and account termination, including data removal), application access (requests, role-based permissions, and attribute-based permissions), and data processing (consent collection, forced checkpoints, export rules, and data sharing flows).

With the V.I.O., Monokee empowers a shift towards a user-centric, identity-first, IAM approach to bolster efficiency, compliance, and a positive user experience.

Continuous Adaptive Trust (C.A.T.) and Threat Response

Requiring several factors is necessary but not sufficient: a blind count of the authentication factors asked of the user is a naïve approach. Monokee enables security engineers to build custom policies for dynamic risk and trust management that include runtime conditions and behavioral parameters to achieve Continuous Adaptive Trust (CAT). With Monokee, you can move from MFA to CAT, integrating passwordless user journeys where the trust in the user identity is continuously evaluated and adapted.

Custom factors can increase security while reducing the frequency of additional authentication steps. Different entry barriers can be designed on security levels and threat indicators, enabling frictionless access to low-sensitivity areas while guaranteeing a security assurance level. CAT factors include user identity, access context, reputation analysis, and anomaly detection.
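The Authorization section above says policies combine multiple conditions, the Application Broker section says those conditions draw on roles, attributes and runtime values, and this section says the result should be a graded trust decision rather than a fixed factor count. The following is an added example, not Monokee's code, that puts those three statements into one evaluator: role and attribute conditions are checked first, then constructed risk signals (device trust, IP reputation, new location, impossible travel, time of day) are scored, and the score against the application's sensitivity decides between allow, step-up and deny. The rule names, point values, thresholds and the set of factors considered phishing-resistant are assumptions made for the example.

```python
"""Added example (not Monokee's code): a policy evaluator that combines RBAC,
user attributes and runtime context into a continuous-trust decision
(allow / step_up / deny). Rules, scores and thresholds are constructed."""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    roles: set
    attributes: dict    # static attributes (department, clearance, ...)
    context: dict       # runtime signals (device_trusted, ip_reputation, new_geo, ...)
    factors_done: set   # authentication factors already satisfied in this session


# Each rule: (description, predicate over the request, risk points). Points accumulate.
RISK_RULES = [
    ("untrusted or unmanaged device", lambda r: not r.context.get("device_trusted", False), 30),
    ("poor IP reputation", lambda r: r.context.get("ip_reputation", 100) < 50, 40),
    ("login from a new country", lambda r: r.context.get("new_geo", False), 25),
    ("impossible travel", lambda r: r.context.get("impossible_travel", False), 60),
    ("outside working hours", lambda r: not 7 <= r.context.get("hour", 12) < 20, 10),
]

PHISHING_RESISTANT = {"fido2", "passkey", "hardware_key"}


@dataclass
class AppPolicy:
    name: str
    required_roles: set
    required_attributes: dict = field(default_factory=dict)
    sensitivity: int = 1                       # 1 low ... 3 high; raises the bar for step-up
    phishing_resistant_required: bool = False


def risk_score(req):
    """Sum the points of every rule that fires and report which ones did."""
    hits = [(desc, pts) for desc, pred, pts in RISK_RULES if pred(req)]
    return sum(p for _, p in hits), [d for d, _ in hits]


def decide(policy, req):
    """Return (decision, reasons). Authorization conditions first, then adaptive trust."""
    if not policy.required_roles & req.roles:
        return "deny", ["no matching role"]
    for key, wanted in policy.required_attributes.items():
        if req.attributes.get(key) != wanted:
            return "deny", [f"attribute {key} != {wanted!r}"]
    score, reasons = risk_score(req)
    if policy.phishing_resistant_required and not (req.factors_done & PHISHING_RESISTANT):
        return "step_up", reasons + ["phishing-resistant factor required"]
    if score >= 60:
        return "deny", reasons
    # Sensitivity lowers the step-up threshold: 40 points for low, 30 medium, 20 high.
    if score >= 50 - 10 * policy.sensitivity and len(req.factors_done) < 2:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    payroll = AppPolicy("payroll", {"finance"}, {"department": "finance"}, sensitivity=3)
    req = AccessRequest({"finance"}, {"department": "finance"},
                        {"device_trusted": False, "ip_reputation": 90, "hour": 10}, {"password"})
    print(decide(payroll, req))  # same request against a low-sensitivity app would be allowed
```

The same request is allowed on a low-sensitivity application and forced through a step-up on a high-sensitivity one, which is the "different entry barriers" idea in the paragraph above; a request that accumulates enough risk is denied regardless of how many factors were completed, and a policy that demands a phishing-resistant factor is not satisfied by a password plus an OTP.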

Extensibility and customizations

Integrate third-party solutions via RESTful APIs, both as input and output of Monokee's flows. Each user journey provides full compatibility with HTTP methods to create general-purpose CRUD-like operations.

From the V.I.O., multiple utility nodes offer native and external signal integration with a no-code approach to enable custom-built applications and APIs. Snippets for flows and nodes can be copy-pasted across environments and from the official documentation.

An example of Access Flow

This description details the initial steps of a user journey within Monokee's Identity Orchestration platform. It highlights the decision-making process based on user authentication status.

Figure: A basic credentials flow.

Here's a breakdown:

  • Starting Node: This is the entry point for all user journeys. A user lands here upon initiating the access request.
    • Authentication Check: The system verifies if the user is already authenticated (e.g., has a valid session).
    • Authenticated User: If the user is already authenticated, they bypass the authentication steps and proceed directly to the target application (End Success).
    • Unauthenticated User: If the user isn't authenticated, the journey progresses to the next step.
  • Frontend Form Ask Credentials: This node presents a login form to the user, with username and password fields.
    • User Input: The user enters their credentials and submits the login form. The values are stored as variables for later usage.
  • Monokee Authenticate User: This node receives the submitted credentials and performs the authentication process.
    • Successful Authentication: If the credentials are valid, the user is authenticated, and the journey proceeds to the End Success node, granting access to the target application.
    • Failed Authentication: If the credentials are incorrect, the user is directed to an error state labeled "Wrong credentials."
    • Additional Error Exits: There are other potential exits:
      • User Not Activated: This indicates a user account that hasn't been activated yet.
      • User Locked: The user has been locked by an administrator or an automatic process.
      • Password Expired: The user's password might have exceeded its validity period and needs resetting.

This example focuses on username/password authentication. Monokee supports other authentication methods (MFA, social logins) that would be integrated into this flow at different points.
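The flow in the breakdown above has a fixed set of exits (End Success, Wrong credentials, User Not Activated, User Locked, Password Expired), which makes it a good candidate for a small state machine. The following is an added example, not Monokee's code or its node implementation: it walks the same branches over a constructed in-memory user store, with the session check at the start, salted PBKDF2 password verification, and an automatic lock after repeated failures standing in for the "automatic process" mentioned under User Locked. The lockout threshold, password age limit and hashing parameters are assumptions made for the example.

```python
"""Added example (not Monokee's code): the credentials flow from the figure as
a state machine with the same exits. The user store, sessions, lockout
threshold and password age limit are constructed for the example."""
import hashlib
import hmac
import os

MAX_FAILURES = 5                   # assumed automatic-lock threshold
PASSWORD_MAX_AGE = 90 * 86400      # assumed password validity period in seconds
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password, *, activated=True, locked=False, password_set_at):
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "activated": activated, "locked": locked,
            "password_set_at": password_set_at, "failures": 0}


def run_flow(session, username, password, users, now):
    """Return the exit node reached, mirroring the journey's branches."""
    # Starting node: an already authenticated session bypasses the credential steps.
    if session.get("authenticated"):
        return "End Success"
    # Frontend form supplied username and password; Monokee Authenticate User node follows.
    user = users.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long as a wrong password; this keeps
        # the timing of the "Wrong credentials" exit from revealing which accounts exist.
        hash_password(password, b"\x00" * 16)
        return "Wrong credentials"
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["digest"]):
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked"] = True  # the automatic lock process
        return "Wrong credentials"
    # Account-state exits are only reached by a caller who proved the password, so they
    # do not leak account status to someone who merely knows a username.
    if user["locked"]:
        return "User Locked"
    if not user["activated"]:
        return "User Not Activated"
    if now - user["password_set_at"] > PASSWORD_MAX_AGE:
        return "Password Expired"
    user["failures"] = 0
    session["authenticated"] = True
    session["user"] = username
    return "End Success"


if __name__ == "__main__":
    now = 1_000_000
    store = {"alice": make_user("correct horse", password_set_at=now - 86400)}
    session = {}
    print(run_flow(session, "alice", "correct horse", store, now), session)
```

Each exit of the flow is a distinct return value, so an MFA or social-login node could be spliced in between the successful password check and the End Success branch exactly as the closing paragraph describes, without touching the error exits.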