FAQ – New IdP (Identity Provider) support (Evolve or Studio Manager)
Ques1: Which authentication providers are supported with Evolve today?
Answer: For authentication between the end user (browser or Studio client) and Evolve, we support the following authentication methods:
- Windows AD
- SSO providers:
  - SAML (Azure AD, Okta, ADFS, Auth0, Google)
  - OAuth (Azure AD, Okta, ADFS, Auth0)
Authentication support between Evolve and SAP ERP systems like S/4HANA is a different topic that isn’t covered by this knowledgebase article. More information on that topic can be found in our product documentation.
Ques2: If the IdP that a customer wants to use is not in the list mentioned above, what does it take for Precisely to provide support for a new IdP?
Answer: Currently we have tested only the IdPs mentioned in the answer to question 1. If a customer needs support for any other IdP on SAML or OAuth, it should theoretically work with Evolve, apart from a few features like AD Sync and user lookup. If we have to provide support for a new IdP, we will need access to an environment with that IdP from the customer. Usually, this will require involvement from the customer’s IT/cloud ops team as well. This is required because almost all IdPs are licensed, and we would have to bear the licensing cost of every IdP we want to support, which is not feasible for us when the IdP is needed by just a few customers. We can sometimes use a trial version of the IdP software for testing and development around new IdP support, but a trial version has limited user access and limited access to features, which creates challenges for us. That is why we usually require access to the new IdP in the customer’s environment for development and testing.
Ques3: Which features are at risk of not working with an untested IdP?
Answer: The following features will not work with an untested IdP:
- The User Lookup and AD Sync features do not work without code changes and customization.
- Whether additional features will work depends on testing.
Ques4: How much time may it take for Precisely to provide support for new IdP?
Answer: Whenever possible, we will try to incorporate support for a new IdP as a limited release for a given customer until it can become generally available. Normally, it takes engineering a minimum of two months to validate, fix issues, and provide support for a new IdP on a single protocol (SAML/OAuth). This period does not include the time taken by IT/cloud ops to create the setup for engineering. However, this does not mean we can provide support for a new IdP in 2 months, because such support needs a software release vehicle. For example, if our next release is three months away, then this development will add a two-month delay to that release, and we may be able to provide a version of the product that supports the new IdP in the next 5 months.
Ques5: What are the criteria for Precisely to add a new IdP support? And how can a customer help?
Answer: Any IdP that supports SAML/OAuth can be supported with Evolve. A customer can help Precisely expedite support for a new IdP by doing the following:
- Provide Precisely with access to, and support for, the development environment in which Evolve is deployed, so that Precisely can make code changes and test quickly if needed.
- Provide a point of contact from the customer’s IT team who can help engineering with any required changes.
- If the aforementioned is not possible, the customer can get us an IdP software license that we can use internally to make code changes and test that IdP.
Ques6: What are Precisely’s plans to streamline the process of adding support for new IdPs?
Answer: Our engineering team is currently working on several POCs (proofs of concept) that can help us streamline this process. One of those POCs includes the use of SCIM servers. We will have more information on this in the coming few months.