SSO & MFA for Allianz Security
Boosting security and usability with SSO and 2FA for all users.
Know MoreAtlassian Crowd Data Center
Streamlined SSO and enhanced security with 2FA
100%
Secure Authentication
54+
Integrated Add-Ons
Client Overview
With around 159,000 employees worldwide, catering to over 122 million customers in more than 70 countries, Allianz Group needs no introduction. Headquartered in Munich, Germany, its customers benefit from a broad range of personal and corporate insurance services, ranging from property, life, and health insurance to assistance services, credit insurance, and global business insurance.
The Challenge
Enhancing Security with SSO and 2FA for Internal and External Users
Is to improve its security posture by implementing single sign-on and 2FA for both types of users accessing their Atlassian applications (Jira and Confluence). They were posed with the unique challenge of managing security and usability for both their internal and external users.
The company wanted to delegate the internal user authentication to the IDP, which would handle the 2FA for those users. Yet the external users would still be required to log in with their application credentials, and the 2FA would be handled on the Atlassian application itself.
Solutions we provided to Allianz
Crowd SAML SSO
Two Factor Authentication (2FA)
Our solution for the requirement involved utilizing Crowd SAML SSO, combined with Atlassian connectors, to extend SAML functionality to the Crowd-connected applications, namely Jira and Confluence.
We also suggested implementing our Jira 2FA add-on to enforce two-factor authentication for external users, while exempting internal users who are already authenticated through SSO. This is because 2FA for internal users is managed by the IDP itself.
How It Works
The Crowd SAML SSO functions as a SAML Service Provider, establishing trust between Atlassian applications and central IAM applications. It manages the SAML Request, SAML Response, and user session management across all Atlassian applications. With the SSO connector for Jira and Confluence, users can initiate SSO directly from the Atlassian applications. While user authentication is handled by the IAM, Crowd is still responsible for managing users and their groups (permissions) across the connected Atlassian applications.
In addition to this, a 2FA add-on was implemented on Jira to enforce two-factor authentication for all users, enhancing security for external users. However, this introduced usability challenges for internal users, as they were prompted to complete 2FA twice—once via the IDP and again within the Atlassian application. To streamline the experience, a feature was added that allows internal users to bypass the second 2FA prompt when logging in via SSO, improving overall user convenience.
Key Benefits
- Centralized access control: With Crowd SAML SSO, the user authentication is moved to central IAM without losing any of their existing user permissions.
- Improved user experience: By providing a single sign-on experience, users would seamlessly access multiple applications without having to re-login for different applications. It improved the user experience and reduced the likelihood of password-related issues.
- Strong security: The solution we proposed has the ability to enforce 2FA for non-SSO users while skipping it for SSO users. The Crowd SAML SSO leverages the security features of SAML and the IDP to provide strong authentication and authorization controls.
- Scalability: Crowd SAML SSO is easily scalable, it would allow our client to add or remove applications as needed without having to worry about managing multiple login credentials or access controls.
By fulfilling the requirements of Allianz, we were able to include them in our journey of innovation. Being a software security company, we know the importance of an organization’s security and, hence, build secure, quality products for our clients along with world-class support. So, get on a discovery call with us at +1 978 658 9387 or email your queries to info@xecurify.com, and we would be glad to take it forward from there.
