Production Rollout Strategies for Via Access
Customers will often test the integration between Via Access and applications in a test/lab/dev environment. That testing can answer technical questions about Via Access. What information can the Product Management team share regarding user adoption during a production rollout? Are there strategies to limit the impact on end users and help desks? Are there technical tricks that allow an easier transition between the existing environment and Via Access?
Some applications support a phased rollout (starting by providing SSO integration for a small user population and expanding to others, over time), while others are more of a "big switch" (once you switch on SSO/SAML, that becomes the only way for all users to log in).
- If an application is integrated using HFED, it can often be rolled out to users gradually. Using policies, the administrator can control things so that only certain subsets of users would see the application in their portal. Other users could continue to access the application directly.
- If an application is integrated using SAML, it depends on the application's approach to SAML, but:
  - IdP-initiated SAML applications often continue to support direct logins, and as such can often use a policy-based rollout as described above. Other users of the application would still be able to log in to the application directly.
  - SP-initiated SAML applications usually are a "big switch," but some may continue to support direct logins through the use of a login form AND an "or sign in with [the IdP]" button.
- If an application is integrated using Trusted Headers, it should be protected from direct access, so the cutover would necessarily impact all users.
If an application enables SSO by pulling a "big switch," it becomes more important to test out the integration against a test/dev instance of the application. Then, once you've confirmed all the details, you'll know exactly what you need to do to enable it for the production instance. I generally recommend making production changes during off-peak hours, though, anyway.
Once all users have been switched over to use RSA Via Access to log into their applications (whether using HFED, SAML, Trusted Headers, etc.), it's a good idea to disable direct logins where possible, so that all users have a secure and consistent login experience.