Contractor Enrollment and Onboarding

Managing non-employee onboarding without a centralized process is a challenge that leads to a variety of different workflows. Setting up accounts and granting permissions are inconsistent across the board. Without a direct means of flagging accounts as temporary or mapping them back to their respective sponsors, orphaned accounts can persist well beyond their acceptable lifespan, creating challenges for maintaining compliance. Additionally, visibility into the full scope of the onboarded vendor’s access must be maintained in the system to ensure compliance.

If these third parties are left unchecked, the decentralized system cannot assure appropriate usage of access or follow-up, and the user’s access is still active. To combat these risks, organizations must have a consistent methodology for onboarding vendors, ensuring full visibility into an identities access, and managing the lifecycle of their access from onboarding to decommissioning.

Many modern organizations require the use of contractors or vendors, known as third parties. Managing these non-employees through the HR system, the authoritative identity source for their IT ecosystem is burdensome. In addition, third-party individuals often require access to organizational resources such as shared tools, applications, or data sets to provide critical services. But that access is often for a limited period.

Third parties present challenges and bring additional risks, such as ensuring that access is managed correctly and, when required, deprovisioned quickly. Saviynt plays a key role in helping many organizations simplify the vendor access management process and reduce non-employee risks. A robust vendor access management from the Saviynt Platform helps reduce these risks utilizing a sponsor-based approach to vendor access. Automation, access request, risk visibility, and access review are provided by Saviynt throughout the process of onboarding third parties and managing these identities throughout their lifecycle.

A new worker has to be verified before they are granted access to the infrastructure, and that access comes with a host of entitlements. But the gap remains: who verifies and who onboards the identity? As we’ve discussed, the need for combining strong identity assurance with strong third-party access governance is a logical approach to managing this common but poorly addressed issue.

Saviynt TPAG is integrated with 1Kosmos through the Universal Web Login interface that aids in the proofing and secure collection of PII data necessary for a contractor’s automated onboarding. The UWL interface automates the API calls that need to be made from Saviynt into the platform and the mobile app where the user would proof themselves. Through the partnership between 1Kosmos and Saviynt, the utility extends into account claiming through magic links that enable day zero onboarding of contractors through a high degree of assurance per NIST 800-63-3 and UK DIATF standards. Saviynt, through its plethora of target connectors, can provision accounts and access into both on-premise and cloud systems seamlessly. The applications themselves are integrated either with 1Kosmos directly or with an IDP, thereby enabling a newly onboarded user to login into critical applications without ever needing a password while preserving security through true
biometric authentication from a registered device.

1Kosmos is built with specific capabilities for the onboarding, verification, and authentication of employees and contractors within the confines of the workplace. In this instance, 1Kosmos will validate the contractor onboarding and enrollment into the organization, leveraging Saviynt Third-Party Access Governance as their identity provider. The reference diagram illustrates how the two solutions work together but let’s dig deeper into it.

Contractor Verification

1. The manager initiates the new hire. A new contractor is entered, and onboarding is initiated through Saviynt Third-Party Access Governance.
2. Saviynt Third-Party Access Governance generates and sends an email to the new contractor with onboarding instructions.

User Proofing

1. The contractor downloads 1Kosmos app or a custom app integrated with 1Kosmos API from AppStore or Google Play.
2. The Platform instructs the contractor to scan government-issued documents to proof themselves to and verify their identity to IAL2.
3. The contractor clicks the link in the email to start the onboarding process. The link displays a QR code generated by 1Kosmos for the contractor to begin sharing their proofed identity.
4. The new contractor is asked to provide consent through biometrics (1Kosmos LiveID) for sharing their PII data with Saviynt Third-Party Access Governance.
5. The captured documents are encrypted by the Platform and are sent to Saviynt Third-Party Access Governance.
6. 6 Saviynt Third-Party Access Governance decrypts documents and creates a record for the hiring manager to approve onboarding.
7. 7 Saviynt Third-Party Access Governance sends an email to the hiring manager to log in, view, and approve onboarding.

User Access Grant

1. Saviynt Third-Party Access Governance creates an account and access in Microsoft Active Directory for O365 or an Enterprise IDP.
2. 2 Saviynt Third-Party Access Governance sends a request to 1Kosmos Platform to generate a magic link for the contractor enrollment and account claiming.

Account Claiming

1. Saviynt Third-Party Access Governance sends the new contractor an account claiming invite email with a magic link generated by the 1Kosmos platform.
2. The new contractor clicks the magic link and is challenged to provide MFA in mobile app through an OTP by email or SMS.
3. The contractor enterprise account is enrolled and bound to the contractor’s mobile device within the mobile app.

Passwordless Login

1. The contractor, on their first day, will log in to O365.
2. Office O365 or Enterprise IDP will trigger access with a SAML redirect to the Platform.
3. 3 The contractor will be challenged with a QR code. The contractor will scan the QR code with the 1Kosmos mobile app or custom app and is asked to provide their biometrics for access.
4. The contractor provides their LiveID.
5. The 1Kosmos Platform sends the authentication information to O365 or Enterprise IDP via a SAML response.
6. The contractor is now logged in.

Saviynt defines third-party access governance as managing nonemployees, managing the identities and access entitlements of a partner, affiliate, volunteer, contractor, or vendor. Ultimately, most organizations have many contractors within their environments and have access to the infrastructure, applications, and data. The Saviynt Third Party Access Governance solution manages the life cycle, the onboarding, the entitlements, the governance of these third-party identities and, their authentication. 1Kosmos improves these capabilities by delivering a distributed digital identity platform that is both FIDO2, NIST and UK DIATF certified.

1Kosmos transforms the Saviynt Third Party Access Governance onboarding process. The result is the highest degree of identity assurance for new contractors. By binding contractors to their proofed identity, 1Kosmos creates an identity-based biometric authentication and a passwordless experience. Contractors will utilize their trusted mobile device for physical or logical daily authentication and step-up authentication required for privileged activities. As a result, each access event is associated with a real, verified identity.

When 1Kosmos is integrated with Saviynt Third Party Access Governance, you quickly move toward a Zero-Trust model, where ‘never trust, always verify’ results from the combined solutions. 1Kosmos provides the proof of who somebody is, verifying users using biometrics, and will eliminate the contractor jacking highlighted above. In addition, Saviynt Third Party Access Governance manages the identity life cycle, entitlements, and the governance of these third-party identities.

Combining the technologies from1Kosmos and Saviynt addresses the challenges organizations face dealing with contractors. Organizations will manage the identity governance of contractors, securely enroll and onboard the contractor to a passwordless environment, eliminating user names and passwords and eliminating contractor jacking potential. Overall, organizations will eliminate the extra security exposures contractors introduce.