Identity & Access
Management
IDENTITY & ACCESS MANAGEMENT
RIPPLING
Set up, manage, and disable all of your
company’s apps in one place.
TABLE OF CONTENTS
Rippling’s identity management
model

Rippling helps your team securely
provision, access, and manage apps

Rippling integrates with your apps
and websites

How to configure Rippling’s IDM
Integrating with your internal and
external apps

Integration via partner API
Integration via SAML
Integration via LDAP and Rippling
REST API

Integration via SSH keys
Rippling security
Rippling makes your organization
more secure

Rippling’s high availability
architecture

Rippling’s identity management model
A rich identity management (IDM) model is the foundation of
Rippling’s Identity & Access Management system, and is the basis
for managing your employees’ access and security.
When you onboard an employee in Rippling, several attributes are collected from
the hiring manager or the new hire themself.
All of these attributes can be used to define smart rules that determine which cloud
services an employee gets access to, which licenses and permissions they get
access to, what groups they’re included in, and so forth. For instance, you can
define a rule such as “all part-time sales contractors in the New York office get Zoom
Basic access” or “all full-time engineers in the Front End department belong on the
Front End Google group.” In the next sections, we’ll see how smart rules can be used
to configure most onboarding/offboarding actions in an automated way.
The first unified, zero-upkeep directory
The most challenging part of most IDM models is ensuring that the data is kept
up to date as employees join, leave, or change roles. If the data isn’t accurate, the
IDM model is useless at best, unsecured at worst.
Because Rippling is the key HR onboarding and offboarding tool for our clients, new
employees’ information is generally entered into Rippling before any other services.
Rippling then manages their employment status—such as whether they have
accepted the offer and whether their start date has arrived—as well as the exact
timeline of the onboarding and offboarding cycle. Similarly, when an employee
moves to a different department, the change is done in one place in Rippling, and
then Rippling can automatically create or suspend accounts based on the
employee’s new role.
Altogether, this ensures that Rippling’s identity data will be the most accurate
and the first to reflect changes, so an employee’s access always stays in sync with
their role.
And since Rippling provides a single source of truth across HR and IT functionality,
changes in data will update both HR and IT systems immediately, without the need
to sync data manually between databases.
Attributes collected during onboarding:
Department
Title
Work location
Manager
Employment type (e.g., full-time or contract)
Usernames (e.g., preferred email address or GitHub username)
Class codes
Custom fields
Start date
SSH keys
Multi-factor authentication
Rippling helps your team securely
provision, access, and manage apps
What are apps and what do they do?
You can leverage the Rippling IDM model with apps that connect Rippling with
various cloud services, such as G Suite, Slack, Dropbox, and 300+ others. Once an
app is installed in Rippling, the IDM model can automatically manage many aspects
of the service for you. The most common functionality is to create and remove
employee accounts when employees are onboarded and offboarded. But Rippling
apps can manage many other aspects of the employee lifecycle.
During onboarding
Create employees’ accounts in cloud services, with the right permissions and group memberships according to their roles in Rippling
Automatically record option grants for new hires in your cap table software
Collect public SSH keys from employees that need access to your servers
Import candidates from leading applicant tracking systems
Initiate background checks from leading providers
Automatically ship preconfigured swag packs to new hires
During employment
Provide Single Sign-On (SSO) capabilities for your employees
Store employee passwords and credentials in a zero-knowledge vault
Easily reset passwords and perform account maintenance in one place
Authenticate SSH logins to your servers
Expose a virtual LDAP server with your organization’s employees and structure
Import 401k contributions from 401k services into payroll
Import timeclock data from Time and Attendance services into payroll
During offboarding
Suspend or disable offboarded employees’ accounts. Apps can do this for all services at an exact time, which is impossible with manual offboarding
Rippling integrates with your apps and websites
Rippling uses six different methods (depending on the third party and their
technical limitations) to integrate with all of your team’s apps and websites.
All six are technically different, but to the end user, they look, feel, and act like
one unified solution.
Partner API
APIs (Application Programming Interfaces) allow
Rippling to query and update data directly in the cloud
service. This is most commonly used to create and
remove employee accounts but can also provide other
functionality (such as option grants, 401k sync, and
syncing employee attributes between cloud services).
Most modern cloud services expose APIs.
SAML
SAML (Security Assertion Markup Language) allows
Rippling to log employees into the cloud service with
one click and, in many cases, create their accounts if
they’re logging in for the first time. Most modern cloud
services support SAML.
Password Management
RPass (Rippling’s password manager for teams) can
manage your employees’ credentials, allowing
employees to use SSO through web-based forms,
and giving you visibility and control over your
organization’s password security. This can be done for
any web-based service. It looks, feels, and acts like
other password management tools, such as LastPass
and 1Password.
The largest and most common cloud services (such
as G Suite, Dropbox, and Slack) generally support both
APIs for user provisioning and SAML for SSO. Less
mature cloud services might support only one or the
other. Rippling apps will always use the fullest extent of
what the underlying cloud service provides.
Rippling’s App Shop houses over
500 apps with provisioning, SAML,
and custom capabilities.
Easily manage distribution of
employee SSH Keys based on role,
location, or department.
Rippling REST API
Many Rippling customers have custom in-house
systems for which they need to provision and
deprovision user access. For that, Rippling exposes
a REST (Representational State Transfer) API with
endpoints to read and interact with employee data,
groups, payroll, and PTO. The API is developer-friendly
and can be set up within minutes. For example, with
the Rippling REST API, companies can sync employee
lists to provision accounts in internal software
systems, or populate an intranet with the names,
photos, and contact info of new hires.
LDAP
The Virtual LDAP (Lightweight Directory Access
Protocol) app in Rippling gives you access to your
employee data in Rippling via the industry standard
protocol, which is also used by Microsoft’s Active
Directory. Any service that connects to LDAP
can be pointed to Rippling’s LDAP service. One very
common use case is for a company transitioning
away from an Active Directory server.
SSH Key Management
Rippling’s SSH (Secure Shell) Key Management
feature doesn’t integrate with your internal and
external apps and websites—it integrates with your
server infrastructure using SSH keys. Built-in,
easy-to-set-up SSH key management is an important
part of identity management.
The SSH app lets you manage your developers’
SSH access in the same seamless, automated way
that you manage other cloud services in Rippling.
When you install the SSH app, you can set up smart
group rules indicating which employees should
get access to which server groups. When an employee
is configured to get access to at least one server
group, Rippling prompts them to generate a public/
private key pair and upload their public key to
Rippling. And most importantly, when an employee is
offboarded, their public key entry is immediately
removed from Rippling’s LDAP service, so they can
no longer connect to any servers.
Configure access rules based on
when employees should receive
access to third-party applications.
Customize which employees
should have access to third-
party applications, based
on department, role, or location.
How to conigure Rippling’s IDM
Configuring access rules
When installing an app, you configure a set of smart rules defining who should
get access to the service. These rules allow granular selection and boolean logic
between any of the employee attributes listed above.
When a new employee is onboarded or any of their attributes change, Rippling
checks if the employee matches your configured access rules. If the matching
status has changed, Rippling will take an action based on the type of app. For
API apps, this generally means creating or suspending the employee’s account.
For SAML apps, the access rules control whether to allow SSO to the service from
Rippling. For RPass apps, the access rules control whether to prompt the user to
store their credential in RPass.
Configuring access time
Since Rippling’s IDM model manages the entire lifecycle of your employees, Rippling
knows when a new hire has accepted an offer but not started yet. This lets you
configure exactly when your employees get access to their accounts, so you can
ensure they have a productive first day.
Automatically assign users to
specific groups within a third-
party application based on their
role, department, or location.
Configuring group rules
(only applies for apps with APIs)
Many cloud services have some concept of a “group”
of employees—for instance, G Suite has mailing lists,
GitHub has repos, Box has folders, and Slack has
channels. These are all mapped to a unified model of
“groups” in Rippling.
This concept of Rippling groups is a powerful
abstraction because it lets you manage many other
attributes of your employees’ accounts in a simple and
consistent way. You can use any of the employee
attributes and smart rules to define which employees
should be in which groups, and Rippling will maintain
that group membership as employees join the
company, change roles, and leave.
Note that Rippling generally doesn’t create or delete
groups in your cloud services since the meanings
of those groups may be specific to a particular service.
For instance, if you have an Engineering department
configured in Rippling, Rippling won’t automatically
create an Engineering channel in Slack. But if you have
a #dev channel in Slack, you can configure Rippling
to manage its membership and include everyone in the
Engineering department.
Matching
(only applies for apps with APIs)
When you install an app in Rippling for the first time,
Rippling needs to know how the existing accounts in
your cloud service correspond to your employees
in Rippling. Rippling applies a set of heuristics to match
accounts with employees based on the associated
email addresses, names, or usernames. The person
installing the app gets a chance to review the
auto-selected matches and correct any mismatches.
As part of the daily sync, if new accounts are
detected in a cloud service, Rippling will notify the
corresponding app administrators that they should
match the accounts to employees. It’s important to
maintain the correct matching between accounts
and employees, so that if an employee is offboarded,
the correct account can be disabled.
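The matching step described above, as an added Python example that is not Rippling’s code. The evidence order (email, then username, then name), the rule that name-only or ambiguous hits go to manual review, and all sample records are assumptions made for illustration.

```python
# Added illustration: match service accounts to employees, keep weak or
# ambiguous matches for human review, and flag accounts nobody owns.

def _norm(value):
    """Case-fold and collapse whitespace; None becomes an empty string."""
    return " ".join((value or "").lower().split())


def match_accounts(employees, accounts):
    """Return (matched, needs_review, unmatched).

    matched      account id -> employee id (auto-selected)
    needs_review account id -> candidate employee ids (admin must confirm)
    unmatched    account ids with no candidate at all (possible orphans)
    """
    index = {}  # (kind, normalized value) -> set of employee ids
    for emp in employees:
        keys = [("email", _norm(e)) for e in emp.get("emails", [])]
        keys += [("username", _norm(u)) for u in emp.get("usernames", [])]
        keys.append(("name", _norm(emp.get("name"))))
        for key in keys:
            if key[1]:
                index.setdefault(key, set()).add(emp["id"])

    matched, needs_review, unmatched = {}, {}, []
    for acct in accounts:
        found = None
        for kind in ("email", "username", "name"):  # strongest evidence first
            hits = index.get((kind, _norm(acct.get(kind))), set())
            if hits:
                found = (kind, hits)
                break
        if found is None:
            unmatched.append(acct["id"])
        elif len(found[1]) == 1 and found[0] != "name":
            matched[acct["id"]] = next(iter(found[1]))
        else:
            # A shared name, or a name-only hit, is not enough to auto-select.
            needs_review[acct["id"]] = sorted(found[1])
    return matched, needs_review, unmatched


def accounts_to_disable(matched, offboarded_ids):
    """Accounts to suspend at offboarding; only as correct as the matching."""
    return sorted(a for a, e in matched.items() if e in offboarded_ids)


# Constructed sample data (not real people or accounts).
EMPLOYEES = [
    {"id": 1, "name": "Ana Ruiz", "emails": ["ana@example.com"], "usernames": ["aruiz"]},
    {"id": 2, "name": "Ben Cho", "emails": ["ben@example.com"], "usernames": []},
    {"id": 3, "name": "Ben Cho", "emails": ["bcho2@example.com"], "usernames": ["bcho"]},
]
ACCOUNTS = [
    {"id": "a1", "email": "Ana@Example.com", "username": "ana", "name": "Ana Ruiz"},
    {"id": "a2", "email": "old-alias@elsewhere.example", "username": "ARuiz", "name": "A. Ruiz"},
    {"id": "a3", "email": None, "username": None, "name": "Ben  Cho"},
    {"id": "a4", "email": "svc-build@example.com", "username": "buildbot", "name": "Build Bot"},
    {"id": "a5", "name": "Ana Ruiz"},
]

if __name__ == "__main__":
    m, review, orphans = match_accounts(EMPLOYEES, ACCOUNTS)
    print("matched:", m)
    print("needs review:", review)
    print("unmatched:", orphans)
    print("disable when employee 1 leaves:", accounts_to_disable(m, {1}))
```

Accounts left in `unmatched` or `needs_review` are the ones that would survive an offboarding untouched, which is why the review step matters.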
Overriding automatic rules
When hiring a new employee, the hiring manager can choose to add or remove
access to an app or group if they have permission to do so.
Manually updating apps
On each app’s dashboard, the app administrator can create or suspend an
employee’s account as a one-off, and add or remove a user from groups.
Integrating with your internal
and external apps
Here’s an in-depth look at integrating with your apps via partner
API, Rippling API, SAML, RPass, LDAP and SSH.

Assign temporary password
access for third-party applications
within Rippling.
Integration via partner API
Many services offer open APIs that Rippling can connect to.
This is generally the most powerful type of integration because
Rippling can read and update users, groups, and licenses,
and automate many other actions as part of the employee lifecycle.
Installation
To install an API app, Rippling walks you through a set
of quick steps that grant API access to the underlying
cloud service. The exact type of authentication
depends on the service. When possible, Rippling uses
the OAuth 2.0 protocol, where you can tell the cloud
service to grant limited access to Rippling with just
a few clicks. OAuth 2.0 also allows for scoped access,
and Rippling asks for the most minimal scope that
allows managing users and groups.
Other services that don’t support OAuth generally
have an API key that you can copy and paste into
Rippling. Either way, the installation takes only a few
seconds and gives Rippling a durable and secure
way to connect to the service.
Connecting to your cloud services is a responsibility
that Rippling does not take lightly. See the Security
section for more information about how Rippling
protects your API keys and OAuth tokens.
Daily sync
Rippling uses the API to fetch a list of users and groups
from the cloud service each night. This ensures that
the data you see in Rippling is up to date, even if you or
other users make changes to accounts directly in the
cloud service. You can also run a sync on demand from
the Settings page within each app.
Setting passwords
Many services support setting an initial temporary
password in the API. If the service supports this,
Rippling can set the password, and you can configure
whether the temporary password should be sent
directly to the new hire or to someone else.
Services that allow setting passwords generally
also allow resetting passwords. An app administrator
can reset accounts’ passwords from the app
dashboard in Rippling.

Creating, inviting, and deleting users
There are two ways in which Rippling can decide that
an account should be created or removed:
When an access rule changes (for instance, when an app administrator adds an account as an exception)
When an employee attribute changes (for instance, when their start date occurs)
When either of these occurs, Rippling checks the
employee’s attributes against the configured access
rules both before and after the change, and if the
result is different, Rippling uses the API to create or
remove the employee’s account in the cloud service.
In most cases, Rippling does this by making a
POST call to an endpoint in the service’s API. The
details depend on the particular API, but the POST
body payload generally contains the employee’s
name, email address, and any other employee
attributes that the service supports. Rippling checks
the response of the POST call and correlates it with
the results of fetching the user list from the service
to be sure the account status changed successfully.
This “closed loop” process ensures that the
account status you see in Rippling is an accurate
representation. And if there’s ever a problem
detected with creating an employee account (e.g.,
the service requires purchasing additional licenses to
provision the account), Rippling will notify the app
administrator via email and with a notification on their
Rippling dashboard.
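The before/after rule comparison and the “closed loop” check described above (and earlier under “Configuring access rules”), as an added Python example that is not Rippling’s code. The tuple rule syntax, the `status` attribute, the in-memory `FakeService` and its status codes are assumptions made for illustration.

```python
# Added illustration: decide create/suspend from a rule diff, then confirm the
# result against a fresh user list instead of trusting the write call alone.

def matches(rule, emp):
    """Evaluate a nested boolean rule against one employee's attributes."""
    op = rule[0]
    if op == "eq":
        return emp.get(rule[1]) == rule[2]
    if op == "all":
        return all(matches(r, emp) for r in rule[1:])
    if op == "any":
        return any(matches(r, emp) for r in rule[1:])
    if op == "not":
        return not matches(rule[1], emp)
    raise ValueError(f"unknown operator: {op!r}")


def entitled(rule, emp):
    """No record, or any status other than 'active', never grants access."""
    return emp is not None and emp.get("status") == "active" and matches(rule, emp)


def plan_action(rule, before, after):
    """Act only when entitlement differs between the two snapshots."""
    was, now = entitled(rule, before), entitled(rule, after)
    if was == now:
        return None
    return "create" if now else "suspend"


class FakeService:
    """Constructed stand-in for a cloud service's user API."""

    def __init__(self, seats):
        self.seats = seats
        self.users = {}  # email -> "active" | "suspended"

    def post_user(self, email):
        active = sum(1 for s in self.users.values() if s == "active")
        if active >= self.seats:
            return 402  # constructed status code: no license available
        self.users[email] = "active"
        return 201

    def suspend_user(self, email):
        if email in self.users:
            self.users[email] = "suspended"
        return 200  # this fake answers 200 even for an unknown user

    def list_users(self):
        return dict(self.users)


def apply_and_verify(service, action, email):
    """Run the action, then compare a fresh user list with the expected state."""
    if action == "create":
        status, expected = service.post_user(email), "active"
    else:
        status, expected = service.suspend_user(email), "suspended"
    observed = service.list_users().get(email)
    ok = 200 <= status < 300 and observed == expected
    return {"email": email, "action": action, "ok": ok,
            "observed": observed, "notify_admin": not ok}


# Constructed rule, modelled on the page's "part-time sales contractors in
# the New York office get Zoom Basic access" example.
ZOOM_BASIC_RULE = ("all",
                   ("eq", "department", "Sales"),
                   ("eq", "employment_type", "part-time contractor"),
                   ("eq", "work_location", "New York"))

if __name__ == "__main__":
    hire = {"status": "pending", "department": "Sales",
            "employment_type": "part-time contractor",
            "work_location": "New York"}
    started = dict(hire, status="active")  # start date has arrived
    svc = FakeService(seats=1)
    action = plan_action(ZOOM_BASIC_RULE, hire, started)
    print(action, apply_and_verify(svc, action, "sam@example.com"))
    print(apply_and_verify(svc, "suspend", "ghost@example.com"))
```

The last call shows why the second read matters: the write returns success, but the user list never shows the expected state, so the result is flagged for the administrator.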
Some services don’t expose an API endpoint to
create accounts directly but do have an API endpoint
that sends invitations to the employee’s email
address which must be accepted before their account
is created. For apps that use this invitation model,
Rippling sends the invitation and then polls at least
every 30 minutes to see when the user has accepted
the invitation, and this status is displayed in the app
dashboard in Rippling.
Work email address
When onboarding a new hire in Rippling, the hiring
manager is prompted for whether the new hire should
get a work email address or not. If the hiring manager
says yes, Rippling will collect the work email address
of the new hire and use it to send the invitation for their
accounts. Otherwise, their accounts will be created
under the employee’s personal email address.
GitHub usernames
Some services like GitHub require a new user’s
username rather than their email address to create an
account. If a new hire is configured to get access to
one of these services, Rippling will prompt the new
hire for their username during onboarding, then send
the invitation using that username. Administrators
may also enter GitHub usernames on the employee’s
profile page in Rippling.
Software licenses
Many cloud services support different license types
for user accounts, and it’s important to create
accounts with the right license types based on the role
of the corresponding employee. Rippling lets you
manage how licenses are assigned using smart group
rules. For instance, in the video conferencing service
Zoom, employee accounts can have either Pro,
Business, or Basic licenses, which can be managed in
Rippling as groups.
This means you can give some employees (like full-
time sales reps) Zoom Business accounts and others
(like contractors) Zoom Basic accounts.

Soft deletion
Many services support a form of “soft deletion” for employee accounts. This may be
called “suspending” or “disabling” an account, depending on the service. In general,
when removing accounts, Rippling apps will perform a soft deletion if the service
supports it. This allows you to suspend an employee’s account immediately upon
termination, and to take any remaining clean-up actions.
For instance, in G Suite, it’s recommended that a G Suite administrator go into the
suspended account to recover any Google Drive files and set up email forwarding,
then delete the account.
API Changes
Rippling maintains partnerships with API services so that if the underlying API is
changed, Rippling is notified in advance and can update the integration accordingly.
All such updates are seamless. The administrators don’t need to do anything to take
advantage of the new API.
Assign users to specific account
attributes within a third-party application,
based on employee data in Rippling.

Your employees can securely
log into all of their apps and
websites in just one click via the
SSO bar in their dashboards.
Integration via SAML
SAML overview and SSO
SAML works by having the identity provider (in this case, Rippling) create a
public/private key pair with an X.509 certificate and transfer the public certificate
to the service provider as part of installation and setup. Then when one of your
employees clicks on an SSO link to the service from Rippling, Rippling causes the
user’s browser to make a POST request with a base64-encoded XML payload (called the
SAML assertion) to an endpoint on the service called the Assertion Consumer Service URL.
The SAML assertion contains many fields, including an identifier for the user
(generally an email address), restrictions on when the assertion expires and what
it may be used for, and other metadata about the user.
It is also signed with the private key that belongs to the X.509 certificate created
by Rippling. The service reads the SAML assertion and verifies the signature using the
X.509 public certificate. If the assertion is valid, the service automatically logs the
user in. From the user’s point of view, it’s simply one-click access to the service
they need, without having to remember a password.
Since only Rippling has the private key, and the private key never
leaves Rippling’s servers, nobody can log into the service unless they have valid
access through Rippling. X.509 is the same technology underpinning TLS/SSL and
HTTPS, and the SAML protocol is an open standard well-accepted by the security
and IT community.
Rippling uses industry standard best practices for setting metadata in the SAML
assertion to optimize for security while maintaining end user ease-of-use. You can
view an example of the SAML assertion generated here.
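The “restrictions on when the assertion expires and what it may be used for” mentioned above, as they look from the service provider’s side, in an added Python example that is not Rippling’s code or its assertion format. It covers only the time, audience, recipient and replay checks and assumes the XML signature has already been verified against the identity provider’s certificate; the sample assertion, entity ID and URLs are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TS = "%Y-%m-%dT%H:%M:%SZ"


def build_sample(now, audience, recipient, user, lifetime_s=300):
    """Constructed, unsigned assertion for the demo. Real ones carry a
    ds:Signature and are POSTed inside a samlp:Response wrapper."""
    issued = now.strftime(TS)
    nb = (now - timedelta(seconds=5)).strftime(TS)
    exp = (now + timedelta(seconds=lifetime_s)).strftime(TS)
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed1" '
        f'Version="2.0" IssueInstant="{issued}">'
        f'<saml:Issuer>https://idp.example/constructed</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{user}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData NotOnOrAfter="{exp}" Recipient="{recipient}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{exp}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def _ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


def check_assertion(b64_assertion, sp_entity_id, acs_url, now, seen_ids, skew_s=60):
    """Return (name_id, problems); an empty problems list means acceptable.

    Signature verification is assumed to have happened before this call.
    Untrusted XML: production code should use a hardened XML parser.
    """
    root = ET.fromstring(base64.b64decode(b64_assertion))
    skew = timedelta(seconds=skew_s)
    problems = []

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            problems.append("not yet valid")
        if not noa or now - skew >= _ts(noa):
            problems.append("expired")
        audiences = [a.text for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("audience mismatch")

    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("recipient mismatch")
    else:
        scd_noa = scd.get("NotOnOrAfter")
        if not scd_noa or now - skew >= _ts(scd_noa):
            problems.append("subject confirmation expired")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("missing NameID")

    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        problems.append("replayed or missing assertion ID")
    if not problems:
        seen_ids.add(assertion_id)  # remember accepted IDs until they expire
    return name_id, problems


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    sp, acs = "https://sp.example/metadata", "https://sp.example/acs"
    posted = build_sample(t0, sp, acs, "ana@example.com")
    seen = set()
    print(check_assertion(posted, sp, acs, t0, seen))        # accepted
    print(check_assertion(posted, sp, acs, t0, seen))        # same ID again
    print(check_assertion(posted, sp, acs, t0 + timedelta(minutes=10), set()))
```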
Installation
When you install a SAML app, Rippling walks you through step-by-step instructions
for setting up the SAML connection. The details vary based on each service, but in
most cases you’ll need to copy/paste a certificate or metadata file from Rippling into
the external service. You may also need to copy/paste a URL or entity ID from the
external service back into Rippling.

SAML JIT
Many services support “just in time” (JIT) provisioning of accounts along with
SAML. So when an employee clicks on the SSO link in Rippling for the first time,
the service will automatically create the employee’s account and log them into it.
Notifications
If a SAML app does not support API provisioning and does not support JIT,
Rippling will notify the app administrator when an account must be created for
a new hire. This gives you a central dashboard and audit log for all account
provisioning and deprovisioning, even for services that can’t support automated
account management.
Administrator account
Rippling lets you optionally designate one account in the cloud service as the
administrator account for that service. Any employees with full administrator
permissions in Rippling will be allowed SSO to that account.
This is useful for giving your administrators access to functionality that is tied
to a separate service account. For instance, you might have a single G Suite
administrator account that has access to your G Suite Admin console, in addition
to the regular non-administrator SSO link for G Suite that takes users to their
Gmail inbox.
Service provider initiated logins and mandatory SSO
Many services allow you to disable traditional password-based logins for
employees, thus requiring employees to use SSO. This can make your organization
more secure, since employee passwords can’t be hacked, and you can immediately
remove an employee’s access upon termination by revoking their SSO access.
Services that support such mandatory SSO will generally also support “service
provider initiated” logins, whereby an employee that tries to sign in on the service
provider’s site will be redirected to Rippling, log in on Rippling, and then be
redirected back to the service provider.
Rippling apps support service provider initiated logins whenever the underlying
service supports them.

Integration via RPass
RPass (Rippling’s password manager for teams) provides all the
features you would expect of a modern password manager:
zero-knowledge password vault, team sharing, and more. But you
can also use RPass to manage accounts in cloud services in a
consistent way, even if they don’t support API or SAML integration.
RPass overview and SSO
You can read our Password Management whitepaper for more information about
the RPass security model and inner workings.
When you install an RPass app in Rippling, you configure an access rule that defines
who should get access to the service, just as with an API or SAML app. Employees
that should get access to the service are prompted to enter their account
credentials into RPass.
Once an employee has saved their account credentials in RPass, an SSO link for
the service appears in the employee’s Rippling dashboard, just as a SAML-based
SSO link would. Clicking the link takes the user to the service’s login page and
automatically signs them in with the password in the RPass vault. From the user’s
point of view, it feels just like traditional SSO: one click, and they have access to
the service they need.
Notifications
As with some SAML apps, RPass apps can’t automatically create or remove
accounts in the corresponding cloud service. But by using RPass apps to track
accounts, Rippling will notify app administrators when accounts need to be created
for new hires and give you an audit trail of when this occurred.
Offboarding
When an employee with access to an RPass app is offboarded, they immediately
lose access to any passwords saved in their RPass company vault. A notification is
sent to the application administrator, reminding them to remove the employee’s
account from the underlying cloud service, with an audit trail of when the
administrator confirms this has been done.
Any employee can share any
passwords with other coworkers
via RPass.

Integration via LDAP and Rippling
REST API
Virtual LDAP overview
The Virtual LDAP app in Rippling gives you access
to your employee data in Rippling via the industry
standard LDAP protocol, which is also used
by Microsoft’s Active Directory. Any service that
connects to LDAP can be pointed to Rippling’s
LDAP service.
One very common use case is for a company
transitioning away from a legacy, on-premises Active
Directory server. Since Active Directory uses the
LDAP protocol, almost any service that currently
connects to your Active Directory server can
easily be routed to Rippling’s LDAP service instead.
And unlike Active Directory, Rippling’s data is
automatically kept in sync when employees are
onboarded and offboarded.
Rippling’s Virtual LDAP app supports simple
authentication (also known as simple bind). Data is
organized in the usual Distinguished Name format; for
instance, users are contained in:
u=users,dc=yourcompanyname,dc=rippling,dc=com
Rippling’s Virtual LDAP is a read-only system
supporting bind and search operations.
Rippling REST API overview
Many Rippling customers have custom in-house
systems for which they need to provision and
deprovision user access. For that, Rippling exposes
a REST API with endpoints to read and interact with
employee data, groups, payroll, and PTO. The API
is developer-friendly and can be set up within minutes.
Here are some examples of what Rippling customers
have done with the API:
Sync employee list to provision accounts in internal software systems
Populate an intranet with names, photos, and contact info of new hires
Read and manage group membership
Store employees’ proficiencies and pull that info into assignment and scheduling software
Push real-time commissions and bonuses into Rippling’s payroll system
Fetch PTO requests to show who is out of office on the company’s internal homepage
For more information, please refer to our Rippling
API documentation.

Integration via SSH keys
SSH key management overview
The SSH app lets you manage your developers’ SSH access in the
same seamless, automated way that you manage other cloud
services in Rippling.
When you install the SSH app, you can set up smart group rules
indicating which employees should get access to which server
groups. When an employee is configured to get access to at least one
server group, Rippling prompts them to generate a public/private key
pair and upload their public key to Rippling.
Rippling then walks you through setting up System Security Services
Daemon (SSSD) on your servers. SSSD is an established open-
source library that allows Unix accounts to be driven by a remote
identity provider. When an employee
uses SSH to connect to one of your servers, the SSSD process looks
up the employee’s public key from an LDAP service provided by
Rippling, then uses the public key to authenticate the login.
From your employees’ point of view this process is invisible—they
simply log in with private key authentication like they’re used to. But
from an IT and DevOps point of view the change is immense:
administrators no longer have to maintain SSH keys consistently
across the server fleet.
Most importantly, when an employee is offboarded, their public key
entry is immediately removed from Rippling’s LDAP service, so they
can no longer connect to any servers.
Rippling security
At Rippling, we understand that connecting to your cloud services is
a serious responsibility, and we go to great lengths to protect your data.
Protecting API keys
Rippling uses OAuth 2.0 whenever possible. This modern protocol allows for scoped access tokens and time-limited access with periodic refreshes. So you’re always in control of what Rippling has access to.
Rippling requests access tokens with the most minimal scope required to manage your accounts, nothing more.
Your company’s data is logically partitioned from any other clients, with a deeply ingrained role-based permission system that prevents unauthorized access.
API keys and access tokens are encrypted at rest and in transit.
Protecting SAML certificates
Rippling uses a different certificate for every client and every app installation, so there’s no way for your certificate to be used by anyone outside your company.
Similarly to API, your company’s data is logically partitioned from any other clients, with a deeply ingrained role-based permission system that prevents unauthorized access.
SAML certificates are encrypted at rest and in transit.
Security is at the heart of what Rippling does
All data is transferred using 256-bit TLS 1.2+ encryption, which is the latest cryptographically secure algorithm used by banks and governments.
Bank-grade AES encryption protects your data at rest. We follow industry best practices for defense in depth: data is encrypted with multiple keys, keys are rotated regularly, and sensitive data uses end-to-end encryption.
Our strong team enables strong security
We keep up to date on the latest security practices with regular security and privacy awareness training. New features go through extensive testing and peer review with a rigorous SDLC.
Administrator access requires a strong password with two-factor authentication, and separation of duties is built into sensitive tasks.
Security teams work around the clock to protect your data and respond to threats.
Tested and trusted
Rippling works with independent third parties as well as external researchers who regularly assess our site for vulnerabilities. All data is hosted and processed in an SSAE 16 SOC 2 compliant data center, with 24/7 physical security.

Rippling makes your organization more secure
Eliminate weak and reused passwords
Research by Verizon concluded that
81% of corporate data breaches are due
to weak or compromised passwords.
By enabling SSO for your employees—
and better yet, enabling mandatory
SSO for services that support it—you
can simply eliminate the most common
cause of data breaches.
Enforce multi-factor authentication across all your cloud devices
Not all cloud services support multi-
factor authentication, which is an
industry best practice for securing
accounts. By enabling it for Rippling
logins and using Rippling as the
SSO identity provider for other services,
you can effectively enable multi-factor
authentication for services that don’t
otherwise provide it.
Instantly disable accounts during offboarding
Immediate removal of offboarded
employees’ accounts is essential to
preventing malicious behavior by
someone who has nothing to lose.
Centralize logging and account activity visibility
By managing account creation, deletion,
and SSO in one place, you have a
central dashboard for monitoring
account activity throughout your entire
organization. Review audit trails,
identify abnormal behavior, and pass
compliance audits with ease.

Rippling is proud to be SOC 2 Type II compliant
Rippling’s high availability architecture
We understand that you and your employees need access to cloud services 24/7,
with no disruption. As an identity manager, we take this responsibility very seriously,
and we built the whole product around ensuring that Rippling will always be
available when you need it.
Rippling achieves high availability through an architecture of redundancy and
continuous monitoring.
Rippling’s API servers are clustered behind a load balancer and distributed across
multiple Amazon Web Services availability zones. API servers are kept stateless to
allow easy horizontal scaling.
The database leverages MongoDB, one of the most widely deployed and trusted
NoSQL solutions. Data is replicated live to multiple backups that can be elevated to
master within seconds. In addition to the live backups, data is dumped nightly and
stored in redundant availability zones.
Server infrastructure is monitored 24/7, and Rippling’s infrastructure team regularly
reviews and plans future capacity to account for growth. As a result of these efforts,
Rippling has passed a SOC 2 Type 1 audit that included attestation to the availability
controls of Rippling’s system.
Rippling helps businesses manage every employee system—their payroll,
benefits, computers, apps, and more—all in a single, modern platform.
By connecting every system in a company to one employee system of record,
businesses can automate all the manual work they normally have to do to
make employee changes. Take onboarding, for example. With Rippling, you can
set up a new employee’s payroll, health insurance, laptop, and apps like Gmail
and Slack, all in just 90 seconds.
LEARN MORE
rippling.com/app-management