The challenge I have with this is what if an employee leaves my organization but was once registered with CRES.  Because CRES spoofs the sending e-mail address, that employee who is no longer a part of my organization can still send e-mail as if it is from my organization.   Correct?

1. I think that CRES should change its policy of spoofing e-mail addresses and use a CRES notification e-mail address as the sender address.  Once the encrypted e-mail is opened, then expose the senders address.  This will help support the whole domain sender authentication movement.

2. Allow CRES admins to remove registered users like we currently can with IronPort Encryption Appliances.

3. Allow the continuation/support/sales of the IronPort Encryption Appliances.

Just my thoughts.

The right way to solve that issue for your employees is to use SAML to let them get to CRES for your business addresses. If they dont have the password they can't get in, and when they leave they won't have access to your mail account, plus forcing everything through SAML would keep them from authenticating anyway...
i just don't know how far down the SAML path CRES is yet....
Sent from Cisco Technical Support iPad App

SAML intergration with CRES has been there for long.. https://supportforums.cisco.com/thread/2108602

Additionally The user account on CRES can be "suspended"/"Locked" by the CRES admin.  When an account is suspended, the user will not will not be able to log into CRES or open new or previously received secure envelopes from CRES.

Is SAML authentication supported?  My last call to Cisco support a few weeks ago indicated it is not and is pending the release date of the Outlook 7.3 plugin.

If I switch to SAML authentication does this mean I have to create User accounts in my directory for external users or is it designed to work against multiple authentication profiles.  For example, if the user name matches a SAML authentication profile, it goes against our local users directory (for internal users), if it doesn't it goes against CRES directory (for external users).

Please check the account admin guide for SAML authentication details https://res.cisco.com/admin/CRES_Admin_Guide.pdf

SAML's supported, however only for opening envelopes in a browser and logging in to CRES, not currently in any of the plugins (including the upcoming 7.3).

SAML on CRES is based on domain name. When a user logs in, if they're in a domain that's associated with a CRES account set up for SAML, they'll authenticate with SAML. If a user logging in isn't in a domain associated with a CRES account using SAML (either because they're an external user not associated with any customer account on CRES, or they are associated with a customer account but not one set up for SAML), they'll authenticate on CRES using their CRES credentials.

A user can theoretically recover from being Suspended, as that's the state they get in when they can't answer their challenge questions. I'd have to check if they can recover if set in that state by an admin, howerver, it's kind of irrelevant because Locked is there precisely for this case. If an admin sets a user to Locked, the only way for the user to be able to log in or open messages is for an admin to set them back to Active.