CIS14: Creating a Federated Identity Service for ABAC and Web Access Management
Matt Tatro, Denise Lores, Wade Ellery
Radiant Logic
How to create a federated identity service that will build a bridge from the old world of groups to the new world of ABAC, improving your authorizations and Web Access Management.

Published in: Technology
Transcript

  • 1. Creating a Federated Identity Service for ABAC and Web Access Management. Wade Ellery, Western Region Director of Sales; Denise Lores, Senior Architect.
  • 2. The Four Pillars of Identity Services: Audit, Role & Compliance; Access Management; Identity Management; Identity Data Services.
    Benefits listed: Enhanced user experience; Improved management of security risks; Efficient development/deployment of applications; Reusable integration; HIPAA, SOX compliance; Common access logs; Improved accountability; Common reporting; Reduced administrative tasks; Reduced help desk calls; Improved process efficiency; Central user information; Reduced administrative tasks; Reduced help desk calls; Improved security; Accountability; Cost savings.
    Components listed: User Self-Service & Password Management; Virtual Directory; Web Access Management/SSO; Centralized Audit; Delegated Administration; Synchronization/Replication; Federated Identity Management/SSO; Logging and Monitoring; Automated Approvals and Workflows; Meta Directory; Authentication & Authorization; Access Certification; Enterprise Role Definition; Directory Storage; Standard APIs; Reporting.
  • 3. RadiantOne: Your Foundation to a Complete Identity Service. (Diagram sources: HR Databases, Applications Databases, LDAP Directories, Cloud Apps.)
  • 4. IDM Supporting Multiple Repositories is Costly: Traditional IDM Attempted to Mitigate. (Diagram: IDM, Existing Identity Infrastructure, Legacy Applications.)
  • 5. New Applications and Customers Increase Complexity, Support, and Risk. (Diagram: IDM, Existing Identity Infrastructure, Legacy Applications, SaaS/Cloud/BYOD/Partner Apps.)
  • 6. RadiantOne: The Identity Hub. (Diagram: RadiantOne, The Identity Hub; Existing Identity Infrastructure; IDM; Legacy Applications; SaaS/Cloud/BYOD/Partner Apps.)
  • 7. Federated Identity Service: Able to Sunset Identity Stores. (Diagram: Federated Identity Service; Existing Identity Infrastructure; IDM; Legacy Applications; SaaS/Cloud/BYOD/Partner Apps.)
  • 8. Identity as a Service through Virtualization: The Key to Solving the Identity Integration Challenge.
    Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos.
    Aggregation, correlation, transformation, and normalization of the user identity provide the ability to serve that identity to applications in the format they expect.
    (Diagram: layers Aggregation, Correlation, Integration, Virtualization; sources Population A, Population B, Population C, Groups, Roles, LDAP, SQL, Web Services/SOA; consumers App A through App F; Contexts, Services, SCIM, REST.)
  • 9. More Identities, Better Scope—the Secret to Boosting Your Ping federation IdP Deployment
  • 10. Where do the Attributes Come From? Existing Data Sources! If you have those attributes somewhere already, instead of having static assignment, group memberships can be data-driven.
    (Diagram labels: Administrator, Standard User, Manager; Sales, Marketing, Product Management; People ID/identifiers; Product 1, Product 2, Product 3; Web Content, Lead Generation, Direct Sales, Indirect Sales; Groups, Roles, Departments, Divisions, Location.)
  • 11. RadiantOne Methodology Leveraging Existing Contexts to Build User Profiles
  • 12. RadiantOne Methodology Joining across Data Silos Links Identities to Context
  • 13. RadiantOne Integration Layer and Cache/Storage Layer. RadiantOne is made of two main parts: an integration layer based on virtualization, and a storage layer (Persistent Cache): LDAP (up to v6.2), HDAP (based on big data technologies, v7.0).
    (Diagram: Integration Layer; Integration Layer + Storage (Persistent Cache); HDAP Storage (Persistent Cache).)
  • 14. Normalizing Attributes Across Sources to Support Policy Authoring and Policy Decision Point. Sources: HR Database, LDAP Directory, Active Directory.
    Source attribute values shown (three records for the same person): employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@setree1.com, departmentNumber=234, title=Sales, VP; uid=AFuller, title=Vice Pres. Sales, givenName=Andrew, sn=Fuller, departmentNumber=234; EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234.
    Correlated Identity Virtual View: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@setree1.com, uid=AFuller, nTitle=VP Sales, ClearanceLevel=1, Region=PA, memberOf=Sales, nDepartment=Sales.
    Dynamic Groups Virtual View (ComputedAttribute): cn=Sales, objectClass=group, member=Andrew_Fuller, based on identities that have ClearanceLevel=1, nTitle=VP Sales, Region=PA.
    Federated Identity Attribute Server, Normalized Attribute Values: nDepartment: Accounting, Administration, Business Development, Distribution, Marketing, Production, Research, Sales, Shipping; nTitle: CEO, CIO, CISO, VP Sales, VP Marketing, …
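A worked illustration of the correlation and normalization described on slide 14, written for this page and not Radiant Logic's code: three constructed records for one person are joined on an assumed correlation key, the differing raw titles are mapped onto the slide's nTitle values, and the Sales dynamic group is computed from ClearanceLevel, nTitle and Region. The join keys, value maps and conflict handling are assumptions.

```python
# Correlate three constructed records (AD, LDAP, HR) into one normalized virtual-view
# entry and derive the slide's dynamic Sales group. Join keys and value maps are assumed.

# Constructed source records, modelled on the slide's Andrew Fuller example.
AD = [{"samAccountName": "Andrew_Fuller", "employeeNumber": "2", "departmentNumber": "234",
       "mail": "andrew_fuller@setree1.com", "title": "Sales, VP"}]
LDAP = [{"uid": "AFuller", "givenName": "Andrew", "sn": "Fuller",
         "departmentNumber": "234", "title": "Vice Pres. Sales"}]
HR = [{"EmployeeID": "509-34-5855", "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234",
       "ClearanceLevel": "1", "Region": "PA"}]

# Assumed value maps: raw title spellings -> nTitle, department number -> nDepartment.
TITLE_MAP = {"sales, vp": "VP Sales", "vice pres. sales": "VP Sales", "vp sales": "VP Sales"}
DEPT_MAP = {"234": "Sales"}

# Assumed correlation rule: every silo yields the same key for the same person.
def ad_key(r): return r["samAccountName"].lower()
def ldap_key(r): return f'{r["givenName"]}_{r["sn"]}'.lower()
def hr_key(r): return r["UserID"].removeprefix("EMP_").lower()

def correlate(ad, ldap, hr):
    """Join across silos on the key, keeping every distinct value (no silent overwrite)."""
    joined = {}
    for rows, key in ((ad, ad_key), (ldap, ldap_key), (hr, hr_key)):
        for r in rows:
            prof = joined.setdefault(key(r), {})
            for attr, val in r.items():
                prof.setdefault(attr, set()).add(val)
    return joined

def normalize(profile):
    """Virtual-view entry: source attributes plus normalized nTitle and nDepartment."""
    out = {a: sorted(v)[0] if len(v) == 1 else sorted(v) for a, v in profile.items()}
    ntitles = {TITLE_MAP.get(t.lower(), t) for t in profile.get("title", ())}
    if len(ntitles) != 1:  # silos still disagree after normalization: flag, don't guess
        raise ValueError(f"unresolved title conflict: {sorted(ntitles)}")
    out["nTitle"] = ntitles.pop()
    out["nDepartment"] = DEPT_MAP.get(next(iter(profile.get("departmentNumber", {""}))))
    return out

# Dynamic group from the slide: membership is computed from attributes, not assigned.
DYNAMIC_GROUPS = {"Sales": lambda p: p.get("ClearanceLevel") == "1"
                  and p.get("nTitle") == "VP Sales" and p.get("Region") == "PA"}

def virtual_view():
    profiles = [normalize(p) for p in correlate(AD, LDAP, HR).values()]
    for p in profiles:
        p["memberOf"] = [g for g, rule in DYNAMIC_GROUPS.items() if rule(p)]
    return profiles
```

Conflicting raw values that do not normalize to a single nTitle raise instead of being silently resolved, so a policy decision point never evaluates an attribute the silos disagree on.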
  • 15. RadiantOne as Single Identity Source. (Diagram: Access Management Portal, ODSEE, AD, IDM, Oracle DB, SAP ERP, SaaS.)
    Consuming applications: Enterprise App A (MemberOf = Sales); Enterprise App B (MemberOf = Finc); Claims Enabled App C (Security = High); Claims SaaS App D (Security = Low).
    Oracle DB profile: User = LCallahan, Co = Sutton Ryan, MemberOf = Sales.
    AD profile: saMAccountName = JSmythe, MemberOf=Sales. John’s AD Profile: User = JSmythe, MemberOf = IT, Finc.
    IDM profile: User = JSmythe, GUID = 23185798306=4; User = LCallahan, GUID = 39583201202=3.
    SAP ERP profiles: John_Smythe = High; Laura_Callahan = Low.
    Profiles: Name= Laura_Callahan, Co = Sutton Ryan, MemberOf = Sales, Security = Low; saMAccountName = JSmythe, Name = John_Smythe, MemberOf = IT, Finc, Security = High; saMAccountName = JSeed, Name = Jill_Seed, MemberOf = Sales.
    SaaS profiles: Name= Laura_Callahan, Co = Sutton Ryan, Security = Low, MemberOf = Sales; Name = John_Seed, MemberOf = IT, Finc, Security = High.
  • 16. RadiantOne as Single Identity Source for IDaaS and Portal. (Diagram: Portal, IDaaS, NorAm AD, EMEA AD, SAP ERP, Sync with VDS.)
    Customer App profiles: User = LCallahan, Co = Sutton Ryan, MemberOf = Sales.
    Consuming applications: Enterprise App A (MemberOf = Sales); Enterprise App B (MemberOf = Finc); Claims Enabled App C (Security = High); Claims SaaS App D (Security = Low).
    Profiles: Name= Laura_Callahan, Co = Sutton Ryan, MemberOf = Sales, Security = Low; saMAccountName = JSeed, Name = John_Seed, MemberOf = IT, Finc, Security = High; saMAccountName = Jsmythe, Name = Jill_Smythe, MemberOf = Sales.
    IDaaS profiles: Name= Laura_Callahan, Co = Sutton Ryan, Security = Low, MemberOf = Sales; Name = John_Seed, MemberOf = IT, Finc, Security = High.
    John’s AD Profile: saMAccountName = JSeed, MemberOf = IT, Finc. SAP ERP profiles: John_Seed = High; Laura_Callahan = Low. Jill AD Profile (EMEA AD): saMAccountName = JSmythe, MemberOf=Sales.
  • 17. Why RadiantOne: Portals, Content Management, Collaboration; Federated Access - SaaS/Cloud Apps/Claims; Web SSO – Access Management; Partner/Vendor/Customer IAM; Fine Grained Authorization (ABAC, XACML); Mergers, Acquisitions, Divestitures, Reorgs; Directory Re-architecture, Replacement, Decommission; Active Directory Consolidation and Partitioning.
    (Slide footer: Confidential and proprietary materials for authorized Radiant Logic personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.)