Identity Federation for the Enterprise: Lessons Learned

Talk on Identity Federation: Lessons from the Trenches, presented at the EEMA conference, London, June 9th 2010. Zach Sachen and I share our experiences on implementing a full-fledged ID Federation solution.

  • Nalneesh opens with a self-introduction, then Zach introduces himself and covers the next slide.
  • Zach: Our client recently rolled out an Identity Federation (IdF) solution across their enterprise. While the IdF vision of outsourced Identity Management is real, success requires vision, perseverance, and disciplined execution. The major steps to realize success include an understanding across four areas: Users, Business Architecture (policy and process), Infrastructure, and Applications.
    • Developing an architecture that aligns with the corporate business and Information Security goals
    • Planning the rollout by carefully selecting and sequencing the applications that lend themselves to federation, both inside and outside the enterprise
    • Launching a pilot that tests both the technology and process implications of the solution
    In this talk we will share our experiences regarding building momentum, designing, and realizing Federated Identity. We will use our experience at large organizations (e.g. a federal government agency and a large pharmaceutical company) as a backdrop. We expect the audience to be able to apply these insights in their own environments.
    *** Important to let the audience know that this talk is not about the various protocols and technology standards such as SAML, WS-Federation, or Microsoft's roadmap. We did, however, leverage experts in our journey, and that knowledge is incredibly useful ***
  • Nalneesh: Talk about success measures when talking about benefits/promise.
    • Improved Compliance: Safe Harbor, PII, HIPAA, etc.
    • Improved Security: multiple options from identity providers, e.g. OTP with Blackberry/cell, SecurID, etc.
    • Improved Collaboration / User Experience: seamless access and authorization in the cloud; more up front, pays dividends in the long run
    • Better User Experience: faster, fewer clicks, self-service, eSignatures
    • Economies of Scale: Metcalfe's network law (the more that join, the more valuable it will be); volume discounts with providers; support model
    • Cost Savings: de/provisioning, resets, troubleshooting; reused credentials
  • Nalneesh: Describe the three scenarios and tie them to pain points and promise.
  • Nalneesh: Provide an overview of the four components and why the components were important to our constituents.
  • Nalneesh: Discuss architecture layers.
  • Nalneesh: Provide overview. You will notice alignment with the Delivery/Operations diagram Nalneesh covered. Policies, Standards and Guidelines drive the processes and technologies. For policies, be prepared to deal with how policies get defined (contracts, policies); the second key factor here is rationalizing conflicting policies. Process and technologies focus on how identities are provisioned and entitled, how policies are enforced on those identities, and the operational aspects of those identities. We list six process and technology areas that must be dealt with in the IdF solution. We introduce the top-down view late in the presentation to emphasize that the top-down view could lead you to believe that one must always start with policies. The reality, however, is different, as we cover in the implementation challenges described on the next slide.
  • Zach: Again, FID isn't a silver bullet, and although you will have the ability to federate, you still need to federate your applications in a strategic way, and one big part of that is understanding the effort involved with each application.
    Additional Application Considerations:
    • Policy/Regulation: data sensitivity (CFR 11, HIPAA, PII)
    • User characteristics: number, location, languages, usage frequency, roles
  • Zach: Notes
    • Who do I call now? (provisioning, authn, authz)
    • The identity provider's processes and policies
    • Setting expectations: training provided, self-service
    • Support mechanisms and integration of support (IdP, SP, PM, et al.)
    • Security approach: certificates, tokens, etc. vs. zero footprint
    • Number of touch points as a measure/metric of success
  • Zach:
    • Sponsorship: executive level
    • Marketing/Education: pithy elevator statements; execution teams ready?
    • Great Expectations: a pilot is a no-loss deal; agree on buffering
    • Execution: someone has to be Mr. Incredible; hiccups, resources
    ID Federation is expensive, but let's share with you what we would do differently; we should be prepared to share anecdotes here. As we know, flexibility lends itself to complexity, and without the right experts you won't realize the benefits and will have an even more uphill battle.
    • Assessment Phase: build momentum / start the conversation (why this? why now? benefits?); consider the audience and messaging, from executives to "day to day"; educate and involve others to create the initial vision (think big, start small)
    • Planning Phase: use pilots to build/maintain momentum; consider partner (IdP, SP, et al.) needs and availability; don't repeat mistakes, leverage your network; set realistic expectations aligned with culture (scope, schedule, budget, returns); consider alignment with existing initiatives
    • Execution Phase: conduct a pre-execution readiness test (budgets and people in place?); communicate frequently (is it real?); provide perspective (failure isn't always a "bad thing"); have a plan B (what if...)
    • ID Federation benefits can be measured from both a user and a business perspective
    • Understand the investment philosophy and approach up front
    • Use experiments / pilots to learn and mitigate risk
    • Do your homework: understand your industry and vendors
    • Sign up champions and market ID Federation as a business enabler
    • Persevere to succeed!
  • Zach: Leave the audience with some thought-provoking questions and open the call for questions.

Presentation Transcript

  • Identity Federation: Lessons From the Trenches
    Nalneesh Gaur
    Principal and Chief Security Architect
    Mobile – 214 649 1261
    Zach Sachen
    Mobile – 541 782 8463
    Jun 9th | 13:45 – 14:15
  • Our Journey
    What problem did we solve?
    How did we do it?
    What did we learn?
    What did we do?
  • Pain and Promise
    What problem did we solve?
    Pain:
    • Lengthy Provisioning Process
    • Repetitive, Redundant, Different
    • "Slow Trust"
    • Collaboration / "User" Growth
    • Cumbersome Authorization
    • Cost
    Promise:
    • Improved User Experience
    • Faster Secured Collaboration
    • Fewer IDs
    • Additional Security Options
    • "Built-in" Compliance
    • Economies of Scale
  • Context
    What did we do?
    Internally Managed Application
    External User
    Internal User
    Externally Managed Application
  • Federated ID Solution Components
    How did we do it?
    While additional components are conceivable, these four components are fundamental to every ID Federation solution.
  • Architecture
    How did we do it?
    Architecture is influenced by:
    Trust Relationships
  • Process and Policy
    How did we do it?
    Policy, Standards and Guidelines
    Process & Technology
    Self Service
    Architecture Review
    Provisioning & Entitlement
  • Applications
    How did we do it?
    Classification Framework
    Many factors determine the effort to federate an application; we have found two major factors:
    1) native federation support
    2) level of customization
    Effort to federate, by federation support (rows) and level of customization (columns, from more to less customized):

    Federation Support               Level of Customization
                                     More customized       Less customized
    Non-Native (e.g. local authn.)   High Effort           Medium Effort
    Native (e.g. SAML)               Low/Medium Effort     Low Effort

    1 – There are technologies which can deliver "virtual federation" in a relatively easy manner – e.g. Citrix and Microsoft product combinations
  • User Experience
    How did we do it?
    Setting the Vision
    Setting Expectations
    Solution Support
  • Success Notes and Lessons Learned
    The Results!
    What did we learn?
    • Pilot Value
    • Marketing/Education
    • Great Expectations
    • Execution Challenges
    • Journey Implications
    Source: Disney Pictures – “The Incredibles – Rise of the Underminer”
  • Thank You
    • Should the first wave of ID Federation be internally or externally focused?
    • How to position Identity Federation as a catalyst for strong authentication?
    • Should business leverage ID Federation as the spring board to get on the social media bandwagon?