2. Agenda
• Overview:
– Currently the identity externalization trend is forcing enterprises to keep enabling point-to-point connections from the enterprise to cloud services and business partners
– We believe this is heading towards scalability issues, is complicating provisioning processes and AuthZ, and is causing persona collisions
• Goal:
– Understand the 2012 direction of the identity industry leaders and service providers, to help develop practical direction while longer-term solutions unfold
3. Issues
• Point-to-point federated identity and the cost and complexity of establishing connections
• Full life-cycle management for provisioning and de-provisioning user access to SaaS, and changing permissions within that lifecycle
• Synchronizing enterprise data between the enterprise and the SaaS
• Defining, distributing and executing policy consistently in the enterprise and in SaaS
• Second- to n-tier SaaS integration for federated identity, authorization, data synchronization and the provisioning life cycle
• Visibility and auditing for all tiers of SaaS for federated identity, authorization, data synchronization, provisioning life cycle and network access
• Collision of external and enterprise identity
4. Point-to-Point Federated Identity
• Each connection is bespoke
– Could we have some agreement on attribute sets?
– How do we enable SAML re-use with persistent identities (routable identity)?
– When does point-to-point tip over?
• Legal contracts differ, with no potential for reuse
– Could we have some standard Ts&Cs for identity exchange?
– Is there a standard model for dispute resolution?
• IdP connection configuration process is complex
– What scope is there for automation?
– How do we make the protocol meaningful to the business?
5. Full life-cycle management for provisioning and de-provisioning
• Every federation is different!
– Different APIs, CSVs, TDFs, Excel, spreadsheets, emails, pieces of paper, faxes, web pages …
• Three logical models
– JIT – implicit lifecycle, BUT don’t persist attributes in the service
– Sync – complicated technology and privacy
– Query – opening up LDAP to external queries, transactionally expensive
• Privacy of identity data synchronized across SaaS providers
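The JIT model on this slide, as an added sketch that is not from the deck: a service provider derives access from each assertion at login and persists only the persistent NameID to local-account mapping, never the attributes, so dropping a group at the IdP implicitly de-provisions the user on the next login. The issuer URL, group names, role map and the decoded-assertion dict are constructed assumptions.

```python
import time

# Constructed trust configuration (hypothetical issuer and group-to-role map).
TRUSTED_ISSUERS = {"https://idp.example.com/saml"}
GROUP_TO_ROLE = {"finance-staff": "viewer", "finance-admin": "admin"}
SESSION_TTL = 3600  # seconds; after this the user must re-assert via the IdP

class JitServiceProvider:
    def __init__(self):
        self.identities = {}  # persistent NameID -> local account id (the only persisted state)
        self.sessions = {}    # local account id -> (roles, expiry); ephemeral, never persisted

    def login(self, assertion, now=None):
        now = time.time() if now is None else now
        if assertion["issuer"] not in TRUSTED_ISSUERS:
            raise PermissionError("untrusted issuer")
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            raise PermissionError("assertion outside validity window")
        # First sight of this persistent NameID creates the local account just in time.
        local_id = self.identities.setdefault(assertion["name_id"], f"u{len(self.identities) + 1}")
        # Roles come only from this assertion; nothing from earlier logins is consulted.
        roles = frozenset(GROUP_TO_ROLE[g] for g in assertion.get("groups", ()) if g in GROUP_TO_ROLE)
        if not roles:
            self.sessions.pop(local_id, None)  # implicit de-provisioning
            raise PermissionError("no mapped group; access implicitly revoked")
        self.sessions[local_id] = (roles, now + SESSION_TTL)
        return local_id, roles

    def roles_for(self, local_id, now=None):
        now = time.time() if now is None else now
        roles, expiry = self.sessions.get(local_id, (frozenset(), 0))
        return roles if now < expiry else frozenset()  # expiry forces a fresh assertion

def demo():
    sp = JitServiceProvider()
    t0 = 1_700_000_000  # fixed clock for a reproducible run
    base = {"issuer": "https://idp.example.com/saml", "name_id": "pid-7f3a",
            "not_before": t0 - 60, "not_on_or_after": t0 + 300}  # constructed assertion
    uid, roles = sp.login({**base, "groups": ["finance-admin", "hr"]}, now=t0)
    try:  # the IdP later drops the group: next login finds no role
        sp.login({**base, "groups": ["hr"]}, now=t0 + 10)
        revoked = False
    except PermissionError:
        revoked = True
    return uid, roles, revoked, sp.roles_for(uid, now=t0 + 10), dict(sp.identities)
```

Note that `identities` holds no group or role data at any point, which is the "don't persist attributes in the service" caveat made concrete.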
6. Defining, distributing and executing policy in the enterprise and in a SaaS
• How do we enforce enterprise policy at a SaaS?
– XACML? Not interoperable in practice
– Agree XACML on a per-SaaS basis, see “Point-to-Point federated identity cost and complexity”
• Distributed policy management
– Each provider has its own PAP/PDP: some on premise, some expose an API, but most differ
7. Second- to n-tier SaaS integration for federated identity
• How do I enforce what services my SaaS uses?
• How do I enforce which users can use which service leveraged by the SaaS?
• What visibility do I have of services leveraged by SaaS providers?
• Who can consume data provided by services leveraged by my SaaS provider?
• Where did my data go?
8. Collision of external and enterprise identity
• Potential for personal identities to bypass the policies on enterprise identities on the same SaaS service
• Users can store enterprise data on personal SaaS service offerings
• Duplicating (convoluting) identity between point-to-point federations