A session at IIW 13, Tue, Oct 18, 2011 by Daniel Headrick, Nathan Sowatskey, Dave Jones.

1. Issues with Externalized Identity
An Internet Identity Workshop session proposed by
GE and Cisco

2. Agenda
• Overview:
– Currently the identity externalization trend is forcing
enterprises to continue enabling point-to-point
connections from enterprise to cloud / business
partner
– We believe this may be headed towards scalability
issues and is complicating provisioning
processes, AuthZ and persona collisions
• Goal:
– Understand 2012 direction from the identity industry
leaders and service providers to help develop practical
direction while longer term solutions unfold

3. Issues
• Point-to-Point federated identity and the cost and complexity of
establishing connections
• Full life-cycle management for provisioning and de-provisioning
user access to SaaS, and changing permissions within that lifecycle
• Synchronizing enterprise data between the enterprise and the SaaS
• Defining, distributing and executing policy consistently in the
enterprise and in SaaS
• Second to n tier SaaS integration for federated identity,
authorization, data synchronization and provisioning life cycle
• Visibility and auditing for all tiers of SaaS for federated identity,
authorization, data synchronization, provisioning life cycle and
network access
• Collision of external and enterprise identity

4. Point-to-Point Federated Identity
• Each connection is bespoke
– Could we have some agreement on attribute sets?
– How do we enable SAML re-use with persistent identities
(routable identity)
– When does point-to-point tip over?
• Legal contracts differ without potential for reuse
– Could we have some standard Ts&Cs for identity
exchange?
– Is there a standard model for dispute resolution?
• IdP connection configuration process is complex
– What scope is there for automation?
– How do we make the protocol meaningful to the business?

5. Full life-cycle management for
provisioning and de-provisioning
• Every federation is different!
– Different APIs, CSVs, TDFs, Excel, spreadsheets, emails,
pieces of paper, faxes, web pages …
• Three logical models
– JIT – implicit lifecycle, BUT don’t persist attributes in
service
– Sync – complicated technology and privacy
– Query – Opening up LDAP to external queries,
transactionally expensive
• Privacy of identity data synchronized across SaaS
providers

6. Defining, distributing and executing
policy in the enterprise and in a SaaS
• How do we enforce enterprise policy at SaaS
– XACML? Not interoperable in practice
– Agree XACML on a per SaaS basis, see “Point-to-
Point federated identity cost and complexity”
• Distributed Policy Management
– Each provider has their own PAP/PDP, some on
premise, some allows API but most different

7. Second to n tier SaaS integration for
federated identity
• How do I enforce what services my SaaS uses?
• How do I enforce which users can use which
SaaS leveraged service?
• What visibility do I have of services leveraged
by SaaS providers?
• Who can consume data provided by services
leveraged by my SaaS provider?
• Where did my data go?

8. Collision of external and enterprise
identity
• Potential for personal identities to bypass
policies on enterprise Identities on the same
SaaS service
• Users can store enterprise data on personal
SaaS service offerings
• Duplicating (convoluting) identity between
point-to-point federations