Utah Architecture Review Single Sign-On

Slide 1: TA Review – Authentication and Single Sign-On Utah Department of Technology Services March 2008

Slide 2: Introduction The Utah Master Directory (UMD) and related SiteMinder architecture was designed in 2001. There is a need to validate current practices against best practice industry solutions with an objective of wider adoption of the Single Sign-On (SSO) and related directory and access control infrastructure.

Slide 3: Types of Single Sign-on

Slide 4: Identity Access Mgmt Ecosystem

Slide 5: Current Architecture • UMD Directory • SiteMinder • Credential Collector • AppProfile System • AppAdmin • JAAS Providers to Application Servers

Slide 6: User Adoption  Overall integration with existing applications inventory is less than 30%.  Application specific directory and authorization is used by 65.4% of all production applications.  Direct LDAP to agency directory information is utilized by 23.1% of production applications.

Slide 7: Successful Features of UMD • Integration with NDS to Synchronize LAN Passwords • Availability of UMD/SiteMinder Infrastructure • Identity Management • Simplified Maintenance of User Access Privileges • UMD Support Services

Slide 8: Obstacles that keep agencies from using UMD Services – Difficulty Using the UMD with New Applications: 22.7% – Difficulty Using the UMD with Existing Applications: 22.7% – Direct LDAP Access: 18.2% – Reliability and Scalability Concerns: 18.2% – Inadequate Documentation: 13.6% – Cost Concerns: 13.6% – Availability of UMD Web Services: 13.6% – Application Profile Management: 9.1% – SSO Security Concerns: 9.1% – Concerns with the Use of “Cookies”: 4.5%

Slide 9: Help Desk Call Data for Password Resets and UMD Related Inquiries 1st Q ‘07 2nd Q ‘07 3rd Q ‘07 4th Q ‘07 Jan ‘08 Feb ‘08 Network/LAN PW 485 587 693 740 251 245 Reset Mainframe PW 385 380 421 382 147 101 Reset UMD 484 618 594 624 264 242 PW Reset Total 1354 1585 1708 1746 662 588 Total Tickets 17,812 18,240 19,342 19,089 7,604 6,813 % PW Resets 7.6% 8.7% 8.8% 9.1% 8.7% 8.6% Industry Average is abt 30% - IT Security Journal

Slide 10: Best Practices • Application Coverage • User Access • Ease and Flexibility of Management Deployment • Single Sign-Off • Authentication • Enterprise Reliability Capabilities and Scalability • Shared Work • Legacy Application Environments Integration • Overall Security Objectives

Slide 11: Industry Reports Forrester Gartner

Slide 12: Extending Enterprise ID Across the Web

Slide 13: Federal E-Authentication The E-Authentication Solution created the US E- Authentication Identity Federation which allows Federation members to recognize and trust log-in IDs that are issued by other trusted Federation members. The trusted members that issue these log-in IDs may be other government agencies, academic institutions, or commercial entities, such as banks or other financial services institutions. There is opportunity for Utah to participate in this initiative by establishing the UMD as a trusted entity.

Slide 14: Recommendations • Position UMD Services as more than just a directory or SSO solution but as a comprehensive IAM solution. • Establish the UMD as a trusted identity source so State users can use UMD identity to access Federal applications and services as a trusted partner. • Add third party reporting software, such as eIQ, LogRhythm, etc., to facilitate audit tracking of who has access to directory enabled resources, and when they had access. • Improve the user interface for AppAdmin and AppProfile so they are easier to use by the development and application business management communities.  Provide capability for direct LDAP access by agencies within security model constraints.  Appoint a study group to review UI authentication and look at possible integration of their 36,857 directory subscribers with the UMD directory as a specialized container.