Deploying an Identity Provider in a Complex, Federated and Siloed World
PING Conference - July 2013
CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World
This session will offer practical solutions for managing the identity lifecycle in a federated, distributed and cloud-based system. Based on real-life deployments, you will learn how to solve problems beyond protocols and access, using tools like identity mapping, identity synchronization and attribute look-up. You’ll also get a perspective on technology that could change the way identity is managed—and stored—altogether.
Slide 1: Deploying an Identity Provider in a Complex, Federated and Siloed World (PING Conference, July 2013)

Slide 2: Talking Points
• Challenges you will face:
  • How to accommodate new requirements
  • Problems you can encounter and why
  • Authentication
  • Authorization
• Approach to solving these challenges: a federated identity service
  • Identity Hub storage
  • Aggregation
  • Mapping
  • Correlation
  • Join
  • Caching
• Leveraging the federated identity service not just for cloud apps, but for legacy apps as well.
Slide 3: The Challenges

Slide 4: Authentication and Federation: The Cloud and Web Apps Imperative
• SAML
• OpenID Connect
• OAuth 2.0

Slide 5: The Current Security Conundrum
• Security means: SAML, OAuth, OpenID
• Identity infrastructure
• A complete federation solution requires federating both access and identities.

Slide 6: The Directory: Original Model for Security
• Any security system based on identity is composed of two parts:
  • A registry of identity information
  • The security means (which is supported by the identity information): Kerberos, SASL, SSL

Slide 7: Current Infrastructure: Multiple Doors and Locks
• Diagram: AD, Sun, RACF, LDAP, HR, Role DB

Slide 8: The Challenge of a Fragmented Distributed Identity System
• Diagram: Existing identity infrastructure; Legacy applications; SaaS/Cloud/BYOD/Partner apps
Slide 9: The Challenges
• For many initiatives, such as federation and portal security, you need:
  1. One global reference identity source for authenticating users.
  2. To support authorization, that one identity source should contain the richest profile possible for each identity.
• But you cannot afford to just create another green-field directory because:
  1. It would be a huge effort to populate it.
  2. The information already exists in other silos.
• You need one central access point, but you don't want to start over from scratch.

Slide 10: Identity Provider Challenges

Slide 11: Authentication Challenges – The Details
Goal: Enable Authentication and SSO Across Multiple Sources
1. The first step is identification, or finding the user entry that needs to be authenticated. But:
  • Identities are spread across multiple data sources, such as multiple AD domains/forests.
  • Identities are described differently in each source, such as "uid" vs. "sAMAccountName" vs. "LOGIN".
2. The second step is credential checking. Each source supports its own authentication mechanism:
  • Different password storage formats (hashing or encryption) and schema elements (userPassword vs. unicodePwd, etc.).
  • Existing internal (employee) user IDs and passwords in Active Directory.
  • External user credentials may be stored elsewhere (SunOne, Oracle, etc.).

Slide 12: Authorization Challenges – The Details
Goal: Attribute-Based or Groups-Based Authorization
1. Profile information exists in multiple data sources.
2. Data sources have their own schema elements (object classes and attributes):
  • group/member (AD)
  • groupOfUniqueNames/uniqueMember (Sun)
3. Inflexible group definitions:
  • Static (hard-coded) group members
  • Reliance on client application logic to build the member list via an extra search (based on the memberURL attribute)

Slide 13: User Identification Challenges
• Same person, different identifiers
• Different people, same identifiers

Slide 14: Identification Challenges of SSO
• Active Directory: employeeNumber=E562098000Z, sAMAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@radiant.com, departmentNumber=234
• LDAP Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234, employeeID=562_09_8000
• Application views: Name=Andrew_Fuller, ID: andrew_fuller@setree1.com; login=AFuller, ID=562_09_8000
• Salesforce knows Andrew by an ID of andrew_fuller@radiant.com
• SharePoint knows Andrew by an ID of AFuller

Slide 15: Attribute-Driven Authorization Challenges
• LDAP Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234; group cn=Regional Sales, objectClass=groupOfUniqueNames, uniqueMember=uid=afuller,ou=people,o=sun
• Active Directory: employeeNumber=2, sAMAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@setree1.com, departmentNumber=234, memberOf=cn=AllUsers,ou=Groups,dc=ad
• HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234
• Is this the same person? If so, what groups is he a member of? If so, how can I get a global profile when there is no single common identifier?
Slide 16: Solving Challenges

Slide 17: A Federated Identity Service
• Diagram: Existing identity infrastructure; Legacy applications; SaaS/Cloud/BYOD/Partner apps

Slide 18: Identity Integration
• Diagram: Accounting, Marketing, Support, Business Development, Call Center, Fulfillment, Order Mgmt., Sales, HR

Slide 19: Federated Identity Service: The High-Level Components
• The "Identity Hub", supported by identity and context virtualization
• The "storage" is a directory (for speed and scalability)
• The "services" are metadata extraction, view design, mapping, correlation, join, synchronization (persistent cache with auto-refresh)

Slide 20: Identity and Context Virtualization Process

Slide 21: Identity Integration (Aggregation and Correlation)

Slide 22: Identity Correlation Example: Creating a UNION Set
• Union requires some kind of criteria, one or more attributes, to detect and correlate the same users across systems. This is the common, global identifier.
• A match based on this attribute (or attributes) allows us to remove duplicates.
• The result is a "union compatible" operation, where every user is represented exactly once, and only once, in the virtualized global list.

System A
  emplogin     firstname  lastname
  smatthews    Sarah      Matthews
  lanalandry   Lana       Landry

System B
  employeeID   givenName  sn        title
  llandry      Lana       Landry    Writer
  smatthews    Steve      Matthews  Janitor

System C
  LOGIN        firstname  lastname  role         group      homephone
  llandry      Lana       Landry    Tech Writer  Marketing  4152096800
  smatthews    Sarah      Matthews  CEO          Admin      4152096802

Global List (Union)
  firstname  lastname
  Sarah      Matthews
  Lana       Landry
  Steve      Matthews
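The union on slide 22 is worth running, because the slide's own data contains both failure modes from slide 13: "smatthews" is Sarah in Systems A and C but Steve in System B (different people, same identifier), and Lana is "lanalandry" in A but "llandry" in B and C (same person, different identifiers). The following Python is an added example written for this page, not the vendor's product code; the common attribute names (login, givenName, sn, title, group, homePhone) are my mapping choices, and the three tables are transcribed from the slide as constructed sample data.

```python
"""Identity correlation as a UNION over three silos: detect 'different people,
same identifier' instead of silently merging them (added example)."""
from collections import defaultdict

# Constructed sample data transcribed from the slide's three system tables.
SYSTEMS = {
    "System A": [  # emplogin, firstname, lastname
        {"emplogin": "smatthews", "firstname": "Sarah", "lastname": "Matthews"},
        {"emplogin": "lanalandry", "firstname": "Lana", "lastname": "Landry"},
    ],
    "System B": [  # employeeID, givenName, sn, title
        {"employeeID": "llandry", "givenName": "Lana", "sn": "Landry", "title": "Writer"},
        {"employeeID": "smatthews", "givenName": "Steve", "sn": "Matthews", "title": "Janitor"},
    ],
    "System C": [  # LOGIN, firstname, lastname, role, group, homephone
        {"LOGIN": "llandry", "firstname": "Lana", "lastname": "Landry",
         "role": "Tech Writer", "group": "Marketing", "homephone": "4152096800"},
        {"LOGIN": "smatthews", "firstname": "Sarah", "lastname": "Matthews",
         "role": "CEO", "group": "Admin", "homephone": "4152096802"},
    ],
}

# Object/attribute mapping: each silo's schema onto one common schema.
# The common attribute names here are an assumption (my choice), not the slide's.
MAPPINGS = {
    "System A": {"emplogin": "login", "firstname": "givenName", "lastname": "sn"},
    "System B": {"employeeID": "login", "givenName": "givenName", "sn": "sn", "title": "title"},
    "System C": {"LOGIN": "login", "firstname": "givenName", "lastname": "sn",
                 "role": "title", "group": "group", "homephone": "homePhone"},
}


def normalize(system, entry):
    """Rename a raw entry's attributes into the common schema."""
    return {MAPPINGS[system][k]: v for k, v in entry.items() if k in MAPPINGS[system]}


def union(correlation_attrs):
    """Merge all silos into one global list keyed on the correlation attribute(s).
    For each key we keep every value seen per attribute plus the contributing systems,
    so disagreements are visible rather than overwritten."""
    merged = {}
    for system, entries in SYSTEMS.items():
        for raw in entries:
            e = normalize(system, raw)
            key = tuple(e[a].lower() for a in correlation_attrs)
            g = merged.setdefault(key, {"systems": [], "values": defaultdict(set)})
            g["systems"].append(system)
            for attr, val in e.items():
                g["values"][attr].add(val)
    return merged


def conflicts(merged, identity_attrs=("givenName", "sn")):
    """Keys under which the merged records disagree on who the person is:
    the 'different people, same identifier' case from slide 13."""
    return {key for key, g in merged.items()
            if any(len(g["values"][a]) > 1 for a in identity_attrs)}


def global_list(correlation_attrs):
    """The union-compatible result: each person once, with the systems they came from.
    Refuses to produce a list that merged two different people."""
    merged = union(correlation_attrs)
    bad = conflicts(merged)
    if bad:
        raise ValueError(f"ambiguous correlation on {correlation_attrs}: {sorted(bad)}")
    return sorted(
        (" ".join(next(iter(g["values"][a])) for a in ("givenName", "sn")), tuple(g["systems"]))
        for g in merged.values()
    )


if __name__ == "__main__":
    print(conflicts(union(("login",))))  # Sarah and Steve collide on 'smatthews'
    for name, systems in global_list(("givenName", "sn")):
        print(f"{name:16} <- {', '.join(systems)}")
```

Correlating on login alone still yields three keys, but the wrong three: Lana appears twice (lanalandry and llandry) and Sarah and Steve are merged under smatthews; `conflicts()` catches the second problem, which is the dangerous one because it hands one person's groups to another. Correlating on givenName and sn reproduces the slide's global list of three people. In a real deployment neither key is good enough on its own (two John Smiths collide just as badly), which is why the slide asks for a common global identifier such as an employee number, and why the hub should refuse, not guess, when the correlation is ambiguous.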
Slide 23: Identity Views Delivered in the Format and Content Expected by Applications

Slide 24: Solving Authentication Challenges
How does a Federated Identity Service help solve authentication challenges?

  Step                 Challenge                                                  Can be solved by
  Identification       Identities spread across multiple sources                  Integrating users from multiple sources
  Identification       Identities described differently in each source            Object and attribute mapping to provide a common schema
  Credential checking  Different password storage formats and schema elements     Providing a single form of authentication to the application, with the flexibility to delegate credential checking to the backend or to customize some other validation mechanism

Slide 25: Solving Authorization Challenges
How does a Federated Identity Service help solve authorization challenges?

  Type             Challenge                                                                  Can be solved by
  Attribute-based  Profile attributes spread across multiple sources                          Integrating users from multiple sources in order to build a global profile
  Groups-based     Existing groups and potential group members spread across multiple silos  Offering flexible group definitions: aggregate/map existing groups; build new group definitions with dynamic members

Slide 26: Example: Identity Correlation and Profile Creation
• Active Directory: employeeNumber=2, sAMAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@setree1.com
• LDAP Directory: uid=AFuller, title=VP Sales
• HR Database: ClearanceLevel=1, Region=PA
• Correlated Identity View: employeeNumber=2, sAMAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@setree1.com, departmentNumber=234, uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234

Slide 27: Example: Dynamic Group Creation and Profile Extension
• Dynamic Groups View: cn=Sales, objectClass=group, member=Andrew_Fuller
  • Based on identities that have: ClearanceLevel=1, title=VP Sales, Region=PA
• Correlated Identity View, extended with a computed attribute (memberOf) based on a lookup in the dynamic groups view: employeeNumber=2, sAMAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@setree1.com, uid=AFuller, title=VP Sales, ClearanceLevel=1, Region=PA, memberOf=cn=Sales
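Slides 24 through 27 describe one pipeline: correlate the silos into a global profile, evaluate group rules against that profile, compute memberOf, resolve whatever identifier an application presents, and delegate the password check to the silo that owns it. The Python below is an added example written for this page (not the vendor's product code) that runs that pipeline end to end on the slide's Andrew Fuller data; it also produces the "which data sources does this person have an account in?" report from the Compliance slide, and the delegation decision is the routing step behind the PAM use case. Everything beyond the slide is an assumption and is marked as such in the code: the correlation rule (sAMAccountName, givenName_sn, and UserID without its EMP_ prefix all normalize to one key), Alice Lee as a second identity present only in AD and HR, Active Directory as the only silo authoritative for passwords, and the shape of its bind DNs. The actual LDAP bind is outside the example. It needs Python 3.9 or later for `str.removeprefix`.

```python
"""Correlated identity view with provenance, a rule-driven dynamic group, a computed
memberOf, identifier resolution, and routing of credential checks to the authoritative
silo (added example; see lead-in for what is assumed)."""

# Constructed sample data. Andrew Fuller is transcribed from the slide; Alice Lee is an
# ASSUMED second identity (names from the address-list slide) that exists only in AD and
# HR, so the group rule and the account report have a negative case.
# ASSUMPTIONS not stated on the slides: the correlation key per silo, that only AD checks
# credentials, and the bind DN shape.
SOURCES = {
    "Active Directory": {
        "entries": [
            {"employeeNumber": "2", "sAMAccountName": "Andrew_Fuller", "objectClass": "user",
             "mail": "andrew_fuller@setree1.com", "departmentNumber": "234"},
            {"employeeNumber": "9", "sAMAccountName": "Alice_Lee", "objectClass": "user",
             "mail": "alee@mycompany.com", "departmentNumber": "234"},
        ],
        "key": lambda e: e["sAMAccountName"].lower(),
        "checks_credentials": True,   # assumption: AD holds the passwords
        "bind_dn": lambda e: f"cn={e['sAMAccountName']},ou=Users,dc=ad",  # assumed shape
    },
    "LDAP Directory": {
        "entries": [{"uid": "AFuller", "givenName": "Andrew", "sn": "Fuller",
                     "title": "VP Sales", "departmentNumber": "234"}],
        "key": lambda e: f"{e['givenName']}_{e['sn']}".lower(),
        "checks_credentials": False,
    },
    "HR Database": {
        "entries": [
            {"EmployeeID": "509-34-5855", "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234",
             "ClearanceLevel": "1", "Region": "PA"},
            {"EmployeeID": "509-34-5856", "UserID": "EMP_Alice_Lee", "DeptID": "Sales234",
             "ClearanceLevel": "1", "Region": "PA"},
        ],
        "key": lambda e: e["UserID"].removeprefix("EMP_").lower(),
        "checks_credentials": False,
    },
}

# Slide 27's rule: identities with these attribute values are members of cn=Sales.
DYNAMIC_GROUPS = {
    "cn=Sales,ou=Groups,dc=hub": {"ClearanceLevel": "1", "title": "VP Sales", "Region": "PA"},
}

# Attributes an application may present to identify a user (slide 14: Salesforce and
# SharePoint each know Andrew by a different ID). Only these are searched, never
# arbitrary attributes like departmentNumber.
IDENTIFIER_ATTRS = ("mail", "uid", "sAMAccountName", "UserID", "EmployeeID", "employeeNumber")


def correlated_view():
    """Join every silo on its correlation key. The first silo to supply an attribute wins;
    'provenance' records which silo that was, which the compliance report needs."""
    view = {}
    for name, src in SOURCES.items():
        for e in src["entries"]:
            entry = view.setdefault(src["key"](e), {"attrs": {}, "provenance": {}, "sources": []})
            entry["sources"].append(name)
            for attr, val in e.items():
                entry["attrs"].setdefault(attr, val)
                entry["provenance"].setdefault(attr, name)
    return view


def dynamic_groups(view):
    """Evaluate each group rule against the global profile, not against any single silo
    (title lives in LDAP, ClearanceLevel and Region in HR)."""
    return {dn: sorted(k for k, e in view.items()
                       if all(e["attrs"].get(a) == v for a, v in rule.items()))
            for dn, rule in DYNAMIC_GROUPS.items()}


def with_member_of(view):
    """Computed memberOf: a lookup in the dynamic-groups view, as on slide 27."""
    groups = dynamic_groups(view)
    for key, e in view.items():
        e["attrs"]["memberOf"] = [dn for dn, members in groups.items() if key in members]
    return view


def identify(view, identifier):
    """Identification step: map whatever identifier the app presents to exactly one global
    entry. Zero or several candidates is an error, never a guess."""
    wanted = identifier.lower()
    hits = [k for k, e in view.items()
            if any(str(e["attrs"].get(a, "")).lower() == wanted for a in IDENTIFIER_ATTRS)]
    if len(hits) != 1:
        raise LookupError(f"{identifier!r} resolves to {len(hits)} entries")
    return hits[0]


def credential_backend(view, identifier):
    """Credential-checking step: name the silo that must verify the password and the DN to
    bind as there. The hub delegates the check; it does not copy or re-hash passwords."""
    key = identify(view, identifier)
    for name in view[key]["sources"]:
        src = SOURCES[name]
        if src["checks_credentials"]:
            raw = next(e for e in src["entries"] if src["key"](e) == key)
            return name, src["bind_dn"](raw)
    raise LookupError(f"no authoritative credential store for {key}")


def account_report(view):
    """Compliance slide: which data sources does each person have an account in?"""
    return {k: list(e["sources"]) for k, e in view.items()}


if __name__ == "__main__":
    v = with_member_of(correlated_view())
    print(dynamic_groups(v))
    print(credential_backend(v, "AFuller"))
    print(account_report(v))
```

Two design points matter for security. First, `identify()` refuses ambiguity: if an identifier presented by an application matches two global entries, the hub must fail closed rather than pick one, because the credential check that follows would otherwise be run against the wrong person's account. Second, the hub never stores or compares the password itself; it only decides which backend is authoritative and binds there, so the different storage formats from slide 11 (userPassword vs. unicodePwd) stay the backend's concern.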
Slide 28: Example: Dynamic Group Creation

Slide 29: Addressing Performance Challenges
• No cache: Sources → View Definitions → Run Time View
• Memory cache: Sources → View Definitions → Memory Cache
• Persistent (disk-based) cache: Sources → View Definitions → P. CACHE → Materialized View

Slide 30: Introduction to Common Use Cases

Slide 31: Support for Authentication and as an Attribute Server
Slide 32: Use Case: PAM Authentication: Credentials Checking Delegated to Backend
• UNIX/Linux clients send an authentication request to the VDS
• Re-use existing users and credentials!
• Credential checking is forwarded to the authoritative source: AD Domain 1, AD Domain 2, or Sun

Slide 33: Use Case: PAM Authentication: Storing PAM-Specific Attribute Extension in VDS
• Base profile (AD Domain 1): sAMAccountName=jsmith, sn=Smith, givenName=John, title=operations manager
• Extended attributes: uidNumber=100, gidNumber=108, gecos=Andrew Fuller, loginshell=/bin/zsh, homedirectory=/home/afuller, shadowLastChange=10877, …
• These extended attributes can be stored in any source: "local" or some other backend
• Join of all attributes, presented to the UNIX/Linux clients as a single entry

Slide 34: Use Case: Oracle Names Resolution
• Oracle clients and Oracle DB servers
• The VDS local LDAP store holds the Oracle context data
• Schema extended at the VDS
• Each client is configured to point to the VDS to look up the DB

Slide 35: Use Case: Global Address List for Email Clients
• Active Directory: employeeNumber=9, sAMAccountName=Alice_Lee, objectClass=user, mail: alee@mycompany.com, departmentNumber=234
• LDAP Directory: cn=Alice Lee, title=VP Sales, telephoneNumber=415-520-2203
• HR Database: ClearanceLevel=1, Region=PA
• Correlated Identity View: employeeNumber=9, sAMAccountName=Alice_Lee, objectClass=user, mail: alee@mycompany.com, departmentNumber=234, uid=Alee, title=VP Sales, givenName=Alice, sn=Lee, telephoneNumber=415-520-2203, EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Alice_Lee, DeptID=Sales234

Slide 36: Compliance
• Active Directory (source=Active Directory): employeeNumber=9, sAMAccountName=Alice_Lee, objectClass=user, mail: alee@mycompany.com, departmentNumber=234
• LDAP Directory (source=LDAP Directory): cn=Alice Lee, title=Guru Inside Sales Manager, telephoneNumber=415-520-2203
• HR Database (source=HR Database): ClearanceLevel=1, Region=PA
• Correlated Identity View: employeeNumber=9, sAMAccountName=Alice_Lee, objectClass=user, mail: alee@mycompany.com, departmentNumber=234, uid=Alee, title=Guru Inside Sales Manager, givenName=Alice, sn=Lee, telephoneNumber=415-520-2203, EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Alice_Lee, DeptID=Sales234
• Reports: which data sources does Alice have active accounts in?

Slide 37: Use Case: FID and Provisioning
• Legacy applications (and their respective stores): AD, Sun LDAP, accessed via LDAP/SQL/SPML
• Cloud apps, provisioned via SPML or SCIM
• The FID serves as the reference image

Slide 38: Summary
• In order to accommodate new requirements you will face challenges around authentication and authorization.
• Multiple, differing identity silos mean:
  • Many methods for credential checking
  • Many locations housing different aspects (attributes/groups) of an identity
• These challenges can be solved with a Federated Identity Service based on virtualization.
• You can leverage the federated identity service not just for cloud apps, but for legacy apps and other initiatives as well.
• Coming up: A Foundation for the Future. Michel Prompt shows you how the Federated Identity Service you put in place today is a key piece of infrastructure that prepares you for the future.