1. IT Infrastructure Architecture and Solutions
Enterprise Identity and Access
Management Design Criteria
_________________________________________
Creation Date: 07/17/2013
Authorization: CIO
Corporate Headquarters
Global Organization
2. Global Organization
Enterprise Identity and Access Management Design Criteria
Documentation Sample 2
Submission/Revision History
Revision | Author(s) | Release Date | Comments
001 | Jerry A. Taylor | 07/17/2013 | Document creation.
Technical Review History
Review | Reviewer(s) | Date | Comments
002 | Outside Group | |
GLOBAL ORGANIZATION PROPRIETARY AND CONFIDENTIAL. ALL RIGHTS RESERVED. PRINTED COPIES ARE FOR REFERENCE ONLY.
This document contains information that shall not be disclosed to third parties without written consent. This document shall not be duplicated, used or disclosed, in whole or in part, for any purpose other than to evaluate the information herein.
GLOBAL ORGANIZATION, Global Organization, and the GLOBAL ORGANIZATION logo are registered trademarks of Global Organization, Inc. and/or its affiliates in the United States and certain other countries. All other brand names are registered trademarks of their respective companies.
Table of Contents
Submission/Revision History
Technical Review History
Purpose
Scope
Definitions
Identity, Access Management and Single Sign-On
  Overview
Current Global Organization Enterprise Environment
  Active Directory
  Multiple Active Directory Forests
  ADFS/SAML
  Kerberos/NTLM
  Public Key Infrastructure/Certificate Authority
Identity Management
  NetIQ Directory and Resource Administrator
  Open Source Software
  Global Organization Applications
Access Management
  Access via Active Directory Security Groups
  Microsoft Exchange Server
  NetIQ Aegis
  Google Mail
  Open Source Software
  Wireless Access
  Global Organization Applications
Requirements
Solution Models
  Third-Party Solution
  Current ADFS/SAML Implementation
  Recommended Implementation Methodology
References
Purpose
The purpose of this document is to provide information on the design criteria and requirements to implement an identity and access management solution with single sign-on for the Global Organization enterprise environment.
Scope
This document provides information for a design to implement identity and access management with single sign-on for the Global Organization enterprise environment. The audience for this document is technical and management professionals experienced with enterprise environments.
Definitions
Table 1 Terms and Acronyms
Term/Acronym: Definition
The Institute of Electrical and Electronics Engineers Standards Association (IEEE): The Institute of Electrical and Electronics Engineers Standards Association, which develops global standards in a broad range of industries.
International Organization for Standardization (ISO): An international standard-setting body composed of representatives from various national standards organizations.
International Telecommunication Union (ITU): A specialized agency of the United Nations that is responsible for issues that concern information and communication technologies.
National Institutes for Standards and Technology (NIST): A non-regulatory agency of the United States Department of Commerce that sets national standards in the United States.
Federal Information Processing Standards (FIPS): Publicly announced standardizations developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract.
Identity management: The management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.
Digital identity: A set of data that uniquely describes a person or a thing (sometimes referred to as subject or entity) and contains information about the subject's relationships to other entities.
Access control: The selective restriction of access to a place or other resource.
Role Based Access Control (RBAC): Methodology for restricting system access to authorized users based on roles.
Active Directory (AD): A directory service running on the Microsoft Windows operating system.
Forest: The top level container of Active Directory infrastructure. A forest can consist of one or more domains, and those domains are connected through transitive trust. A forest shares a single schema database and security boundary.
Schema: Contains formal definitions of every object class that can be created in an Active Directory forest.
Attribute: Data items used to describe the objects that are represented by the classes that are defined in the schema.
Attribute Instance: An occurrence of an attribute that is defined in the schema.
Class: A formal description of a discrete, identifiable type of object stored in the directory service.
Directory Information Tree (DIT): The directory itself represented as a tree structure in which the vertices are the directory entries (class instances) and the connecting lines are the parent-child relationships between the entries.
Control Access Rights: A class that describes an access right not tied to a resource, but to an action.
Inheritance: The ability to build new object classes from existing object classes.
Object: A unit of data storage in the directory service.
Object Identifier (OID): Unique numeric values, issued by various issuing authorities, to uniquely identify data elements, syntaxes, and various other parts of distributed applications. Object Identifiers (OIDs) are found in OSI applications, X.500 Directories, SNMP, and other applications where uniqueness is important.
Security Descriptor: Information about the ownership of an object and the permissions that other users have on that object.
X.500: A family of standards developed jointly by the ISO and ITU, formerly known as the CCITT, that specify the naming, data representation, and communications protocols for a directory service.
Domain: A logical group of network objects (computers, users, devices) that share the same Active Directory database.
Trust: Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain.
Lightweight Directory Access Protocol (LDAP): An application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Internet Protocol (IP): The principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
Internet Protocol address: The numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.
Service Provider: A company that provides organizations with consulting, legal, real estate, education, communications, storage, processing, and many other services. Generally used to refer to third party or outsourced suppliers, including telecommunications service providers (TSPs), application service providers (ASPs), storage service providers (SSPs), and Internet service providers (ISPs).
Identity Provider: An authentication module which verifies a security token as an alternative to explicitly authenticating a user within a security realm.
Entitlement: Authorized permission and access of a system or application.
Web service: A method of communication between two electronic devices over the World Wide Web.
Credential: Used to control access to information or other resources. The classic combination of a user account number or name and a secret password is a widely used example of IT credentials.
Password Manager: Software that helps a user organize passwords and PIN codes.
Form Filler: Software that automatically fills in forms on a user interface, typically used with web service forms.
Single Sign-On (SSO): A property of access control of multiple related, but independent software systems.
Security Token Service: A software-based identity provider responsible for issuing security tokens, especially software tokens, as part of a claims-based identity system.
Claims-Based Identity: A common way for applications to acquire the identity information they need about users inside their organization, in other organizations, and on the Internet.
Multi-factor Authentication: An approach to authentication which requires the presentation of two or more authentication factors.
Knowledge factor: Something the user knows (e.g., password, PIN, pattern).
Possession factor: Something the user has (e.g., ATM card, smartcard, mobile phone).
Inherence factor: Something the user is (e.g., biometric characteristic, such as a fingerprint).
Hardware token: A type of multi-factor authentication security device that may be used to authorize the use of computer services, stored on a dedicated hardware device.
Software token: A type of multi-factor authentication security device that may be used to authorize the use of computer services, stored on a general purpose device.
Simple Object Access Protocol (SOAP): A protocol specification for exchanging structured information in the implementation of Web Services.
Protocol: A system of digital rules for message exchange within or between computers.
Extensible Markup Language (XML): A language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
Security Access Markup Language (SAML): An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
Active Directory Federation Services (ADFS): A software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries.
Federated Identity: The linking of a person's electronic identity and attributes, stored across multiple distinct identity management systems.
Public-key cryptography: A system requiring two separate keys, one of which is secret (private) and one of which is public.
Public Key Infrastructure (PKI): A set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
Digital Certificate: A mathematical scheme for demonstrating the authenticity of a digital message or document. Sometimes known as a digital signature.
Public key certificate: An electronic document that uses a digital signature to bind a public key with an identity.
Non-repudiation: A service that provides proof of the integrity and origin of data, both in an unforgeable relationship, which can be verified by any third party at any time.
Digital Signature: A mathematical scheme for demonstrating the authenticity of a digital message or document.
Kerberos: A computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
NT LAN Manager (NTLM): A legacy suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.
Generic Security Services Application Program Interface (GSSAPI): An application programming interface for programs to access security services.
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO): A "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.
Secure Socket Layers (SSL): Provides communication security across a network connection via cryptographic protocols.
WS-Security: An extension to SOAP to apply security to web services. The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as SAML, Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.
Provisioning: A methodology for providing users access to data repositories or granting authorization to systems, network applications and databases based on a unique user identity; and, as appropriate, for their use of hardware resources, such as computers, mobile phones and pagers.
Regulatory compliance: Conforming to a rule, such as a specification, policy, standard or law.
Network Access Control: An approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.
802.1x: An IEEE port-based Network Access Control standard.
Extensible Authentication Protocol (EAP): An authentication framework frequently used in wireless networks and Point-to-Point connections.
Mobile Device Management (MDM): A software application that secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.
Smart Card: Any pocket-sized card with embedded integrated circuits that can provide identification, authentication, data storage and application processing.
Microsoft Exchange Server: A mail server, calendaring software and contact manager developed by Microsoft.
Wi-Fi Alliance: A trade association that promotes Wi-Fi technology and certifies Wi-Fi products if they conform to certain standards of interoperability.
Wi-Fi Protected Access II (WPA2): A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks.
Protected Extensible Authentication Protocol (PEAP): An authentication protocol frequently used in wireless networks.
Remote Access Dial In User Service (RADIUS): A networking protocol that provides centralized Authentication, Authorization, and Accounting management for computers that connect to and use a network service.
Identity, Access Management and Single Sign-On
The following sections detail the recommendations for implementation of an identity and access management solution offering single sign-on capabilities into the Global Organization enterprise.
Overview
Identity and access management is defined as a shared platform and consistent processes for managing information about users: who they are, how they are authenticated and what they can access.
Enterprise Identity and Access Management (IAM) is defined as a set of processes and technologies to effectively and consistently manage modest numbers of users and entitlements across multiple systems. In this definition, there are typically significantly fewer than a million users, but users typically have access to multiple systems and applications.
Enterprise identity and access management scenarios should include:
Password synchronization and self-service password reset.
User provisioning, including identity synchronization, auto-provisioning and automatic access deactivation, self-service security requests, approvals workflow and consolidated reporting.
Enterprise single sign-on – automatically filling login prompts on client applications.
Web single sign-on – consolidating authentication and authorization processes across multiple web applications.
The figure below illustrates the basic concepts of identity and access management:
Figure 1 Identity and Access Management concepts
Current Global Organization Enterprise Environment
The following sections detail the current Global Organization system and application environment.
Active Directory
The following sections detail information concerning Global Organization’s Active Directory forest implementation.
Multiple Active Directory Forests
Global Organization has multiple Active Directory forests deployed to support operations. In order to meet compliance with Federal and Global Organization customer security requirements, Global Organization has deployed Active Directory forests which have no trust relationships with other Active Directory forests. The lack of a trust relationship prevents users in one forest from using their credentials to access resources in another forest.
ADFS/SAML
Global Organization has implemented Active Directory Federation Services (ADFS) and Security Access Markup Language (SAML) version 2 to provide users with Single Sign-On access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity. Although SAML 2.0 is the industry standard, not all application vendors have developed support for it, and legacy applications within the Global Organization environment may not be capable of supporting it.
Kerberos/NTLM
Systems and applications which use the user's Active Directory credentials to grant access to resources use either the Kerberos or NT LAN Manager (NTLM) protocol. NTLM does not support any recent cryptographic methods, such as AES or SHA-256, and Kerberos has replaced NTLM as the default authentication protocol in Active Directory. [1]
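Knowing which accounts and systems still authenticate with NTLM is the first step toward retiring it before a single sign-on rollout. The following added example (not code from this document or from Microsoft) summarizes successful Windows logon events (Security event 4624, which records the authentication package and, for NTLM, whether LM, NTLMv1 or NTLMv2 was used) by package, by source workstation and by weak-protocol account. The event records are constructed sample data with shortened field names; in practice they would be exported from the domain controllers' Security logs.

```python
"""Inventory of NTLM vs. Kerberos logons from Windows Security event 4624 (added example)."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Field names are shortened from the event's own
# "Authentication Package", "Package Name (NTLM only)" and "Workstation Name" fields.
SAMPLE_EVENTS = """event_id,time,account,auth_package,ntlm_package,workstation
4624,2013-07-17T08:01:05Z,CORP\\jdoe,Kerberos,-,WS001
4624,2013-07-17T08:02:11Z,CORP\\svc-backup,NTLM,NTLM V2,FILESRV01
4624,2013-07-17T08:03:40Z,CORP\\jdoe,NTLM,NTLM V2,LEGACYAPP01
4624,2013-07-17T08:05:02Z,CORP\\asmith,NTLM,NTLM V1,OLDSCANNER
4625,2013-07-17T08:05:30Z,CORP\\asmith,NTLM,NTLM V1,OLDSCANNER
4624,2013-07-17T08:07:12Z,CORP\\mlee,Kerberos,-,WS002
"""

# LM and NTLMv1 are cryptographically weak; accounts still using them are the
# highest-priority cleanup, ahead of the general NTLM-to-Kerberos migration.
WEAK_NTLM = {"LM", "NTLM V1"}


def summarize_logons(csv_text):
    """Summarize successful (4624) logons by authentication package.

    Returns a dict with:
      by_package    - count of logons per authentication package
      ntlm_sources  - {workstation: sorted accounts} for NTLM logons, i.e. where to
                      look for the application or device that cannot (yet) use Kerberos
      weak_accounts - accounts seen with LM or NTLMv1
    """
    by_package = Counter()
    ntlm_sources = defaultdict(set)
    weak_accounts = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "4624":  # 4625 is a failed logon; not counted here
            continue
        by_package[row["auth_package"]] += 1
        if row["auth_package"] == "NTLM":
            ntlm_sources[row["workstation"]].add(row["account"])
            if row["ntlm_package"] in WEAK_NTLM:
                weak_accounts.add(row["account"])
    return {
        "by_package": dict(by_package),
        "ntlm_sources": {ws: sorted(accts) for ws, accts in ntlm_sources.items()},
        "weak_accounts": sorted(weak_accounts),
    }


def ntlm_share(summary):
    """Fraction of successful logons that used NTLM (0.0 when there were none)."""
    total = sum(summary["by_package"].values())
    return summary["by_package"].get("NTLM", 0) / total if total else 0.0
```

Re-running the summary after each migration step gives a simple trend for the NTLM share and a short list of the workstations and service accounts still to be fixed.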
Public Key Infrastructure/Certificate Authority
Global Organization does not have an Enterprise Certificate Authority implemented. Global Organization has implemented a limited Active Directory Certificate Authority, which requires that the certificate requester explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store, or users must perform that task themselves.
Identity Management
The following sections detail how identities are managed in the current Global Organization system and application environment.
NetIQ Directory and Resource Administrator
Account properties and values for Active Directory objects (e.g. user accounts, computer objects, printers, etc.) are managed with the NetIQ Directory and Resource Administrator (DRA). The NetIQ DRA solution has been deployed throughout the Global Organization environment globally. [2]
Open Source Software
Identity creation on Open Source Software is done on an ad hoc basis by the system administrators for those systems. A project has been initiated to implement a management solution that will include the use of Active Directory credentials and authentication to grant access to Open Source Software systems and applications.
[1] See Kerberos Explained in the References section of this document for additional information.
[2] See NetIQ Account and Resource Management SYS-ADR-NIQ-MGT in the References section of this document for additional information.
Global Organization Applications
Global Organization applications include, but are not limited to, the following [3]:
SAP
ADP
SharePoint
Service Now
Success Factors
WebEx
Global Organization Business Connect
Gentrify
Citrix
Access Management
The following sections detail how users are granted access to resources in the current Global Organization system and application environment.
Access via Active Directory Security Groups
Applications and systems using Active Directory credentials and authentication (Kerberos or NTLM) should use membership in Active Directory security groups to grant access to resources. Membership in security groups is controlled by the NetIQ DRA solution.
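How a relying party turns the ADFS-issued claims described under ADFS/SAML into an access decision based on Active Directory security group membership, as recommended here, is shown by the following added example (it is not code from this document, from ADFS or from NetIQ). The assertion, issuer, user, audience, group names and role mapping are all constructed; the example assumes that the SAML library in front of it has already verified the assertion's XML signature, so it only enforces the audience, the validity window and the group-to-role mapping.

```python
"""Claims-based access check for a SAML 2.0 relying party (added example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim type under which ADFS issues AD group membership when a group
# issuance rule is configured on the relying party trust.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (hypothetical issuer, user, audience and groups).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-07-17T12:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-07-17T12:00:00Z" NotOnOrAfter="2013-07-17T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://servicenow.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>CORP\\ServiceNow-Users</saml:AttributeValue>
      <saml:AttributeValue>CORP\\All-Employees</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical entitlement map for the relying party: role -> AD groups that grant it.
# Access derives only from group claims, so revoking it is a group change in DRA,
# with no change to the application itself.
ROLE_GROUPS = {
    "user": {"CORP\\ServiceNow-Users"},
    "admin": {"CORP\\ServiceNow-Admins"},
}


def _utc(value):
    """Parse a SAML UTC timestamp such as 2013-07-17T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Return (name_id, audiences, not_before, not_on_or_after, groups)."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks Conditions with a validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    groups = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM:
            groups.update(v.text for v in attr.findall("saml:AttributeValue", NS))
    return name_id, audiences, _utc(cond.get("NotBefore")), _utc(cond.get("NotOnOrAfter")), groups


def authorize(xml_text, expected_audience, now_utc):
    """Decide access for one assertion.

    Returns (True, sorted roles) or (False, reason). The XML signature must already
    have been verified by the SAML library; this function only enforces the audience,
    the validity window and the group-to-role mapping.
    """
    try:
        name_id, audiences, not_before, not_on_or_after, groups = parse_assertion(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return False, f"unusable assertion: {exc}"
    now = _utc(now_utc)
    if expected_audience not in audiences:
        return False, f"assertion for {name_id} was not issued for {expected_audience}"
    if not (not_before <= now < not_on_or_after):
        return False, f"assertion for {name_id} is outside its validity window"
    roles = sorted(role for role, grant in ROLE_GROUPS.items() if groups & grant)
    if not roles:
        return False, f"{name_id} is in no AD group that grants access"
    return True, roles
```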
Microsoft Exchange Server
Global Organization has Microsoft Exchange Server deployed in the environment to meet client requirements for messaging systems which Google Mail does not meet. Mail-enabled Active Directory user objects and membership in Active Directory security groups are used to control access to Exchange Server mailboxes.
NetIQ Aegis
NetIQ Aegis is a process automation tool which shall be used for user account provisioning. NetIQ Aegis integrates tightly with the NetIQ Directory and Resource Administrator solution currently deployed in the Global Organization production environment.
Google Mail
Users access Google Mail by entering their Active Directory credentials (username and password) into an HTML form.
[3] Not all applications are supported by the Global Organization Call Center; thus this list should not be considered all-inclusive of all applications deployed in the Global Organization production environment.
Open Source Software
Access management on Open Source Software is done on an ad hoc basis by the system administrators for those systems. A project has been initiated to implement a management solution that will include the use of Active Directory credentials and authentication to grant access to Open Source Software systems and applications.
Wireless Access
Access to the wireless access networks is granted via WPA2-AES with PEAP using RADIUS (as an unknown user) to authenticate the user against Active Directory.
Global Organization Applications
Global Organization applications include, but are not limited to, the following:
SAP
ADP
SharePoint
Service Now
Success Factors
WebEx
Global Organization Business Connect
Gentrify
Citrix
Requirements
The following sections detail the requirements for implementation of an identity and access management solution offering single sign-on capabilities into the Global Organization enterprise.
The implemented solution must meet the following requirements:
Stakeholders in technical and business areas must be identified.
Executive-level sponsorship must be secured to broker agreements between stakeholders.
Solution must support multiple Active Directory forests with no trust relationships.
Solution must support NTLM/Kerberos/SAML/Certificate/Web Cookie authentication protocols.
Solution must support potential multiple authoritative identity sources for enterprise IDs (partners, clients, external service providers, etc.).
Solution must offer auditing and reporting of enterprise identity access and utilization.
Solution must be flexible enough to provide SSO service to future applications.
Solution must support multiple-factor authentication.
Solution must support application-to-application authentication.
Solution must offer redundancy to avoid a single point of failure during maintenance windows.
Solution must allow segregation of administrative staff to meet compliance with Federal regulatory requirements, such as DOD, ITAR, etc. for business units doing work with the Federal government.
Solution will need to offer seamless, multiple method password changes.
Solution must support the IEEE standard 802.1x for integration with Cisco ISE.
Solution must support the Tangoe MDM solution.
Solution must provide an access management component.
Solution must employ full-time resources from the engineering, application and operations technical teams from the start of implementation.
The figure below illustrates the required components of an enterprise identity and access management solution:
Figure 2 Identity and Access Management Required Components
Solution Models
The following sections detail proposed solution models and a recommended implementation methodology.
Third-Party Solution
A third-party software solution should offer centralized technical identity data from multiple sources, transformed into rich, business-relevant information that allows enforcement of role-based access across the diverse enterprise applications within Global Organization. An integrated solution would prioritize compliance and security efforts by assessing the risk of each person, application and system resource, and would allow detection and prevention of policy violations. By centralizing identity management into a central identity warehouse repository, governance would be achieved by enabling provisioning of user accounts and orchestration of changes to user access across multiple systems. Role modeling and risk analysis would locate and identify risks associated with inappropriate or excessive access privileges. Administrative overhead associated with compliance reporting would be reduced by enterprise governance, access request, and provisioning policies within the governance platform.
User frustration and administrative overhead would also be reduced by a decrease in the number of identities and passwords required to access resources within the Global Organization environment, and by a decrease in the time spent by the many technical teams responsible for troubleshooting access management of those resources.
Current ADFS/SAML Implementation
Global Organization has implemented Active Directory Federation Services (ADFS) and Security Access Markup Language (SAML) version 2 to provide users with Single Sign-On access to systems and applications located across organizational boundaries.
However, not all Active Directory forests in the Global Organization environment have ADFS and SAML implemented, and additional systems and configuration would need to be implemented. A large number of legacy systems in the environment are not SAML-capable, and users would continue to be required to input credentials into those solutions. In addition, Global Organization has encountered vendors with SAML solutions which only function when all users are contained within a single domain.
Extensive modification of the current ADFS and SAML infrastructure could be required to extend the existing solution to all Global Organization Active Directory forests and domains.
Recommended Implementation Methodology
It is recommended that a multi-phased approach be used for the project implementation. For each application deployed into the Global Organization production environment, the method of identity and access and the security controls should be documented and then tested on a case-by-case basis. It is required that all new applications and systems to be introduced into the environment be compliant with the selected identity and access management solution.
References
NetIQ Account and Resource Management SYS-ADR-NIQ-MGT
https://docs.google.com/a/Global Organization.com/viewer?a=v&pid=sites&srcid=amFiaWwuY29tfGl0LWVuZ2luZWVyaW5nLW1lZGlhLWxpYnJhcnl8Z3g6NDE0YzNmNDQxNDZjMDRiYw
Homeland Security Presidential Directive 12 (HSPD-12)
http://hspd12.usda.gov/about.html
RFC 3748 Extensible Authentication Protocol (EAP)
https://tools.ietf.org/html/rfc3748
Active Directory Trust Types
http://technet.microsoft.com/en-us/library/cc775736(v=ws.10).aspx
Active Directory Federation Services
http://technet.microsoft.com/en-us/library/cc736690(v=ws.10).aspx
Kerberos Explained
http://technet.microsoft.com/en-us/library/bb742516.aspx
Kerberos Authentication Technical Reference
http://technet.microsoft.com/en-us/library/cc739058(v=ws.10).aspx
NTLM Authentication in Windows
http://support.microsoft.com/kb/102716
Understanding Federation Designs
http://technet.microsoft.com/en-us/library/cc753352.aspx
The ABCs of Identity Management
http://www.csoonline.com/article/205053/the-abcs-of-identity-management
Defense Systems Intelligence Agency Identity and Access Management
http://www.disa.mil/Services/Enterprise-Services/Identity-and-Access-Management
Strengthen Access Control with Enterprise Identity-Management Architecture
http://msdn.microsoft.com/en-us/library/bb447668.aspx
SANS - Adding Enterprise Access Management to Identity Management
http://www.sans.org/reading_room/analysts_program/foxt-identity-mgt-web.pdf
What identity management strategies should enterprises deploy for cloud environments?
http://www.computerweekly.com/opinion/What-identity-management-strategies-should-enterprises-deploy-for-cloud-environments