Beyond SPML: Access Provisioning in a Services World

Slide 1: Beyond SPML: Access Provisioning in a Services World
Nishant Kaushik, Lead Strategist, Identity & Access Management, Oracle

Slide 2:
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Slide 3: The Evolution of Provisioning
[Diagram: stages Native Administration Tools, Automated Account Management, Governance Controls; drivers IT Optimization & ROI, Regulatory Compliance]

Slide 4: Provisioning at Center of Enterprise IdM
[Diagram: a central Provisioning System serving Users, Managers, Administrators and Auditors, wired by connectors to Partner Applications (SPML Connector), Major Cloud-based Proprietary Apps (Connector, APIs), Cloud-based Services (connector marked “?”), Internal Applications (Connector) and User Stores (SSO, IdP, Fed) (Connector)]

Slide 5: Provisioning Got Complicated
[Diagram: as slide 4, with the provisioning system now containing a Request Portal, Provisioning Policy Engine, Provisioning Engine and Audit Module]

Slide 6: Provisioning.Current: Effective, but Overburdened & Brittle
• Does what it needs to do, but implementation is too difficult
• Scope of identity data has grown
• Connectors are a constant battle
• SPML hasn’t delivered
• Consolidating access requests into a single portal increases deployment complexity and decreases usability
• Compliance already extracted into focused GRC tools
(Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel)

Slide 7: So What is Provisioning.Next?
[Diagram: the slide 3 evolution with Provisioning.Next added as the next stage, its driver marked “?”]
Slide 8: Identity Externalization (section title)

Slide 9: Evolution of Application Architecture
• User Tables externalized to Identity Store
• Native U/P Authentication externalized to SSO
• Native Authorization Engine externalized to Entitlements Server

Slide 10: Evolution of Application Architecture (continued)
Same three externalizations as slide 9, plus the quote: “The Future of Identity is Pull” - Bob Blakley, Burton Group

Slide 11: Service-Oriented Security
• Applications pull identity data from a centralized (if necessary virtualized) identity store
• Authorization based on attributes and roles
• ISP provides a developer-friendly API layer that plugs into service providers based on standards
[Diagram: Identity Services Platform exposing IGF (ArisID) and OpenAZ, over an SSO Server (SAML), Identity Store (LDAP) and Entitlement Server (XACML)]

Slide 12: Is Provisioning Out On The Street Now?
[Diagram: the slide 11 platform, with the Provisioning Engine drawn outside it]

Slide 13: Or Just Getting More Specialized?
• Provisioning still holds the policy keys for “who should have access to what”
• Responds to identity events and keeps the identity store consistent
• More importantly, ensures that identities have the attributes/roles necessary to satisfy authorization checks
[Diagram: Identity Events and Ad-Hoc Requests feed the Provisioning Engine, which sits beside the Identity Services Platform (IGF (ArisID), OpenAZ) over the SSO Server (SAML), Identity Store (LDAP) and Entitlement Server (XACML)]

Slide 14: Provisioning-as-a-Service
• Any application can be an “identity source” also
• Applications now own their contextual access requests
• Handles both enterprise and application roles
• Collaborative identity management (by apps)
[Diagram: Users, Managers, Administrators and Approvers, and applications sending HR Activities, User Registration, Access Requests and Profile Updates, all feed a Provisioning Service (SPML) that sits alongside the SSO Server (SAML), Identity Store (LDAP) and Entitlement Server (XACML) behind the Identity Services Platform (IGF (ArisID), OpenAZ)]

Slide 15: New Challenges for Applications
Request Handling
• Partial Registration
• Gap Handling, User Notification, Feedback Loops
Identity-Based Access Control
• Support a mix of RBAC and ABAC for provisioning
• Greater degree of automation: policy-based auto-provisioning and auto-approval of requests
Holistic Role Management
• Centralized management of enterprise roles and application roles
• Enterprise-to-application role mappings
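The following is an added example, not code from the deck or from any Oracle product, showing the mechanics slides 13 to 15 describe: a provisioning policy engine that reacts to an identity event, evaluates a mix of attribute-based conditions (ABAC) and enterprise-role grants (RBAC), maps enterprise roles to application roles, auto-approves what policy allows, routes sensitive grants to an approver, and records a partial registration when the target application still lacks a required attribute. All role, attribute and application names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set

# An identity is a flat attribute map from the identity store, e.g. {"department": "Finance"}.
Identity = Dict[str, object]


@dataclass(frozen=True)
class Policy:
    """One provisioning rule: an ABAC condition that, when true, grants RBAC enterprise roles."""
    name: str
    condition: Callable[[Identity], bool]
    grants: FrozenSet[str]
    auto_approve: bool = True                     # False: route the grant to an approver instead
    required_attrs: FrozenSet[str] = frozenset()  # attributes the target app needs before the grant is usable


# Enterprise role -> {application: application role}. Hypothetical names.
ROLE_MAP: Dict[str, Dict[str, str]] = {
    "Employee":        {"mail": "user", "intranet": "reader"},
    "FinanceAnalyst":  {"erp": "gl_viewer"},
    "FinanceApprover": {"erp": "gl_approver"},
}

POLICIES: List[Policy] = [
    Policy("all-employees", lambda i: i.get("status") == "active",
           frozenset({"Employee"}), required_attrs=frozenset({"email"})),
    Policy("finance-staff", lambda i: i.get("department") == "Finance",
           frozenset({"FinanceAnalyst"}), required_attrs=frozenset({"cost_center"})),
    # Approval rights are sensitive: a matching policy only creates a request, never an automatic grant.
    Policy("finance-approvers",
           lambda i: i.get("department") == "Finance" and int(i.get("grade", 0)) >= 7,
           frozenset({"FinanceApprover"}), auto_approve=False,
           required_attrs=frozenset({"cost_center", "manager"})),
]


@dataclass
class Decision:
    auto_approved: Dict[str, Set[str]] = field(default_factory=dict)     # app -> app roles to grant now
    pending_approval: Dict[str, Set[str]] = field(default_factory=dict)  # app -> app roles awaiting an approver
    gaps: Dict[str, Set[str]] = field(default_factory=dict)              # app -> attributes still missing
    matched: List[str] = field(default_factory=list)                     # names of policies that fired


def evaluate(identity: Identity, policies: List[Policy] = POLICIES,
             role_map: Dict[str, Dict[str, str]] = ROLE_MAP) -> Decision:
    """Apply every policy to the identity and bucket the resulting application roles."""
    d = Decision()
    for p in policies:
        if not p.condition(identity):
            continue
        d.matched.append(p.name)
        missing = {a for a in p.required_attrs if not identity.get(a)}
        for ent_role in sorted(p.grants):
            for app, app_role in role_map.get(ent_role, {}).items():
                if missing:
                    # Partial registration: record the gap for user notification instead of provisioning.
                    d.gaps.setdefault(app, set()).update(missing)
                    continue
                bucket = d.auto_approved if p.auto_approve else d.pending_approval
                bucket.setdefault(app, set()).add(app_role)
    return d


def reconcile(before: Identity, after: Identity) -> Dict[str, Dict[str, Set[str]]]:
    """React to an identity event (hire, transfer, attribute change): re-evaluate policy on the new
    state and return, per application, the auto-approved roles to grant and to revoke. Roles that
    need an approver are not touched here; they flow through the request engine."""
    old = evaluate(before).auto_approved if before else {}
    new = evaluate(after).auto_approved
    changes: Dict[str, Dict[str, Set[str]]] = {}
    for app in sorted(set(old) | set(new)):
        grant = new.get(app, set()) - old.get(app, set())
        revoke = old.get(app, set()) - new.get(app, set())
        if grant or revoke:
            changes[app] = {"grant": grant, "revoke": revoke}
    return changes


if __name__ == "__main__":
    # Constructed HR event: a new finance hire, grade 8, with no manager attribute yet.
    hire = {"status": "active", "department": "Finance", "grade": 8,
            "email": "j.doe@example.com", "cost_center": "CC-100"}
    d = evaluate(hire)
    print("auto:", d.auto_approved, "pending:", d.pending_approval, "gaps:", d.gaps)
    transfer = dict(hire, department="Sales", manager="m.lee")
    print("on transfer:", reconcile(hire, transfer))
```

The transfer case is the one worth watching in a real engine: the revoke side of `reconcile` is what keeps the identity store consistent after a department change, and a policy engine that only ever adds roles is how entitlement creep starts.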
Slide 16: Provisioning.Evolved: Delivering Provisioning-as-a-Service
• Provisioning becoming more about policy, less about data
  - Managing the identity store
  - Supports automated and ad-hoc (manual) decision-making that is compliant and informed
• Returning control over usability back to the application
  - Support intelligent UI
  - Implement feedback loop
(Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel)

Slide 17: Identity Federations & the Cloud (section title)

Slide 18: It’s All About The Cloud Now

Slide 19: Some Legends Are Meant To Be Retold

Slide 20: Ian Glazer proclaimed…
(Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first)

Slide 21: I Couldn’t Not Respond…

Slide 22: A lively battle ensued…
(Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first)

Slide 23: And at the end…
(Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first)

Slide 24: My Secret Weapon: JIT Provisioning
Just-In-Time Provisioning
• Not new, but never mainstream
• Real-time provisioning triggered by a user arriving at the RP needing access
• Light-touch provisioning based on standards, not integrations
• The challenge has always been the trust and policy model

Slide 25: JIT Provisioning and the Cloud
Just-In-Time Provisioning
• Not new, but never mainstream
• Real-time provisioning triggered by a user arriving at the RP needing access
• Light-touch provisioning based on standards, not integrations
On-the-fly federations enable secure, short-lived and limited-use cloud services for the enterprise

Slide 26: External User Coming In (Federation or Cloud Scenario)
[Diagram: the Identity Provider (Users, SSO/Fed Server, Identity Store) sends an AuthN token w/ Claims to the Relying Party/Service Provider, whose Identity Services Platform (IGF (ArisID), OpenAZ) sits over a Provisioning Server (SPML), SSO/Fed Server (SAML), Identity Store (LDAP) and Entitlement Server (XACML); a “?” marks how the token reaches provisioning]

Slide 27: External User Coming In (Federation or Cloud Scenario), continued
[Diagram: as slide 26, with the RP’s SSO/Fed Server forwarding a Request w/ Claims to the Provisioning Server]
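Slides 24 to 27 describe the RP side of just-in-time provisioning: an external user arrives with an authentication token carrying claims, and the provisioning server creates or updates a local account from those claims instead of waiting for a connector or batch feed. The block below is an added example, not code from the deck, of the trust and policy checks the slides say have always been the hard part: only listed issuers may trigger provisioning, only claims the issuer is authoritative for are accepted, the validity window is enforced, the local account is keyed by issuer and subject, and a token that lacks a required claim produces a partial registration with no access. The token is a constructed dict standing in for the claims of an already signature-verified SAML assertion; signature verification itself is outside the example and must happen before any of this runs.

```python
import time
from typing import Dict, Optional, Set, Tuple

# Trust policy of the relying party: which IdPs may trigger JIT provisioning, which claims each is
# authoritative for, and which roles a JIT-created account gets by default. Hypothetical values.
TRUSTED_ISSUERS: Dict[str, dict] = {
    "https://idp.partner.example": {
        "allowed_claims": {"email", "givenName", "sn", "eduPersonAffiliation"},
        "default_roles": {"partner_portal": {"guest"}},
    },
}
REQUIRED_CLAIMS: Set[str] = {"email", "sn"}   # the account is unusable until these are present


class JitRejected(Exception):
    """The token must not create or touch any local account."""


def jit_provision(token: dict, store: Dict[Tuple[str, str], dict],
                  now: Optional[float] = None) -> dict:
    """Create or update the local account for the subject of an already signature-verified token.
    Returns the account record; raises JitRejected when the trust policy says no."""
    now = time.time() if now is None else now
    issuer = token.get("issuer")
    policy = TRUSTED_ISSUERS.get(issuer)
    if policy is None:
        raise JitRejected(f"issuer {issuer!r} is not in the trust list")
    if not (token["not_before"] <= now < token["not_on_or_after"]):
        raise JitRejected("token outside its validity window")
    subject = token.get("subject")
    if not subject:
        raise JitRejected("token carries no subject")

    # Keep only claims this IdP is authoritative for; a self-asserted 'role' or 'admin' claim is dropped.
    claims = {k: v for k, v in token.get("attributes", {}).items() if k in policy["allowed_claims"]}
    missing = REQUIRED_CLAIMS - set(claims)

    # Local accounts are keyed by (issuer, subject) so two IdPs cannot collide on the same subject string.
    key = (issuer, subject)
    account = store.setdefault(key, {"attributes": {}, "roles": {}, "status": "partial", "created": now})
    account["attributes"].update(claims)
    account["last_seen"] = now
    if missing:
        # Partial registration: keep the record, grant nothing, report what the user or IdP must supply.
        account["status"] = "partial"
        account["missing"] = sorted(missing)
        account["roles"] = {}
    else:
        account["status"] = "active"
        account.pop("missing", None)
        account["roles"] = {app: set(roles) for app, roles in policy["default_roles"].items()}
    return account


if __name__ == "__main__":
    store: Dict[Tuple[str, str], dict] = {}
    # Constructed stand-in for the claims of a SAML assertion after signature verification.
    token = {"issuer": "https://idp.partner.example", "subject": "u-4711",
             "not_before": 1000.0, "not_on_or_after": 1300.0,
             "attributes": {"email": "u4711@partner.example", "sn": "Doe", "role": "admin"}}
    print(jit_provision(token, store, now=1100.0))
```

The dropped `role` claim is the point of the allow-list: in a light-touch, standards-based flow the RP never negotiated what that attribute means, so it must not let an IdP (or anyone who can mint an assertion from it) grant itself application roles by adding claims.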
Slide 28: Provisioning needs more Identity Data
[Diagram: as slide 27, plus OAuth-based authorization for the RP to access IdP data, and IGF-based data retrieval between the RP Provisioning Server (CARML) and an IdP-side Provisioning Server (AAPML Constraints); the IdP is labelled “constraints based”]

Slide 29: OAuth as Trust Framework
[Diagram: the RP Provisioning Server requests a token from the IdP Provisioning Server; the User issues (authorizes) the request token]
User “approves” introduction of Provisioning Engines
• User must be on the list of users authorized to do this
• Acts as the basis of (limited) trust
• Initiates a review on the IdP side
• IdP Provisioning Engine can validate the RP against a black list/white list

Slide 30: IGF (ArisID) as Data Retrieval API
[Diagram: RP Provisioning Server (CARML) and IdP Provisioning Server (AAPML Constraints) linked by IGF based Data Retrieval]
RP policy disclosures include
• How and why it intends to use the data
• Certifications (e.g. SAS 70)
• Change notification requirements
IdP policy constraints include
• Expectations around data management
• Change notification details
Provisioning Engine makes the decision
• Based on configured policies
• Based on RP policy disclosures
• Based on approvals

Slide 31: Change Notification
[Diagram: the IdP Provisioning Server notifies the RP Provisioning Server about a change over the same CARML / IGF based Data Retrieval / AAPML Constraints channel as slide 30]
• IdP doesn’t send the changes (data), just notifies; the RP pulls data if needed
• Per the IGF agreement made when data access was granted (previous steps)
• Doesn’t have to be immediate
• Only for changes the RP is interested in
• Can be ignored in favor of a JIT pull when the user comes back
• No standard exists for this, though there is discussion in the SSTC (SAML)
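Slides 30 and 31 describe a two-sided policy exchange: the RP discloses which attributes it wants, for what purpose, and what certifications it holds; the IdP’s provisioning engine checks that disclosure against its own constraints and a white list/black list of RPs (slide 29) and releases attributes accordingly; afterwards the IdP only announces that something changed, and the RP decides whether to pull. The block below is an added example, not code from the deck, and the dict shapes are a simplification invented for it, not the real CARML or AAPML schemas. It covers both slides: `negotiate` is the IdP-side decision, `notify_payload` builds a data-free notification, and `on_change_notification` is the RP-side choice between pulling now, deferring to the next JIT pull, and ignoring.

```python
from typing import Dict, Optional, Set

# IdP-side constraints (AAPML-like in intent, simplified shape): per attribute, which declared purposes
# are acceptable, which certifications the RP must hold, and whether changes are announced at all.
IDP_CONSTRAINTS: dict = {
    "allowed_rps": {"https://rp.cloudapp.example"},    # white list checked before anything else
    "blocked_rps": set(),
    "attributes": {
        "email":      {"purposes": {"account", "notification"}, "certs": set(),      "notify": True},
        "department": {"purposes": {"authorization"},           "certs": set(),      "notify": True},
        "employeeId": {"purposes": {"account"},                 "certs": {"SAS 70"}, "notify": False},
        "salaryBand": {"purposes": set(),                       "certs": set(),      "notify": False},  # never released
    },
}

# RP-side disclosure (CARML-like in intent, simplified shape): what it wants, why, and what it certifies.
RP_DISCLOSURE: dict = {
    "rp": "https://rp.cloudapp.example",
    "certifications": {"SAS 70"},
    "requests": {"email": "account", "department": "authorization",
                 "employeeId": "account", "salaryBand": "authorization"},
    "wants_change_notification": {"department", "employeeId"},
}


def negotiate(disclosure: dict, constraints: dict = IDP_CONSTRAINTS) -> dict:
    """IdP provisioning engine decision: which requested attributes are released, why the rest are
    refused, and which of the released ones will have change notifications."""
    rp = disclosure["rp"]
    if rp in constraints["blocked_rps"] or rp not in constraints["allowed_rps"]:
        return {"granted": {}, "denied": {a: "rp not trusted" for a in disclosure["requests"]}, "notify": set()}
    granted: Dict[str, str] = {}
    denied: Dict[str, str] = {}
    notify: Set[str] = set()
    for attr, purpose in disclosure["requests"].items():
        rule = constraints["attributes"].get(attr)
        if rule is None:
            denied[attr] = "unknown attribute"
        elif purpose not in rule["purposes"]:
            denied[attr] = f"purpose {purpose!r} not permitted"
        elif not rule["certs"] <= disclosure["certifications"]:
            denied[attr] = "missing certification " + ", ".join(sorted(rule["certs"] - disclosure["certifications"]))
        else:
            granted[attr] = purpose
            if rule["notify"] and attr in disclosure["wants_change_notification"]:
                notify.add(attr)
    return {"granted": granted, "denied": denied, "notify": notify}


def notify_payload(agreement: dict, changed_attrs: Set[str]) -> Optional[dict]:
    """IdP side: the notification names changed attributes only. Values are never pushed; the RP pulls
    them through the agreed retrieval channel if it decides to."""
    announce = sorted(set(changed_attrs) & agreement["notify"])
    return {"changed": announce} if announce else None


def on_change_notification(agreement: dict, notification: dict, user_active_here: bool) -> str:
    """RP side: 'pull-now' for agreed, interesting changes on a user who is active at this RP;
    'defer-to-jit' when the user is not around (the next login will pull fresh claims anyway);
    'ignore' when nothing in the notification is covered by the agreement."""
    relevant = set(notification.get("changed", ())) & agreement["notify"]
    if not relevant:
        return "ignore"
    return "pull-now" if user_active_here else "defer-to-jit"


if __name__ == "__main__":
    agreement = negotiate(RP_DISCLOSURE)
    print(agreement)
    note = notify_payload(agreement, {"department", "salaryBand"})   # constructed change at the IdP
    print(note, on_change_notification(agreement, note, user_active_here=False))
```

Two details carry the security weight. The IdP filters the notification against the agreement, so an attribute it never released (`salaryBand`) is not even named on the wire; and the RP filters again on receipt, so a notification naming an attribute outside the agreement cannot trigger a pull the IdP would then have to refuse.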
Slide 32: Provisioning.Next
• Engine for delivering Provisioning-as-a-Service
  - Management & policy enforcement of the identity store
  - Request engine for approval-based provisioning
  - Automation engine for role- and attribute-based provisioning
• Policy-compliant identity data exchange with IdPs
  - For federated & cloud contexts
• SPML-based batch provisioning
(Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel)

Slide 33: Learn More
oracle.com/identity
Connect, Discuss: @nishantk, blog.talkingidentity.com