Co p


Published on

  • Be the first to comment

  • Be the first to like this

Co p

  1. 1. Managing EnterpriseIdentity and Access in 2013IT DirectorsMay 14, 2013 Allyn McGillicuddy and Melvin Vaughan
  2. 2. AGENDA• The Changing Landscape for Identity andAccess Management• Enterprise Identity – Foundational Concepts• Enterprise Identity Operations Management• Managing Identity in the Extended Enterprise– Identity Federation– Identity as a Service• Identity Management Compliance andOperations ConsiderationsIT Directors Community of Practice
  3. 3. Changing Landscape for EnterpriseIdentity and Access Management– In the extended enterprise, business workflow isnot confined within the company’s infrastructure• SaaS vendors• Cloud-based services– People outside the enterprise are accessing thecompany’s infrastructure• Customers• Business allies• Contractors and temporary workers• Service providers– How does this affect the threat landscape?IT Directors Community of Practice
  4. 4. Today’s Threat Landscape
  5. 5. High-profile, sharing applicationsrepresent lower than expected threatvolume– Social networking, video, and file sharingapplications represent• 25% of the applications,• 20% of the bandwidth but only• 0.4% of the threat logs, primarily exploits– This is not to say these applications are low risk– The volume is low when compared to the volumeand frequency of use, and the threats found in theother applicationsSource: Palo Alto Networks, Application Usage and Threat Report, 10th Editionsummarizes network traffic assessments performed on > 3,000 networks, encompassing 1,395applications, 12.6 petabytes of bandwidth, 5,307 unique threats and 264 million threat logsIT Directors Community of Practice
  6. 6. Exploits Target High-value, BusinessApplications and Assets– Crunchy on the outside:• Exploits are bypassing the “crunchy” perimetersecurity and targeting enterprises’ most valuedassets – their “tender” business applications.– Tender on the inside:• Out of 1,395 applications found, 10 wereresponsible for 97% of all exploit logs observed• 9 of them are business critical applications.IT Directors Community of Practice
  7. 7. – While small in volume, unknown/custom traffic ishigh in risk, exemplifying the 80%-20% rule– The highest volume of malware logs (55%) werefound in custom or unknown udp– Yet it represented only 2% of all bandwidthConclusion: high value assets are in needof added levels of securityCustom/unknown Applications andMalware have Low Incidence Rate, butPose the Greatest RiskIT Directors Community of Practice
  8. 8. Access Methods are EvolvingSeparate passwordfor each applicationSeparate passwordfor each IdP**IdP = Identity Provider?Shared standards are evolving for identity, authentication, and authorization.UserselectionAnalogy to ATM NetworksIT Directors Community of Practice
  9. 9. Enterprise Identity• So what is enterprise identity?• Identity is a set of attributes that describes a profileof an individual, business organization, or softwareentity.• The set of attributes for an individual, forexample, could include– drivers license– social security number– travel preferences– medical history– financial data– Etc.IT Directors Community of Practice
  11. 11. Identity Management RolesServiceproviders(SP)IdentityProviders(IdP)Individuals*with multipleidentityprofiles• Healthcare profile• Employee profile• Investor profile• Social profile• Business profileEqual andinteroperableidentityprovidersControl overownership anddisclosureManageprivacy andpreferences*A person, a business, a software entityIT Directors Community of Practice
  12. 12. Evolution of Identity NetworksOrganizations can maintain their own customer/employee data while sharing identitydata with partners based on their business objectives and customer preferences.IT Directors Community of Practice
  13. 13. IdM Nomenclature - Identification• Identification Comparing presentedcredentials to a set ofattributes that describes aprofile of anindividual, businessorganization, or softwareentityIT Directors Community of Practice
  14. 14. IdM Nomenclature - Authentication• AuthenticationConfirming the truth ofan attribute of a datumor entity. This mightinvolve confirming theidentity of a person orsoftware program.Authentication ofteninvolves verifying thevalidity of at least oneform of identification.IT Directors Community of Practice
  15. 15. • Authentication Attributes– What you have– What you know– What you are– Where you are– Combinations• 2-factor, 3-factor authentication• Hybrid• Mutual authentication• AuthenticationIdM Nomenclature - AuthenticationIT Directors Community of Practice
  16. 16. Cross-Domain AuthenticationTwo or more user directorydomains within the sameenterprise are implicitly connectedby two-way, transitive trusts.Authentication requests madefrom one domain to another aresuccessfully routed in order toprovide a seamless coexistenceof resources across domains.Users gain access to resources inother domains after first beingauthenticated in their ―home‖ domain.MS Active Directory FederationServices (ADFS)Two or more systems use tokens toexchange credentials. ADFS employs theMS claims-based access control andauthorization model.SAMLOASIS-based, browser-oriented, XML-based standard for exchangingauthentication credentials over the Internet.WS- TrustOASIS-based standard that employs webservices to exchange security tokens acrossdomains. This can be used for security keyexchange.WS-Trust fails to address some requirementsof federation (eg. privacy)IT Directors Community of Practice
  17. 17. IdM Nomenclature - Authorization• AuthorizationProcess of managingaccess to resources andaccess rights orprivileges; using accesscontrol rules to decidewhether access requestsfrom alreadyauthenticated requestersshall be approved(granted) or disapproved(rejected).IT Directors Community of Practice
  18. 18. IdM Nomenclature – Logon/Login• Logon Process1. Presenting the credentialsrequired to obtain accessto a computer system orother restricted area2. The process by whichindividual access to acomputer system ornetwork is controlled byevaluating the presentedidentity and credentialsIT Directors Community of Practice
  19. 19. IdM Nomenclature - Accounting• AccountingManaging information aboutthe relationship of users andthe resources they are/are notpermitted to access, including• access history• account control• access auditsEmploys mechanisms to• synchronize users• access rules or constraints• manage/review/report on accessto system and/or cloud-enabledresourcesIT Directors Community of Practice
  20. 20. Assertion Query• The ―A‖ in SAML is Assertion– Security Assertion Markup Language– An assertion is simply 1 or more statements– An assertion query is a requestIT Directors Community of Practicesamlp:AuthnRequestxmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"ForceAuthn="true"AssertionConsumerServiceURL=""AttributeConsumingServiceIndex="0" ProviderName="string"ID="abe567de6"Version="2.0"IssueInstant="2005-01-31T12:00:00Z"Destination=""Consent="" ><saml:Subjectxmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"<saml:NameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></saml:NameID></saml:Subject></samlp:AuthnIn this example, a SAMLassertion is beingrequested pertaining tothe suppliedsubject, (
  21. 21. Attribute Definitions• User Attributes– Each piece of identifying information about a user– Users have identity attributes, each of which may be storedon one or more target systems.– The individual claiming an attribute may only grant selectiveaccess to its information• Attributing party– Trusts that the claim of an attribute (such asname, location, role as an employee, or age) is both• Correct• Associated with the person or thing presenting the attribute.• Contextual identity– Digital identity is better understood as a particularviewpoint within a mutually-agreed relationship than as anobjective property.IT Directors Community of Practice
  23. 23. Automatic ProvisioningProcess to grant users accessto data repositories or grantauthorization tosystems, network applicationsand databases based on aunique user identity.Creation, maintenance anddeactivation of user objectsand user attributes, as theyexist in one or moresystems, directories orapplications, in response toautomated or interactivebusiness processes• Examples– Process to monitor an HRapplication and automaticallycreate new users on othersystems and applications whennew employee records appear inthe HR database.– Automatically deactivate userobjects for users, such ascontractors, whose scheduledtermination date has passed.IT Directors Community of Practice
  24. 24. Privileged Accounts Management• Grant administrators only the access rightsrequired for their jobs• Base those rights on established and controlledpolicy– Policy-based delegation of elevated access privileges– Secure the process of requesting, approving and issuingaccess to those accounts critical application-to-application (A2A) access application-to-database (A2D) separation of duties for privileged access– Manage policy, rights and activities performed throughprivileged accessIT Directors Community of Practice
  25. 25. Privileged Accounts Management48% of data breaches were caused by privileged misuse- Verizon, Data Breach Investigations Report―Shared superuser accounts — typically system-defined inoperating systems, databases, network devices and elsewhere— present significant risks when the passwords are routinelyshared by multiple users‖- Gartner, MarketScope for Shared-Account/Software-AccountPassword Management75% of responding DBA’s reported that ―Our organizations donot have a means to prevent privileged database users fromreading or tampering with human resources, financial or otherbusiness application data in the databases- Oracle DBA SurveyIT Directors Community of Practice
  26. 26. Synchronized Identities Model• Multiple identity modelsor systems aresynchronized• An authoritative identitysource is built frommultiple identity sources• The identities are storedin a referencedirectory, such as LDAP• Synchronization– Changes to identitiesin the authoritativedirectory arepropagated to thereference directory– Access rights arethen updatedIT Directors Community of Practice
  27. 27. Proxied Authentication• Uses a middle-tier server for authenticationThree types1. An application user, or an application, authenticatesitself with the middle-tier server.– Client identities can be maintained all the way through tothe database.2. The clients identity and database password arepassed through the middle-tier server to the databaseserver for authentication.3. The client, that is, a global user, is authenticated bythe middle-tier server, and passes either aDistinguished name (DN)* or a Certificate through themiddle tier for retrieving the clients user name.*DN is a global name in lieu of the password of the user being proxiedCREATE USER jeff IDENTIFIED GLOBALLY AS CN=jeff,OU=americas,O=oracle,L=redwoodshores,ST=ca,C=us;ALTER USER jeff GRANT CONNECT THROUGH scott AUTHENTICATED USING DISTINGUISHED NAME;
  29. 29. The Extended Enterprise• In the emerging ―extended enterprise‖ businessfunction workflows often extend beyond theboundaries of the enterprise• The ―extended enterprise’s security practicesmust treat internal and external users in thesame mannerIT Directors Community of Practice
  30. 30. Identity Federation• The technologies, standards and use-cases which serveto enable the portability of identity information acrossotherwise autonomous security domains• Identity federation goal: enable users of one domain tosecurely and seamlessly access data or systems ofanother domain without the need for redundant useradministration.• Scenarios– User controlled– user-centric– enterprise controlled– B2BIT Directors Community of PracticeIT Directors Community of Practice
  31. 31. Identity Federation GoalsIdentity portabilityachieved in anon-proprietary, standards-based mannerIT Directors Community of PracticeCross-domain, web-based– single sign-on– user account provisioning– entitlement management– user attribute exchangeAutomatic use cases– user-to-user– user-to-application– application-to-applicationIT Directors Community of Practice
  32. 32. Federation Types• Identity-based Federation• Identity based federation - only the SSO functionality of SAML is being required to beregistered in both organizations. If Joe is registered with the IdP and wishes a resourceon SP in another organization then that same identity will be registered at the SP. Theidentity of the Principal is carried in the <subject> of the <assertion> header.• Attribute-based Federation• Similar to Identity-based Federation, but the type of session and the access right theuser has on the SP is based on attribute information transported in the SAMLassertion. While the user name can be used for auditing purposes it is not used foraccess management purposes. An example is using a Role attribute, for example, "HRMember".– Attributes are carried in the <AttributeStatement> of a SAML assertion.Attribute Based Access Control (ABAC) is used by Grid Systems, in which therelationship between users and resources is ad hoc.IT Directors Community of Practice
  33. 33. SSO in a Federation• A process that is used across multiple ITsystems and organizations to authenticateaccess to a resource for an individual orsystem• A users single authentication ticket, ortoken, is trusted across multiple IT systemsand/or even organizations.• SSO relates to authentication, only, and doesnot include authorization.IT Directors Community of Practice
  34. 34. Federation TerminationDefederationis the process of terminating the validity of a federated identity witheither an IdP or an SP.Both the IdP and the SP should notify each other of defederation.However, it appears there is not a structured or standardizedmethod for defederation.The distinction must also be made between terminating afederated session versus terminating a federation relationshipaltogether.IT Directors Community of Practice
  35. 35. Identity Federation SolutionProvidersRadiant Logic: Radiant OneRadiant One Federated Identity PlatformVirtual Directory ServerVDS extracts identity and context information out of various application and data silos. Itre-maps the underlying sources and presents the identity data in customized views.Identity Correlation and Synchronization Server (ICS)Identifies relationships between identities represented in heterogeneous data sources. ICSbuilds a common identity out of multiple systems to create a unified view of identitydata, eliminating user overlaps.Cloud Federation Service (CFS)Provides the RadiantOne suite with a complete identity provider (IdP), an authenticationmodule which verifies a security token once and then uses it for each system it needs toaccess for on-premise and cloud-based applications, enabling single sign-on for users.IT Directors Community of PracticeIT Directors Community of Practice
  36. 36. Identity Federation SolutionProvidersPing IdentityPingFederateOutbound and inbound solutions for single sign-on, federated identity management, mobile identitysecurity, Tier 1 SSO extends employee, customer and partner identities across domains withoutpasswords, using standard identity protocols (SAML, WS-Fed, OpenID.) PingFederate translatescustomer and partner standard tokens into local tokens. For outbound use cases, PingFederateauthenticates user credentials, regardless of how they authenticate, and translates them intostandard tokens.PingOne Identity as a ServicePingFederate can be deployed in conjunction with PingOne Cloud Access Services for faster andmore flexible employee access to SaaS applications.IT Directors Community of PracticeIT Directors Community of Practice
  37. 37. Identity Federation SolutionProvidersOneLoginOneLogin focuses primarily on companies that operate in the cloud and integrates withcloud apps using SAML, WS-Federation, OpenID and web services integration.The companys cloud-based IAM market now includes 700 enterprise customers in 35countries, including AAA, Gensler, Netflix, News International, Pandora, Steelcase and PBS.OneLogin has continued on a path of innovation andgrowth, including:• First iPad app for identity management• First Federated Cloud Search IAM product that enables secure, real-time search acrosspublic cloud applications such as Box, Google Apps, Salesforce, Yammer and Zendesk• Pre-integration with 2,800 cloud apps, more than any other IAM vendor• Open Source SAML Toolkits, now used by over 70 SaaS vendors and over 30 appvendors to make their apps more secureIT Directors Community of PracticeIT Directors Community of Practice
  38. 38. Identity Federation SolutionProvidersPasswordBank Technologies Inc.: PasswordBank Federation• Federated Single Sign-On allows a user to login once and then access allauthorized cloud and on-premise services across Mac, Linux andWindows, without the need for a password at each service.• Enables the Enterprise to maintain full and centralized control overaccess to all applications of the organization.– Two-factor strong authentication,– Account provisioning and deprovisioning– Centralized audit repository• PasswordBank IdentityBroker allows identity-related information to beshared securely between the Enterprise, Service Providers and IdentityProviders (cloud and on-premise applications).IT Directors Community of PracticeIT Directors Community of Practice
  39. 39. Identity as a Service• Authenticationinfrastructure hosted by athird party• SSO in the cloud• IDaaS for enterprises’SaaS applications• A cloud IDaaS serviceprovider may– Securely manage cloudidentities for SaaS applications– Maintain federated trusts– Manage accountprovisioning/deprovisioning– Host applications– Provide subscribers with role-based access to specificapplications– Provide entire virtualizeddesktops through a secureportal– Provide Identity auditingIT Directors Community of Practice
  40. 40. Stateless Identity• Just-in-time identity data and servicesreceived from authoritative domains• Similar to Windows Azure Access ControlServices and carried outside the enterprise• Once authorizations are configured, a user comingto an application via ACS arrives at the application―entrance‖ with not only an authenticationtoken, but also a set of authorization claimsattached to the tokenIT Directors Community of Practice
  41. 41. Authentication Service• Open API– Not limited to LDAP and AD• Called by both internal and external apps• Performsidentification, authentication, and attributedelivery of all users under enterprisecontrolIT Directors Community of Practice
  42. 42. Provisioning Service• Open API for account synchronization amonginternal, SaaS, and partner apps– Called by both internal and external apps– Supports deprovisioning– Enables provisioning workflows loosely coupledwith internal directory and database infrastructure– Available connectors for many enterprise systemsand appsIT Directors Community of Practice
  43. 43. SAML to Token ServiceIT Directors Community of PracticeA client obtains a SAML 2.0 bearer assertion and makes an HTTP request to the PingFederate OAuthAS to exchange the SAML assertion for an access token. The AS validates the assertion and returns anaccess token. The client uses the token in an API call to the Resource Server to obtain data.1. Some user-initiated or client-initiated event (for example, a mobile application or a scheduled task)requests access to Software as a Service (SaaS) protected resources from an OAuth client application.2. The client application obtains a SAML 2.0 bearer assertion from a local Identity Provider (IdP) forexample, PingFederate.3. The client makes an HTTPrequest to the PingFederateOAuth AS to exchange theSAML assertion for an accesstoken.The AS validates the assertionand returns the access token.4. The client application adds theaccess token to its API call tothe Resource Server.The Resource Server returnsthe requested data to theclient..
  44. 44. Identity Discovery ProblemA user interacting with a service provider wants to access to restricted content ona site within a federation:1. The user, via web browser, connects to the target service provider; and requests to viewrestricted content.2. The service provider receives this request, and needs to know information about theperson.3. In the federated world, this means that the user needs to be sent to their homeorganizations identity provider, which will "vouch" for that person and pass acrossinformation about them to the resource provider.4. The service provider "discovers" which is the users home institution5. The service provider redirects the user to their home institutions identity provider.6. The user authenticates at their identity provider (IdP), which responds to the serviceprovider (SP), letting them know that this user authenticated successfully, and oftenproviding some information about that user.7. The service provider receives this information, and then either grants or denies accessbased upon the information it received.Q: How does the SP figure out which is the user’s “home” IdP?IT Directors Community of Practice
  45. 45. Identity Discovery SolutionsA user interacting with a SP wants to access restricted content on a sitewithin a federation.Solution Options1. Avoid Discovery (IdP-initiated SSO)Each institution can configure a page (usually their existing library portal page) tolist all resources available to their users along with links to these resources. Theselinks are constructed such that they send the user1. to that institutions identity provider*. After the user has successfullyauthenticated,2. directly onto that resource.Thus, the service provider never has to ``discover which institution the user isfrom, since the first time they see the user the user has already authenticated.IT Directors Community of Practice*But suppose the user starts on the site where the target content is located?
  46. 46. A user interacting with a SP wants to access restricted content on a sitewithin a federation.Solution Options2. Client-less Discovery (SP-Initiated SSO)The SP asks the user to manually tell them which is theirhome organization. This method of discovery comes intwo forms:1. The user tells the service provider directly; or2. The SP sends the user to a centrally provided service;the user tells this service.IT Directors Community of PracticeIdentity Discovery Solutions*OMG the user has to do this manually every time? Really?
  47. 47. Identity Discovery SolutionsA user interacting with a SP wants to access restricted content on a sitewithin a federation:Solution Options3. Client-mediated DiscoveryThe client is configured to tell the SP what the user’shome organization is.1. The users client tells the service provider wherethe person is from; or2. The users client is the identity provider; or3. The users client proxies the identity provider.IT Directors Community of Practice
  48. 48. Enterprise Cloud Identity & AccessManagement Providers• Security and risk professionals see IAM as a costcenter and• Prefer not to build out or expand IAM capabilities• Cost-effective, SaaS-based IAM solutions thatcomplement on-premises ones are availableIT Directors Community of PracticeIT Directors Community of Practice
  49. 49. Client-Mediated DiscoveryThe client is configured to tell the SP what the user’shome organization is.1. The users client tells the service provider where theperson is from– Enhanced client or proxy (user’s browser plugin)*– Plugin “listens” for WAYF requests from SP– Automatically answers2. The user’s client is the Identity provider (self-issuedidentity);3. The client sends this request on to the users identityprovider (it proxies it), receives the response, and in turnsends this response back to the service provider. **IT Directors Community of Practice*SAML 2 Specification for ECP ** The SP never needs to know who the IdP is
  50. 50. WAYF• Where Are You From– You must answer that question when you log into aweb based service using WAYF login.– WAYF login is a Single Sign-On system* which permitsusing one single login to access several web-basedservices.• Creates connections between the login systems at theconnected institutions and external web based services.• Ensures that users consent to have information about thempassed on to the web-based services.– WAYF login does not store any personally identifiabledata.IT Directors Community of Practice*Provided by the Danish government in collaboration with many identity andservice providers and institutions
  51. 51. Authorization ServiceCentral authorization repository– Authorization model information used to provide complex access controlsbased on data or information or policies including user attributes, user roles/groups, actions taken, access channels, time, resources requested, externaldata and business rules– Policies that are stored in an IAM policy storeFrameworks– Spring Security• Access control framework; released under an Apache 2.0 license• Used to secure numerous demanding environments including governmentagencies, military applications and central banks.– Seam Framework• Programming model with a Security API (an optional Seam feature) that providesauthentication and authorization features for securing access to domain and webpage resources, components, and component methods• Can be used to display/hide web page content based on user privileges• Includes a comprehensive authorization framework, supporting userroles, persistent and rule-based permissions, and a pluggable permission resolverfor easily implementing customized security logic.IT Directors Community of Practice
  52. 52. Enterprise Cloud Identity & AccessManagement ProvidersIntel Cloud SSO• Standards-based identity as a service (IDaaS) solution• Context-aware Strong Authentication– invokes mobile or hardware assisted, 2-factor authentication based on the targetapp, network, time of day, mobile browser and other parameters.• Connects Identity Stores– Authenticates, provision/de-provisions user access to cloud systems from insideor outside the corporate firewall, leveraging directory services including ActiveDirectory, LDAP,, or Intel Cloud SSO identity stores.IT Directors Community of PracticeIT Directors Community of Practice
  53. 53. Enterprise Cloud Identity & AccessManagement ProvidersOkta Cloud Identity andAccess Management• Access control to SaaSapplications• User account provisioning forSaaS and in-house applicationsUser access recertification• User repositories supported• Multitenancy & protection ofpersonally identifiableinformation• Auditing and reporting• Strong authentication support.IT Directors Community of PracticeIT Directors Community of Practice• Good integration with strongauthenticators & broad SaaSapplication support• Runs on Amazon Web Servicesunder the covers• Many pre-integrated SaaSbusiness applications• Extensively supports IntegratedWindows Authentication (IWA)• Supports inbound SAML foridentity provider (IdP) proxying*• No support for disabling usersautomatically after a period ofinactivity, or for attestation.*May limit usefulness for large clients
  54. 54. Enterprise Cloud Identity & AccessManagement ProvidersSymplified Cloud Identity andAccess Management• One of the longest-standing inthe cloud IAM market• Architecturally stable via itsIdentity Router customer-premises equipmentinfrastructure• Can be deployed as a software orhardware appliance, or as a cloudconnector• Broad protocol and endpointsupport• Partners with Symantec’s VIPservice for strong authenticationIT Directors Community of PracticeIT Directors Community of Practice• CSC is reseller and providessystem integration• Does not support implicit or just-in-time provisioning• Dashboards and reporting arefairly immature• No workflow designer — only animplicit workflow for accessrequest management andapprovals• By design, no support forhierarchies of multi-tenancy, which may limit itsusefulness at large clients
  55. 55. Enterprise Cloud Identity & AccessManagement ProvidersCovisint Cloud Identity andAccess Management• Access control to SaaSapplications• User account provisioning forSaaS and in-house applicationsUser access recertification• User repositories supported• Multitenancy & protection ofpersonally identifiableinformation• Auditing and reporting• Strong authentication support.IT Directors Community of PracticeIT Directors Community of Practice• Good integration with strongauthenticators & broad SaaSapplication support• Runs on Amazon Web Servicesunder the covers• Many pre-integrated SaaSbusiness applications• Extensively supports IntegratedWindows Authentication (IWA)• Supports inbound SAML foridentity provider (IdP) proxying*• No support for disabling usersautomatically after a period ofinactivity, or for attestation.*May limit usefulness for large clients
  57. 57. Identity Compliance and Privacy• A user signs-in and out of Identity Provider (IdP) systems or security token services(STS) via explicit messages or implicitly via a request• The issued tokens may either represent the principals primary identity or somepseudonym appropriate for the scope• The IdP or STS issues messages to interested and authorized recipients.• Principals are registered with the attribute/pseudonym services and attributes andpseudonyms are added and used.• Authorized services can query attribute/pseudonym services using the providedidentities to obtain authorized information about the identity.• Such queries can potentially be anonymous which means that the party requestingthe information has an opaque token, and is not aware of the real identity of theobject of the queryIT Directors Community of Practice
  58. 58. Name Mapping and Linking• In a federated environment, with identity information and other assertionspassing through a network between systems, protecting the user’s privacybecomes paramount.• With SSO, it is possible to track the user across several SPs.• Pseudonyms provide a way to obfuscate the identity of the user across SPs.• When the IdP delivers the assertions to the SP, the use of pseudonymsmakes it possible to have a different user ID for the same user at each SP• Persistent Pseudonym - the SP will see the same pseudonym each time theuser accesses the SP.• Transient Pseudonym - the SP is presented with a different pseudonymeach time a user gains access to the SP.IT Directors Community of Practice
  59. 59. Single Logoff Operations• When the user selects logoff in an application, two potentialoptions must be offered.1. Does the user want to logoff from this specificapplication, maintaining the current SSO session, or2. Does the user want to end their SSO session, closing allindividual application sessions?• Solution for #2– SP communicates the logoff request to the IdP. TheIdP, based on its session store and information from themetadata, issues a logoff request to all SPs for which anactive session is present.– When the SP receives a logout request, it will close thecurrent session and notify the application, allowing theapplication to perform required cleanup.IT Directors Community of Practice
  60. 60. Session Timeout Operations• With SSO, the user is using the same login for• several applications, potentially across severalsystems• Managing SSO session timeouts by eachapplication is inefficient• With Single Log Off, applications can, through theIdP, centrally manage a user’s idle time• Consolidating session timeouts and establishing aconsistent session timeout period is another policythat must be considered when a federation forms.IT Directors Community of Practice
  61. 61. ConclusionEnterprise Identity Management has matured with the expansion of establishedstandards and interoperability approaches. The growing number of enterpriseapplications accessed by internal employees in collaboration with salespartners, distribution partners, customers, and other business channels.Enterprise IT executives with limited development, deployment, and infrastructurebudgets are differentiating strategic, proprietary systems from utilities that are nowwidely available outside the enterprise firewalls. Many enterprise strategies includeintegrating identity federation into their IT vision, strategy, infrastructure, andapplication support models.CIOs also recognize the growing importance of understanding the whole spectrumof identity management capabilities, including how to handle identity-based Webservices. Implementing identity federations is now feasible and increasinglymandated by business partners, affiliates, and customers. With the growing numberof cloud and access management solutions, strategic partnerships with solutionproviders and consultants will be central to a successful outcome.