Utah Architecture Review Single Sign-On


Published on

Presentation to the Utah Architecture Review Board on Single Sign-On and the Utah Master Directory

Published in: Economy & Finance, Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Utah Architecture Review Single Sign-On

  1. 1. TA Review – Authentication and Single Sign-On Utah Department of Technology Services March 2008
  2. 2. Introduction The Utah Master Directory (UMD) and related SiteMinder architecture was designed in 2001. There is a need to validate current practices against best practice industry solutions with an objective of wider adoption of the Single Sign-On (SSO) and related directory and access control infrastructure.
  3. 3. Types of Single Sign-on
  4. 4. Identity Access Mgmt Ecosystem
  5. 5. Current Architecture <ul><li>UMD Directory </li></ul><ul><li>SiteMinder </li></ul><ul><li>Credential Collector </li></ul><ul><li>AppProfile System </li></ul><ul><li>AppAdmin </li></ul><ul><li>JAAS Providers to Application Servers </li></ul>
  6. 6. User Adoption <ul><li>Overall integration with existing applications inventory is less than 30%. </li></ul><ul><li>Application specific directory and authorization is used by 65.4% of all production applications. </li></ul><ul><li>Direct LDAP to agency directory information is utilized by 23.1% of production applications. </li></ul>
  7. 7. Successful Features of UMD <ul><li>Integration with NDS to Synchronize LAN Passwords </li></ul><ul><li>Availability of UMD/SiteMinder Infrastructure </li></ul><ul><li>Identity Management </li></ul><ul><li>Simplified Maintenance of User Access Privileges </li></ul><ul><li>UMD Support Services </li></ul>
  8. 8. Obstacles that keep agencies from using UMD Services <ul><ul><li>Difficulty Using the UMD with New Applications: 22.7% </li></ul></ul><ul><ul><li>Difficulty Using the UMD with Existing Applications: 22.7% </li></ul></ul><ul><ul><li>Direct LDAP Access: 18.2% </li></ul></ul><ul><ul><li>Reliability and Scalability Concerns: 18.2% </li></ul></ul><ul><ul><li>Inadequate Documentation: 13.6% </li></ul></ul><ul><ul><li>Cost Concerns: 13.6% </li></ul></ul><ul><ul><li>Availability of UMD Web Services: 13.6% </li></ul></ul><ul><ul><li>Application Profile Management: 9.1% </li></ul></ul><ul><ul><li>SSO Security Concerns: 9.1% </li></ul></ul><ul><ul><li>Concerns with the Use of “Cookies”: 4.5% </li></ul></ul>
  9. 9. Help Desk Call Data for Password Resets and UMD Related Inquiries Industry Average is abt 30% - IT Security Journal 8.6% 8.7% 9.1% 8.8% 8.7% 7.6% % PW Resets 6,813 7,604 19,089 19,342 18,240 17,812 Total Tickets 588 662 1746 1708 1585 1354 Total 242 264 624 594 618 484 UMD PW Reset 101 147 382 421 380 385 Mainframe PW Reset 245 251 740 693 587 485 Network/LAN PW Reset Feb ‘08 Jan ‘08 4 th Q ‘07 3 rd Q ‘07 2 nd Q ‘07 1 st Q ‘07
  10. 10. Best Practices <ul><li>Application Coverage </li></ul><ul><li>Ease and Flexibility of Deployment </li></ul><ul><li>Authentication Capabilities </li></ul><ul><li>Shared Work Environments </li></ul><ul><li>Overall Security Objectives </li></ul><ul><li>User Access Management </li></ul><ul><li>Single Sign-Off </li></ul><ul><li>Enterprise Reliability and Scalability </li></ul><ul><li>Legacy Application Integration </li></ul>
  11. 11. Industry Reports Forrester Gartner
  12. 12. Extending Enterprise ID Across the Web
  13. 13. Federal E-Authentication The E-Authentication Solution created the US E-Authentication Identity Federation which allows Federation members to recognize and trust log-in IDs that are issued by other trusted Federation members. The trusted members that issue these log-in IDs may be other government agencies, academic institutions, or commercial entities, such as banks or other financial services institutions. There is opportunity for Utah to participate in this initiative by establishing the UMD as a trusted entity.
  14. 14. Recommendations <ul><li>Position UMD Services as more than just a directory or SSO solution but as a comprehensive IAM solution. </li></ul><ul><li>Establish the UMD as a trusted identity source so State users can use UMD identity to access Federal applications and services as a trusted partner. </li></ul><ul><li>Add third party reporting software, such as eIQ, LogRhythm, etc., to facilitate audit tracking of who has access to directory enabled resources, and when they had access. </li></ul><ul><li>Improve the user interface for AppAdmin and AppProfile so they are easier to use by the development and application business management communities. </li></ul><ul><li>Provide capability for direct LDAP access by agencies within security model constraints. </li></ul><ul><li>Appoint a study group to review UI authentication and look at possible integration of their 36,857 directory subscribers with the UMD directory as a specialized container. </li></ul>