CIS14: Creating a Federated Identity Service for ABAC and Web Access Management
DESCRIPTION
Matt Tatro, Denise Lores, Wade Ellery (Radiant Logic). How to create a federated identity service that will build a bridge from the old world of groups to the new world of ABAC, improving your authorizations and Web Access Management.
TRANSCRIPT
Creating a Federated Identity Service for ABAC and Web Access Management
Wade Ellery, Western Region Director of Sales
Denise Lores, Senior Architect
The Four Pillars of Identity Services
• Enhanced user experience
• Improved management of security risks
• Efficient development/deployment of applications
• Reusable integration

• HIPAA, SOX compliance
• Common access logs
• Improved accountability
• Common reporting

• Reduced administrative tasks
• Reduced help desk calls
• Improved process efficiency
• Central user information

• Reduced administrative tasks
• Reduced help desk calls
• Improved security
• Accountability
• Cost savings
Diagram: identity service capabilities grouped under the four pillars (Audit, Role & Compliance; Access Management; Identity Management; Identity Data Services): User Self-Service & Password Management, Virtual Directory, Web Access Management/SSO, Centralized Audit, Delegated Administration, Synchronization/Replication, Federated Identity Management/SSO, Logging and Monitoring, Automated Approvals and Workflows, Meta Directory, Authentication & Authorization, Access Certification, Enterprise Role Definition, Directory Storage, Standard APIs, Reporting.
RadiantOne: Your Foundation to a Complete Identity Service
Diagram: identity sources feeding the service: HR Databases, Applications Databases, LDAP Directories, Cloud Apps, IDM.

Supporting Multiple Repositories is Costly: Traditional IDM Attempted to Mitigate
Diagram: IDM connecting the Existing Identity Infrastructure to Legacy Applications.

New Applications and Customers Increase Complexity, Support, and Risk
Diagram: SaaS/Cloud/BYOD/Partner Apps added alongside the Existing Identity Infrastructure, IDM and Legacy Applications.

RadiantOne: The Identity Hub
Diagram: RadiantOne as a Federated Identity Service between the Existing Identity Infrastructure, IDM, Legacy Applications and SaaS/Cloud/BYOD/Partner Apps.

Federated Identity Service Able to Sunset Identity Stores
Diagram: the Federated Identity Service fronting IDM and Legacy Applications for the SaaS/Cloud/BYOD/Partner Apps.
Identity as a Service through Virtualization: The Key to Solving the Identity Integration Challenge
• Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos.
• Aggregation, correlation, transformation and normalization of the user identity make it possible to serve that identity to applications in the format they expect.
Diagram: Aggregation, Correlation and Integration through Virtualization: identity sources (Population A, Population B, Population C; Groups, Roles; Contexts) exposed as Services over LDAP, SQL, Web Services/SOA, SCIM and REST to App A through App F.
More Identities, Better Scope—the Secret to Boosting Your Ping federation IdP Deployment
Diagram: example attributes available for scoping identities: Administrator, Standard User, Manager; Sales, Marketing, Product Management; People ID/identifiers; Product 1, Product 2, Product 3; Web Content, Lead Generation, Direct Sales, Indirect Sales.
• If you already hold those attributes somewhere, group memberships can be data-driven instead of statically assigned.
Where do the Attributes Come From?
Existing Data Sources!
Groups, Roles, Departments, Divisions, Location
RadiantOne Methodology Leveraging Existing Contexts to Build User Profiles
RadiantOne Methodology Joining across Data Silos Links Identities to Context
• RadiantOne is made of two main parts:
  • An integration layer based on virtualization
  • A storage layer: Persistent Cache
    • LDAP (up to v6.2)
    • HDAP (based on big data technologies, v7.0)
RadiantOne Integration Layer and Cache/Storage Layer
Diagram: the Integration Layer alone, and the Integration Layer + Storage (Persistent Cache, HDAP), both built over an HR Database, an LDAP Directory and Active Directory.
Normalizing Attributes Across Sources to Support Policy Authoring and Policy Decision Point
Correlated Identity Virtual View:
employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail=[email protected], uid=AFuller, nTitle=VP Sales, ClearanceLevel=1, Region=PA, memberOf=Sales, nDepartment=Sales

Source records the view is correlated from:
• Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail=[email protected], departmentNumber=234, title=Sales, VP
• LDAP Directory: uid=AFuller, title=Vice Pres. Sales, givenName=Andrew, sn=Fuller, departmentNumber=234
• HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234

Dynamic Groups Virtual View:
cn=Sales, objectClass=group, member=Andrew_Fuller
Based on identities that have: ClearanceLevel=1, nTitle=VP Sales, Region=PA (a Computed Attribute)

Normalized Attribute Values (Federated Identity Attribute Server):
• Attribute: nDepartment. Values: Accounting, Administration, Business Development, Distribution, Marketing, Production, Research, Sales, Shipping
• Attribute: nTitle. Values: CEO, CIO, CISO, VP Sales, VP Marketing, …
RadiantOne as Single Identity Source
Diagram: RadiantOne fronts Access Management, a Portal and ODSEE and serves Enterprise App A (MemberOf = Sales), Enterprise App B (MemberOf = Finc), Claims Enabled App C (Security = High) and Claims SaaS App D (Security = Low) from one merged profile per user. The fragments shown come from AD (saMAccountName = JSmythe, MemberOf = IT, Finc), IDM (User = JSmythe, GUID = 23185798306=4; User = LCallahan, GUID = 39583201202=3), an Oracle DB and Customer App profiles (User = LCallahan, Co = Sutton Ryan, MemberOf = Sales), SAP ERP (John_Smythe = High, Laura_Callahan = Low) and SaaS profiles (Laura_Callahan: Co = Sutton Ryan, Security = Low, MemberOf = Sales; John_Seed: MemberOf = IT, Finc, Security = High). The merged entries are Laura_Callahan (Co = Sutton Ryan, MemberOf = Sales, Security = Low), John_Smythe (MemberOf = IT, Finc, Security = High) and Jill_Seed (MemberOf = Sales).
RadiantOne as Single Identity Source for IDaaS and Portal
Diagram: the same pattern with a Portal and an IDaaS provider as consumers, and two Active Directory forests (NorAm AD and EMEA AD) kept in sync with the VDS alongside the SAP ERP (John_Seed = High, Laura_Callahan = Low) and IDaaS profiles. The merged entries are Laura_Callahan (Co = Sutton Ryan, MemberOf = Sales, Security = Low), John_Seed (MemberOf = IT, Finc, Security = High) and Jill_Smythe (MemberOf = Sales).
Why RadiantOne
• Portals, Content Management, Collaboration
• Federated Access - SaaS/Cloud Apps/Claims
• Web SSO – Access Management
• Partner/Vendor/Customer IAM
• Fine Grained Authorization (ABAC, XACML)
• Mergers, Acquisitions, Divestitures, Reorgs
• Directory Re-architecture, Replacement, Decommission
• Active Directory Consolidation and Partitioning