CIS14: Creating a Federated Identity Service for ABAC and Web Access Management

Wade Ellery, Western Region Director of Sales
Denise Lores, Senior Architect

Upload: cloudidsummit

Post on 18-May-2015


DESCRIPTION

Matt Tatro, Denise Lores, Wade Ellery (Radiant Logic). How to create a federated identity service that will build a bridge from the old world of groups to the new world of ABAC, improving your authorizations and Web Access Management.

TRANSCRIPT

Page 1: CIS14: Creating a Federated Identity Service for ABAC and Web Access Management

Creating a Federated Identity Service for ABAC and Web Access Management

Wade Ellery, Western Region Director of Sales

Denise Lores, Senior Architect

Page 2

The Four Pillars of Identity Services

Benefits, in the four bullet groups shown on the slide:

• Enhanced user experience; improved management of security risks; efficient development/deployment of applications; reusable integration

• HIPAA, SOX compliance; common access logs; improved accountability; common reporting

• Reduced administrative tasks; reduced help desk calls; improved process efficiency; central user information

• Reduced administrative tasks; reduced help desk calls; improved security; accountability; cost savings

Capabilities shown on the slide: User Self-Service & Password Management; Virtual Directory; Web Access Management/SSO; Centralized Audit; Delegated Administration; Synchronization/Replication; Federated Identity Management/SSO; Logging and Monitoring; Automated Approvals and Workflows; Meta Directory; Authentication & Authorization; Access Certification; Enterprise Role Definition; Directory Storage; Standard APIs; Reporting

The four pillars: Access Management; Identity Management; Identity Data Services; Audit, Role & Compliance

Page 3

RadiantOne: Your Foundation to a Complete Identity Service

Identity sources shown: HR Databases; Applications Databases; LDAP Directories; Cloud Apps

Page 4

Supporting Multiple Repositories is Costly: Traditional IDM Attempted to Mitigate

Diagram labels: IDM; Existing Identity Infrastructure; Legacy Applications

Page 5

New Applications and Customers Increase Complexity, Support, and Risk

Diagram labels: IDM; Existing Identity Infrastructure; Legacy Applications; SaaS/Cloud/BYOD/Partner Apps

Page 6

RadiantOne: The Identity Hub

Diagram labels: RadiantOne; Existing Identity Infrastructure; SaaS/Cloud/BYOD/Partner Apps; IDM; Legacy Applications

Page 7

Federated Identity Service: Able to Sunset Identity Stores

Diagram labels: Federated Identity Service; Existing Identity Infrastructure; SaaS/Cloud/BYOD/Partner Apps; IDM; Legacy Applications

Page 8

Identity as a Service through Virtualization: The Key to Solving the Identity Integration Challenge

• Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos.

• Aggregation, correlation, transformation, and normalization of the user identity provide the ability to serve that identity to applications in the format they expect.

Diagram labels: Aggregation; Correlation; Integration; Virtualization; Population A; Population B; Population C; Groups; Roles; LDAP; SQL; Web Services/SOA; Contexts; Services; SCIM; REST; App A through App F

Page 9

More Identities, Better Scope—the Secret to Boosting Your PingFederate IdP Deployment

Page 10

Where Do the Attributes Come From? Existing Data Sources!

Diagram labels: Administrator; Standard User; Manager; Sales; Marketing; Product Management; People ID/identifiers; Product 1; Product 2; Product 3; Web Content; Lead Generation; Direct Sales; Indirect Sales

• If you have those attributes somewhere already, instead of having static assignment, the group memberships can be data-driven.

Attribute sources: Groups; Roles; Departments; Divisions; Location

Page 11

RadiantOne Methodology: Leveraging Existing Contexts to Build User Profiles

Page 12

RadiantOne Methodology: Joining across Data Silos Links Identities to Context

Page 13

RadiantOne Integration Layer and Cache/Storage Layer

• RadiantOne is made of two main parts:
  • An integration layer based on virtualization
  • A storage layer: Persistent Cache
    • LDAP (up to v6.2)
    • HDAP (based on big data technologies, v7.0)

Diagram labels: Integration Layer; Integration Layer + Storage (Persistent Cache); HDAP; Storage (Persistent Cache)

Page 14

Normalizing Attributes Across Sources to Support Policy Authoring and Policy Decision Point

Source records for one person (the source is identified by its attribute names):

Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], departmentNumber=234, title=Sales, VP

LDAP Directory: uid=AFuller, title=Vice Pres. Sales, givenName=Andrew, sn=Fuller, departmentNumber=234

HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234

Correlated Identity Virtual View: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], uid=AFuller, nTitle=VP Sales, ClearanceLevel=1, Region=PA, memberOf=Sales, nDepartment=Sales

Dynamic Groups Virtual View: cn=Sales, objectClass=group, member=Andrew_Fuller. Membership is based on identities that have: ClearanceLevel=1; nTitle=VP Sales; Region=PA

Diagram labels: Computed Attribute; Normalized Attribute Values; Federated Identity Attribute Server

Normalized Attributes

Attribute: nDepartment. Values: Accounting, Administration, Business Development, Distribution, Marketing, Production, Research, Sales, Shipping

Attribute: nTitle. Values: CEO, CIO, CISO, VP Sales, VP Marketing, …
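The flow sketched on pages 8, 10 and 14 (aggregate records from several silos, correlate them into one profile, normalize title and department values, then derive group membership from attributes instead of static lists) is shown below as an added example written for this transcript; it is not Radiant Logic's or RadiantOne's code. The join keys (AD samAccountName, HR UserID without its EMP_ prefix, LDAP givenName_sn), the TITLE_MAP/DEPT_MAP tables, the second person (Beth Lee), the orphan LDAP record and the mail addresses are all constructed assumptions; only Andrew Fuller's values follow the slide.

```python
"""Added example: correlate HR, LDAP and AD records into one virtual view,
normalize attributes, and compute dynamic groups from those attributes."""
from typing import Optional

# Constructed sample records modelled on page 14, plus a made-up second person
# (Beth Lee) who must NOT satisfy the Sales rule, and an LDAP record with no
# counterpart anywhere else (it must be reported, never silently merged).
AD_RECORDS = [
    {"employeeNumber": "2", "samAccountName": "Andrew_Fuller", "objectClass": "user",
     "mail": "afuller@example.invalid", "departmentNumber": "234", "title": "Sales, VP"},
    {"employeeNumber": "7", "samAccountName": "Beth_Lee", "objectClass": "user",
     "mail": "blee@example.invalid", "departmentNumber": "310", "title": "Mktg Manager"},
]
LDAP_RECORDS = [
    {"uid": "AFuller", "title": "Vice Pres. Sales", "givenName": "Andrew", "sn": "Fuller",
     "departmentNumber": "234"},
    {"uid": "BLee", "title": "Marketing Mgr", "givenName": "Beth", "sn": "Lee",
     "departmentNumber": "310"},
    {"uid": "Orphan", "title": "Contractor", "givenName": "No", "sn": "Match",
     "departmentNumber": "999"},
]
HR_RECORDS = [
    {"EmployeeID": "509-34-5855", "ClearanceLevel": "1", "Region": "PA",
     "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234"},
    {"EmployeeID": "112-90-0001", "ClearanceLevel": "2", "Region": "NY",
     "UserID": "EMP_Beth_Lee", "DeptID": "Marketing310"},
]

# Normalization tables (assumed; the slide shows only the resulting value lists).
TITLE_MAP = {"Sales, VP": "VP Sales", "Vice Pres. Sales": "VP Sales",
             "Mktg Manager": "Marketing Manager", "Marketing Mgr": "Marketing Manager"}
DEPT_MAP = {"234": "Sales", "310": "Marketing"}

# Dynamic group definitions: predicates over the normalized profile. The Sales
# rule is the one on page 14; the Marketing rule is a constructed second example.
DYNAMIC_GROUPS = {
    "Sales": {"ClearanceLevel": "1", "nTitle": "VP Sales", "Region": "PA"},
    "Marketing": {"nDepartment": "Marketing"},
}


def correlation_key(record: dict) -> Optional[str]:
    """Assumed join key shared by all three silos; None if the record has none."""
    if "samAccountName" in record:
        return record["samAccountName"]
    if "UserID" in record:
        uid = record["UserID"]
        return uid[4:] if uid.startswith("EMP_") else uid
    if "givenName" in record and "sn" in record:
        return f"{record['givenName']}_{record['sn']}"
    return None


def correlate(ad, ldap, hr):
    """Aggregate the silos into one profile per key. Profiles missing a source
    are returned separately so a policy decision point never sees a half-built
    identity (a missing HR record would leave ClearanceLevel undefined)."""
    profiles, partial = {}, {}
    for source, records in (("ad", ad), ("ldap", ldap), ("hr", hr)):
        for rec in records:
            key = correlation_key(rec)
            if key is not None:
                profiles.setdefault(key, {})[source] = rec
    for key in list(profiles):
        if set(profiles[key]) != {"ad", "ldap", "hr"}:
            partial[key] = profiles.pop(key)
    return profiles, partial


def normalize(profile: dict) -> dict:
    """Build the correlated identity virtual view with normalized nTitle/nDepartment."""
    ad, ldap, hr = profile["ad"], profile["ldap"], profile["hr"]
    return {
        "employeeNumber": ad["employeeNumber"],
        "samAccountName": ad["samAccountName"],
        "uid": ldap["uid"],
        "mail": ad["mail"],
        "nTitle": TITLE_MAP.get(ad["title"], TITLE_MAP.get(ldap["title"], "Unknown")),
        "nDepartment": DEPT_MAP.get(ad["departmentNumber"], "Unknown"),
        "ClearanceLevel": hr["ClearanceLevel"],
        "Region": hr["Region"],
    }


def dynamic_groups(views: dict) -> dict:
    """Derive group membership from attribute predicates, not static member lists."""
    groups = {name: [] for name in DYNAMIC_GROUPS}
    for view in views.values():
        for name, rule in DYNAMIC_GROUPS.items():
            if all(view.get(attr) == want for attr, want in rule.items()):
                groups[name].append(view["samAccountName"])
    return groups


def build_virtual_directory():
    """Return (virtual views by key, dynamic groups, keys of uncorrelated records)."""
    profiles, partial = correlate(AD_RECORDS, LDAP_RECORDS, HR_RECORDS)
    views = {key: normalize(p) for key, p in profiles.items()}
    return views, dynamic_groups(views), sorted(partial)


if __name__ == "__main__":
    views, groups, unmatched = build_virtual_directory()
    for view in views.values():
        print(view)
    print("dynamic groups:", groups)
    print("uncorrelated records:", unmatched)
```

Two design points matter for a policy decision point consuming this view: the correlation step refuses to emit a profile that lacks one of the sources, because a group rule such as ClearanceLevel=1 evaluated against a missing attribute would silently fail closed (or, with a careless default, open), and the normalization tables are the only place where the spelling variants of a title or department are allowed to exist, so every policy is authored against nTitle and nDepartment alone.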

Page 15

RadiantOne as Single Identity Source

Diagram labels: Access Management; Portal; ODSEE; AD

Consuming applications and the attribute each expects: Enterprise App A (MemberOf = Sales); Enterprise App B (MemberOf = Finc); Claims Enabled App C (Security = High); Claims SaaS App D (Security = Low)

Oracle DB: User = LCallahan, Co = Sutton Ryan, MemberOf = Sales

Unlabeled profile records on the slide:
• Name = Laura_Callahan, Co = Sutton Ryan, MemberOf = Sales, Security = Low
• saMAccountName = JSmythe, Name = John_Smythe, MemberOf = IT, Finc, Security = High
• saMAccountName = JSeed, Name = Jill_Seed, MemberOf = Sales

SaaS Profiles: Name = Laura_Callahan, Co = Sutton Ryan, Security = Low, MemberOf = Sales; Name = John_Seed, MemberOf = IT, Finc, Security = High

John’s AD Profile: User = JSmythe, MemberOf = IT, Finc

SAP ERP Profiles: John_Smythe = High; Laura_Callahan = Low

AD Profile: saMAccountName = JSmythe, MemberOf = Sales

IDM Profile: User = JSmythe, GUID = 23185798306=4; User = LCallahan, GUID = 39583201202=3

Page 16

RadiantOne as Single Identity Source for IDaaS and Portal

Diagram labels: Portal; IDaaS; NorAm AD; EMEA AD; Sync with VDS

Customer App Profiles: User = LCallahan, Co = Sutton Ryan, MemberOf = Sales

Consuming applications and the attribute each expects: Enterprise App A (MemberOf = Sales); Enterprise App B (MemberOf = Finc); Claims Enabled App C (Security = High); Claims SaaS App D (Security = Low)

Unlabeled profile records on the slide:
• Name = Laura_Callahan, Co = Sutton Ryan, MemberOf = Sales, Security = Low
• saMAccountName = JSeed, Name = John_Seed, MemberOf = IT, Finc, Security = High
• saMAccountName = Jsmythe, Name = Jill_Smythe, MemberOf = Sales

IDaaS Profiles: Name = Laura_Callahan, Co = Sutton Ryan, Security = Low, MemberOf = Sales; Name = John_Seed, MemberOf = IT, Finc, Security = High

John’s AD Profile: saMAccountName = JSeed, MemberOf = IT, Finc

SAP ERP Profiles: John_Seed = High; Laura_Callahan = Low

Jill AD Profile: saMAccountName = JSmythe, MemberOf = Sales

Page 17

Confidential and proprietary materials for authorized Radiant Logic personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Why RadiantOne

• Portals, Content Management, Collaboration

• Federated Access - SaaS/Cloud Apps/Claims

• Web SSO – Access Management

• Partner/Vendor/Customer IAM

• Fine Grained Authorization (ABAC, XACML)

• Mergers, Acquisitions, Divestitures, Reorgs

• Directory Re-architecture, Replacement, Decommission

• Active Directory Consolidation and Partitioning