![Page 1: Take No Pretenders: Identity and Access Managementucop.edu/.../webinars/Identity-Access-Management.pdf · 07/10/2014 · – aka IDM, IdM or Identity Management • Purpose of IAM](https://reader034.vdocuments.net/reader034/viewer/2022052008/601d8ca5da194f78a95ce913/html5/thumbnails/1.jpg)
Enterprise Architecture 2014
Take No Pretenders: Identity and Access Management
ITS Webinar 10/7/2014
Eric Goodman, IAM Architect
Webinar Overview
• IAM Basics
  – IAM as an element of EA
  – Brief overview of IAM
  – Federated Authentication overview
• IAM and UCOP
  – Support Federated Authentication!
  – Other Considerations for Developers and Integrators
  – UC and UCOP IAM Resources
• IAM systemwide directions
  – MFA
  – IdP Proxy
  – Global IDs
  – Data Release
IAM Basics
What is Identity and Access Management?
How Does IAM Apply to ITS?
• IAM is an area of Enterprise Architecture (EA) focus
  – EA describes significant structural components such as information, process and technology assets and how they are used to support optimized business execution.
  – EA supports shared services, interoperability and IT<->business alignment
What is IAM?
• Identity and Access Management
  – aka IDM, IdM or Identity Management
• Purpose of IAM
  – Ensure the correct people have access to the appropriate IT resources
• Approach
  – Establish and maintain one “identity” per person
  – Central management of user accounts
    • With support for Delegated and Self-Service functions
  – Provision and reconcile accounts
From Identity to Accounts
What is IAM?
• Mixture of Technology and Process
• Business Processes
  – Common business definitions
  – Service eligibility
  – Onboarding processes
• Common Technologies
  – Database, LDAP, AD, Kerberos, Grouper
  – CAS, WebAuth, Shibboleth/SAML
Elements of IAM
Elements of IAM
• Data Collection
  – Onboarding, ideally via Systems of Record (SoR)
  – “The Merge”
• Account Management
  – Administrator Account Controls
  – Self-Service Functions (Change/Reset Pwd, Data Updates)
• Auditing
  – Central logs tracking account activity/access
Elements of IAM
• Provisioning
  – Managing and reconciling accounts in external systems
• Authentication
  – Verifying who you are (aka “login”)
• Authorization
  – Privilege/permission management

See UCPath IAM Webinar #1 (first half) for more IAM detail: https://sp2010.ucop.edu/sites/its/ppsrepl/default.aspx > Technical Webinars > IAM Webinars > 1 Identity Access Management and UCPath
FEDERATED AUTHENTICATION
Authentication Approaches
• Local Authentication
• Pass-thru Authentication
• Federated Authentication
Local Authentication
Local Authentication - Scaling
• Pros
  – Flexibility
    • Different usernames and passwords for each site
  – No need to integrate with anything else
• Cons
  – Usability
    • Different usernames and passwords for each site
    • Doesn’t integrate with anything else
  – Security
    • Risk that users will reuse passwords (can’t be audited)
    • Passwords are used everywhere
Local Authentication - Scaling
Pass-thru Authentication
“Borrowing your credentials”
Pass-thru Authentication
Pass-thru Authentication - Scaling
• Pros
  – Consistency
    • Same username and password at each site
    • Single database for account/password changes
• Cons
  – Security
    • May have to grant external applications access to internal systems
    • Many sites handle user passwords
    • Trains users to enter passwords on any web site
      – User has no way to validate the website
    • Authentication service can’t distinguish you from the application
      – Application is “pretending to be you”
      – Audit, access issues
Pass-thru Authentication - Scaling
Passwords everywhere!
Federated Authentication
Authentication as a service
Federated AuthN
• What is Federated Authentication?
  – Isolates authentication into a separate service
  – Use your “home” account to access “remote” systems
• Federation Basics
  – Security Assertion Markup Language (SAML)
  – Shibboleth
  – Other protocols and programs exist
• Examples
  – TRS, Connexxus, LMS
Federated Authentication
Federated Authentication - Scaling
Federated Authentication – Scaling
• Pros
  – Security
    • Single application handles all passwords
    • Users always enter passwords on the same website
  – Flexibility
    • Changes to the authentication process can be handled centrally
      – Multi-factor, expired accounts
    • Provides better privacy hooks
  – Federation
    • Allows integration with multiple account stores/IdPs
      – Not limited to users from one campus
• Cons
  – Largely Web-Only
  – Learning curve is somewhat steep
  – Vendor implementations are frequently flawed
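As an added example that is not part of the webinar, the checks a Service Provider has to apply to an incoming SAML assertion before trusting the attributes in it; these are the checks that flawed vendor implementations tend to skip. The issuer, audience and sample assertion are constructed, and XML signature verification is assumed to have been done first by a dedicated library.

```python
# Added example, not from the webinar: the checks a SAML Service Provider (SP)
# must apply to an Identity Provider's assertion before trusting its attributes.
# Issuer, audience and the sample assertion are constructed; XML signature
# verification (mandatory in practice) is assumed to be done first and not shown.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ISSUER = "https://idp.example.edu/idp/shibboleth"   # the one IdP this SP trusts
AUDIENCE = "https://app.example.org/shibboleth"     # this SP's own entityID

# Constructed sample; the attribute Name is the standard eduPersonPrincipalName OID
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2014-10-07T17:00:00Z" NotOnOrAfter="2014-10-07T17:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>user123@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):  # SAML timestamps are UTC "YYYY-MM-DDTHH:MM:SSZ"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now_iso):
    """Return the released attributes, or raise ValueError if any check fails."""
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    if root.findtext("saml:Issuer", namespaces=NS) != ISSUER:
        raise ValueError("assertion not from a trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        raise ValueError("assertion was issued for a different SP (audience mismatch)")
    # A real SP also records the assertion ID to reject replays inside the window.
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}

def assertion_ok(xml_text, now_iso):
    """True if the assertion would be accepted at the given time."""
    try:
        validate_assertion(xml_text, now_iso)
        return True
    except ValueError:
        return False
```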
Common Login Page
Federated Authentication
For more detail on Federated Authentication, see UCPath IAM Webinar #3: https://sp2010.ucop.edu/sites/its/ppsrepl/default.aspx > Technical Webinars > IAM Webinars > 3 Logging Into UCPath and Federated Authentication
IAM and UCOP
What does IAM mean to me?
For New Applications
• Use Federated Authentication
  – More secure than other mechanisms
  – Especially important when working with vendors
    • Insist on SAML integration support
• Avoid Pass-Thru Authentication
  – In some circumstances (esp. non-web applications) Pass-Thru may be acceptable.
  – Less secure than SAML integration
• Do not design around local accounts
  – Users are nearly guaranteed to reuse passwords
  – Adds account management burden locally
Preparing for IAM Integration
• Separate code that performs Authentication
  – Write code expecting external (SAML) Authentication
• Account != Permission
  – Rely on Roles or Attributes for access controls (RBAC/ABAC)
  – Roles and Attributes can be sourced externally
• Use defined UCTrust attributes; don’t create your own
  – https://spaces.ais.ucla.edu/display/uctrustwg/UCTrust+OIDs
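One way to structure an application along these lines, as an added example that is not the webinar's or UCOP's code: authentication is left entirely to the external IdP, and access decisions are made from released attributes (ABAC), so holding an account grants nothing by itself. The attribute names are standard eduPerson attributes that an SP maps from their OIDs; the policy values, users and entitlement URN are constructed.

```python
# Added example, not from the webinar: authentication is left to the external
# (SAML) IdP and the application decides access from released attributes (ABAC),
# so holding an account is never by itself a permission. Attribute names are the
# standard eduPerson attributes an SP maps from their OIDs; policy values,
# users and the urn:mace entitlement are constructed.
from dataclasses import dataclass

EPPN = "eduPersonPrincipalName"          # who the IdP says logged in
AFFIL = "eduPersonScopedAffiliation"     # e.g. staff@example.edu
ENTITLEMENT = "eduPersonEntitlement"     # fine-grained grants managed at the IdP


@dataclass(frozen=True)
class Principal:
    """What the application receives after the IdP has authenticated the user.
    No password ever reaches the application; SAML attributes are multi-valued."""
    attrs: dict

    def values(self, name):
        return set(self.attrs.get(name, []))


# ABAC policy: for each action, any listed attribute value grants access.
POLICY = {
    "view_report": {AFFIL: {"staff@example.edu", "faculty@example.edu"}},
    "approve_payroll": {ENTITLEMENT: {"urn:mace:example.edu:payroll:approver"}},
}


def is_authorized(principal, action):
    """Default-deny: unknown actions and principals lacking a matching value fail."""
    rules = POLICY.get(action, {})
    return any(principal.values(name) & allowed for name, allowed in rules.items())


def handle_request(principal, action):
    """The authentication check (did the IdP identify a user?) is kept separate
    from the authorization check (do the released attributes permit this action?)."""
    if not principal.values(EPPN):
        return "401 not authenticated"
    if not is_authorized(principal, action):
        return "403 forbidden"
    return "200 ok"
```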
IAM Resources and Organization
• UCOP IAM Team
  – Tim Hanson, Manager
  – Mark Boyce
  – Krishna Mohan
• Systemwide IAM Support
  – Eric Goodman, IAM Architect
• UCTrust
  – UC-specific “trust web” supporting Federated Authentication
• InCommon
  – Higher Ed “trust web” supporting Federated Authentication
Systemwide Directions
Projects underway or under consideration
System-wide Directions
• IdP Proxy
  – Supports vendors with limited SAML support
  – Allows for central data enhancement during authentication
• Multi-Factor Authentication
  – Various projects at different campuses
  – Desire to see it more prevalent system-wide
• Global ID
  – Goal is to provide systemwide IDs across UC populations
  – Let me know if you have use cases!
• Data Release Standardization
  – Simplify the process of approving and configuring data release
Question & Answer
Additional questions or consultations? Contact Eric Goodman, [email protected]