SlideShare a Scribd company logo

CIS14: Creating a Federated Identity Service for Better SSO

CloudIDSummit
CloudIDSummit

The document discusses the challenges of fragmented identity systems in large enterprises and introduces the RadiantOne Federated Identity Service as a solution to simplify deployment, management, and security through federation. It highlights the need for a unified identity provider (IdP) to navigate multiple authentication systems and streamline access to various applications. The service supports multi-tenancy, enhances security with multi-factor authentication, and allows for adaptability to organizational needs and changes.

Technology
1 of 30
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
What's Under Your Cloud? On-Premises IdP for Today's Business Creating a Federated Identity Service for Better SSO Matt Tatro – Midwest Sales Manager – Radiant Logic Denise Lores – Solution Architect – Radiant Logic
•  Describe the challenges around moving to cloud apps for large enterprises consisting of many heterogeneous user stores. •  Introduce Federation concepts and requirements. •  Introduce the RadiantOne Federated Identity Service as a key piece of infrastructure to radically simplify deployment, management, and security by federating identity to provide one logical access point to the cloud. Agenda
The World of Access Keeps Expanding App sourcing and hosting User populations App access channels SasS apps Apps in public clouds Partner apps Apps in private clouds On-premise enterprise apps Enterprise computers Enterprise-issued devices Public computers Personal devices Employees Contractors Customers Partners Members
The Challenge of a Fragmented Distributed Identity System AD Forest/Domain A Identity Sources AD Forest/Domain B Databases Internal Enterprise Apps Directories Cloud Apps Look familiar? This is why many clients report that the business views them as a bottleneck
•  A wide range of identity stores are maintained for internal users, partners/suppliers and customers. •  On average, large enterprises have: •  41 stores for internal users •  71 stores for partners/suppliers •  62 stores for customers •  75% of internal users and 38% of external users are in multiple directories •  Organizations manage user attributes in, on average around 13 different data stores! •  By 2020, 70% of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5% today (Gartner) Reality: Multiple Heterogeneous Data Stores Osterman Research Survey Findings
Challenges of a Scattered Identity Infrastructure •  Each application manages its own user list, attributes and is accessed using different protocols.
Mapping identities across SaaS applications Obstacle for STS to achieve true SSO LDAP Directory Active Directory employeeNumber=E562098000Z   samAccountName=Johnny_Appleseed   objectClass=user   mail:  johnny_appleseed@setree1.com   departmentNumber=234   memberOf=Sales   memberOf=AllUsers   memberOf=InventoryRead   uid=JAppleseed   Otle=VP  Sales   givenName=Johnny   sn=Appleseed   departmentNumber=234   employeeID=562_09_8000   isMemberOf=InternalUsers   Name=Johnny_Appleseed   ID:  johnny_appleseed@setree1.com   login=JAppleseed   ID=562_09_8000   Salesforce  knows  Johnny  as:   johnny_appleseed@setree1.com   Google  knows  Johnny  as:   JAppleseed  
Federation is the Solution But deployment is often the challenge! Federation Cloud Apps Federation requires An Identity Provider (Idp) Internal Authentication and SSO? Attributes for authorization? Enterprise Identity Data Sources ? ?? Implementation SAML 2.0 (Open-Id Connect) Federated Access1. 2. 3. Mapping from internal ID to Tokens?
FEDERATION REQUIRES FEDERATED ACCESS AND FEDERATED IDENTITY
Simplify and/or Evolve your IdP deployment with a Federated Identity Hub The identity hub component federates identity from across the infrastructure into a single hub, rationalizing duplicate accounts as necessary. The STS component sends user information to applications in secure tokens to perform external federation. This layer is provided by vendors such as PING and ADFS.
Mapping identities across SaaS applications LDAP Directory Active Directory employeeNumber=E562098000Z   samAccountName=Johnny_Appleseed   objectClass=user   mail:  johnny_appleseed@setree1.com   departmentNumber=234   memberOf=Sales   memberOf=AllUsers   memberOf=InventoryRead   uid=JAppleseed   Otle=VP  Sales   givenName=Johnny   sn=Appleseed   departmentNumber=234   employeeID=562_09_8000   isMemberOf=InternalUsers   Name=Johnny_Appleseed   ID:  johnny_appleseed@setree1.com   login=JAppleseed   ID=562_09_8000   Salesforce  knows  Johnny  as:   johnny_appleseed@setree1.com   Google  knows  Johnny  as:   JAppleseed  
Value of the Identity Hub and Global Profile LDAP DirectoryActive Directory employeeNumber=E562098000Z samAcountName=Johnny_Appleseed objectClass=user mail: johnny_appleseed@setree1.com uid=JAppleseed title=VP Sales departmentNumber=234 memberOf=Sales memberOf=AllUsers memberOf=InventoryRead memberOf=InternalUsers ref = cn=johhny_appleseed,dc=ad,dc=vds ref = uid=JAppleseed,dc=ldap,dc=vds CorrelatedIdentityView CorrelaOon  rules/logic.  An  exisOng     single  unique  idenOfier  not  required.   This  provides  the  reference  image  for  claims!   employeeNumber=E562098000Z   samAccountName=Johnny_Appleseed   objectClass=user   mail:  johnny_appleseed@setree1.com   departmentNumber=234   memberOf=Sales   memberOf=AllUsers   memberOf=InventoryRead   uid=JAppleseed   Otle=VP  Sales   givenName=Johnny   sn=Appleseed   departmentNumber=234   employeeID=562_09_8000   isMemberOf=InternalUsers  
Token Contents are Not Standardized SAML Attribute Set B SAML Attribute Set C SAML Attribute Set A SAML defines a common framework, a “menu” of information in a common format from which applications can choose which they require. The appropriate subset of attributes required by the Service Provider, is encrypted in a token, and sent to the SP, by an Identity Provider.
APPLICATION LAYER VIRTUALIZATION LAYER DATA SOURCES Directories Databases Web Services Active Directory Together CFS and VDS act as a complete Identity Provider, authenticating users, gathering their attributes, and sending them in the appropriate format in security tokens to applications. CFS is the Security Token Service RadiantOne Virtual Directory Service (VDS) is the federated identity hub RadiantOne Federated Identity Service VDS + CFS offers a complete IdP
•  Because the commonly used federation standards (like SAML and WS- Federation) don’t enforce a rigid set of attributes that all applications must accept, the IdP must generate a different token for each Service Provider. •  Would you turn away a business partner because your IdP won’t mesh with their apps? The IdP Must Generate Applicable Token Mappings Token Contents: Authentication Attributes email Certificate_id Authorization Attributes Groups Roles Identity Provider Token Contents: Authentication Attributes UPN ImmutableID nameidentifier Authorization Attributes Groups
•  In many scenarios, an Identity Provider will have to search for a user in more than one Authentication System. An IdP must be able to navigate this “last mile” to authenticate users and gather attributes •  Avoid a lengthy, costly re-architecture of the identity repository you intend to act as your IdP The IdP Must Support Multiple Authentication Systems AUTHENTICATION SYSTEMS •  Handle authentication of the users. •  Return necessary attributes to the Identity Provider, to be used for authorization. Identity Provider
THE RADIANTONE FEDERATED IDENTITY SERVICE
Support for Multiple Authentication Systems •  CFS supports the following systems for authenticating users: 1.  Forms Based Authentication through VDS (essential for mobile devices!). Users enter their credentials, and VDS delegates the authentication to the authoritative enterprise identity store. 2.  Radiant Trust Connectors (RTCs) allow users stored in Active Directory to be authenticated in their local domain using Windows Integrated Authentication (Kerberos/NTLM – Windows Integrated Authentication). 3.  Certificate Authentication through VDS. 4.  Leverage third party trusted IDP: FaceBook, Twitter, PayPal, ADFS 2, Azure ACS, OpenAM
•  The Radiant Trust Connector (RTC) is an application that runs inside IIS. IIS handles authentication with Windows Integrated Authentication – either via Kerberos or NTLM. •  RTCs handle the retrieval of user data from Internet Information Services and pass the user data to CFS (via the browser) in a token. CFS then matches the identity from the RTC with an identity in VDS, and transforms the user data into the claim format the application expects, thus enabling SSO for AD users. How CFS federates Active Directory domains (Similar Implementation than with ADFS)
•  Map authenticated identity to Enterprise Identity Identity Mapping Rules Example Identification Rule: RTC (nameidentifier)à VDS (uid) = JAppleseednameidentifier employeeNumber=E562098000Z samAcountName=Johnny_Appleseed objectClass=user mail: johnny_appleseed@setree1.com uid=JAppleseed title=VP Sales departmentNumber=234 memberOf=Sales memberOf=AllUsers memberOf=InventoryRead memberOf=InternalUsers ref = cn=johhny_appleseed,dc=ad,dc=vds ref = uid=JAppleseed,dc=ldap,dc=vds
Application Configuration with Templates
•  Retrieve attributes applicable to the application and map/transform them accordingly. •  Built-in functions simplify the mapping/transformation. Application Token Mapping Rules
User experience: CFS Portal SSO to Applications User Self-Service: Edit profile attributes, reset-password White Pages: Search for users
Support for both IdP-initiated and SP-initiated Sessions For IdP-initiated access, the user can login to the CFS Portal and select which application they would like to access. For SP-initiated access, the user can attempt to access the application first, and then be redirected to the CFS portal site for authentication. Or if the user has already been authenticated by CFS, they will gain access to the application without having to re-authenticate. http://sharepointsite
Reference Image for Provisioning Legacy Applications (and respective stores) AD Sun LDAP Cloud Apps LDAP/ SQL/ SPML SPML SCIM
•  Support for Multi tenancy •  For the large enterprise wishing to act as an IdP for third parties, multi tenancy allows the storage of third-party identities on-premises to provide access to cloud applications. •  User registration and management •  Increased end user security •  2-Step Verification (Multi Factor Authentication) •  Requires user name/password and passcode to login. •  Passcode can be sent via an Authenticator app on user’s mobile device or emailed. •  New Access Control Mechanisms: •  Levels of Assurance •  Circle of Trust Additional Capabilities to Consider
•  Each authentication system is assigned a level of assurance (examples shown for Active Directory and Forms-based (with and w/o 2 step verification). •  Each application is assigned a level of assurance. Level of Assurance Configuration
•  When a user logs in, the level of assurance associated with their chosen authentication system will be one of the criteria used by CFS to enforce access to applications. Enforcing Access Based on Level of Assurance
•  When a user logs in, the CoT rules will be evaluated to determine which are applicable. •  For example, if the following rules are defined, and a user logs in from a client with the IP address of 10.11.12.5, then Location=headquarters will be used as criteria for determining which applications the user should have access to. Circle of Trust (CoT) E.g. CoT Rules Defined E.g. CoT Rules Assigned to an Application
•  Simplify the Move Cloud Apps •  There is a lot of focus on federating user access, but you also need to federate your identities! Especially for large, complex identity infrastructures that have: •  No single AD domain containing all users •  Duplicate user accounts across AD domains and forests •  Users outside of AD sources (extend authentication to and/or retrieve profile attributes from) •  Have a single logical place to authenticate users and retrieve a rationalized view of groups. •  Use the global reference image to provision to cloud applications. •  Expand an existing Federation deployment easily •  Support new user populations •  Support new application requirements •  Address custom data requirements •  Customizations/computations can be done at the RadiantOne layer, not by the IdP, letting them focus on the token creation/translation they provide. •  Each application can have their own “virtual view” (specific mappings, computations, attributes). •  Maximize your ROI •  Re-use the Federated Identity Service layer for other initiatives: •  Other applications (e.g. Cisco Unified Communications Manager, Qumu, SiteMinder, SharePoint…etc.) Conclusion

More Related Content

What's hot (18)

PDF
Large Scale User Provisioning with Hitachi ID Identity Manager
Hitachi ID Systems, Inc.
 
PPTX
Forefront Identity Manager 2010 (Av Rune Lystad)
Microsoft Norge AS
 
PDF
IdM Reference Architecture
Hannu Kasanen
 
PDF
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Profesia Srl, Lynx Group
 
PDF
Nyc connect 19 presentations
Sabrina Marechal
 
PDF
How Global Atlantic integrated SE2's Aurum with Salesforce Sales & Service Cl...
Sabrina Marechal
 
PDF
Cloud computing identity management summary
Brandon Dunlap
 
PDF
Serena Request Center
Serena Software
 
PPTX
Intel IT's Identity and Access Management Journey
Intel IT Center
 
PPTX
Platform approach-series-the oracleplatform-final
OracleIDM
 
PDF
Hitachi ID Password Manager
Hitachi ID Systems, Inc.
 
PPTX
TDNF Seminar
EmpowerID
 
PPTX
Short Overview
EmpowerID
 
PDF
Hitachi ID Identity and Access Management Suite
Hitachi ID Systems, Inc.
 
DOCX
Hayat resume 1
Hayat Azizi
 
PPTX
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Prolifics
 
PDF
Microsoft Forefront - Identity and Access Management Whitepaper
Microsoft Private Cloud
 
PDF
SaaS 2001
Onomi
 
Large Scale User Provisioning with Hitachi ID Identity Manager
Hitachi ID Systems, Inc.
 
Forefront Identity Manager 2010 (Av Rune Lystad)
Microsoft Norge AS
 
IdM Reference Architecture
Hannu Kasanen
 
#3 Wso2 masterclassitalia - wso2 Identity Server: must-have per gestire le id...
Profesia Srl, Lynx Group
 
Nyc connect 19 presentations
Sabrina Marechal
 
How Global Atlantic integrated SE2's Aurum with Salesforce Sales & Service Cl...
Sabrina Marechal
 
Cloud computing identity management summary
Brandon Dunlap
 
Serena Request Center
Serena Software
 
Intel IT's Identity and Access Management Journey
Intel IT Center
 
Platform approach-series-the oracleplatform-final
OracleIDM
 
Hitachi ID Password Manager
Hitachi ID Systems, Inc.
 
TDNF Seminar
EmpowerID
 
Short Overview
EmpowerID
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Systems, Inc.
 
Hayat resume 1
Hayat Azizi
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Prolifics
 
Microsoft Forefront - Identity and Access Management Whitepaper
Microsoft Private Cloud
 
SaaS 2001
Onomi
 

Viewers also liked (19)

PDF
Open stand overview_072014
CloudIDSummit
 
PDF
CIS14: How I Came to Share Signals and Learned to Love my Identity System
CloudIDSummit
 
PDF
CIS13: The Power of the Cloud and Transformation in the Enterprise
CloudIDSummit
 
PDF
CIS13: Bringing the User Back into User-Centric Identity
CloudIDSummit
 
PDF
CIS13: FCCX and IDESG: An Industry Perspectives
CloudIDSummit
 
PDF
CIS14: Implementing MITREid
CloudIDSummit
 
PDF
CIS14: Network-Aware IAM
CloudIDSummit
 
PDF
CIS13: NSTIC Update and Reports from Pilots
CloudIDSummit
 
PDF
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CloudIDSummit
 
PDF
CIS13: Cloud, Identity Bridges, and ITSM: Three is Not a Crowd
CloudIDSummit
 
PDF
CIS14: Mobilize Your Workforce with Secure Identity Services
CloudIDSummit
 
PDF
CIS13: Federation Protocol Cross-Section
CloudIDSummit
 
PDF
CIS13: Identity is the New Currency
CloudIDSummit
 
PDF
CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World
CloudIDSummit
 
PDF
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CloudIDSummit
 
PDF
CIS14: NSTIC: AARP and Trusted Identity: Empowering Members for the Digital Age
CloudIDSummit
 
PDF
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CloudIDSummit
 
PDF
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
PDF
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CloudIDSummit
 
Open stand overview_072014
CloudIDSummit
 
CIS14: How I Came to Share Signals and Learned to Love my Identity System
CloudIDSummit
 
CIS13: The Power of the Cloud and Transformation in the Enterprise
CloudIDSummit
 
CIS13: Bringing the User Back into User-Centric Identity
CloudIDSummit
 
CIS13: FCCX and IDESG: An Industry Perspectives
CloudIDSummit
 
CIS14: Implementing MITREid
CloudIDSummit
 
CIS14: Network-Aware IAM
CloudIDSummit
 
CIS13: NSTIC Update and Reports from Pilots
CloudIDSummit
 
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds
CloudIDSummit
 
CIS13: Cloud, Identity Bridges, and ITSM: Three is Not a Crowd
CloudIDSummit
 
CIS14: Mobilize Your Workforce with Secure Identity Services
CloudIDSummit
 
CIS13: Federation Protocol Cross-Section
CloudIDSummit
 
CIS13: Identity is the New Currency
CloudIDSummit
 
CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World
CloudIDSummit
 
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CloudIDSummit
 
CIS14: NSTIC: AARP and Trusted Identity: Empowering Members for the Digital Age
CloudIDSummit
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CloudIDSummit
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CloudIDSummit
 
Ad

Similar to CIS14: Creating a Federated Identity Service for Better SSO (20)

PPTX
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
Scott Hoag
 
PPTX
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
Scott Hoag
 
PDF
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
Scott Hoag
 
PPSX
AzureAAD
TonyHotko
 
PPTX
SSO IN/With Drupal and Identitiy Management
Manish Harsh
 
PDF
O365con14 - moving from on-premises to online, the road to follow
NCCOMMS
 
PPT
Up 2011-ken huang
Ken Huang
 
PDF
SAML and Other Types of Federation for Your Enterprise
Denis Gundarev
 
PPTX
Developing and deploying Identity-enabled applications for the cloud
Maarten Balliauw
 
PPTX
Office 365-single-sign-on-with-adfs
amitchachra
 
PDF
CIS13: How to Build a Federated Identity Service on Identity and Context Virt...
CloudIDSummit
 
PDF
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
Kumton Suttiraksiri
 
PPTX
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
Scott Hoag
 
PPTX
3 Building Blocks For Managing Cloud Applications Webinar
Todd Clayton
 
PPTX
MCSA 70-412 Chapter 08
Computer Networking
 
PDF
CIS13: Identity at Scale
CloudIDSummit
 
PPTX
JoTechies - Cloud identity
JoTechies
 
PDF
Saas security
Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
PDF
CIS14: Identity at Scale: Building from the Ground Up
CloudIDSummit
 
PDF
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
NCCOMMS
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
Scott Hoag
 
SPS Sydney - Office 365 and Cloud Identity – What does it mean for me?
Scott Hoag
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
Scott Hoag
 
AzureAAD
TonyHotko
 
SSO IN/With Drupal and Identitiy Management
Manish Harsh
 
O365con14 - moving from on-premises to online, the road to follow
NCCOMMS
 
Up 2011-ken huang
Ken Huang
 
SAML and Other Types of Federation for Your Enterprise
Denis Gundarev
 
Developing and deploying Identity-enabled applications for the cloud
Maarten Balliauw
 
Office 365-single-sign-on-with-adfs
amitchachra
 
CIS13: How to Build a Federated Identity Service on Identity and Context Virt...
CloudIDSummit
 
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
Kumton Suttiraksiri
 
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
Scott Hoag
 
3 Building Blocks For Managing Cloud Applications Webinar
Todd Clayton
 
MCSA 70-412 Chapter 08
Computer Networking
 
CIS13: Identity at Scale
CloudIDSummit
 
JoTechies - Cloud identity
JoTechies
 
Saas security
Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
CIS14: Identity at Scale: Building from the Ground Up
CloudIDSummit
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
NCCOMMS
 
Ad

More from CloudIDSummit (20)

PPTX
CIS 2016 Content Highlights
CloudIDSummit
 
PPTX
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
PDF
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
PDF
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 
PDF
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
PDF
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
PDF
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
PDF
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
PDF
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
PDF
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
PDF
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
PDF
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
PDF
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
PDF
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
PDF
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
PDF
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
PDF
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
PDF
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
PDF
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 
CIS 2016 Content Highlights
CloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 

Recently uploaded (20)

PDF
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
PDF
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
PDF
SWEBOK Guide and Software Services Engineering Education
Hironori Washizaki
 
PDF
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
PDF
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
PDF
Blockchain Transactions Explained For Everyone
CIFDAQ
 
PDF
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
PDF
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
PDF
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PPTX
MSP360 Backup Scheduling and Retention Best Practices.pptx
MSP360
 
PPTX
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
PPTX
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
PPTX
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
PPTX
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
PDF
Using FME to Develop Self-Service CAD Applications for a Major UK Police Force
Safe Software
 
PDF
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
PPTX
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
PDF
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
PDF
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
PDF
SFWelly Summer 25 Release Highlights July 2025
Anna Loughnan Colquhoun
 
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
SWEBOK Guide and Software Services Engineering Education
Hironori Washizaki
 
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
Blockchain Transactions Explained For Everyone
CIFDAQ
 
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
MSP360 Backup Scheduling and Retention Best Practices.pptx
MSP360
 
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
Using FME to Develop Self-Service CAD Applications for a Major UK Police Force
Safe Software
 
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
SFWelly Summer 25 Release Highlights July 2025
Anna Loughnan Colquhoun
 

CIS14: Creating a Federated Identity Service for Better SSO

  • 1. What's Under Your Cloud? On-Premises IdP for Today's Business Creating a Federated Identity Service for Better SSO Matt Tatro – Midwest Sales Manager – Radiant Logic Denise Lores – Solution Architect – Radiant Logic
  • 2. •  Describe the challenges around moving to cloud apps for large enterprises consisting of many heterogeneous user stores. •  Introduce Federation concepts and requirements. •  Introduce the RadiantOne Federated Identity Service as a key piece of infrastructure to radically simplify deployment, management, and security by federating identity to provide one logical access point to the cloud. Agenda
  • 3. The World of Access Keeps Expanding App sourcing and hosting User populations App access channels SasS apps Apps in public clouds Partner apps Apps in private clouds On-premise enterprise apps Enterprise computers Enterprise-issued devices Public computers Personal devices Employees Contractors Customers Partners Members
  • 4. The Challenge of a Fragmented Distributed Identity System AD Forest/Domain A Identity Sources AD Forest/Domain B Databases Internal Enterprise Apps Directories Cloud Apps Look familiar? This is why many clients report that the business views them as a bottleneck
  • 5. •  A wide range of identity stores are maintained for internal users, partners/suppliers and customers. •  On average, large enterprises have: •  41 stores for internal users •  71 stores for partners/suppliers •  62 stores for customers •  75% of internal users and 38% of external users are in multiple directories •  Organizations manage user attributes in, on average around 13 different data stores! •  By 2020, 70% of enterprises will use ABAC as the dominant mechanism to protect critical assets, up from less than 5% today (Gartner) Reality: Multiple Heterogeneous Data Stores Osterman Research Survey Findings
  • 6. Challenges of a Scattered Identity Infrastructure •  Each application manages its own user list, attributes and is accessed using different protocols.
  • 7. Mapping identities across SaaS applications Obstacle for STS to achieve true SSO LDAP Directory Active Directory employeeNumber=E562098000Z   samAccountName=Johnny_Appleseed   objectClass=user   mail:  [email protected]   departmentNumber=234   memberOf=Sales   memberOf=AllUsers   memberOf=InventoryRead   uid=JAppleseed   Otle=VP  Sales   givenName=Johnny   sn=Appleseed   departmentNumber=234   employeeID=562_09_8000   isMemberOf=InternalUsers   Name=Johnny_Appleseed   ID:  [email protected]   login=JAppleseed   ID=562_09_8000   Salesforce  knows  Johnny  as:   [email protected]   Google  knows  Johnny  as:   JAppleseed  
  • 8. Federation is the Solution But deployment is often the challenge! Federation Cloud Apps Federation requires An Identity Provider (Idp) Internal Authentication and SSO? Attributes for authorization? Enterprise Identity Data Sources ? ?? Implementation SAML 2.0 (Open-Id Connect) Federated Access1. 2. 3. Mapping from internal ID to Tokens?
  • 9. FEDERATION REQUIRES FEDERATED ACCESS AND FEDERATED IDENTITY
  • 10. Simplify and/or Evolve your IdP deployment with a Federated Identity Hub The identity hub component federates identity from across the infrastructure into a single hub, rationalizing duplicate accounts as necessary. The STS component sends user information to applications in secure tokens to perform external federation. This layer is provided by vendors such as PING and ADFS.
  • 11. Mapping identities across SaaS applications LDAP Directory Active Directory employeeNumber=E562098000Z   samAccountName=Johnny_Appleseed   objectClass=user   mail:  [email protected]   departmentNumber=234   memberOf=Sales   memberOf=AllUsers   memberOf=InventoryRead   uid=JAppleseed   Otle=VP  Sales   givenName=Johnny   sn=Appleseed   departmentNumber=234   employeeID=562_09_8000   isMemberOf=InternalUsers   Name=Johnny_Appleseed   ID:  [email protected]   login=JAppleseed   ID=562_09_8000   Salesforce  knows  Johnny  as:   [email protected]   Google  knows  Johnny  as:   JAppleseed  
  • 12. Value of the Identity Hub and Global Profile LDAP DirectoryActive Directory employeeNumber=E562098000Z samAcountName=Johnny_Appleseed objectClass=user mail: [email protected] uid=JAppleseed title=VP Sales departmentNumber=234 memberOf=Sales memberOf=AllUsers memberOf=InventoryRead memberOf=InternalUsers ref = cn=johhny_appleseed,dc=ad,dc=vds ref = uid=JAppleseed,dc=ldap,dc=vds CorrelatedIdentityView CorrelaOon  rules/logic.  An  exisOng     single  unique  idenOfier  not  required.   This  provides  the  reference  image  for  claims!   employeeNumber=E562098000Z   samAccountName=Johnny_Appleseed   objectClass=user   mail:  [email protected]   departmentNumber=234   memberOf=Sales   memberOf=AllUsers   memberOf=InventoryRead   uid=JAppleseed   Otle=VP  Sales   givenName=Johnny   sn=Appleseed   departmentNumber=234   employeeID=562_09_8000   isMemberOf=InternalUsers  
  • 13. Token Contents are Not Standardized SAML Attribute Set B SAML Attribute Set C SAML Attribute Set A SAML defines a common framework, a “menu” of information in a common format from which applications can choose which they require. The appropriate subset of attributes required by the Service Provider, is encrypted in a token, and sent to the SP, by an Identity Provider.
  • 14. APPLICATION LAYER VIRTUALIZATION LAYER DATA SOURCES Directories Databases Web Services Active Directory Together CFS and VDS act as a complete Identity Provider, authenticating users, gathering their attributes, and sending them in the appropriate format in security tokens to applications. CFS is the Security Token Service RadiantOne Virtual Directory Service (VDS) is the federated identity hub RadiantOne Federated Identity Service VDS + CFS offers a complete IdP
  • 15. •  Because the commonly used federation standards (like SAML and WS- Federation) don’t enforce a rigid set of attributes that all applications must accept, the IdP must generate a different token for each Service Provider. •  Would you turn away a business partner because your IdP won’t mesh with their apps? The IdP Must Generate Applicable Token Mappings Token Contents: Authentication Attributes email Certificate_id Authorization Attributes Groups Roles Identity Provider Token Contents: Authentication Attributes UPN ImmutableID nameidentifier Authorization Attributes Groups
  • 16. •  In many scenarios, an Identity Provider will have to search for a user in more than one Authentication System. An IdP must be able to navigate this “last mile” to authenticate users and gather attributes •  Avoid a lengthy, costly re-architecture of the identity repository you intend to act as your IdP The IdP Must Support Multiple Authentication Systems AUTHENTICATION SYSTEMS •  Handle authentication of the users. •  Return necessary attributes to the Identity Provider, to be used for authorization. Identity Provider
  • 18. Support for Multiple Authentication Systems •  CFS supports the following systems for authenticating users: 1.  Forms Based Authentication through VDS (essential for mobile devices!). Users enter their credentials, and VDS delegates the authentication to the authoritative enterprise identity store. 2.  Radiant Trust Connectors (RTCs) allow users stored in Active Directory to be authenticated in their local domain using Windows Integrated Authentication (Kerberos/NTLM – Windows Integrated Authentication). 3.  Certificate Authentication through VDS. 4.  Leverage third party trusted IDP: FaceBook, Twitter, PayPal, ADFS 2, Azure ACS, OpenAM
  • 19. •  The Radiant Trust Connector (RTC) is an application that runs inside IIS. IIS handles authentication with Windows Integrated Authentication – either via Kerberos or NTLM. •  RTCs handle the retrieval of user data from Internet Information Services and pass the user data to CFS (via the browser) in a token. CFS then matches the identity from the RTC with an identity in VDS, and transforms the user data into the claim format the application expects, thus enabling SSO for AD users. How CFS federates Active Directory domains (Similar Implementation than with ADFS)
  • 20. •  Map authenticated identity to Enterprise Identity Identity Mapping Rules Example Identification Rule: RTC (nameidentifier)à VDS (uid) = JAppleseednameidentifier employeeNumber=E562098000Z samAcountName=Johnny_Appleseed objectClass=user mail: [email protected] uid=JAppleseed title=VP Sales departmentNumber=234 memberOf=Sales memberOf=AllUsers memberOf=InventoryRead memberOf=InternalUsers ref = cn=johhny_appleseed,dc=ad,dc=vds ref = uid=JAppleseed,dc=ldap,dc=vds
  • 22. •  Retrieve attributes applicable to the application and map/transform them accordingly. •  Built-in functions simplify the mapping/transformation. Application Token Mapping Rules
  • 23. User experience: CFS Portal SSO to Applications User Self-Service: Edit profile attributes, reset-password White Pages: Search for users
  • 24. Support for both IdP-initiated and SP-initiated Sessions For IdP-initiated access, the user can login to the CFS Portal and select which application they would like to access. For SP-initiated access, the user can attempt to access the application first, and then be redirected to the CFS portal site for authentication. Or if the user has already been authenticated by CFS, they will gain access to the application without having to re-authenticate. http://sharepointsite
  • 25. Reference Image for Provisioning Legacy Applications (and respective stores) AD Sun LDAP Cloud Apps LDAP/ SQL/ SPML SPML SCIM
  • 26. •  Support for Multi tenancy •  For the large enterprise wishing to act as an IdP for third parties, multi tenancy allows the storage of third-party identities on-premises to provide access to cloud applications. •  User registration and management •  Increased end user security •  2-Step Verification (Multi Factor Authentication) •  Requires user name/password and passcode to login. •  Passcode can be sent via an Authenticator app on user’s mobile device or emailed. •  New Access Control Mechanisms: •  Levels of Assurance •  Circle of Trust Additional Capabilities to Consider
  • 27. •  Each authentication system is assigned a level of assurance (examples shown for Active Directory and Forms-based (with and w/o 2 step verification). •  Each application is assigned a level of assurance. Level of Assurance Configuration
  • 28. •  When a user logs in, the level of assurance associated with their chosen authentication system will be one of the criteria used by CFS to enforce access to applications. Enforcing Access Based on Level of Assurance
  • 29. •  When a user logs in, the CoT rules will be evaluated to determine which are applicable. •  For example, if the following rules are defined, and a user logs in from a client with the IP address of 10.11.12.5, then Location=headquarters will be used as criteria for determining which applications the user should have access to. Circle of Trust (CoT) E.g. CoT Rules Defined E.g. CoT Rules Assigned to an Application
  • 30. •  Simplify the Move Cloud Apps •  There is a lot of focus on federating user access, but you also need to federate your identities! Especially for large, complex identity infrastructures that have: •  No single AD domain containing all users •  Duplicate user accounts across AD domains and forests •  Users outside of AD sources (extend authentication to and/or retrieve profile attributes from) •  Have a single logical place to authenticate users and retrieve a rationalized view of groups. •  Use the global reference image to provision to cloud applications. •  Expand an existing Federation deployment easily •  Support new user populations •  Support new application requirements •  Address custom data requirements •  Customizations/computations can be done at the RadiantOne layer, not by the IdP, letting them focus on the token creation/translation they provide. •  Each application can have their own “virtual view” (specific mappings, computations, attributes). •  Maximize your ROI •  Re-use the Federated Identity Service layer for other initiatives: •  Other applications (e.g. Cisco Unified Communications Manager, Qumu, SiteMinder, SharePoint…etc.) Conclusion