cis14: why federated access needs a federated identity
DESCRIPTION
Matt Tatro, Denise Lores, Wade Ellery (Radiant Logic). How creating a federated identity service gives you a single unified view of ALL identities and their context to improve your federated access, WAM and application deployment.
TRANSCRIPT
Why Federated Access Needs a Federated Identity
Wade Ellery Western Region Director of Sales
Denise Lores Senior Architect
The Four Pillars of Identity Services
• Enhanced user experience
• Improved management of security risks
• Efficient development/deployment of applications
• Reusable integration
• HIPAA, SOX compliance
• Common access logs
• Improved accountability
• Common reporting
• Reduced administrative tasks
• Reduced help desk calls
• Improved process efficiency
• Central user information
• Reduced administrative tasks
• Reduced help desk calls
• Improved security
• Accountability
• Cost savings
Pillars: Identity Data Services; Access Management; Identity Management; Audit, Role & Compliance
Services shown: User Self-Service & Password Management; Virtual Directory; Web Access Management/SSO; Centralized Audit; Delegated Administration; Synchronization/Replication; Federated Identity Management/SSO; Logging and Monitoring; Automated Approvals and Workflows; Meta Directory; Authentication & Authorization; Access Certification; Enterprise Role Definition; Directory Storage; Standard APIs; Reporting
RadiantOne: Your Foundation to a Complete Identity Service
Sources: HR Databases; Applications Databases; LDAP Directories; Cloud Apps
IDM
Supporting Multiple Repositories is Costly: Traditional IDM Attempted to Mitigate
Diagram labels: IDM; Existing Identity Infrastructure; Legacy Applications
New Applications and Customers Increase complexity, support, and risk
Diagram labels: IDM; Existing Identity Infrastructure; Legacy Applications; SaaS/Cloud/BYOD/Partner Apps
RadiantOne The Identity Hub
Diagram labels: Federated Identity Service; IDM; Existing Identity Infrastructure; Legacy Applications; SaaS/Cloud/BYOD/Partner Apps
Federated Identity Service Able to Sunset Identity Stores
Diagram labels: Federated Identity Service; IDM; Legacy Applications
More Identities, Better Scope—the Secret to Boosting Your Ping Federation IdP Deployment
Identity as a service through Virtualization The Key to Solving the Identity Integration Challenge
• Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos.
• Aggregation, Correlation, Transformation, and Normalization of the user identity provides the ability to serve that identity to applications in the format they expect.
Diagram labels: Aggregation; Correlation; Integration; Virtualization; Population A; Population B; Population C; Groups; Roles; LDAP; SQL; Web Services/SOA; SCIM; REST; App A through App F; Contexts; Services
RadiantOne Methodology Leveraging Existing Contexts to Build User Profiles
RadiantOne Methodology Joining across Data Silos Links Identities to Context
• RadiantOne is made of two main parts:
  • An integration layer based on virtualization
  • A storage layer: Persistent Cache
    • LDAP (up to v6.2)
    • HDAP (based on big data technologies, v7.0)
RadiantOne Integration Layer and Cache/Storage Layer
Diagram labels: Integration Layer; Integration Layer + Storage (Persistent Cache); HDAP Storage (Persistent Cache)
Join With Correlation Rules
EmployeeID=509-34-5855 Clearance=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234
employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: [email protected] departmentNumber=234
Corporate Active Directory
uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234
European Portal Directory
US Click Database
No Single Attribute in Common = No Join
Correlated Identity View (produced by the Correlation Rules):
employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: [email protected] uid=Afuller Name=Andrew Fuller title=VP Sales ClearanceLevel=1 Region=PA Dept=234
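The join the slide describes, as an added example that is not RadiantOne code: three silo records for one person share no common attribute, so each source gets its own correlation rule that derives a shared key, and the joined record is then transformed into one normalized view. The record values follow the slide; the three rules, the placeholder mail addresses, the second AD account and the attribute mapping into the unified view are assumptions made for the example. A record that no rule can correlate stays an uncorrelated profile rather than being silently merged, and department values that disagree between silos are reported instead of one overwriting the other.

```python
"""Correlate identity records from silos that share no common attribute and
serve one normalized profile. Added example, not RadiantOne code."""
import re
from collections import defaultdict

# Constructed sample records, one silo each (values as on the slide; mail
# addresses are placeholders because the slide's address is not readable).
HR_DB = [
    {"EmployeeID": "509-34-5855", "Clearance": "1", "Region": "PA",
     "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234"},
]
CORP_AD = [
    {"employeeNumber": "2", "samAccountName": "Andrew_Fuller",
     "objectClass": "user", "mail": "afuller@example.invalid",
     "departmentNumber": "234"},
    # Assumed extra account with no HR or portal record: must stay uncorrelated.
    {"employeeNumber": "3", "samAccountName": "Leah_Scott",
     "objectClass": "user", "mail": "lscott@example.invalid",
     "departmentNumber": "310"},
]
PORTAL_LDAP = [
    {"uid": "AFuller", "title": "VP Sales", "givenName": "Andrew",
     "sn": "Fuller", "departmentNumber": "234"},
]

# Correlation rules (assumed): each derives the same key from silo-specific
# attributes, which is what lets records join without a shared attribute.
def hr_key(rec):
    return re.sub(r"^EMP_", "", rec["UserID"]).lower()   # EMP_Andrew_Fuller -> andrew_fuller

def ad_key(rec):
    return rec["samAccountName"].lower()                   # Andrew_Fuller -> andrew_fuller

def portal_key(rec):
    return f'{rec["givenName"]}_{rec["sn"]}'.lower()       # Andrew + Fuller -> andrew_fuller

SOURCES = [("hr", HR_DB, hr_key), ("ad", CORP_AD, ad_key),
           ("portal", PORTAL_LDAP, portal_key)]

def correlate(sources=SOURCES):
    """Aggregate all records and join those whose correlation keys agree.
    Returns {key: {source_name: record}}; a key seen in only one source is an
    uncorrelated identity, not an error. Two records of one source mapping to
    the same key means the rule is ambiguous, so that is rejected."""
    joined = defaultdict(dict)
    for name, records, keyfn in sources:
        for rec in records:
            key = keyfn(rec)
            if name in joined[key]:
                raise ValueError(f"rule for {name} maps two records to {key!r}")
            joined[key][name] = rec
    return dict(joined)

def unified_view(parts):
    """Transform and normalize one joined identity into the profile schema
    shown on the slide. The attribute mapping is an assumption."""
    hr, ad, portal = parts.get("hr", {}), parts.get("ad", {}), parts.get("portal", {})
    view = {a: ad[a] for a in ("employeeNumber", "samAccountName", "objectClass", "mail") if a in ad}
    if portal:
        view["uid"] = portal["uid"]
        view["Name"] = f'{portal["givenName"]} {portal["sn"]}'
        view["title"] = portal["title"]
    if hr:
        view["ClearanceLevel"] = hr["Clearance"]
        view["Region"] = hr["Region"]
    # Department is stored in three formats; normalize to digits and require agreement.
    candidates = {ad.get("departmentNumber"), portal.get("departmentNumber"),
                  re.sub(r"\D", "", hr.get("DeptID", ""))}
    candidates.discard(None)
    candidates.discard("")
    if len(candidates) > 1:
        raise ValueError(f"conflicting department values: {sorted(candidates)}")
    if candidates:
        view["Dept"] = candidates.pop()
    return view

def correlated_identity_views(sources=SOURCES):
    """The correlated identity view for every key across all silos."""
    return {key: unified_view(parts) for key, parts in correlate(sources).items()}

if __name__ == "__main__":
    for key, view in correlated_identity_views().items():
        print(key, view)
```

The rules are deliberately per-source functions rather than a shared attribute name, since the slide's point is that no such attribute exists; changing a rule changes what joins, so rule ambiguity and attribute conflicts are surfaced as errors rather than merged silently.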
Federated Identity Service
Unified Profile View and Portal Agnostic
• Multiple sources of identity with different schemas, protocols, formats, and structures.
• Application(s) expect a single normalized source.
Diagram labels: Click; SaaS; Portal; Active Directory; LDAP; Federated Identity Service
Auto-Generated Virtual Groups (members dynamically determined)
Active Directory US Domain:
userID=12952 cn=john_smith department=Sales
userID=12954 cn=leah_scott department=HR
userID=12943 cn=todd_jones department=Marketing
Active Directory Europe Domain:
employeeID=16473 sAMAccountName=ssmith department=Marketing [email protected]
employeeID=16453 sAMAccountName=lgreen department=Sales [email protected]
Virtual Group Entries under ou=groups: cn=Sales; cn=HR; cn=Marketing
cn=Sales objectclass=group member=john_smith member=lgreen member=jsamon
cn=HR objectclass=group member=leah_scott member=sthalon
cn=Marketing objectclass=group member=todd_jones member=ssmith
Virtual group names and members are automatically determined from all possible values of department.
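The virtual-group generation shown above, as an added example that is not RadiantOne code: the two domains name their users differently (cn in one, sAMAccountName in the other), so a per-source mapping says which attribute becomes the member value, and one group is emitted per distinct department value found in any source. Entry values follow the slide; the mail placeholders, the per-source mapping and the LDIF-style rendering are assumptions for the example. It also shows the dynamic behaviour the slide claims: a new department value in any source yields a new group, and an entry with an empty department joins no group.

```python
"""Auto-generate virtual group entries from the department attribute of user
entries held in two directory domains with different schemas.
Added example, not RadiantOne code."""
from collections import defaultdict

# Constructed sample entries (as on the slide; mail addresses are placeholders).
AD_US = [
    {"userID": "12952", "cn": "john_smith", "department": "Sales"},
    {"userID": "12954", "cn": "leah_scott", "department": "HR"},
    {"userID": "12943", "cn": "todd_jones", "department": "Marketing"},
]
AD_EUROPE = [
    {"employeeID": "16473", "sAMAccountName": "ssmith", "department": "Marketing",
     "mail": "ssmith@example.invalid"},
    {"employeeID": "16453", "sAMAccountName": "lgreen", "department": "Sales",
     "mail": "lgreen@example.invalid"},
]

# Per-source schema mapping (assumed): (label, entries, member attribute,
# grouping attribute). The grouping attribute happens to be the same in both
# domains here but is kept per source so a differently named one still works.
SOURCES = [
    ("AD US Domain", AD_US, "cn", "department"),
    ("AD Europe Domain", AD_EUROPE, "sAMAccountName", "department"),
]
GROUP_BASE = "ou=groups"

def build_virtual_groups(sources=SOURCES):
    """Return {department: [members]} with one group per distinct value seen
    across all sources. Entries with no department value join no group, and
    the set of groups changes as soon as a new value appears in any source."""
    groups = defaultdict(set)
    for _label, entries, member_attr, group_attr in sources:
        for entry in entries:
            value = (entry.get(group_attr) or "").strip()
            if not value:
                continue
            groups[value].add(entry[member_attr])
    return {name: sorted(members) for name, members in sorted(groups.items())}

def to_ldif(groups, base=GROUP_BASE):
    """Render the virtual group entries as LDIF-style text under ou=groups."""
    lines = []
    for name, members in groups.items():
        lines.append(f"dn: cn={name},{base}")
        lines.append("objectclass: group")
        lines.append(f"cn: {name}")
        lines.extend(f"member: {m}" for m in members)
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_ldif(build_virtual_groups()))
```

Because the groups are derived rather than stored, anything that consumes them for authorization inherits the quality of the source attribute: a misspelled or blank department in one domain silently changes membership, which is why the generator skips empty values and the output is worth diffing against the previous run.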
Federated Identity Service
RadiantOne as Single Identity Source
Diagram labels: Access Management; Portal; ODSEE; AD; HR Database; Enterprise App A (MemberOf = Sales); Enterprise App B (MemberOf = Finc); Claims Enabled App C (Security = High); Claims SaaS App D (Security = Low)
HR Database: EmployeeID=509-34-5855 Clearance=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234
Oracle DB: User = LCallahan Co = Sutton Ryan MemberOf = Sales
Name = Laura_Callahan Co = Sutton Ryan MemberOf = Sales Security = Low
saMAccountName = JSmythe Name = John_Smythe MemberOf = IT, Finc Security = High
saMAccountName = JSeed Name = Jill_Seed MemberOf = Sales
SaaS Profiles: Name = Laura_Callahan Co = Sutton Ryan Security = Low MemberOf = Sales; Name = John_Seed MemberOf = IT, Finc Security = High
John's AD Profile: User = JSmythe MemberOf = IT, Finc
SAP ERP Profiles: John_Smythe = High; Laura_Callahan = Low
AD Profile: saMAccountName = JSmythe MemberOf=Sales
IDM Profile: User = JSmythe GUID = 23185798306=4; User = LCallahan GUID = 39583201202=3
Customer App Profiles: User = LCallahan Co = Sutton Ryan MemberOf = Sales
RadiantOne as Single Identity Source for IDaaS and Portal
Diagram labels: Portal; IDaaS; NorAm AD; EMEA AD; Sync with VDS; Enterprise App A (MemberOf = Sales); Enterprise App B (MemberOf = Finc); Claims Enabled App C (Security = High); Claims SaaS App D (Security = Low)
Name = Laura_Callahan Co = Sutton Ryan MemberOf = Sales Security = Low
saMAccountName = JSeed Name = John_Seed MemberOf = IT, Finc Security = High
saMAccountName = Jsmythe Name = Jill_Smythe MemberOf = Sales
IDaaS Profiles: Name = Laura_Callahan Co = Sutton Ryan Security = Low MemberOf = Sales; Name = John_Seed MemberOf = IT, Finc Security = High
John's AD Profile: saMAccountName = JSeed MemberOf = IT, Finc
SAP ERP Profiles: John_Seed = High; Laura_Callahan = Low
Jill AD Profile: saMAccountName = JSmythe MemberOf=Sales
Confidential and proprietary materials for authorized Radiant Logic personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Why RadiantOne
• Portals, Content Management, Collaboration
• Federated Access - SaaS/Cloud Apps/Claims
• Web SSO – Access Management
• Partner/Vendor/Customer IAM
• Fine Grained Authorization (ABAC, XACML)
• Mergers, Acquisitions, Divestitures, Reorgs
• Directory Re-architecture, Replacement, Decommission
• Active Directory Consolidation and Partitioning