connected identity : the role of the identity bus
TRANSCRIPT
Connected Identity & the role of the Identity Bus
Prabath Siriwardena, Director of Security Architecture
WSO2
In the U.S. alone, mergers and acquisitions volume totaled $865.1 billion in the first nine months of 2013, according to Dealogic.
Gartner predicts that by 2020, 60% of all digital identities interacting with enterprises will come from external IdPs.
Identity Broker Pattern
Fundamental #1: Federation protocol agnostic
• Should not couple into a specific federation protocol like SAML or OpenID Connect.
• Ability to connect multiple identity providers over heterogeneous identity federation protocols.
• Should have the ability to transform ID tokens between heterogeneous federation protocols.
Fifteen Fundamentals
Fundamental #2: Transport protocol agnostic
• Should not couple into a specific transport protocol (HTTP, MQTT).
Fundamental #3: Authentication protocol agnostic
• Should not couple into a specific authentication protocol (username/password, FIDO, OTP).
• Pluggable authenticators.
Fundamental #4: Claim Transformation
• Should have the ability to transform identity provider specific claims into service provider specific claims.
• Simple claim transformations and complex transformations.
Fundamental #5: Home Realm Discovery
• Should have the ability to find the home identity provider corresponding to the incoming federation request by looking at certain attributes in the request.
• Filter based routing.
Fundamental #6: Multi-option Authentication
• Should have the ability to present multiple login options to the user, per service provider.
Fundamental #7: Multi-step Authentication
• Should have the ability to present multi-step authentication (MFA) to the user, per service provider.
Fundamental #8: Adaptive Authentication
• Should have the ability to change the authentication options based on the context.
Fundamental #9: Identity Mapping
• Should have the ability to map identities between different identity providers.
• The user should be able to maintain multiple identities with multiple identity providers.
Fundamental #10: Multiple Attribute Stores
• Should have the ability to connect to multiple attribute stores and build an aggregated view of the end user identity.
Fundamental #11: Just-in-time Provisioning
• Should have the ability to provision users to connected user stores in a protocol agnostic manner.
Fundamental #12: Manage Identity Relationships
• Should have the ability to manage identity relationships between different entities and take authentication and authorization decisions based on them.
Fundamental #13: Trust Brokering
• Each service provider should identify which identity providers it trusts.
Fundamental #14: Centralized Access Control
• Who gets access to which user attribute? Which resources can the user access at the service provider?
Fundamental #15: Centralized Monitoring
• Should have the ability to monitor and generate statistics on each identity transaction that flows through the broker.
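As an added example (not from the slides or from WSO2's own code), the Python below wires three of the fundamentals together: filter-based home realm discovery (#5), per-service-provider trust brokering (#13) and claim transformation (#4), with unmapped attributes dropped so the service provider only sees what it is entitled to (#14). The identity provider names, the service provider, the claim names and the routing rules are constructed assumptions, and the federation leg to the IdP is stubbed by a caller-supplied fetch_claims callable.

```python
# Added example, not from the slides: a minimal identity-broker core showing
# home realm discovery (#5), trust brokering (#13) and claim transformation (#4).
# All IdP names, SP names, claim names and routing rules are constructed.
from dataclasses import dataclass, field


class BrokerError(Exception):
    """Raised when a federation request cannot be routed or is not trusted."""


@dataclass
class ServiceProvider:
    name: str
    trusted_idps: set          # Fundamental #13: the SP decides whom it trusts
    claim_map: dict            # Fundamental #4: IdP claim name -> SP claim name
    required_claims: set = field(default_factory=set)


# Fundamental #5: filter-based routing. Rules are evaluated in order and the
# first filter that matches the request attributes selects the home IdP.
HRD_RULES = [
    (lambda req: req.get("email", "").endswith("@partner.example"), "partner-saml"),
    (lambda req: req.get("idp_hint") == "social", "google-oidc"),
]
DEFAULT_IDP = "corp-oidc"   # constructed fallback realm


def discover_home_realm(request: dict) -> str:
    for matches, idp in HRD_RULES:
        if matches(request):
            return idp
    return DEFAULT_IDP


def transform_claims(idp_claims: dict, sp: ServiceProvider) -> dict:
    """Rename IdP-specific claims to the SP's dialect and drop anything the SP
    has no mapping for, so over-released IdP attributes never reach it (#14)."""
    out = {sp_name: idp_claims[idp_name]
           for idp_name, sp_name in sp.claim_map.items() if idp_name in idp_claims}
    missing = sp.required_claims - set(out)
    if missing:
        raise BrokerError(f"missing required claims for {sp.name}: {sorted(missing)}")
    return out


def broker(request: dict, sp: ServiceProvider, fetch_claims) -> dict:
    """Route the request to its home IdP, enforce the SP's trust list, then
    transform whatever the IdP asserted into the SP's claim dialect."""
    idp = discover_home_realm(request)
    if idp not in sp.trusted_idps:
        raise BrokerError(f"{sp.name} does not trust identity provider {idp}")
    return {"idp": idp, "claims": transform_claims(fetch_claims(idp, request), sp)}
```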
Seven Fundamentals of Future IAM
By Martin Kuppinger
Fundamental #1: More than humans - It’s also about Identities of things, devices, services, and apps
Fundamental #2: Multiple Identity Providers - We will not manage all identities internally anymore and trust will vary
Fundamental #3: Multiple Attribute Providers - There will no longer be a single source of truth and information on identities
Fundamental #4: Multiple Identities - Many users will use different identities (or personas) and flexibly switch between these
Fundamental #5: Multiple Authenticators - There is no single authenticator that works for all
Fundamental #6: Identity Relationships - We must map humans to things, devices, and apps
Fundamental #7: Context - Identity and Access Risk varies in context