gartner for technical professionals workshop: how to build...
TRANSCRIPT
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
Mary Ruddy
Gartner for Technical Professionals — Workshop: How to Build a Modern Federation Architecture for a Cloud, Mobile and Social World
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.
Traditional Federation
Modern Federation
How do you architect to meet the demands of social, mobile, cloud, and big data ... without chasing after point solutions?
Dance Analogy: A World of Modern Federation
Workshop
1. Introductions
2. Federation Exercises
3. Five Key Patterns Driving Federation Evolution
4. Key Patterns Exercise
5. Break (Unstructured Discussion)
6. Group Discussion
7. Evaluation Criteria for Federation Technology
8. Discussion
Exercise 1: Warm-up
Working by yourself for this first step, identify:
- where your organization currently has federation,
- who is served, and
- what applications they access.
Exercise 1: Group
In groups of two to three, discuss your lists from the warm-up together.
Five Key Patterns Driving Federation Evolution
Core Enterprise Domain (diagram, built up over six successive slides)
- Core Enterprise Domain
- + Apps
- + Users
- + Devices
- + IAM
- + Subdomains
Cross-domain access is becoming more of a rule than an exception
Changes in Federation Architecture to Meet Increased Needs
Trends and Architectural Impacts
• Products and suites continue to add federation
• Federation technology is becoming more central to IAM architecture
• SaaS has sparked a federation connector war
• A "cloud only" strategy is rarely the norm
Federation Standards Are Evolving
• SAML
• OAuth 2.0
• OpenID Connect
• SCIM 1.1
• XACML 3.0
Standards support is not a check box
STS Is Evolving
• Broader role of bridging silos
• Multi-protocol:
- Token issuance
- Transformation
• Gumball machine
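An added example, not code from the deck or from any vendor product, of the multi-protocol token issuance and transformation role described above: a small Python STS that accepts an inbound assertion-style token from a trusted issuer, checks its signature and validity window, maps its claims, and issues a short-lived access-style token for a named audience. The token format (HMAC-signed "body.signature"), the issuer URLs and the keys are constructed for illustration; a production STS verifies XML Signature or JWS signatures against keys published in the issuer's metadata.

```python
"""Minimal security token service (STS) bridging two token silos.

Added example, not code from the Gartner deck or any vendor product.
Token format, issuer URLs and keys are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed trust store: inbound issuers this STS accepts, and the key used
# to verify each issuer's signature (a production STS verifies XML Signature
# or JWS signatures against keys published in the issuer's metadata).
TRUSTED_ISSUERS = {
    "https://idp.example.internal": b"inbound-shared-secret-CONSTRUCTED",
}
# Constructed key this STS uses to sign the tokens it issues.
STS_SIGNING_KEY = b"sts-signing-key-CONSTRUCTED"
STS_ISSUER = "https://sts.example.internal"
OUTBOUND_LIFETIME_SECONDS = 300  # outbound tokens are deliberately short-lived


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: Dict[str, object], key: bytes) -> str:
    """Issue a compact 'body.signature' token (JWS-like, HMAC-SHA256)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify(token: str, key: bytes) -> Dict[str, object]:
    """Check the signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


def _peek_issuer(token: str) -> Optional[str]:
    """Read the still-unverified issuer claim, used only to select a key."""
    try:
        return json.loads(_unb64(token.split(".")[0])).get("issuer")
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None


def transform(inbound_token: str, audience: str,
              now: Optional[float] = None) -> Dict[str, Optional[str]]:
    """Validate an inbound assertion-style token and issue an outbound
    access-style token for `audience`. Returns {"token": ..., "error": ...}
    so the caller (or an audit log line) can record why a request was refused."""
    now = time.time() if now is None else now
    issuer = _peek_issuer(inbound_token)
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        return {"token": None, "error": f"untrusted issuer: {issuer}"}
    try:
        claims = verify(inbound_token, key)
    except ValueError as exc:
        return {"token": None, "error": str(exc)}
    # Validity window: reject expired or not-yet-valid inbound tokens.
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return {"token": None, "error": "inbound token outside its validity window"}
    if not claims.get("subject"):
        return {"token": None, "error": "inbound token has no subject"}
    # Claim mapping across silos: assertion-style names -> access-style names.
    attrs = claims.get("attributes", {})
    outbound = {
        "iss": STS_ISSUER,
        "sub": claims["subject"],
        "aud": audience,
        "groups": sorted(attrs.get("memberOf", [])),
        "iat": int(now),
        "exp": int(now) + OUTBOUND_LIFETIME_SECONDS,
        "act": {"iss": issuer},  # original issuer, kept for audit
    }
    return {"token": sign(outbound, STS_SIGNING_KEY), "error": None}


if __name__ == "__main__":
    # Constructed inbound assertion from the trusted internal IdP.
    inbound = sign({"issuer": "https://idp.example.internal", "subject": "alice",
                    "nbf": 1000, "exp": 2000,
                    "attributes": {"memberOf": ["staff", "hr"]}},
                   TRUSTED_ISSUERS["https://idp.example.internal"])
    print(transform(inbound, "https://app.example.com", now=1500))
```

The issuer is read before verification only to pick the verification key; nothing in the inbound token is trusted until the signature check passes, and untrusted issuers, bad signatures and tokens outside their validity window are refused with a reason that can be logged. The outbound token is bound to one audience, expires quickly, and carries an `act` claim naming the original issuer so that the bridging step stays visible in audit.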
Software Is Becoming More Modular
• Products and suites are becoming more modular
• Federation modules have sub-modules:
- STS
- Federation IDP
- Federation SP
• Federation sub-modules aren't monolithic either:
- They are becoming more like services
Federation and Authorization
• Enhancement of federation through the addition of EAM (externalized authorization management)
• Benefits include:
- Centralized authorization policy management
- Richer authorization policy language
Federation and EAM (diagram)
Federation Module (Federation IDP, Federation SP, STS) alongside PEP, PDP and PIP
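An added example, not code from the deck or from any vendor product, showing in Python the division of labor in the Federation and EAM diagram: the federation SP hands a request to a policy enforcement point (PEP), the PEP asks a policy decision point (PDP), and the PDP enriches the subject from a policy information point (PIP) before evaluating centrally managed, XACML-style rules with deny-overrides combining. The HR policy, the attribute names and the directory contents are constructed.

```python
"""PEP, PDP and PIP beside a federation SP (externalized authorization).

Added example, not code from the Gartner deck or any vendor product. The
HR policy, attribute names and directory contents are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    """What the PEP sends the PDP: subject attributes, target and context."""
    subject: Dict[str, object]
    resource: str
    action: str
    environment: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    """XACML-style rule: `effect` applies when `condition(request)` holds."""
    name: str
    effect: str  # "Permit" or "Deny"
    condition: Callable[[Request], bool]


class PolicyInformationPoint:
    """Serves enterprise attributes (entitlements, account status) that the
    federated assertion does not carry; backed here by a constructed dict."""
    def __init__(self, directory: Dict[str, Dict[str, object]]):
        self.directory = directory

    def attributes_for(self, subject_id: str) -> Dict[str, object]:
        return dict(self.directory.get(subject_id, {}))


class PolicyDecisionPoint:
    """Evaluates centrally managed rules with deny-overrides combining."""
    def __init__(self, rules: List[Rule], pip: PolicyInformationPoint):
        self.rules, self.pip = rules, pip

    def decide(self, request: Request) -> str:
        # PIP attributes are authoritative and override anything the
        # assertion claimed under the same name.
        subject = {**request.subject,
                   **self.pip.attributes_for(str(request.subject.get("id")))}
        enriched = Request(subject, request.resource, request.action,
                           request.environment)
        effects = {r.effect for r in self.rules if r.condition(enriched)}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class PolicyEnforcementPoint:
    """Sits in the federation SP request path; fails closed on anything
    other than an explicit Permit (NotApplicable is refused, not allowed)."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def enforce(self, request: Request) -> bool:
        return self.pdp.decide(request) == "Permit"


def request_from_assertion(assertion: Dict[str, object], resource: str,
                           action: str,
                           environment: Optional[Dict[str, object]] = None) -> Request:
    """Federation SP hand-off. Only claims the SP trusts an external IdP for
    (who the user is, how strongly they authenticated) are forwarded;
    entitlement claims such as group membership are dropped here and come
    from the PIP instead, which is how the trust gap for social identities
    is closed."""
    subject = {"id": assertion["sub"], "idp": assertion["iss"],
               "assurance": int(assertion.get("assurance", 0))}
    return Request(subject, resource, action, dict(environment or {}))


def _groups(r: Request) -> set:
    return set(r.subject.get("groups", []))


# Constructed policy for an HR application.
DEMO_RULES = [
    Rule("deny-disabled-account", "Deny",
         lambda r: r.subject.get("accountStatus") == "disabled"),
    Rule("deny-write-from-unmanaged-device", "Deny",
         lambda r: r.action == "write"
         and r.environment.get("deviceManaged") is False),
    Rule("permit-hr-read", "Permit",
         lambda r: r.resource.startswith("hr/") and r.action == "read"
         and "hr" in _groups(r)),
    Rule("permit-hr-write-strong-authn", "Permit",
         lambda r: r.resource.startswith("hr/") and r.action == "write"
         and "hr-admins" in _groups(r) and r.subject.get("assurance", 0) >= 2),
]

# Constructed enterprise directory behind the PIP.
DEMO_DIRECTORY = {
    "alice": {"groups": ["hr", "hr-admins"], "accountStatus": "active"},
    "bob": {"groups": ["hr"], "accountStatus": "disabled"},
}


def demo_pep() -> PolicyEnforcementPoint:
    pip = PolicyInformationPoint(DEMO_DIRECTORY)
    return PolicyEnforcementPoint(PolicyDecisionPoint(DEMO_RULES, pip))


def authorize(assertion: Dict[str, object], resource: str, action: str,
              environment: Optional[Dict[str, object]] = None,
              pep: Optional[PolicyEnforcementPoint] = None) -> bool:
    """Full path: federation SP -> PEP -> PDP (+PIP) -> allow or refuse."""
    pep = pep or demo_pep()
    return pep.enforce(request_from_assertion(assertion, resource, action,
                                              environment))
```

Two design choices carry the security weight: the SP forwards only identity and authentication-strength claims from the assertion, so a social or partner IdP cannot grant itself entitlements by asserting a group, and the PEP treats anything other than an explicit Permit as a refusal. The environment dictionary is where adaptive signals such as device state enter the decision.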
Social Identity Is Driving Adaptive Access (diagram)
Enterprise Application: Enterprise-specific Trust Requirements
Available Identities
Trust Gap (between the enterprise-specific trust requirements and the available identities)
Adaptive Access Control Is Emerging
• Being added to federation offerings
• Being added to IAM offerings …
• (Banks have been doing this for a while)
Modern Federation Architecture Elements
• Cloud
• Support for multiple open standards
• Modular
• STS bridges silos
• Social identities
• Adaptive access control
Exercise 2
In groups of two to three, discuss the challenges caused by these five patterns and how the associated architectural elements apply to your organization in the next nine months.
(Diagram repeated from earlier: Subdomains, IAM, Users, Core Enterprise Domain, Apps, Devices)
Evaluation Criteria for Federation Technology Toolkit
Need for Broader Federation Criteria
• Spreadsheet toolkit (and report)
• Lists the capabilities needed to be a forward-looking, enterprise-grade federation offering:
- The list is sorted into 14 categories
- Within each category, criteria are sorted as required, preferred or optional
- Specific enterprise needs will vary
Federation Criteria Toolkit — Categories
1. Core Capabilities
2. Inbound Federation (Fed SP)
3. Repositories of Identity (Fed IDP)
4. Identity Standards
5. OAuth
6. XACML
7. User Management
8. Policy Administration
9. Other IAM Capabilities
10. Administrator Authentication
11. End-user Authentication
12. Client Access
13. System Integration
14. Operations Management
Repositories of Identity (Federation IDP) — Required Criteria
Required criteria (each evaluated Yes/No):
- LDAP
- Microsoft Active Directory
- Oracle
- Microsoft SQL Server
- MySQL
- OpenID-based providers such as AOL, Google, PayPal and Yahoo
- Commercial attribute provider support
Preferred Criteria Evaluated/Score: 0
Standards — Required Criteria
Required criteria (each evaluated Yes/No):
- SAML 2.0 Protocols
- SAML 2.0 Bindings
- SAML 2.0 Metadata
- WS-Federation 1.2
- WS-Policy 1.5
- WS-Trust 1.4
- Token transformation services for Kerberos
- Token transformation services for Username
Required Criteria Evaluated/Score: 0
Standards — Preferred Criteria
Preferred criteria (each evaluated Yes/No):
- SAML 2.0 U.S. Federal ICAM Profile: NO
- SAML 2.0 U.S. Federal ICAM Backend Attribute Exchange (BAE) 2.0 Profile: NO
- SAML x.509 Attribute Sharing (XASP)
- OpenID 2.0: YES
- OpenID 2.0 U.S. Federal ICAM deployment profile
- Shibboleth
- OpenID Connect
- OpenID Connect reference implementation
- OpenID Connect Basic Client
- OpenID Connect Implicit Client
- OpenID Connect Standard
- OpenID Connect Messages
- SCIM 1.1
- SPML v2
- WS-MetadataExchange (MEX) 1.1
- Token transformation for X.509 certificate
- Token transformation for Web access management systems
- WS-Security
- XML Signature
Preferred Criteria Evaluated/Score: 3
Standards — Optional Criteria
Optional criteria (each evaluated Yes/No):
- SAML 1.x Protocols
- SAML 1.x Bindings
- SAML 2.0 Asynchronous Single Logout Profile Extension Version 1.0 Committee Specification 01
- Other SAML 2.0 Profiles
- Other OpenID 2.0 Profiles
- OpenID Connect Discovery
- OpenID Connect Dynamic Client Registration
- OpenID Connect Session Management
- OAuth 2.0 Multiple Response Types
- SCIM 1.0
- ID-FF 1.2
- Token transformation for RACF
- Token transformation for other formats
- XML Encryption
- RESTful API security
- Other identity standards
Federation Criteria Toolkit Scorecards (chart)
Solution Scorecard: percentage of criteria met (0% to 100%) shown separately for Required, Preferred and Optional criteria
Recommendations
• Plan on supporting multi-domain scenarios
• Take a broader view of federation and include it in general IAM planning
• Make sure your federation product supports all the standards capabilities you need
• Choose federation products based on how well their approach aligns with your longer-term needs
Action Plan for Enterprises
Monday Morning:
- Review IAM plan and identify where federation issues are relevant
Next 90 Days:
- Inventory current federation needs
- Inventory future federation needs
- Prioritize and group them
- Identify gaps in current federation infrastructure
Next 12 Months:
- Use evaluation criteria as input to next RFI/RFP
- Some enterprises will need multiple federation offerings
Recommended Gartner Research
Understanding Modern Federation Trends and Their Influence on Identity and Access Architecture Mary E. Ruddy (G00251840)
Evaluation Criteria for Federation Technology Mary E. Ruddy (G00250194)
Decision Point for Identity and Access Management in Mobility Projects Ian Glazer (G00231043)
Decision Point for Federated Identity Mark Diodati and Bob Blakley (G00235089)
Identity Bridges: Uniting Users and Applications Across the Hybrid Cloud Mark Diodati (G00229282)
For more information, stop by Gartner Research Zone.
Get more
Gartner for Technical Professionals
research at Catalyst Conference 2014
August 11-14, San Diego, CA
Gartner.com/us/catalyst
Research written for technologists by technologists…