
Page 1

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."

Mary Ruddy

Gartner for Technical Professionals — Workshop: How to Build a Modern Federation Architecture for a Cloud, Mobile and Social World

Page 2

Traditional Federation

Page 3

Modern Federation

Page 4

How do you architect to meet the demands of social, mobile, cloud, and big data ... without chasing after point solutions?

Page 5

Dance Analogy: A World of Modern Federation

Page 6

Workshop

1. Introductions

2. Federation Exercises

3. Five Key Patterns Driving Federation Evolution

4. Key Patterns Exercise

5. Break (Unstructured Discussion)

6. Group Discussion

7. Evaluation Criteria for Federation Technology

8. Discussion

Page 7

Exercise 1: Warm-up

Working by yourself for this first step, identify where your organization currently has federation, who is served, and what applications they access.

Page 8

Exercise 1: Group

In groups of two to three, discuss your lists from the warm-up together.

Page 9

Five Key Patterns Driving Federation Evolution

Pages 10 to 16

Diagram built up one element at a time across these slides: Core Enterprise Domain, then Apps, Users, Devices, IAM, and finally Subdomains.

Page 17

Cross-domain access is becoming more the rule than the exception.

Page 18

Changes in Federation Architecture to Meet Increased Needs

Page 19

Trends and Architectural Impacts

• Products and suites continue to add federation

• Federation technology is becoming more central to IAM architecture

• SaaS has sparked a federation connector war

• A "cloud only" strategy is rarely the norm

Page 20

Federation Standards Are Evolving

• SAML

• OAuth 2.0

• OpenID Connect

• SCIM 1.1

• XACML 3.0

Standards support is not a check box

Page 21

STS Is Evolving

• Broader role of bridging silos

• Multi-protocol:

- Token issuance

- Transformation

• Gumball machine

Page 22

Software Is Becoming More Modular

• Products and suites are becoming more modular

• Federation modules have sub-modules:

- STS

- Federation IDP

- Federation SP

• Federation sub-modules aren't monolithic either:

- They are becoming more like services

Page 23

Federation and Authorization

• Enhancement of federation through the addition of EAM

• Benefits include:

- Centralized authorization policy management

- Richer authorization policy language

Page 24

Federation and EAM

Diagram labels: Federation Module; PEP; PDP; PIP.

Page 25

Federation and EAM

Diagram labels: Federation Module (Federation IDP, Federation SP, STS); PEP; PDP; PIP.

Page 26

Social Identity Is Driving Adaptive Access

Diagram labels: Enterprise Application; Enterprise-specific Trust Requirements; Available Identities; Trust Gap.

Page 27

Adaptive Access Control Is Emerging

• Being added to federation offerings

• Being added to IAM offerings …

• (Banks have been doing this for a while)

Page 28

Modern Federation Architecture Elements

• Cloud

• Support for multiple open standards

• Modular

• STS bridges silos

• Social identities

• Adaptive access control

Page 29

Exercise 2

In groups of two to three, discuss the challenges caused by these five patterns and how the associated architectural elements apply to your organization in the next nine months.

Page 30

Diagram (repeated from page 16): Subdomains, IAM, Users, Core Enterprise Domain, Apps, Devices.

Page 31

Evaluation Criteria for Federation Technology Toolkit

Page 32

Need for Broader Federation Criteria

• Spreadsheet toolkit (and report)

• Lists the capabilities needed for a forward-looking, enterprise-grade federation offering:

- List is sorted into 14 categories

- Categories are sorted by required, preferred, optional

- Specific enterprise needs will vary

Page 33

Federation Criteria Toolkit — Categories

1. Core Capabilities

2. Inbound Federation (Fed SP)

3. Repositories of Identity (Fed IDP)

4. Identity Standards

5. OAuth

6. XACML

7. User Management

Page 34

Federation Criteria Toolkit — Categories

8. Policy Administration

9. Other IAM Capabilities

10. Administrator Authentication

11. End-user Authentication

12. Client Access

13. System Integration

14. Operations Management

Page 35

Repositories of Identity (Federation IDP) — Required Criteria

Required Yes/No

LDAP

Microsoft Active Directory

Oracle

Microsoft SQL Server

MySQL

OpenID-based providers such as AOL, Google, PayPal and Yahoo

Facebook

Commercial attribute provider support

Preferred Criteria Evaluated/Score: 0

Page 36

Standards — Required Criteria

Required Yes/No

SAML 2.0 Protocols

SAML 2.0 Bindings

SAML 2.0 Metadata

WS-Federation 1.2

WS-Policy 1.5

WS-Trust 1.4

Token transformation services for Kerberos

Token transformation services for Username

Required Criteria Evaluated/Score: 0

Page 37

Standards — Preferred Criteria

Required Yes/No

SAML 2.0 U.S. Federal ICAM Profile NO

SAML 2.0 U.S. Federal ICAM Backend Attribute Exchange (BAE) 2.0 Profile NO

SAML x.509 Attribute Sharing (XASP)

OpenID 2.0 YES

OpenID 2.0 U.S. Federal ICAM deployment profile

Shibboleth

OpenID Connect

OpenID Connect reference implementation

OpenID Connect Basic Client

OpenID Connect Implicit Client

OpenID Connect Standard

OpenID Connect Messages

SCIM 1.1

SPML v2

WS-MetadataExchange (MEX) 1.1

Token transformation for X.509 certificate

Token transformation for Web access management systems

WS-Security

XML Signature

Preferred Criteria Evaluated/Score: 3

Page 38

Standards — Optional Criteria

Required Yes/No

SAML 1.x Protocols

SAML 1.x Bindings

SAML 2.0 Asynchronous Single Logout Profile Extension Version 1.0 Committee Specification 01

Other SAML 2.0 Profiles

Other OpenID 2.0 Profiles

OpenID Connect Discovery

OpenID Connect Dynamic Client Registration

OpenID Connect Session Management

OAuth 2.0 Multiple Response Types

SCIM 1.0

ID-FF 1.2

Token transformation for RACF

Token transformation for other formats

XML Encryption

RESTful API security

Other identity standards

Page 39

Federation Criteria Toolkit Scorecards

Solution Scorecard chart: bars for Required, Preferred and Optional criteria on a 0% to 100% scale.

Page 40

Recommendations

Page 41

Recommendations

Plan on supporting multi-domain scenarios

Take a broader view of federation and include it in general IAM planning

Make sure your federation product supports all needed standards capabilities

Choose federation products based on alignment of approach with longer term needs

Page 42

Action Plan for Enterprises

Monday Morning:

- Review IAM plan and identify where federation issues are relevant

Next 90 Days:

- Inventory current federation needs

- Inventory future federation needs

- Prioritize and group them

- Identify gaps in current federation infrastructure

Next 12 Months:

- Use evaluation criteria as input to next RFI/RFP

- Some enterprises will need multiple federation offerings

Page 43

Recommended Gartner Research

Understanding Modern Federation Trends and Their Influence on Identity and Access Architecture, Mary E. Ruddy (G00251840)

Evaluation Criteria for Federation Technology, Mary E. Ruddy (G00250194)

Decision Point for Identity and Access Management in Mobility Projects, Ian Glazer (G00231043)

Decision Point for Federated Identity, Mark Diodati and Bob Blakley (G00235089)

Identity Bridges: Uniting Users and Applications Across the Hybrid Cloud, Mark Diodati (G00229282)

For more information, stop by Gartner Research Zone.

Page 44

Get more Gartner for Technical Professionals research at Catalyst Conference 2014

August 11-14, San Diego, CA

Gartner.com/us/catalyst

Research written for technologists by technologists…