The document discusses the challenges of deploying an identity provider in an environment with siloed and federated identity systems. It identifies challenges around authentication, which involves identifying users across multiple sources with different identifiers and credential formats. Authorization challenges include attributes and groups being distributed across different data sources. The document proposes addressing these challenges through a federated identity service that acts as a single identity source through identity aggregation, correlation, mapping attributes and groups across sources, and presenting virtualized identity views. This approach can enable single sign-on across applications while leveraging existing identity systems.

1. Deploying an Identity Provider in a Complex,
Federated and Siloed World
PING Conference - July 2013
1

2. • Challenges you will face:
• How to accommodate new requirements
• Problems you can encounter and why
• Authentication
• Authorization
• Approach to solving these challenges:
• A federated identity service
• Identity Hub storage
• Aggregation
• Mapping
• Correlation
• Join
• Caching
• Leveraging the federated identity service for not just cloud apps, but also
legacy apps as well.
Talking Points
2

3. The Challenges
3

4. SAML
Authentication and Federation:
The Cloud and Web Apps Imperative
OpenID
Connect
OAuth 2.0
4

5. The Current Security Conundrum
Security Means:
SAML, OAuth,
OpenID
Identity
Infrastructure
A complete
federation
solution requires
federating both
access and
identities
5

6. The Directory
Original Model for Security
• Any security system based on identity is composed of two parts:
• A registry of identity information
• The security means (which is supported by the identity information)
Kerberos, SASL, SSL
6

7. Current Infrastructure:
Multiple Doors and Locks
AD Sun
RACF
LDAPHR
Role DB
7

8. The Challenge of a Fragmented Distributed Identity
System
Existing Identity Infrastructure
Legacy Applications
SaaS/Cloud/BYOD/
Partner Apps
8

9. The Challenges
• For many initiatives, such as federation and portal security, you need:
1. One global reference identity source for authenticating users.
2. And to support authorization, you want that one identity source to contain the
richest profile possible for each identity.
• But you cannot afford to just create another green field directory because:
1. It would be a huge effort to populate it
2. The information already exists in other silos
• You need one central access point, but don’t want to start over from
scratch.
9

10. Identity Provider Challenges
10

11. Authentication Challenges – The Details
Goal: Enable Authentication and SSO Across Multiple Sources
1. The first step is identification, or finding the user entry that
needs to be authenticated. But
• Identities are spread across multiple data sources, such as multiple
AD domains/forests.
• Identities are described differently in each source, such as “uid” vs.
“sAMAccountName” vs. “LOGIN.”
2. The second step is credential checking. Each source supports
its own authentication mechanism:
• Different encryption of passwords and schema elements (such as
userPassword vs. unicodePwd, etc).
• Existing internal (employee) user IDs & passwords in Active
Directory.
• External user credentials may be stored elsewhere (SunOne,
Oracle, etc).
11

12. Goal: Attribute-Based or Groups-Based Authorization
1. Profile information exists in multiple data sources
2. Data sources have their own schema elements (object classes and
attributes)
• group/member (AD)
• groupOfUniqueNames/uniquemember (Sun)
3. Inflexible group definition
• Static (hard-coded) group members
• Rely on client application logic to build members via an extra search
(based on memberURL attribute)
Authorization Challenges – The Details
12

13. User Identification Challenges
sameperson,differentidentifiers
differentpeoplesameidentifiers
13

14. Identification Challenges of SSO
LDAP Directory
Active Directory
employeeNumber=E562098000Z
samAccountName=Andrew_Fuller
objectClass=user
mail: andrew_fuller@radiant.com
departmentNumber=234
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
departmentNumber=234
employeeID=562_09_8000
Name=Andrew_Fuller
ID: andrew_fuller@setree1.com
login=AFuller
ID=562_09_8000
Salesforce knows Andrew by an ID of
andrew_fuller@radiant.com
SharePoint knows Andrew
by an ID of AFuller
14

15. Attribute-Driven Authorization Challenges
LDAP DirectoryActive Directory HR Database
employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail: andrew_fuller@setree1.com
departmentNumber=234
memberOf=cn=AllUsers,ou=Groups,dc=ad
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
departmentNumber=234
cn=Regional Sales
objectclass=groupOfUniqueNames
unqiueMemeber=uid=afuller,ou=people,o=sun
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234
Is this the same person?
If so, what groups is he a member of?
If so, how can I get a global profile when there is no single common identifier?
15

16. Solving Challenges
16

17. A Federated Identity Service
Existing Identity Infrastructure
Legacy Applications
SaaS/Cloud/BYOD/
Partner Apps
17

18. Identity Integration
Accounting
Marketing Support
Business
Development
Call Center Fulfillment
Order Mgmt.
Sales
HR
18

19. Federated Identity Service
The High Level Components
The “Identity Hub” supported by
Identity and context virtualization
The “storage” is a directory (for
speed and scalability)
The “services” are metadata extraction,
view design, mapping, correlation, join,
synchronization (persistent cache with
auto-refresh)
19

20. Identity and Context Virtualization Process
20

21. Identity Integration (Aggregation and Correlation)
21

22. • Union requires some kind
of criteria, one or more
attributes, to detect and
correlate same-users
across systems. This is
the common, global
identifier.
• A match based on this
attributes(s) allows us to
remove duplicates.
• The result is a “union
compatible” operation,
where all users are
represented exactly once,
and only once, in the
virtualized global list.
emplogin firstname lastname
smatthews Sarah Matthews
lanalandry Lana Landry
employeeID givenName sn title
llandry Lana Landry Writer
smatthews Steve Matthews Janitor
LOGIN firstname lastname role group homephone
llandry Lana Landry Tech Writer Marketing 4152096800
smatthews Sarah Matthews CEO Admin 4152096802
firstname lastname
Sarah Matthews
Lana Landry
Steve Matthews
System A
System B
System C
Global List (Union)
Identity Correlation Example
- Creating a UNION Set
22

23. Identity Views Delivered in Format and Content
Expected by Applications
23

24. Solving Authentication Challenges
How does a Federated Identity Service help solve authentication challenges?
Step Challenge Can be solved by
Identification Identities spread across
multiple sources
Integrating users from multiple
sources
Identities described
differently in each source
Object and Attribute Mapping to
provide a common schema
Credential
Checking
Different encryption of
passwords and schema
elements
Providing a single form of
authentication to application,
and the flexibility to delegate
the credential checking to the
backend or customize some
other validation mechanism
24

25. Solving Authorization Challenges
Type Challenge Can be solved by
Attribute-
Based
Profile attributes spread
across multiple sources
Integrating users from multiple
sources, in order to build a
global profile
Groups-Based Existing groups and
potential group members
spread across multiple
data silos
Offering Flexible Group
Definitions:
- Aggregate/map existing
groups
- Build new group
definitions with dynamic
members
How does a Federated Identity Service help solve authorization challenges?
25

26. Example: Identity Correlation and Profile Creation
LDAP Directory
Active Directory
HR Database
employeeNumber=2
samAcountName=Andrew_Fuller
objectClass=user
mail: andrew_fuller@setree1.com
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA
CorrelatedIdentityView
employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail: andrew_fuller@setree1.com
departmentNumber=234
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
departmentNumber=234
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234
26

27. Example: Dynamic Group Creation and Profile
Extension
cn=Sales
objectClass=group
member=Andrew_Fuller
**Based on identities that have:
• ClearanceLevel=1
• title=VP Sales
• Region=PA
CorrelatedIdentityViewDynamicGroupsView
ComputedAttribute(memberOf)
basedonalookupinthe
dynamicgroupsview
employeeNumber=2
samAcountName=Andrew_Fuller
objectClass=user
mail: andrew_fuller@setree1.com
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA
memberOf=cn=Sales
27

28. Example: Dynamic Group Creation
28

29. Persistent (disk-based) Cache
Sources
View Definitions
P. CACHE
Materialized
View
Sources
View Definitions
Run Time View
No Cache
Addressing Performance Challenges
Sources
View Definitions
Memory Cache
Memory Cache
29

30. Introduction to Common Use Cases
30

31. Support for Authentication and as an Attribute
Server
31

32. Use Case: PAM Authentication
Credentials Checking Delegated to Backend
UNIX/LINUX Clients
Authentication Request
Re-use existing users
and credentials!
AD Domain 1 AD Domain 2 Sun
Credentials Checking forwarded to
authoritative source
32

33. Use Case: PAM Authentication
Storing PAM Specific Attribute Extension in VDS
sAMAccountName=jsmith
sn=Smith
givenName=John
title=operations manager
uidNumber = 100
gidNumber = 108
gecos = Andrew Fuller
loginshell = /bin/zsh
homedirectory = /home/afuller
shadowLastChange = 10877
…
sAMAccountName=jsmith
sn=Smith
givenName=John
title=operations manager
Base Profile
Extended Attributes
These extended attributes
can be stored in any source:
“local” or some other backend
Join of all attributes and
presented as a single entry
UNIX/LINUX Clients
AD Domain 1
33

34. Use Case: Oracle Names Resolution
Oracle Clients
Oracle DB Servers
VDS local LDAP stores oracle context data
Schema extended at VDS
Each client configured to point to VDS to lookup DB
34

35. Use Case: Global Address List for Email Clients
LDAP Directory
Active Directory
HR Database
employeeNumber=9
samAcountName=Alice_Lee
objectClass=user
mail: alee@mycompanycom
cn=Alice Lee
title=VP Sales
ClearanceLevel=1
Region=PA
departmentNumber=234
telephoneNumber=415-520-2203
Correlated Identity View
employeeNumber=9
samAccountName=Alice_Lee
objectClass=user
mail: alee@mycompany.com
departmentNumber=234
uid=Alee
title=VP Sales
givenName=Alice
sn=Lee
telephoneNumber=415-520-2203
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Alice_Lee
DeptID=Sales234
35

36. Compliance
LDAP Directory
Active Directory
HR Database
employeeNumber=9
samAcountName=Alice_Lee
objectClass=user
mail: alee@mycompanycom
cn=Alice Lee
title=Guru Inside Sales Manager
ClearanceLevel=1
Region=PA
departmentNumber=234
telephoneNumber=415-520-2203
source=HR Database
source=LDAP Directory
source= Active Directory
Correlated Identity View
employeeNumber=9
samAccountName=Alice_Lee
objectClass=user
mail: alee@mycompany.com
departmentNumber=234
uid=Alee
title=Guru Inside Sales Manager
givenName=Alice
sn=Lee
telephoneNumber=415-520-2203
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Alice_Lee
DeptID=Sales234
Reports
Which Data Sources Does Alice Have Active Accounts In?
36

37. Use Case: FID and Provisioning
Legacy Applications
(and respective stores)
AD Sun LDAP
Cloud Apps
LDAP/
SQL/
SPML
FID
as reference image
SPML
SCIM
37

38. • Summary
• In order to accommodate new requirements you will face challenges around
authentication and authorization.
• Multiple existing different identity silos means
• Many methods for credentials checking
• Many locations housing different aspects (attributes/groups) of an identity
• These challenges can be solved with a Federated Identity Service based on
virtualization.
• You can leverage the federated identity service for not just cloud apps, but also
legacy apps and other initiatives as well.
• Coming Up: A Foundation for the Future
• Michel Prompt shows you how the Federated Identity Service you put in place
today is a key piece of infrastructure that prepares you for the future.
Summary
39