This document discusses enterprise identity and access management. It covers foundational concepts like identity, authentication, authorization and accounting. It also discusses managing identity operations, including provisioning, privileged access management and synchronization. Managing identity in the extended enterprise through identity federation and identity as a service is also covered. The document concludes with considerations around identity management compliance and operations.
2. AGENDA
• The Changing Landscape for Identity and Access Management
• Enterprise Identity – Foundational Concepts
• Enterprise Identity Operations Management
• Managing Identity in the Extended Enterprise
– Identity Federation
– Identity as a Service
• Identity Management Compliance and Operations Considerations
IT Directors Community of Practice
3. Changing Landscape for Enterprise Identity and Access Management
– In the extended enterprise, business workflow is not confined within the company’s infrastructure
• SaaS vendors
• Cloud-based services
– People outside the enterprise are accessing the company’s infrastructure
• Customers
• Business allies
• Contractors and temporary workers
• Service providers
– How does this affect the threat landscape?
5. High-profile, sharing applications represent lower than expected threat volume
– Social networking, video, and file sharing applications represent
• 25% of the applications,
• 20% of the bandwidth, but only
• 0.4% of the threat logs, primarily exploits
– This is not to say these applications are low risk
– The volume is low when compared to the volume and frequency of use, and to the threats found in the other applications
Source: Palo Alto Networks, Application Usage and Threat Report, 10th Edition, which summarizes network traffic assessments performed on > 3,000 networks, encompassing 1,395 applications, 12.6 petabytes of bandwidth, 5,307 unique threats and 264 million threat logs
6. Exploits Target High-value Business Applications and Assets
– Crunchy on the outside:
• Exploits are bypassing the “crunchy” perimeter security and targeting enterprises’ most valued assets – their “tender” business applications.
– Tender on the inside:
• Out of 1,395 applications found, 10 were responsible for 97% of all exploit logs observed
• 9 of them are business critical applications.
7. Custom/unknown Applications and Malware have Low Incidence Rate, but Pose the Greatest Risk
– While small in volume, unknown/custom traffic is high in risk, exemplifying the 80%-20% rule
– The highest volume of malware logs (55%) were found in custom or unknown UDP
– Yet it represented only 2% of all bandwidth
Conclusion: high value assets are in need of added levels of security
8. Access Methods are Evolving
[Figure: evolution of access methods, from a separate password for each application, to a separate password for each IdP*, to an open question (“?”); labelled “User selection” and “Analogy to ATM Networks”]
*IdP = Identity Provider
Shared standards are evolving for identity, authentication, and authorization.
9. Enterprise Identity
• So what is enterprise identity?
• Identity is a set of attributes that describes a profile of an individual, business organization, or software entity.
• The set of attributes for an individual, for example, could include
– driver's license
– social security number
– travel preferences
– medical history
– financial data
– etc.
11. Identity Management Roles
[Figure: the three roles in identity management: service providers (SP), identity providers (IdP), and individuals* with multiple identity profiles; labelled “Equal and interoperable identity providers”, “Control over ownership and disclosure” and “Manage privacy and preferences”]
• Identity profiles of an individual
– Healthcare profile
– Employee profile
– Investor profile
– Social profile
– Business profile
*A person, a business, a software entity
12. Evolution of Identity Networks
Organizations can maintain their own customer/employee data while sharing identity
data with partners based on their business objectives and customer preferences.
13. IdM Nomenclature - Identification
• Identification: comparing presented credentials to a set of attributes that describes a profile of an individual, business organization, or software entity
14. IdM Nomenclature - Authentication
• Authentication: confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program. Authentication often involves verifying the validity of at least one form of identification.
15. IdM Nomenclature - Authentication
• Authentication Attributes
– What you have
– What you know
– What you are
– Where you are
– Combinations
• 2-factor, 3-factor authentication
• Hybrid
• Mutual authentication
16. Cross-Domain Authentication
Two or more user directory domains within the same enterprise are implicitly connected by two-way, transitive trusts. Authentication requests made from one domain to another are successfully routed in order to provide a seamless coexistence of resources across domains. Users gain access to resources in other domains after first being authenticated in their “home” domain.
MS Active Directory Federation Services (ADFS)
Two or more systems use tokens to exchange credentials. ADFS employs the MS claims-based access control and authorization model.
SAML
OASIS-based, browser-oriented, XML-based standard for exchanging authentication credentials over the Internet.
WS-Trust
OASIS-based standard that employs web services to exchange security tokens across domains. This can be used for security key exchange. WS-Trust fails to address some requirements of federation (e.g. privacy).
17. IdM Nomenclature - Authorization
• Authorization: the process of managing access to resources and access rights or privileges; using access control rules to decide whether access requests from already authenticated requesters shall be approved (granted) or disapproved (rejected).
18. IdM Nomenclature – Logon/Login
• Logon Process
1. Presenting the credentials required to obtain access to a computer system or other restricted area
2. The process by which individual access to a computer system or network is controlled by evaluating the presented identity and credentials
19. IdM Nomenclature - Accounting
• Accounting: managing information about the relationship of users and the resources they are/are not permitted to access, including
• access history
• account control
• access audits
Employs mechanisms to
• synchronize users and access rules or constraints
• manage/review/report on access to system and/or cloud-enabled resources
20. Assertion Query
• The “A” in SAML is Assertion
– Security Assertion Markup Language
– An assertion is simply 1 or more statements
– An assertion query is a request

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ForceAuthn="true"
    AssertionConsumerServiceURL="http://www.example.com/"
    AttributeConsumingServiceIndex="0" ProviderName="string"
    ID="abe567de6"
    Version="2.0"
    IssueInstant="2005-01-31T12:00:00Z"
    Destination="http://www.example.com/"
    Consent="http://www.example.com/">
  <saml:Subject
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      j.doe@company.com
    </saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>

In this example, a SAML assertion is being requested pertaining to the supplied subject (j.doe@company.com).
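What an identity provider should check before it answers an AuthnRequest like the one above, as an added example that is not part of the deck. The sample request is the slide's request made well-formed; the IdP endpoint URL, the set of registered ACS URLs and the five-minute freshness window are assumptions, and XML signature verification is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the AuthnRequest from the slide, made well-formed.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ForceAuthn="true"
    AssertionConsumerServiceURL="http://www.example.com/"
    AttributeConsumingServiceIndex="0" ProviderName="string"
    ID="abe567de6" Version="2.0"
    IssueInstant="2005-01-31T12:00:00Z"
    Destination="http://www.example.com/"
    Consent="http://www.example.com/">
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">j.doe@company.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""

# Constructed "current time" two minutes after the sample's IssueInstant.
SAMPLE_NOW = datetime(2005, 1, 31, 12, 2, 0, tzinfo=timezone.utc)


def parse_instant(text):
    """SAML dateTime values are UTC ('Z'); fractional seconds are not handled here."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_authn_request(xml_text, my_sso_url, registered_acs_urls, now,
                        max_age=timedelta(minutes=5), clock_skew=timedelta(minutes=1)):
    """IdP-side sanity checks on an incoming AuthnRequest.

    Returns (requested_subject, problems); the request is acceptable only when
    problems is empty. Signature verification (XML-DSig) is out of scope here.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, ["malformed XML: %s" % exc]
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return None, ["root element is not samlp:AuthnRequest"]

    # ID, Version and IssueInstant are required attributes of every SAML request.
    for attr in ("ID", "Version", "IssueInstant"):
        if attr not in root.attrib:
            problems.append("missing required attribute " + attr)
    if root.get("Version") != "2.0":
        problems.append("unsupported Version %r" % root.get("Version"))

    # If Destination is present it must name this IdP's endpoint; otherwise a
    # request captured for one endpoint could be replayed to another.
    destination = root.get("Destination")
    if destination is not None and destination != my_sso_url:
        problems.append("Destination %r is not this IdP" % destination)

    # The response may only be posted to an ACS URL registered for the SP in
    # metadata; trusting the value in the request blindly would let anyone
    # steer assertions to a URL of their choosing.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs not in registered_acs_urls:
        problems.append("unregistered AssertionConsumerServiceURL %r" % acs)

    # Reject stale or future-dated requests (replay protection, with small skew).
    instant = root.get("IssueInstant")
    if instant is not None:
        try:
            issued = parse_instant(instant)
            if not (now - max_age <= issued <= now + clock_skew):
                problems.append("IssueInstant %s outside accepted window" % instant)
        except ValueError:
            problems.append("unparseable IssueInstant %r" % instant)

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    subject = subject.strip() if subject else None
    return (subject if not problems else None), problems


if __name__ == "__main__":
    print(check_authn_request(SAMPLE_REQUEST, "http://www.example.com/",
                              {"http://www.example.com/"}, SAMPLE_NOW))
```

The Destination and ACS checks are the ones most often skipped in home-grown IdPs; the ACS check in particular is what keeps a forged request from redirecting a signed assertion to an attacker-controlled endpoint.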
21. Attribute Definitions
• User Attributes
– Each piece of identifying information about a user
– Users have identity attributes, each of which may be stored on one or more target systems.
– The individual claiming an attribute may only grant selective access to its information
• Attributing party
– Trusts that the claim of an attribute (such as name, location, role as an employee, or age) is both
• Correct
• Associated with the person or thing presenting the attribute.
• Contextual identity
– Digital identity is better understood as a particular viewpoint within a mutually-agreed relationship than as an objective property.
23. Automatic Provisioning
Process to grant users access to data repositories or grant authorization to systems, network applications and databases based on a unique user identity.
Creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes.
• Examples
– Process to monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
– Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
24. Privileged Accounts Management
• Grant administrators only the access rights required for their jobs
• Base those rights on established and controlled policy
– Policy-based delegation of elevated access privileges
– Secure the process of requesting, approving and issuing access to those accounts
• critical application-to-application (A2A) access
• application-to-database (A2D) access
• separation of duties for privileged access
– Manage policy, rights and activities performed through privileged access
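A small privileged-access broker showing the request, approve and issue steps from the slide, with policy-based delegation and separation of duties enforced in code. This is an added example, not part of the deck or any product it names; the POLICY table, role names, account names and the single-use session token are assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical policy: which role may request which privileged account, the
# longest elevation allowed, and which role must approve. Account passwords
# never leave the vault; an approved requester receives a short-lived token.
POLICY = {
    "dba-oncall": {"accounts": {"oracle-sys"}, "max_minutes": 60, "approvers": {"db-lead"}},
    "app-admin":  {"accounts": {"app-svc"},    "max_minutes": 240, "approvers": {"app-lead"}},
}

SAMPLE_T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock


class PrivilegedAccessBroker:
    def __init__(self, user_roles: Dict[str, Set[str]]):
        self.user_roles = user_roles
        self.requests: Dict[str, dict] = {}
        self.tokens: Dict[str, dict] = {}
        self.audit: List[Tuple[str, str, str]] = []   # (event, actor, detail)

    def _policy_for(self, user: str, account: str) -> Optional[dict]:
        for role in self.user_roles.get(user, set()):
            pol = POLICY.get(role)
            if pol and account in pol["accounts"]:
                return pol
        return None

    def request(self, requester, account, minutes, reason):
        """Step 1: request elevation. Returns (ok, request id or reason for refusal)."""
        pol = self._policy_for(requester, account)
        if pol is None:
            self.audit.append(("request-denied", requester, account))
            return False, "no policy grants %s access to %s" % (requester, account)
        if not 0 < minutes <= pol["max_minutes"]:
            return False, "duration exceeds policy maximum of %d minutes" % pol["max_minutes"]
        if not reason.strip():
            return False, "a business reason is required"
        req_id = secrets.token_hex(8)
        self.requests[req_id] = {"requester": requester, "account": account, "minutes": minutes,
                                 "reason": reason, "approvers": pol["approvers"], "state": "pending"}
        self.audit.append(("requested", requester, account))
        return True, req_id

    def approve(self, approver, req_id, now):
        """Step 2: approval by someone else holding an approver role (separation of duties)."""
        req = self.requests.get(req_id)
        if req is None or req["state"] != "pending":
            return False, "no pending request"
        if approver == req["requester"]:
            self.audit.append(("self-approval-blocked", approver, req_id))
            return False, "requester cannot approve their own request"
        if not self.user_roles.get(approver, set()) & req["approvers"]:
            return False, "%s is not an authorised approver" % approver
        req["state"] = "approved"
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"account": req["account"], "user": req["requester"],
                              "expires": now + timedelta(minutes=req["minutes"]), "used": False}
        self.audit.append(("approved", approver, req_id))
        return True, token

    def checkout(self, user, token, now):
        """Step 3: redeem the token once, within its window, for a session on the account."""
        t = self.tokens.get(token)
        if t is None or t["user"] != user:
            return False, "unknown token"
        if t["used"]:
            return False, "token already redeemed"
        if now >= t["expires"]:
            return False, "elevation window has expired"
        t["used"] = True
        self.audit.append(("checkout", user, t["account"]))
        return True, t["account"]


if __name__ == "__main__":
    broker = PrivilegedAccessBroker({"alice": {"dba-oncall"}, "bob": {"db-lead"}})
    ok, rid = broker.request("alice", "oracle-sys", 30, "change ticket CHG-1")
    ok, tok = broker.approve("bob", rid, SAMPLE_T0)
    print(broker.checkout("alice", tok, SAMPLE_T0.replace(minute=10)), broker.audit)
```

Every refusal is recorded in the audit list, including blocked self-approvals, which is the part of "manage activities performed through privileged access" that reviewers ask for first.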
25. Privileged Accounts Management
48% of data breaches were caused by privileged misuse
- Verizon, Data Breach Investigations Report
“Shared superuser accounts — typically system-defined in operating systems, databases, network devices and elsewhere — present significant risks when the passwords are routinely shared by multiple users”
- Gartner, MarketScope for Shared-Account/Software-Account Password Management
75% of responding DBAs reported that “Our organizations do not have a means to prevent privileged database users from reading or tampering with human resources, financial or other business application data in the databases”
- Oracle DBA Survey
26. Synchronized Identities Model
• Multiple identity models or systems are synchronized
• An authoritative identity source is built from multiple identity sources
• The identities are stored in a reference directory, such as LDAP
• Synchronization
– Changes to identities in the authoritative directory are propagated to the reference directory
– Access rights are then updated
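One reconciliation pass that implements both the provisioning examples from slide 23 (create users when HR records appear, deactivate contractors past their termination date) and the synchronization step from slide 26 (propagate changes from the authoritative source into the reference directory, then update access rights). It is an added example, not from the deck; the HrRecord and Account shapes, the RIGHTS_BY_DEPARTMENT mapping and the sample data are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HrRecord:
    """One row of the authoritative source (the HR application)."""
    employee_id: str
    email: str
    department: str
    status: str                              # "active" or "terminated"
    termination_date: Optional[date] = None  # scheduled end date, e.g. for contractors


@dataclass
class Account:
    """A user object in the reference directory (LDAP in the slide)."""
    employee_id: str
    email: str
    department: str
    enabled: bool = True
    entitlements: Set[str] = field(default_factory=set)


# Hypothetical mapping of department to the access rights that follow the identity.
RIGHTS_BY_DEPARTMENT: Dict[str, Set[str]] = {
    "finance": {"erp-user"},
    "engineering": {"git-user", "ci-user"},
}


def reconcile(hr_records: List[HrRecord], directory: Dict[str, Account],
              today: date) -> List[Tuple[str, str]]:
    """Propagate HR changes into the directory and return the change log.

    Joiners are created, attribute changes are copied, leavers (terminated,
    past their termination date, or missing from HR) are disabled and their
    rights removed. Rights are recomputed from the authoritative attributes
    on every pass so they cannot drift independently of the identity.
    """
    log: List[Tuple[str, str]] = []
    known = {r.employee_id for r in hr_records}

    for rec in hr_records:
        past_end = rec.termination_date is not None and rec.termination_date <= today
        should_be_enabled = rec.status == "active" and not past_end
        wanted = RIGHTS_BY_DEPARTMENT.get(rec.department, set()) if should_be_enabled else set()
        acct = directory.get(rec.employee_id)

        if acct is None:
            if should_be_enabled:   # joiner: create with the right entitlements
                directory[rec.employee_id] = Account(
                    rec.employee_id, rec.email, rec.department, True, set(wanted))
                log.append(("create", rec.employee_id))
            continue                # never create accounts for leavers

        if (acct.email, acct.department) != (rec.email, rec.department):
            acct.email, acct.department = rec.email, rec.department
            log.append(("update", rec.employee_id))
        if acct.enabled != should_be_enabled:
            acct.enabled = should_be_enabled
            log.append(("enable" if should_be_enabled else "disable", rec.employee_id))
        if acct.entitlements != wanted:
            acct.entitlements = set(wanted)
            log.append(("rights", rec.employee_id))

    # Orphans: accounts with no HR record at all are disabled rather than
    # deleted, so audit history and ownership of their data are preserved.
    for emp_id, acct in directory.items():
        if emp_id not in known and acct.enabled:
            acct.enabled = False
            acct.entitlements = set()
            log.append(("disable", emp_id))
    return log


# Constructed sample data for a run on 2024-02-01.
SAMPLE_TODAY = date(2024, 2, 1)
SAMPLE_HR = [
    HrRecord("e1", "ann@corp.example", "finance", "active"),
    HrRecord("e2", "bo@corp.example", "engineering", "active", date(2024, 1, 31)),
    HrRecord("e3", "cy@corp.example", "finance", "terminated"),
]


def sample_directory() -> Dict[str, Account]:
    """Reference directory before the pass: a contractor and an orphaned account."""
    return {
        "e2": Account("e2", "bo@corp.example", "engineering", True, {"git-user", "ci-user"}),
        "e4": Account("e4", "old@corp.example", "finance", True, {"erp-user"}),
    }


if __name__ == "__main__":
    d = sample_directory()
    for action, who in reconcile(SAMPLE_HR, d, SAMPLE_TODAY):
        print(action, who)
```

Running the pass twice yields an empty log the second time, which is the property a scheduled synchronization job needs: it converges rather than re-applying changes.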
27. Proxied Authentication
• Uses a middle-tier server for authentication
Three types
1. An application user, or an application, authenticates itself with the middle-tier server.
– Client identities can be maintained all the way through to the database.
2. The client's identity and database password are passed through the middle-tier server to the database server for authentication.
3. The client, that is, a global user, is authenticated by the middle-tier server, and passes either a Distinguished Name (DN)* or a certificate through the middle tier for retrieving the client's user name.
*DN is a global name in lieu of the password of the user being proxied
CREATE USER jeff IDENTIFIED GLOBALLY AS 'CN=jeff,OU=americas,O=oracle,L=redwoodshores,ST=ca,C=us';
ALTER USER jeff GRANT CONNECT THROUGH scott AUTHENTICATED USING DISTINGUISHED NAME;
29. The Extended Enterprise
• In the emerging “extended enterprise”, business function workflows often extend beyond the boundaries of the enterprise
• The “extended enterprise’s” security practices must treat internal and external users in the same manner
30. Identity Federation
• The technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains
• Identity federation goal: enable users of one domain to securely and seamlessly access data or systems of another domain without the need for redundant user administration.
• Scenarios
– User controlled
– User-centric
– Enterprise controlled
– B2B
31. Identity Federation Goals
Identity portability achieved in a non-proprietary, standards-based manner
Cross-domain, web-based
– single sign-on
– user account provisioning
– entitlement management
– user attribute exchange
Automatic use cases
– user-to-user
– user-to-application
– application-to-application
32. Federation Types
• Identity-based Federation
– Only the SSO functionality of SAML is required, and the identity is registered in both organizations. If Joe is registered with the IdP and wants a resource on an SP in another organization, then that same identity will be registered at the SP. The identity of the Principal is carried in the <Subject> of the <Assertion>.
• Attribute-based Federation
– Similar to Identity-based Federation, but the type of session and the access rights the user has on the SP are based on attribute information transported in the SAML assertion. While the user name can be used for auditing purposes, it is not used for access management purposes. An example is using a Role attribute, for example, "HR Member".
– Attributes are carried in the <AttributeStatement> of a SAML assertion. Attribute Based Access Control (ABAC) is used by Grid Systems, in which the relationship between users and resources is ad hoc.
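The attribute-based federation decision described above, as an added example that is not part of the deck: the SP parses the <AttributeStatement>, grants access on the Role attribute, and keeps the NameID only for the audit record. The sample assertion is constructed and unsigned (signature checking is omitted), and the issuer, SP entity ID and POLICY table are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMPLE_NOW = datetime(2024, 3, 1, 9, 1, tzinfo=timezone.utc)   # constructed clock
TRUSTED_ISSUERS = {"https://idp.corp.example/idp"}             # hypothetical partner IdP
SP_ENTITY_ID = "https://hr.partner.example/sp"                  # hypothetical SP (us)

# Hypothetical SP policy: resource -> attribute name -> values that grant access.
POLICY = {
    "hr-portal": {"Role": {"HR Member"}},
    "payroll-admin": {"Role": {"Payroll Admin"}},
}

# Constructed sample assertion; a real one would also carry an XML signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-03-01T09:00:00Z">
  <saml:Issuer>https://idp.corp.example/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">j.doe@company.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T08:59:00Z" NotOnOrAfter="2024-03-01T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://hr.partner.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>HR Member</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>Human Resources</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _instant(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull out what an SP needs: issuer, subject, validity window, audience, attributes."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    attributes = {}
    for att in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[att.get("Name")] = {v.text.strip() for v in att.iterfind("saml:AttributeValue", NS) if v.text}
    return {
        "name_id": (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip(),
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "audiences": {a.text.strip() for a in
                      root.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text},
        "not_before": _instant(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None,
        "not_on_or_after": _instant(cond.get("NotOnOrAfter")) if cond is not None and cond.get("NotOnOrAfter") else None,
        "attributes": attributes,
    }


def decide(xml_text, resource, sp_entity_id, now):
    """Attribute-based access decision. Returns (allowed, audit record).

    The NameID goes into the audit record only; the decision is driven by the
    attributes alone, as in attribute-based federation.
    """
    a = parse_assertion(xml_text)
    audit = {"user": a["name_id"], "resource": resource, "issuer": a["issuer"], "reason": "granted"}

    def deny(reason):
        audit["reason"] = reason
        return False, audit

    if a["issuer"] not in TRUSTED_ISSUERS:
        return deny("untrusted issuer")
    if sp_entity_id not in a["audiences"]:
        return deny("assertion not addressed to this SP")   # blocks reuse of another SP's assertion
    if a["not_before"] and now < a["not_before"]:
        return deny("assertion not yet valid")
    if a["not_on_or_after"] and now >= a["not_on_or_after"]:
        return deny("assertion expired")
    required = POLICY.get(resource)
    if required is None:
        return deny("unknown resource")
    for name, accepted in required.items():
        if not a["attributes"].get(name, set()) & accepted:
            return deny("required attribute %s not satisfied" % name)
    return True, audit


if __name__ == "__main__":
    print(decide(SAMPLE_ASSERTION, "hr-portal", SP_ENTITY_ID, SAMPLE_NOW))
```

The audience and validity-window checks run before any attribute is consulted; an assertion with the right Role but the wrong Audience is still rejected.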
33. SSO in a Federation
• A process that is used across multiple IT systems and organizations to authenticate access to a resource for an individual or system
• A user's single authentication ticket, or token, is trusted across multiple IT systems and/or even organizations.
• SSO relates to authentication only, and does not include authorization.
34. Federation Termination
Defederation is the process of terminating the validity of a federated identity with either an IdP or an SP.
Both the IdP and the SP should notify each other of defederation. However, it appears there is not a structured or standardized method for defederation.
The distinction must also be made between terminating a federated session versus terminating a federation relationship altogether.
35. Identity Federation Solution Providers
Radiant Logic: Radiant One
Radiant One Federated Identity Platform
Virtual Directory Server
VDS extracts identity and context information out of various application and data silos. It re-maps the underlying sources and presents the identity data in customized views.
Identity Correlation and Synchronization Server (ICS)
Identifies relationships between identities represented in heterogeneous data sources. ICS builds a common identity out of multiple systems to create a unified view of identity data, eliminating user overlaps.
Cloud Federation Service (CFS)
Provides the RadiantOne suite with a complete identity provider (IdP), an authentication module which verifies a security token once and then uses it for each system it needs to access for on-premise and cloud-based applications, enabling single sign-on for users.
36. Identity Federation Solution Providers
Ping Identity
PingFederate
Outbound and inbound solutions for single sign-on, federated identity management and mobile identity security. Tier 1 SSO extends employee, customer and partner identities across domains without passwords, using standard identity protocols (SAML, WS-Fed, OpenID). PingFederate translates customer and partner standard tokens into local tokens. For outbound use cases, PingFederate authenticates user credentials, regardless of how they authenticate, and translates them into standard tokens.
PingOne Identity as a Service
PingFederate can be deployed in conjunction with PingOne Cloud Access Services for faster and more flexible employee access to SaaS applications.
37. Identity Federation Solution Providers
OneLogin
OneLogin focuses primarily on companies that operate in the cloud and integrates with cloud apps using SAML, WS-Federation, OpenID and web services integration.
The company's cloud-based IAM market now includes 700 enterprise customers in 35 countries, including AAA, Gensler, Netflix, News International, Pandora, Steelcase and PBS.
OneLogin has continued on a path of innovation and growth, including:
• First iPad app for identity management
• First Federated Cloud Search IAM product that enables secure, real-time search across public cloud applications such as Box, Google Apps, Salesforce, Yammer and Zendesk
• Pre-integration with 2,800 cloud apps, more than any other IAM vendor
• Open Source SAML Toolkits, now used by over 70 SaaS vendors and over 30 app vendors to make their apps more secure
38. Identity Federation Solution Providers
PasswordBank Technologies Inc.: PasswordBank Federation
• Federated Single Sign-On allows a user to login once and then access all authorized cloud and on-premise services across Mac, Linux and Windows, without the need for a password at each service.
• Enables the Enterprise to maintain full and centralized control over access to all applications of the organization.
– Two-factor strong authentication
– Account provisioning and deprovisioning
– Centralized audit repository
• PasswordBank IdentityBroker allows identity-related information to be shared securely between the Enterprise, Service Providers and Identity Providers (cloud and on-premise applications).
39. Identity as a Service
• Authentication infrastructure hosted by a third party
• SSO in the cloud
• IDaaS for enterprises’ SaaS applications
• A cloud IDaaS service provider may
– Securely manage cloud identities for SaaS applications
– Maintain federated trusts
– Manage account provisioning/deprovisioning
– Host applications
– Provide subscribers with role-based access to specific applications
– Provide entire virtualized desktops through a secure portal
– Provide identity auditing
40. Stateless Identity
• Just-in-time identity data and services received from authoritative domains
• Similar to Windows Azure Access Control Services and carried outside the enterprise
• Once authorizations are configured, a user coming to an application via ACS arrives at the application “entrance” with not only an authentication token, but also a set of authorization claims attached to the token
41. Authentication Service
• Open API
– Not limited to LDAP and AD
• Called by both internal and external apps
• Performs identification, authentication, and attribute delivery of all users under enterprise control
42. Provisioning Service
• Open API for account synchronization among internal, SaaS, and partner apps
– Called by both internal and external apps
– Supports deprovisioning
– Enables provisioning workflows loosely coupled with internal directory and database infrastructure
– Available connectors for many enterprise systems and apps
43. SAML to Token Service
A client obtains a SAML 2.0 bearer assertion and makes an HTTP request to the PingFederate OAuth AS to exchange the SAML assertion for an access token. The AS validates the assertion and returns an access token. The client uses the token in an API call to the Resource Server to obtain data.
1. Some user-initiated or client-initiated event (for example, a mobile application or a scheduled task) requests access to Software as a Service (SaaS) protected resources from an OAuth client application.
2. The client application obtains a SAML 2.0 bearer assertion from a local Identity Provider (IdP), for example, PingFederate.
3. The client makes an HTTP request to the PingFederate OAuth AS to exchange the SAML assertion for an access token. The AS validates the assertion and returns the access token.
4. The client application adds the access token to its API call to the Resource Server. The Resource Server returns the requested data to the client.
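The four-step exchange above, simulated in-process with both sides of each message, as an added example that is not PingFederate's code or part of the deck. The grant type is the SAML 2.0 bearer grant from RFC 7522; the token endpoint URL, the issuer, the lifetimes and the shared-key HMAC that stands in for the IdP's XML signature are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"   # RFC 7522 grant type
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"            # hypothetical AS endpoint
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumption: instead of an XML-DSig signature, IdP and AS share a key and the IdP
# sends an HMAC over the assertion bytes. Real deployments verify the IdP's XML
# signature against the certificate published in its metadata.
IDP_AS_SHARED_KEY = b"constructed-demo-key"
SAMPLE_NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)        # constructed clock


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, subject, audience, now, lifetime=timedelta(minutes=5)):
    """Step 2: the local IdP mints a short-lived bearer assertion addressed to the AS."""
    xml = ('<saml:Assertion xmlns:saml="{ns}" ID="_{id}" Version="2.0" IssueInstant="{iat}">'
           '<saml:Issuer>{iss}</saml:Issuer><saml:Subject><saml:NameID>{sub}</saml:NameID></saml:Subject>'
           '<saml:Conditions NotOnOrAfter="{exp}"><saml:AudienceRestriction><saml:Audience>{aud}'
           '</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>').format(
        ns=NS["saml"], id=secrets.token_hex(8), iat=now.strftime(TIME_FMT), iss=issuer, sub=subject,
        exp=(now + lifetime).strftime(TIME_FMT), aud=audience)
    body = xml.encode()
    return b64url(body), hmac.new(IDP_AS_SHARED_KEY, body, hashlib.sha256).hexdigest()


class AuthorizationServer:
    """Step 3: the OAuth AS validates the assertion and returns an opaque access token."""

    def __init__(self, trusted_issuers, token_lifetime=timedelta(minutes=15)):
        self.trusted_issuers = trusted_issuers
        self.token_lifetime = token_lifetime
        self.tokens = {}        # access token -> {"sub", "scope", "exp"}
        self.redeemed = set()   # assertion IDs already exchanged (replay protection)

    def token_endpoint(self, form, now):
        """Handle a POST to the token endpoint; returns (HTTP status, response body)."""
        def reject(why):
            return 400, {"error": "invalid_grant", "error_description": why}
        if form.get("grant_type") != SAML2_BEARER:
            return 400, {"error": "unsupported_grant_type"}
        try:
            body = b64url_decode(form.get("assertion", ""))
            root = ET.fromstring(body)
        except Exception:
            return reject("assertion not parseable")
        expected = hmac.new(IDP_AS_SHARED_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, form.get("assertion_mac", "")):
            return reject("assertion signature invalid")
        if root.findtext("saml:Issuer", namespaces=NS) not in self.trusted_issuers:
            return reject("untrusted issuer")
        audiences = [a.text for a in root.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if TOKEN_ENDPOINT not in audiences:
            return reject("assertion not addressed to this AS")
        try:
            exp = datetime.strptime(root.find("saml:Conditions", NS).get("NotOnOrAfter"),
                                    TIME_FMT).replace(tzinfo=timezone.utc)
        except (AttributeError, TypeError, ValueError):
            return reject("missing or malformed NotOnOrAfter")
        if now >= exp:
            return reject("assertion expired")
        if root.get("ID") in self.redeemed:
            return reject("assertion already used")
        self.redeemed.add(root.get("ID"))
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
                              "scope": form.get("scope", ""), "exp": now + self.token_lifetime}
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": int(self.token_lifetime.total_seconds())}

    def introspect(self, token, now):
        info = self.tokens.get(token)
        return info if info and now < info["exp"] else None


class ResourceServer:
    """Step 4: serves data only to callers presenting a live bearer token."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get(self, path, headers, now):
        authz = headers.get("Authorization", "")
        info = self.auth_server.introspect(authz[7:], now) if authz.startswith("Bearer ") else None
        if info is None:
            return 401, {"error": "invalid_token"}
        return 200, {"path": path, "owner": info["sub"], "scope": info["scope"]}
```

The AS records each assertion ID it has exchanged; a bearer assertion is only as safe as the transport it travelled over, so refusing a second exchange of the same assertion limits what a captured copy is worth.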
44. Identity Discovery Problem
A user interacting with a service provider wants to access restricted content on a site within a federation:
1. The user, via web browser, connects to the target service provider and requests to view restricted content.
2. The service provider receives this request, and needs to know information about the person.
3. In the federated world, this means that the user needs to be sent to their home organization's identity provider, which will "vouch" for that person and pass across information about them to the resource provider.
4. The service provider "discovers" which is the user's home institution.
5. The service provider redirects the user to their home institution's identity provider.
6. The user authenticates at their identity provider (IdP), which responds to the service provider (SP), letting them know that this user authenticated successfully, and often providing some information about that user.
7. The service provider receives this information, and then either grants or denies access based upon the information it received.
Q: How does the SP figure out which is the user’s “home” IdP?
45. Identity Discovery Solutions
A user interacting with a SP wants to access restricted content on a site within a federation.
Solution Options
1. Avoid Discovery (IdP-initiated SSO)
Each institution can configure a page (usually their existing library portal page) to list all resources available to their users along with links to these resources. These links are constructed such that they send the user
1. to that institution's identity provider*; after the user has successfully authenticated,
2. directly onto that resource.
Thus, the service provider never has to “discover” which institution the user is from, since the first time they see the user, the user has already authenticated.
*But suppose the user starts on the site where the target content is located?
46. Identity Discovery Solutions
A user interacting with a SP wants to access restricted content on a site within a federation.
Solution Options
2. Client-less Discovery (SP-Initiated SSO)
The SP asks the user to manually tell them which is their home organization. This method of discovery comes in two forms:
1. The user tells the service provider directly; or
2. The SP sends the user to a centrally provided service; the user tells this service.
*OMG the user has to do this manually every time? Really?
47. Identity Discovery Solutions
A user interacting with a SP wants to access restricted content on a site within a federation:
Solution Options
3. Client-mediated Discovery
The client is configured to tell the SP what the user’s home organization is.
1. The user's client tells the service provider where the person is from; or
2. The user's client is the identity provider; or
3. The user's client proxies the identity provider.
48. Enterprise Cloud Identity & Access Management Providers
• Security and risk professionals see IAM as a cost center and
• Prefer not to build out or expand IAM capabilities
• Cost-effective, SaaS-based IAM solutions that complement on-premises ones are available
49. Client-Mediated Discovery
The client is configured to tell the SP what the user’s home organization is.
1. The user's client tells the service provider where the person is from
– Enhanced client or proxy (user’s browser plugin)*
– Plugin “listens” for WAYF requests from SP
– Automatically answers
2. The user’s client is the Identity provider (self-issued identity);
3. The client sends this request on to the user's identity provider (it proxies it), receives the response, and in turn sends this response back to the service provider.**
*SAML 2 Specification for ECP
**The SP never needs to know who the IdP is
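How an SP's login endpoint can dispatch between the three discovery options from slides 45 to 49 (IdP-initiated, client-less, client-mediated), as an added example that is not part of the deck. The federation metadata, the SP and discovery-service URLs, the cookie name and the X-IdP-EntityID hint header are all hypothetical; the entityID/return parameters sent to the central service follow the SAML IdP Discovery protocol.

```python
from urllib.parse import urlencode

CENTRAL_DISCOVERY_SERVICE = "https://ds.federation.example/wayf"   # hypothetical central WAYF
SP_ENTITY_ID = "https://sp.example.org/shibboleth"                  # hypothetical SP
SP_RETURN_URL = "https://sp.example.org/Shibboleth.sso/Login"       # hypothetical return endpoint

# Hypothetical federation metadata: IdP entityID -> SSO endpoint and the scopes
# (e-mail domains) that IdP is authoritative for.
FEDERATION_METADATA = {
    "https://idp.uni-a.example/idp": {"sso": "https://idp.uni-a.example/sso",
                                      "scopes": {"uni-a.example"}},
    "https://idp.corp-b.example/idp": {"sso": "https://idp.corp-b.example/sso",
                                       "scopes": {"corp-b.example", "corp-b.co"}},
}


def idp_for_scope(scope):
    """Match a user-entered scope (the domain part of their e-mail) against metadata."""
    scope = scope.lower().strip()
    for entity_id, md in FEDERATION_METADATA.items():
        if any(scope == s or scope.endswith("." + s) for s in md["scopes"]):
            return entity_id
    return None


def discover(request):
    """SP-side discovery over a dict describing the incoming HTTP request.

    Returns (discovery method, next action): either "consume-assertion",
    "reject-unknown-idp", or the URL to redirect the user to.
    """
    form = request.get("form", {})
    headers = request.get("headers", {})
    cookies = request.get("cookies", {})

    # Option 1, IdP-initiated SSO: the user arrives already carrying an assertion.
    if "SAMLResponse" in form:
        return "idp-initiated", "consume-assertion"

    # Option 3, client-mediated: the client names the IdP (an ECP-style hint).
    # Honour it only if the entityID exists in federation metadata; redirecting
    # to whatever a client supplies would make the SP an open redirector.
    hint = headers.get("X-IdP-EntityID")
    if hint:
        if hint in FEDERATION_METADATA:
            return "client-mediated", FEDERATION_METADATA[hint]["sso"]
        return "client-mediated", "reject-unknown-idp"

    # Option 2a, client-less: the user told this SP directly, now or earlier.
    remembered = cookies.get("preferred_idp")
    if remembered in FEDERATION_METADATA:
        return "client-less", FEDERATION_METADATA[remembered]["sso"]
    typed = form.get("identifier", "")
    if "@" in typed:
        entity = idp_for_scope(typed.rsplit("@", 1)[1])
        if entity:
            return "client-less", FEDERATION_METADATA[entity]["sso"]

    # Option 2b, client-less: hand off to the central discovery service, which
    # asks the user and sends them back to this SP with their choice.
    query = urlencode({"entityID": SP_ENTITY_ID, "return": SP_RETURN_URL})
    return "client-less", CENTRAL_DISCOVERY_SERVICE + "?" + query


if __name__ == "__main__":
    print(discover({"form": {"identifier": "j.doe@mail.corp-b.example"}}))
    print(discover({"headers": {"X-IdP-EntityID": "https://unregistered.example/idp"}}))
```

Whatever the client or user claims, the SP only ever redirects to SSO endpoints taken from its own copy of the federation metadata; the claim selects an entry, it never supplies a URL.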
50. WAYF
• Where Are You From
– You must answer that question when you log into a web based service using WAYF login.
– WAYF login is a Single Sign-On system* which permits using one single login to access several web-based services.
• Creates connections between the login systems at the connected institutions and external web based services.
• Ensures that users consent to have information about them passed on to the web-based services.
– WAYF login does not store any personally identifiable data.
*Provided by the Danish government in collaboration with many identity and service providers and institutions
51. Authorization Service
Central authorization repository
– Authorization model information used to provide complex access controls based on data or information or policies including user attributes, user roles/groups, actions taken, access channels, time, resources requested, external data and business rules
– Policies that are stored in an IAM policy store
Frameworks
– Spring Security
• Access control framework; released under an Apache 2.0 license
• Used to secure numerous demanding environments including government agencies, military applications and central banks.
– Seam Framework
• Programming model with a Security API (an optional Seam feature) that provides authent�ication and authorization features for securing access to domain and web page resources, components, and component methods
• Can be used to display/hide web page content based on user privileges
• Includes a comprehensive authorization framework, supporting user roles, persistent and rule-based permissions, and a pluggable permission resolver for easily implementing customized security logic.
52. Enterprise Cloud Identity & Access Management Providers
Intel Cloud SSO
• Standards-based identity as a service (IDaaS) solution
• Context-aware Strong Authentication
– Invokes mobile or hardware assisted, 2-factor authentication based on the target app, network, time of day, mobile browser and other parameters.
• Connects Identity Stores
– Authenticates and provisions/de-provisions user access to cloud systems from inside or outside the corporate firewall, leveraging directory services including Active Directory, LDAP, Salesforce.com, or Intel Cloud SSO identity stores.
53. Enterprise Cloud Identity & Access Management Providers
Okta Cloud Identity and Access Management
• Access control to SaaS applications
• User account provisioning for SaaS and in-house applications
• User access recertification
• User repositories supported
• Multitenancy & protection of personally identifiable information
• Auditing and reporting
• Strong authentication support.
• Good integration with strong authenticators & broad SaaS application support
• Runs on Amazon Web Services under the covers
• Many pre-integrated SaaS business applications
• Extensively supports Integrated Windows Authentication (IWA)
• Supports inbound SAML for identity provider (IdP) proxying*
• No support for disabling users automatically after a period of inactivity, or for attestation.
*May limit usefulness for large clients
54. Enterprise Cloud Identity & Access Management Providers
Symplified Cloud Identity and Access Management
• One of the longest-standing in the cloud IAM market
• Architecturally stable via its Identity Router customer-premises equipment infrastructure
• Can be deployed as a software or hardware appliance, or as a cloud connector
• Broad protocol and endpoint support
• Partners with Symantec’s VIP service for strong authentication
• CSC is reseller and provides system integration
• Does not support implicit or just-in-time provisioning
• Dashboards and reporting are fairly immature
• No workflow designer — only an implicit workflow for access request management and approvals
• By design, no support for hierarchies of multi-tenancy, which may limit its usefulness at large clients
55. Enterprise Cloud Identity & Access Management Providers
Covisint Cloud Identity and Access Management
• Access control to SaaS applications
• User account provisioning for SaaS and in-house applications
• User access recertification
• User repositories supported
• Multitenancy & protection of personally identifiable information
• Auditing and reporting
• Strong authentication support.
• Good integration with strong authenticators & broad SaaS application support
• Runs on Amazon Web Services under the covers
• Many pre-integrated SaaS business applications
• Extensively supports Integrated Windows Authentication (IWA)
• Supports inbound SAML for identity provider (IdP) proxying*
• No support for disabling users automatically after a period of inactivity, or for attestation.
*May limit usefulness for large clients
57. Identity Compliance and Privacy
• A user signs in and out of Identity Provider (IdP) systems or security token services (STS) via explicit messages or implicitly via a request
• The issued tokens may either represent the principal's primary identity or some pseudonym appropriate for the scope
• The IdP or STS issues messages to interested and authorized recipients.
• Principals are registered with the attribute/pseudonym services, and attributes and pseudonyms are added and used.
• Authorized services can query attribute/pseudonym services using the provided identities to obtain authorized information about the identity.
• Such queries can potentially be anonymous, which means that the party requesting the information has an opaque token and is not aware of the real identity of the object of the query
58. Name Mapping and Linking
• In a federated environment, with identity information and other assertions passing through a network between systems, protecting the user’s privacy becomes paramount.
• With SSO, it is possible to track the user across several SPs.
• Pseudonyms provide a way to obfuscate the identity of the user across SPs.
• When the IdP delivers the assertions to the SP, the use of pseudonyms makes it possible to have a different user ID for the same user at each SP
• Persistent Pseudonym - the SP will see the same pseudonym each time the user accesses the SP.
• Transient Pseudonym - the SP is presented with a different pseudonym each time a user gains access to the SP.
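An IdP-side pseudonym service implementing the persistent and transient NameIDs described above, as an added example that is not part of the deck. The two NameID format URIs are the SAML 2.0 ones; the keyed-hash derivation for persistent pseudonyms, the key itself and the can_sps_link helper are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


class PseudonymService:
    """IdP-side name mapping: derives a per-SP NameID and can map it back to the user."""

    def __init__(self, secret_key: bytes):
        self.key = secret_key
        self.persistent = {}   # (sp, pseudonym) -> user id, the IdP's linking table
        self.transient = {}    # (sp, pseudonym) -> user id, valid for one session only

    def _persistent(self, user_id, sp_entity_id):
        # Keyed hash over SP and user: the same value every time for one (user, SP)
        # pair, but unlinkable across SPs without the IdP's key. The NUL separator
        # keeps "ab" + "c" from colliding with "a" + "bc".
        msg = sp_entity_id.encode() + b"\x00" + user_id.encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac[:20]).rstrip(b"=").decode()

    def name_id(self, user_id, sp_entity_id, name_id_format):
        """NameID to put in the assertion delivered to sp_entity_id."""
        if name_id_format == PERSISTENT:
            p = self._persistent(user_id, sp_entity_id)
            self.persistent[(sp_entity_id, p)] = user_id
            return p
        if name_id_format == TRANSIENT:
            p = secrets.token_urlsafe(24)   # fresh random value for every session
            self.transient[(sp_entity_id, p)] = user_id
            return p
        raise ValueError("unsupported NameID format: " + name_id_format)

    def resolve(self, sp_entity_id, pseudonym):
        """Map a NameID an SP presents (e.g. in a logout or attribute query) back to the user."""
        key = (sp_entity_id, pseudonym)
        return self.persistent.get(key) or self.transient.get(key)

    def end_session(self, sp_entity_id, pseudonym):
        """Transient identifiers stop resolving once their session ends."""
        self.transient.pop((sp_entity_id, pseudonym), None)


def can_sps_link(svc, user_id, sp_a, sp_b, name_id_format):
    """Simulate two colluding SPs comparing the NameIDs each received for one user."""
    return svc.name_id(user_id, sp_a, name_id_format) == svc.name_id(user_id, sp_b, name_id_format)


if __name__ == "__main__":
    svc = PseudonymService(b"constructed-demo-key")
    print(svc.name_id("jeff", "https://sp-a.example/sp", PERSISTENT))
    print(svc.name_id("jeff", "https://sp-b.example/sp", PERSISTENT))
    print(svc.name_id("jeff", "https://sp-a.example/sp", TRANSIENT))
```

The IdP keeps the only table that links pseudonyms to users; an SP that stores a persistent pseudonym can recognise a returning user, but two SPs comparing notes see unrelated values.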
59. Single Logoff Operations
• When the user selects logoff in an application, two potential options must be offered.
1. Does the user want to logoff from this specific application, maintaining the current SSO session, or
2. Does the user want to end their SSO session, closing all individual application sessions?
• Solution for #2
– SP communicates the logoff request to the IdP. The IdP, based on its session store and information from the metadata, issues a logoff request to all SPs for which an active session is present.
– When the SP receives a logout request, it will close the current session and notify the application, allowing the application to perform required cleanup.
60. Session Timeout Operations
• With SSO, the user is using the same login for several applications, potentially across several systems
• Managing SSO session timeouts by each application is inefficient
• With Single Log Off, applications can, through the IdP, centrally manage a user’s idle time
• Consolidating session timeouts and establishing a consistent session timeout period is another policy that must be considered when a federation forms.
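An IdP session store that covers both slides 59 and 60: local logoff that keeps the SSO session, global logoff that fans out a LogoutRequest to every SP with an active session, and a central idle-timeout sweep that reuses the same fan-out. This is an added example, not part of the deck; the store layout, the 30-minute default and the dict shape of the LogoutRequest are assumptions (NameID and SessionIndex are the fields a SAML LogoutRequest carries).

```python
import secrets
from datetime import datetime, timedelta, timezone

SAMPLE_T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock


class IdpSessionStore:
    """IdP session store driving single logout and central idle-timeout handling."""

    def __init__(self, idle_timeout=timedelta(minutes=30)):
        self.idle_timeout = idle_timeout
        # sso_id -> {"user", "last_seen", "sps": {sp_entity_id: session_index}}
        self.sessions = {}

    def login(self, user, now):
        sso_id = secrets.token_urlsafe(16)
        self.sessions[sso_id] = {"user": user, "last_seen": now, "sps": {}}
        return sso_id

    def assert_to_sp(self, sso_id, sp_entity_id, now):
        """Record that an SP session was opened from this SSO session; returns its SessionIndex."""
        s = self.sessions[sso_id]
        s["last_seen"] = now
        index = secrets.token_hex(8)
        s["sps"][sp_entity_id] = index
        return index

    def touch(self, sso_id, now):
        """Activity report from any SP. False if the session is gone or already idle too long."""
        s = self.sessions.get(sso_id)
        if s is None or now - s["last_seen"] > self.idle_timeout:
            return False
        s["last_seen"] = now
        return True

    def local_logout(self, sso_id, sp_entity_id):
        """Option 1: leave one application; the SSO session and other SP sessions survive."""
        if sso_id in self.sessions:
            self.sessions[sso_id]["sps"].pop(sp_entity_id, None)

    def global_logout(self, sso_id, initiating_sp=None):
        """Option 2: end the SSO session; returns the LogoutRequests to send to the other SPs."""
        s = self.sessions.pop(sso_id, None)
        if s is None:
            return []
        return [{"LogoutRequest": {"Destination": sp, "NameID": s["user"], "SessionIndex": idx}}
                for sp, idx in s["sps"].items() if sp != initiating_sp]

    def expire_idle(self, now):
        """Central idle-timeout sweep: every idle SSO session is logged out of all its SPs."""
        idle = [sid for sid, s in self.sessions.items() if now - s["last_seen"] > self.idle_timeout]
        requests = []
        for sid in idle:
            requests.extend(self.global_logout(sid))
        return requests


if __name__ == "__main__":
    store = IdpSessionStore()
    sid = store.login("jeff", SAMPLE_T0)
    store.assert_to_sp(sid, "https://sp-a.example/sp", SAMPLE_T0)
    store.assert_to_sp(sid, "https://sp-b.example/sp", SAMPLE_T0)
    print(store.global_logout(sid, initiating_sp="https://sp-a.example/sp"))
```

Because the idle sweep calls the same global_logout path, an SP session can never outlive the SSO session that created it, which is the guarantee a single consolidated timeout policy is meant to give.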
61. Conclusion
Enterprise Identity Management has matured with the expansion of established standards and interoperability approaches. The number of enterprise applications accessed by internal employees in collaboration with sales partners, distribution partners, customers, and other business channels continues to grow.
Enterprise IT executives with limited development, deployment, and infrastructure budgets are differentiating strategic, proprietary systems from utilities that are now widely available outside the enterprise firewalls. Many enterprise strategies include integrating identity federation into their IT vision, strategy, infrastructure, and application support models.
CIOs also recognize the growing importance of understanding the whole spectrum of identity management capabilities, including how to handle identity-based Web services. Implementing identity federations is now feasible and increasingly mandated by business partners, affiliates, and customers. With the growing number of cloud and access management solutions, strategic partnerships with solution providers and consultants will be central to a successful outcome.
Editor's Notes
A user, say jeff, has to connect to the database through another user, say scott. The proxy user, scott, should have an active authenticated connection. A proxy session is then created on this active connection, with the driver issuing a command to the server to create a session for the user, jeff. The server returns the new session id, and the driver sends a session switch command to switch to this new session.
OAuth is an open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections. The OAuth 1.0 Protocol was published as RFC 5849, an informational Request for Comments, in April 2010.
Client-mediated discovery may be the best solution to the discovery problem: it is fairly intuitive and effortless (other than initial setup of the client) for the user, a good end user experience. However, the user needs to have a client installed and configured correctly. At the present time, such clients are relatively uncommon, and thus client-less discovery will remain important for at least the short to medium term future. Even long term, clientless discovery may have to remain an option for those cases where users wish to gain access to restricted content via federated means when not using a client managed by them, or using a device which does not support such a client. A preferred, user-oriented approach for handling this has not yet emerged, and there is a wide range of approaches per a study described at https://sites.google.com/site/publisherinterfacestudy/home/3-existing-discovery-problem