cis13: deploying an identity provider in a complex, federated and siloed world

Deploying an Identity Provider in a Complex, Federated and Siloed World. PING Conference - July 2013.

Upload: cloudidsummit

Post on 08-May-2015


DESCRIPTION

This session will offer practical solutions for managing the identity lifecycle in a federated, distributed and cloud-based system. Based on real-life deployments, you will learn how to solve problems beyond protocols and access, using tools like identity mapping, identity synchronization and attribute look-up. You’ll also get a perspective on technology that could change the way identity is managed—and stored—altogether.

TRANSCRIPT

Page 1: CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World

Deploying an Identity Provider in a Complex, Federated and Siloed World

PING Conference - July 2013

Page 2

Talking Points

• Challenges you will face:
  • How to accommodate new requirements
  • Problems you can encounter and why
    • Authentication
    • Authorization
• Approach to solving these challenges:
  • A federated identity service
    • Identity Hub storage
    • Aggregation
    • Mapping
    • Correlation
    • Join
    • Caching
• Leveraging the federated identity service not just for cloud apps, but also for legacy apps.

Page 3

The Challenges

Page 4

Authentication and Federation: The Cloud and Web Apps Imperative

SAML, OpenID Connect, OAuth 2.0

Page 5

The Current Security Conundrum

Security Means: SAML, OAuth, OpenID

Identity Infrastructure

A complete federation solution requires federating both access and identities.

Page 6

The Directory: Original Model for Security

• Any security system based on identity is composed of two parts:
  • A registry of identity information
  • The security means (which is supported by the identity information)

Security means: Kerberos, SASL, SSL

Page 7

Current Infrastructure: Multiple Doors and Locks

AD, Sun, RACF, LDAP, HR, Role DB

Page 8

The Challenge of a Fragmented Distributed Identity System

Existing Identity Infrastructure

Legacy Applications

SaaS/Cloud/BYOD/Partner Apps

Page 9

The Challenges

• For many initiatives, such as federation and portal security, you need:
  1. One global reference identity source for authenticating users.
  2. To support authorization, that one identity source should contain the richest profile possible for each identity.
• But you cannot afford to just create another green-field directory because:
  1. It would be a huge effort to populate it.
  2. The information already exists in other silos.
• You need one central access point, but don't want to start over from scratch.

Page 10

Identity Provider Challenges

Page 11

Authentication Challenges – The Details

Goal: Enable Authentication and SSO Across Multiple Sources

1. The first step is identification, or finding the user entry that needs to be authenticated. But:
  • Identities are spread across multiple data sources, such as multiple AD domains/forests.
  • Identities are described differently in each source, such as "uid" vs. "sAMAccountName" vs. "LOGIN".
2. The second step is credential checking. Each source supports its own authentication mechanism:
  • Different encryption of passwords and schema elements (such as userPassword vs. unicodePwd, etc.).
  • Existing internal (employee) user IDs and passwords in Active Directory.
  • External user credentials may be stored elsewhere (SunOne, Oracle, etc.).

Page 12

Authorization Challenges – The Details

Goal: Attribute-Based or Groups-Based Authorization

1. Profile information exists in multiple data sources.
2. Data sources have their own schema elements (object classes and attributes):
  • group/member (AD)
  • groupOfUniqueNames/uniqueMember (Sun)
3. Inflexible group definitions:
  • Static (hard-coded) group members
  • Reliance on client application logic to build the member list via an extra search (based on the memberURL attribute)

Page 13

User Identification Challenges

Same person, different identifiers

Different people, same identifiers

Page 14

Identification Challenges of SSO

LDAP Directory:
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
departmentNumber=234
employeeID=562_09_8000

Active Directory:
employeeNumber=E562098000Z
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]=234

Salesforce: Name=Andrew_Fuller, ID: [email protected]

SharePoint: login=AFuller, ID=562_09_8000

Salesforce knows Andrew by an ID of [email protected]

SharePoint knows Andrew by an ID of AFuller

Page 15

Attribute-Driven Authorization Challenges

LDAP Directory:
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
departmentNumber=234

cn=Regional Sales
objectClass=groupOfUniqueNames
uniqueMember=uid=afuller,ou=people,o=sun

Active Directory:
employeeNumber=2
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]=234
memberOf=cn=AllUsers,ou=Groups,dc=ad

HR Database:
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234

Is this the same person?

If so, what groups is he a member of?

If so, how can I get a global profile when there is no single common identifier?

Page 16

Solving Challenges

Page 17

A Federated Identity Service

Existing Identity Infrastructure

Legacy Applications

SaaS/Cloud/BYOD/Partner Apps

Page 18

Identity Integration

Accounting, Marketing, Support, Business Development, Call Center, Fulfillment, Order Mgmt., Sales, HR

Page 19

Federated Identity Service: The High Level Components

The "Identity Hub" is supported by identity and context virtualization.

The "storage" is a directory (for speed and scalability).

The "services" are metadata extraction, view design, mapping, correlation, join, and synchronization (persistent cache with auto-refresh).

Page 20

Identity and Context Virtualization Process

Page 21

Identity Integration (Aggregation and Correlation)

Page 22

Identity Correlation Example - Creating a UNION Set

• Union requires some kind of criteria, one or more attributes, to detect and correlate same-users across systems. This is the common, global identifier.
• A match based on this attribute (or attributes) allows us to remove duplicates.
• The result is a "union compatible" operation, where all users are represented exactly once, and only once, in the virtualized global list.

System A
emplogin     firstname  lastname
smatthews    Sarah      Matthews
lanalandry   Lana       Landry

System B
employeeID   givenName  sn         title
llandry      Lana       Landry     Writer
smatthews    Steve      Matthews   Janitor

System C
LOGIN        firstname  lastname   role         group      homephone
llandry      Lana       Landry     Tech Writer  Marketing  4152096800
smatthews    Sarah      Matthews   CEO          Admin      4152096802

Global List (Union)
firstname  lastname
Sarah      Matthews
Lana       Landry
Steve      Matthews
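The slide's union is worth running rather than reading, because the choice of correlation criteria decides whether the result is right. The following is an added example (not from the slides or from any vendor product): the three systems' rows are constructed from the tables above, the per-source attribute names are mapped to an assumed common schema (`login`, `givenName`, `sn`, `title`, `homePhone`), and `correlate` builds the union keyed on whichever criteria you choose. Correlating on first and last name reproduces the slide's three-person list; correlating on the login alone shows both identification failure modes from the earlier slide at once (Sarah and Steve share `smatthews`, and Lana has two different logins).

```python
# Added example, not from the slides: correlating the three systems of the
# UNION slide into one global list.  Records are constructed from the slide's
# tables; attribute names are the ones each system uses.
SOURCES = {
    "System A": [
        {"emplogin": "smatthews", "firstname": "Sarah", "lastname": "Matthews"},
        {"emplogin": "lanalandry", "firstname": "Lana", "lastname": "Landry"},
    ],
    "System B": [
        {"employeeID": "llandry", "givenName": "Lana", "sn": "Landry", "title": "Writer"},
        {"employeeID": "smatthews", "givenName": "Steve", "sn": "Matthews", "title": "Janitor"},
    ],
    "System C": [
        {"LOGIN": "llandry", "firstname": "Lana", "lastname": "Landry",
         "role": "Tech Writer", "group": "Marketing", "homephone": "4152096800"},
        {"LOGIN": "smatthews", "firstname": "Sarah", "lastname": "Matthews",
         "role": "CEO", "group": "Admin", "homephone": "4152096802"},
    ],
}

# Attribute mapping (the "mapping" service): per-source name -> common schema
# name.  The common schema names are an assumption of this example.
MAPPINGS = {
    "System A": {"emplogin": "login", "firstname": "givenName", "lastname": "sn"},
    "System B": {"employeeID": "login"},  # givenName, sn and title already match
    "System C": {"LOGIN": "login", "firstname": "givenName", "lastname": "sn",
                 "role": "title", "homephone": "homePhone"},
}


def to_common_schema(source, entry):
    """Rename a source entry's attributes into the common (virtual) schema."""
    mapping = MAPPINGS[source]
    return {mapping.get(name, name): value for name, value in entry.items()}


def correlate(sources, criteria):
    """Union of all source entries, de-duplicated on the correlation criteria.

    criteria is a tuple of common-schema attribute names; two entries with the
    same (case-folded) values for all of them are treated as the same person.
    The first source to supply an attribute wins; later sources only fill in
    attributes that are still missing, and are recorded under 'sources'.
    """
    union = {}  # correlation key -> merged record (dict keeps insertion order)
    for source, entries in sources.items():
        for raw in entries:
            entry = to_common_schema(source, raw)
            key = tuple(entry.get(attr, "").casefold() for attr in criteria)
            record = union.setdefault(key, {"sources": []})
            record["sources"].append(source)
            for name, value in entry.items():
                record.setdefault(name, value)
    return list(union.values())


def global_list(criteria):
    """The 'Global List (Union)' column of the slide: one name per record."""
    return [f"{r['givenName']} {r['sn']}" for r in correlate(SOURCES, criteria)]


if __name__ == "__main__":
    print(global_list(("givenName", "sn")))  # the slide's three distinct people
    print(global_list(("login",)))           # merges Sarah with Steve, splits Lana
```

Two design points carry over to a real hub: the correlation key is case-folded because the silos disagree on case, and a "first source wins" merge means the order of sources is itself a policy decision (here System C's `Tech Writer` never overrides System B's `Writer`).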

Page 23

Identity Views Delivered in the Format and Content Expected by Applications

Page 24

Solving Authentication Challenges

How does a Federated Identity Service help solve authentication challenges?

Step: Identification
  Challenge: Identities spread across multiple sources
  Can be solved by: Integrating users from multiple sources
  Challenge: Identities described differently in each source
  Can be solved by: Object and attribute mapping to provide a common schema

Step: Credential Checking
  Challenge: Different encryption of passwords and schema elements
  Can be solved by: Providing a single form of authentication to the application, and the flexibility to delegate the credential checking to the backend or to customize some other validation mechanism

Page 25

Solving Authorization Challenges

How does a Federated Identity Service help solve authorization challenges?

Type: Attribute-Based
  Challenge: Profile attributes spread across multiple sources
  Can be solved by: Integrating users from multiple sources, in order to build a global profile

Type: Groups-Based
  Challenge: Existing groups and potential group members spread across multiple data silos
  Can be solved by: Offering flexible group definitions:
    - Aggregate/map existing groups
    - Build new group definitions with dynamic members

Page 26

Example: Identity Correlation and Profile Creation

LDAP Directory:
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
departmentNumber=234

Active Directory:
employeeNumber=2
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]=234

HR Database:
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234

Correlated Identity View:
employeeNumber=2
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA

Page 27

Example: Dynamic Group Creation and Profile Extension

Correlated Identity View:
employeeNumber=2
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA

Dynamic Groups View:
cn=Sales
objectClass=group
member=Andrew_Fuller
**Based on identities that have:
• ClearanceLevel=1
• title=VP Sales
• Region=PA

Computed attribute (memberOf) based on a lookup in the dynamic groups view:
employeeNumber=2
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA
memberOf=cn=Sales
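The two slides above (profile creation, then dynamic group creation with a computed memberOf) are one pipeline: join the silo entries of an already-correlated person, then evaluate group definitions against the joined profile. The following added example (not from the slides or from any vendor product) does both, and also aggregates the existing static `cn=Regional Sales` group from the LDAP silo, as the "aggregate/map existing groups" option on the authorization slide describes. Attribute values are copied from the slides; the shape of the group definitions, the common-schema names, and the per-attribute `source` bookkeeping (which is what the later compliance slide asks for) are assumptions of this example.

```python
# Added example, not from the slides: build the correlated identity view for
# one person from the three silo entries, record which source each attribute
# came from, then compute memberOf from a mapped static group and a dynamic
# group definition.  Entry values are copied from the slides; the structure
# of the group definitions is constructed here.
SILO_ENTRIES = {
    "LDAP Directory": {"uid": "AFuller", "title": "VP Sales", "givenName": "Andrew",
                       "sn": "Fuller", "departmentNumber": "234"},
    "Active Directory": {"employeeNumber": "2", "sAMAccountName": "Andrew_Fuller",
                         "objectClass": "user"},  # mail address is redacted on the slide
    "HR Database": {"EmployeeID": "509-34-5855", "ClearanceLevel": "1", "Region": "PA",
                    "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234"},
}

# Existing static group from the LDAP silo (authorization-challenges slide),
# aggregated as-is.  Note the uid case differs from the user entry.
STATIC_GROUPS = [
    {"cn": "Regional Sales", "objectClass": "groupOfUniqueNames",
     "uniqueMember": ["uid=afuller,ou=people,o=sun"]},
]

# Dynamic group definitions: a member is any identity whose global profile
# carries every listed attribute value.
DYNAMIC_GROUPS = {
    "Sales": {"ClearanceLevel": "1", "title": "VP Sales", "Region": "PA"},
}


def build_profile(silo_entries):
    """Join silo entries (already correlated as one person) into a global profile.

    Returns (profile, provenance); provenance maps attribute -> contributing
    source.  A later silo never overwrites an attribute an earlier one supplied.
    """
    profile, provenance = {}, {}
    for source, entry in silo_entries.items():
        for name, value in entry.items():
            if name not in profile:
                profile[name] = value
                provenance[name] = source
    return profile, provenance


def static_memberships(profile, groups):
    """Map existing static groups: match each uniqueMember's leading RDN to the uid."""
    wanted = f"uid={profile.get('uid', '')}".casefold()
    result = []
    for group in groups:
        for member_dn in group["uniqueMember"]:
            if member_dn.split(",", 1)[0].casefold() == wanted:
                result.append(f"cn={group['cn']}")
                break
    return result


def dynamic_memberships(profile, definitions):
    """Evaluate dynamic group definitions against the global profile."""
    return [f"cn={cn}" for cn, required in definitions.items()
            if all(profile.get(attr) == value for attr, value in required.items())]


def correlated_view(silo_entries):
    """Global profile extended with the computed memberOf attribute."""
    profile, provenance = build_profile(silo_entries)
    profile["memberOf"] = (dynamic_memberships(profile, DYNAMIC_GROUPS)
                           + static_memberships(profile, STATIC_GROUPS))
    return profile, provenance


def account_sources(provenance):
    """Compliance view: the data sources this identity has an account in."""
    return sorted(set(provenance.values()))


if __name__ == "__main__":
    view, prov = correlated_view(SILO_ENTRIES)
    print(view["memberOf"])          # dynamic cn=Sales plus mapped cn=Regional Sales
    print(account_sources(prov))     # the three silos Andrew has an account in
```

Because `memberOf` is recomputed from the profile on every view build, changing a driving attribute in the authoritative silo (for instance `ClearanceLevel` in HR) changes the dynamic membership with no group maintenance, which is the point of the slide; the static mapping, by contrast, only follows what the LDAP group already says.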

Page 28

Example: Dynamic Group Creation

Page 29

Addressing Performance Challenges

No Cache: Sources -> View Definitions -> Run Time View

Memory Cache: Sources -> View Definitions -> Memory Cache

Persistent (disk-based) Cache: Sources -> View Definitions -> P. CACHE -> Materialized View

Page 30

Introduction to Common Use Cases

Page 31

Support for Authentication and as an Attribute Server

Page 32

Use Case: PAM Authentication - Credentials Checking Delegated to Backend

UNIX/LINUX Clients -> Authentication Request -> AD Domain 1, AD Domain 2, Sun

Credentials checking is forwarded to the authoritative source.

Re-use existing users and credentials!

Page 33

Use Case: PAM Authentication - Storing PAM-Specific Attribute Extension in VDS

Base Profile (AD Domain 1):
sAMAccountName=jsmith
sn=Smith
givenName=John
title=operations manager

Extended Attributes:
uidNumber = 100
gidNumber = 108
gecos = Andrew Fuller
loginshell = /bin/zsh
homedirectory = /home/afuller
shadowLastChange = 10877

These extended attributes can be stored in any source: "local" or some other backend.

All attributes are joined and presented as a single entry to the UNIX/LINUX clients:
sAMAccountName=jsmith
sn=Smith
givenName=John
title=operations manager
uidNumber = 100
gidNumber = 108
gecos = Andrew Fuller
loginshell = /bin/zsh
homedirectory = /home/afuller
shadowLastChange = 10877
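The two PAM slides describe one request path: identify the login across several backends, delegate the password check to the backend that owns the entry (so the hub stores no credentials), then join the POSIX extension attributes held in the hub's local store into a single entry. The following added example (not from the slides or from any vendor product) simulates that path. The backends, their passwords and the second "AD Domain 2" account are constructed here; the jsmith base profile and the extension attributes come from the slide; the `Backend`/`IdentityHub` classes and their method names are assumptions of this example. It also handles the edge case the identification slides warn about: a login that resolves to entries in more than one source is refused rather than guessed at.

```python
# Added example, not from the slides: identification across backends,
# credential checking delegated to the owning backend, and a join of the
# PAM extension attributes kept in the hub's local store.
import hashlib
import hmac
import os


class Backend:
    """A simulated authoritative source.  It keeps and checks its own
    credentials, so the hub never sees or stores password material."""

    def __init__(self, name, login_attr, users):
        self.name, self.login_attr = name, login_attr
        self._entries, self._creds = {}, {}
        for attrs, password in users:  # (entry, constructed password)
            login = attrs[login_attr].casefold()
            salt = os.urandom(16)
            self._entries[login] = dict(attrs)
            self._creds[login] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def find(self, login):
        return self._entries.get(login.casefold())

    def bind(self, login, password):
        cred = self._creds.get(login.casefold())
        if cred is None:
            return False
        salt, expected = cred
        return hmac.compare_digest(self._derive(password, salt), expected)


class IdentityHub:
    def __init__(self, backends, local_store):
        self.backends = backends
        self.local_store = local_store  # login -> POSIX extension attributes

    def identify(self, login):
        """Identification step: every (backend, entry) pair holding this login."""
        matches = []
        for backend in self.backends:
            entry = backend.find(login)
            if entry is not None:
                matches.append((backend, entry))
        return matches

    def authenticate(self, login, password):
        """Delegate the credential check to the single backend owning the entry.

        Returns the joined virtual entry, or None.  A login found in more
        than one source is ambiguous ("different people, same identifier")
        and is refused instead of picking one.
        """
        matches = self.identify(login)
        if len(matches) != 1:
            return None
        backend, entry = matches[0]
        if not backend.bind(login, password):
            return None
        virtual = {"login": login.casefold(), "source": backend.name}
        virtual.update(entry)
        virtual.update(self.local_store.get(login.casefold(), {}))  # join extension
        return virtual


AD1 = Backend("AD Domain 1", "sAMAccountName", [
    ({"sAMAccountName": "jsmith", "sn": "Smith", "givenName": "John",
      "title": "operations manager"}, "jsmith-constructed-pw"),
    ({"sAMAccountName": "dup", "sn": "Dup"}, "dup-pw-1"),  # constructed: also in AD2
])
AD2 = Backend("AD Domain 2", "sAMAccountName", [
    ({"sAMAccountName": "dup", "sn": "Dup"}, "dup-pw-2"),
])
SUN = Backend("Sun", "uid", [
    ({"uid": "AFuller", "sn": "Fuller", "givenName": "Andrew"}, "afuller-constructed-pw"),
])

# Hub-local store with the PAM-specific extension attributes from the slide
# (RFC 2307 attribute casing used here; the slide prints them in lower case).
LOCAL_STORE = {
    "jsmith": {"uidNumber": 100, "gidNumber": 108, "gecos": "Andrew Fuller",
               "loginShell": "/bin/zsh", "homeDirectory": "/home/afuller",
               "shadowLastChange": 10877},
}

HUB = IdentityHub([AD1, AD2, SUN], LOCAL_STORE)

if __name__ == "__main__":
    print(HUB.authenticate("jsmith", "jsmith-constructed-pw"))  # joined single entry
    print(HUB.authenticate("dup", "dup-pw-1"))                  # None: ambiguous login
```

Note that the hub only ever calls `bind` on the backend that owns the entry; it never compares a password itself, which is what "credentials checking forwarded to the authoritative source" means in practice, and why the hub needs no copy of `unicodePwd` or `userPassword`.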

Page 34

Use Case: Oracle Names Resolution

Oracle Clients -> VDS -> Oracle DB Servers

VDS local LDAP stores the Oracle context data.

Schema extended at VDS.

Each client is configured to point to VDS to look up the DB.

Page 35

Use Case: Global Address List for Email Clients

LDAP Directory:
uid=Alee
title=VP Sales
givenName=Alice
sn=Lee
telephoneNumber=415-520-2203

Active Directory:
employeeNumber=9
sAMAccountName=Alice_Lee
objectClass=user
mail: [email protected]=234

HR Database:
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Alice_Lee
DeptID=Sales234

Correlated Identity View:
employeeNumber=9
sAMAccountName=Alice_Lee
objectClass=user
mail: alee@mycompanycom
cn=Alice Lee
title=VP Sales
ClearanceLevel=1
Region=PA
departmentNumber=234
telephoneNumber=415-520-2203

Page 36

Compliance

LDAP Directory:
uid=Alee
title=Guru Inside Sales Manager
givenName=Alice
sn=Lee
telephoneNumber=415-520-2203

Active Directory:
employeeNumber=9
sAMAccountName=Alice_Lee
objectClass=user
mail: [email protected]=234

HR Database:
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Alice_Lee
DeptID=Sales234

Correlated Identity View (each attribute tagged with its source: source=HR Database, source=LDAP Directory, source=Active Directory):
employeeNumber=9
sAMAccountName=Alice_Lee
objectClass=user
mail: alee@mycompanycom
cn=Alice Lee
title=Guru Inside Sales Manager
ClearanceLevel=1
Region=PA
departmentNumber=234
telephoneNumber=415-520-2203

Reports: Which data sources does Alice have active accounts in?

Page 37

Use Case: FID and Provisioning

Legacy Applications (and respective stores): AD, Sun LDAP, reached via LDAP/SQL/SPML

Cloud Apps, reached via SPML and SCIM

FID as reference image

Page 38

Summary

• In order to accommodate new requirements you will face challenges around authentication and authorization.
• Multiple existing, different identity silos mean:
  • Many methods for credentials checking
  • Many locations housing different aspects (attributes/groups) of an identity
• These challenges can be solved with a Federated Identity Service based on virtualization.
• You can leverage the federated identity service not just for cloud apps, but also for legacy apps and other initiatives.
• Coming Up: A Foundation for the Future
  • Michel Prompt shows you how the Federated Identity Service you put in place today is a key piece of infrastructure that prepares you for the future.