cis13: how to build a federated identity service on identity and context virtualization

Deploying an Identity Provider in a Complex, Federated and Siloed World (Cloud Identity Summit - July 2013)


DESCRIPTION

Lisa Grady, Senior Solutions Architect, Radiant Logic

You've federated access, but what about identity? Lisa Grady, technical guru at Radiant Logic, will offer concrete solutions for deploying an identity provider in a complex, federated and siloed world.

TRANSCRIPT

Page 1: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization

Deploying an Identity Provider in a Complex, Federated and Siloed World

Cloud Identity Summit - July 2013

Page 2

Talking Points

•  Challenges you will face:
  •  How to accommodate new requirements
  •  Problems you can encounter and why
    •  Authentication
    •  Authorization
•  Approach to solving these challenges:
  •  A federated identity service
    •  Identity Hub storage
    •  Aggregation
    •  Mapping
    •  Correlation
    •  Join
    •  Caching
•  Leveraging the federated identity service for not just cloud apps, but also legacy apps as well.

Page 3

The Challenges

Page 4

Authentication and Federation: The Cloud and Web Apps Imperative

SAML, OpenID Connect, OAuth 2.0

Page 5

The Current Security Conundrum

Security Means: SAML, OAuth, OpenID

Identity Infrastructure

A complete federation solution requires federating both access and identities.

Page 6

The Directory: Original Model for Security

•  Any security system based on identity is composed of two parts:
  •  A registry of identity information
  •  The security means (which is supported by the identity information)

Security means: Kerberos, SASL, SSL

Page 7

Current Infrastructure: Multiple Doors and Locks

Identity stores shown in the diagram: AD, Sun, RACF, LDAP, HR, Role DB

Page 8

The Challenge of a Fragmented Distributed Identity System

Diagram: Existing Identity Infrastructure, Legacy Applications, SaaS/Cloud/BYOD/Partner Apps

Page 9

The Challenges

•  For many initiatives, such as federation and portal security, you need:
  1.  One global reference identity source for authenticating users.
  2.  And to support authorization, you want that one identity source to contain the richest profile possible for each identity.
•  But you cannot afford to just create another green field directory because:
  1.  It would be a huge effort to populate it
  2.  The information already exists in other silos
•  You need one central access point, but don’t want to start over from scratch.

Page 10

Identity Provider Challenges

Page 11

Authentication Challenges – The Details

Goal: Enable Authentication and SSO Across Multiple Sources

1. The first step is identification, or finding the user entry that needs to be authenticated. But:
  •  Identities are spread across multiple data sources, such as multiple AD domains/forests.
  •  Identities are described differently in each source, such as “uid” vs. “sAMAccountName” vs. “LOGIN.”
2. The second step is credential checking. Each source supports its own authentication mechanism:
  •  Different encryption of passwords and schema elements (such as userPassword vs. unicodePwd, etc).
  •  Existing internal (employee) user IDs & passwords in Active Directory.
  •  External user credentials may be stored elsewhere (SunOne, Oracle, etc).

Page 12

Authorization Challenges – The Details

Goal: Attribute-Based or Groups-Based Authorization

1. Profile information exists in multiple data sources
2. Data sources have their own schema elements (object classes and attributes)
  •  group/member (AD)
  •  groupOfUniqueNames/uniquemember (Sun)
3. Inflexible group definition
  •  Static (hard-coded) group members
  •  Rely on client application logic to build members via an extra search (based on memberURL attribute)

Page 13

User Identification Challenges

•  Same person, different identifiers
•  Different people, same identifiers

Page 14

Identification Challenges of SSO

•  Active Directory: employeeNumber=E562098000Z, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], departmentNumber=234
•  LDAP Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234, employeeID=562_09_8000
•  Salesforce: Name=Andrew_Fuller, ID: [email protected]
•  SharePoint: login=AFuller, ID=562_09_8000

Salesforce knows Andrew by an ID of [email protected]

SharePoint knows Andrew by an ID of AFuller

Page 15

Attribute-Driven Authorization Challenges

•  Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], departmentNumber=234, memberOf=cn=AllUsers,ou=Groups,dc=ad
•  LDAP Directory (Sun): uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234; group entry: cn=Regional Sales, objectclass=groupOfUniqueNames, uniqueMember=uid=afuller,ou=people,o=sun
•  HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234

Is this the same person? If so, what groups is he a member of? If so, how can I get a global profile when there is no single common identifier?

Page 16

Solving Challenges

Page 17

A Federated Identity Service

Diagram: Existing Identity Infrastructure, Legacy Applications, SaaS/Cloud/BYOD/Partner Apps

Page 18

Identity Integration

Business areas shown in the diagram: Accounting, Marketing, Support, Business Development, Call Center, Fulfillment, Order Mgmt., Sales, HR

Page 19

Federated Identity Service: The High Level Components

The “Identity Hub” supported by Identity and context virtualization

The “storage” is a directory (for speed and scalability)

The “services” are metadata extraction, view design, mapping, correlation, join, synchronization (persistent cache with auto-refresh)

Page 20

Identity and Context Virtualization Process

Page 21

Identity Integration (Aggregation and Correlation)

Page 22

Identity Correlation Example - Creating a UNION Set

•  Union requires some kind of criteria, one or more attributes, to detect and correlate same-users across systems. This is the common, global identifier.
•  A match based on this attribute(s) allows us to remove duplicates.
•  The result is a “union compatible” operation, where all users are represented exactly once, and only once, in the virtualized global list.

System A
  emplogin    firstname  lastname
  smatthews   Sarah      Matthews
  lanalandry  Lana       Landry

System B
  employeeID  givenName  sn        title
  llandry     Lana       Landry    Writer
  smatthews   Steve      Matthews  Janitor

System C
  LOGIN       firstname  lastname  role         group      homephone
  llandry     Lana       Landry    Tech Writer  Marketing  4152096800
  smatthews   Sarah      Matthews  CEO          Admin      4152096802

Global List (Union)
  firstname  lastname
  Sarah      Matthews
  Lana       Landry
  Steve      Matthews
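The union step on this slide, together with the object and attribute mapping that page 24 calls for, worked through as an added Python example (constructed data modelled on System A, B and C; not Radiant Logic's code or the presenter's). The MAPPINGS table, the common attribute names it produces and the `conflicts` list are assumptions of this example. It shows why the choice of correlation key matters: System A and System C both know Sarah Matthews as smatthews while System B's smatthews is Steve Matthews, so correlating on the login alone would fold two people into one profile (and hand one person the other's authorizations). Correlating on given name plus surname reproduces the slide's Global List, and any source value that disagrees with the profile is recorded rather than silently overwritten, so a badly chosen key shows up in the data.

```python
from collections import OrderedDict

# Constructed sample data modelled on the slide's three systems.
SYSTEM_A = [
    {"emplogin": "smatthews", "firstname": "Sarah", "lastname": "Matthews"},
    {"emplogin": "lanalandry", "firstname": "Lana", "lastname": "Landry"},
]
SYSTEM_B = [
    {"employeeID": "llandry", "givenName": "Lana", "sn": "Landry", "title": "Writer"},
    {"employeeID": "smatthews", "givenName": "Steve", "sn": "Matthews", "title": "Janitor"},
]
SYSTEM_C = [
    {"LOGIN": "llandry", "firstname": "Lana", "lastname": "Landry",
     "role": "Tech Writer", "group": "Marketing", "homephone": "4152096800"},
    {"LOGIN": "smatthews", "firstname": "Sarah", "lastname": "Matthews",
     "role": "CEO", "group": "Admin", "homephone": "4152096802"},
]
SOURCES = {"System A": SYSTEM_A, "System B": SYSTEM_B, "System C": SYSTEM_C}

# Attribute mapping, source attribute -> common virtual-schema attribute (hypothetical names).
MAPPINGS = {
    "System A": {"emplogin": "login", "firstname": "givenName", "lastname": "sn"},
    "System B": {"employeeID": "login", "givenName": "givenName", "sn": "sn", "title": "title"},
    "System C": {"LOGIN": "login", "firstname": "givenName", "lastname": "sn",
                 "role": "title", "group": "department", "homephone": "homePhone"},
}


def map_entry(source, entry):
    """Rename a source entry's attributes into the common schema; unmapped attributes are dropped."""
    mapping = MAPPINGS[source]
    return {mapping[k]: v for k, v in entry.items() if k in mapping}


def correlation_key(entry, key_attrs):
    """Normalised tuple of the correlation attributes (case- and whitespace-insensitive)."""
    return tuple(entry.get(a, "").strip().lower() for a in key_attrs)


def build_union(sources, key_attrs=("givenName", "sn")):
    """Union of all sources keyed on key_attrs: every person appears exactly once and the
    profile is the join of all attributes found across sources. The first value seen for an
    attribute wins; a later source that disagrees is recorded under 'conflicts' so the
    disagreement is visible instead of being lost."""
    union = OrderedDict()
    for source, entries in sources.items():
        for raw in entries:
            entry = map_entry(source, raw)
            key = correlation_key(entry, key_attrs)
            profile = union.setdefault(key, {"sources": [], "conflicts": []})
            for attr, value in entry.items():
                if attr in profile and profile[attr] != value:
                    profile["conflicts"].append((attr, source, value))
                else:
                    profile.setdefault(attr, value)
            profile["sources"].append(source)
    return list(union.values())


if __name__ == "__main__":
    for person in build_union(SOURCES):
        print(person)
    print("keyed on login only:", build_union(SOURCES, key_attrs=("login",))[0]["conflicts"])
```

Run as a script, the first block prints three profiles in the slide's order (Sarah, Lana, Steve); the last line shows the conflicts that appear when the key is the login alone, which is the signal that smatthews is not one person.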

Page 23

Identity Views Delivered in Format and Content Expected by Applications

Page 24

Solving Authentication Challenges

How does a Federated Identity Service help solve authentication challenges?

Step: Identification
  •  Challenge: Identities spread across multiple sources
     Can be solved by: Integrating users from multiple sources
  •  Challenge: Identities described differently in each source
     Can be solved by: Object and attribute mapping to provide a common schema

Step: Credential Checking
  •  Challenge: Different encryption of passwords and schema elements
     Can be solved by: Providing a single form of authentication to the application, and the flexibility to delegate the credential checking to the backend or customize some other validation mechanism

Page 25

Solving Authorization Challenges

How does a Federated Identity Service help solve authorization challenges?

Type: Attribute-Based
  •  Challenge: Profile attributes spread across multiple sources
     Can be solved by: Integrating users from multiple sources, in order to build a global profile

Type: Groups-Based
  •  Challenge: Existing groups and potential group members spread across multiple data silos
     Can be solved by: Offering flexible group definitions:
       - Aggregate/map existing groups
       - Build new group definitions with dynamic members

Page 26

Example: Identity Correlation and Profile Creation

Sources:
•  Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], departmentNumber=234
•  LDAP Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234
•  HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234

Correlated Identity View: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], uid=AFuller, title=VP Sales, ClearanceLevel=1, Region=PA

Page 27

Example: Dynamic Group Creation and Profile Extension

Correlated Identity View: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], uid=AFuller, title=VP Sales, ClearanceLevel=1, Region=PA

Dynamic Groups View: cn=Sales, objectClass=group, member=Andrew_Fuller
  Based on identities that have:
  •  ClearanceLevel=1
  •  title=VP Sales
  •  Region=PA

Computed attribute (memberOf) based on a lookup in the dynamic groups view: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], uid=AFuller, title=VP Sales, ClearanceLevel=1, Region=PA, memberOf=cn=Sales
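The two group mechanisms from page 25 (aggregate/map existing groups, build new groups with dynamic members) and the computed memberOf on this slide, as an added Python example. The data, the group names other than Sales, and the function names are constructed for the example; this is not the vendor's code. Existing AD groups (member holds sAMAccountName values) and Sun groups (uniqueMember holds DNs) are mapped onto one common member attribute keyed on uid, dynamic groups are materialised from attribute criteria over the correlated view, and memberOf is computed by looking the entry up in the combined view. Members of a static group that correlate to no identity are returned separately: a group member that cannot be resolved is exactly the kind of stale or orphaned account an access review should see, so it is reported rather than dropped.

```python
# Constructed correlated identity view (what the hub exposes after correlation and join).
IDENTITIES = [
    {"uid": "afuller", "samAccountName": "Andrew_Fuller", "givenName": "Andrew", "sn": "Fuller",
     "title": "VP Sales", "ClearanceLevel": "1", "Region": "PA"},
    {"uid": "alee", "samAccountName": "Alice_Lee", "givenName": "Alice", "sn": "Lee",
     "title": "Inside Sales Manager", "ClearanceLevel": "1", "Region": "PA"},
    {"uid": "jsmith", "samAccountName": "John_Smith", "givenName": "John", "sn": "Smith",
     "title": "operations manager", "ClearanceLevel": "2", "Region": "CA"},
]

# Existing static groups in their native schemas (constructed). Ghost_User has no identity.
AD_GROUPS = [{"cn": "AllUsers", "objectClass": "group",
              "member": ["Andrew_Fuller", "Alice_Lee", "John_Smith", "Ghost_User"]}]
SUN_GROUPS = [{"cn": "Regional Sales", "objectClass": "groupOfUniqueNames",
               "uniqueMember": ["uid=afuller,ou=people,o=sun"]}]

# Dynamic group definitions: group name -> attribute criteria every member must satisfy.
# "Sales" is the slide's definition; "Cleared-PA" is a constructed second group.
DYNAMIC_GROUPS = {
    "Sales": {"ClearanceLevel": "1", "title": "VP Sales", "Region": "PA"},
    "Cleared-PA": {"ClearanceLevel": "1", "Region": "PA"},
}


def _norm(value):
    return str(value).strip().lower()


def matches(entry, criteria):
    """True when the entry carries every criterion attribute with the expected value."""
    return all(_norm(entry.get(attr, "")) == _norm(want) for attr, want in criteria.items())


def dynamic_groups_view(identities, definitions):
    """Materialise each definition as a group whose members are the matching uids."""
    return [{"cn": name, "objectClass": "group",
             "member": [e["uid"] for e in identities if matches(e, crit)]}
            for name, crit in definitions.items()]


def map_static_groups(identities, ad_groups, sun_groups):
    """Map AD 'member' (sAMAccountName) and Sun 'uniqueMember' (DN) onto a common
    'member' attribute holding uids. Members that correlate to no identity are returned
    as (group, raw member) pairs so they can be reported."""
    sam_to_uid = {_norm(e["samAccountName"]): e["uid"] for e in identities}
    known_uids = {e["uid"] for e in identities}
    groups, unresolved = [], []
    for g in ad_groups:
        members = []
        for sam in g["member"]:
            uid = sam_to_uid.get(_norm(sam))
            if uid is None:
                unresolved.append((g["cn"], sam))
            else:
                members.append(uid)
        groups.append({"cn": g["cn"], "objectClass": "group", "member": members})
    for g in sun_groups:
        members = []
        for dn in g["uniqueMember"]:
            rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")  # leading RDN only
            uid = _norm(rdn_val) if rdn_attr.strip().lower() == "uid" else None
            if uid in known_uids:
                members.append(uid)
            else:
                unresolved.append((g["cn"], dn))
        groups.append({"cn": g["cn"], "objectClass": "group", "member": members})
    return groups, unresolved


def compute_member_of(entry, groups):
    """Computed memberOf: look the entry's uid up in the mapped plus dynamic groups view."""
    return [f"cn={g['cn']}" for g in groups if entry["uid"] in g["member"]]


def build_groups_view():
    """Combined view: mapped static groups first, then dynamic groups."""
    static, unresolved = map_static_groups(IDENTITIES, AD_GROUPS, SUN_GROUPS)
    return static + dynamic_groups_view(IDENTITIES, DYNAMIC_GROUPS), unresolved


if __name__ == "__main__":
    view, orphans = build_groups_view()
    for entry in IDENTITIES:
        print(entry["uid"], compute_member_of(entry, view))
    print("unresolved group members:", orphans)
```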

Page 28

Example: Dynamic Group Creation

Page 29

Addressing Performance Challenges

•  No Cache: Sources -> View Definitions -> Run Time View
•  Memory Cache: Sources -> View Definitions -> Memory Cache
•  Persistent (disk-based) Cache: Sources -> View Definitions -> P. CACHE -> Materialized View

Page 30

Introduction to Common Use Cases

Page 31

Support for Authentication and as an Attribute Server

Page 32

Use Case: PAM Authentication - Credentials Checking Delegated to Backend

UNIX/LINUX Clients send an Authentication Request; credentials checking is forwarded to the authoritative source (AD Domain 1, AD Domain 2, Sun).

Re-use existing users and credentials!
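The flow on this slide and in the page 24 table (identification through a mapped common identifier, then credential checking delegated to the source that owns the account), as an added Python example with constructed backends and passwords; it is not Radiant Logic's implementation. The hub keeps only the mapping from a common login to each source's native identifier (uid for the Sun directory, sAMAccountName for AD) and forwards the check; it never stores or compares password material itself. The two backend classes stand in for the different mechanisms the slides mention (a {SSHA} userPassword value versus an AD bind, simulated here with PBKDF2); their class names, the `map_login` method and the demo accounts are assumptions of this example. A login claimed by two sources is refused at mapping time rather than resolved by guesswork, since silently picking one source would let the other account's credentials authenticate as the first.

```python
import base64
import hashlib
import hmac
import os


class SunLdapBackend:
    """Constructed stand-in for a Sun/Oracle directory that stores {SSHA} userPassword values."""
    id_attr = "uid"

    def __init__(self, entries):
        self.entries = entries  # uid -> "{SSHA}" + base64(sha1(password + salt) + salt)

    @staticmethod
    def ssha(password, salt):
        digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

    def check(self, native_id, password):
        stored = self.entries.get(native_id)
        if stored is None:
            return False
        raw = base64.b64decode(stored[len("{SSHA}"):])
        salt = raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
        return hmac.compare_digest(self.ssha(password, salt), stored)


class AdBackend:
    """Constructed stand-in for an AD domain: the hub asks the domain to verify the bind and
    never sees unicodePwd. The 'bind' is simulated with a PBKDF2 comparison kept inside here."""
    id_attr = "sAMAccountName"

    def __init__(self, accounts):
        self.accounts = accounts  # sAMAccountName -> (salt, pbkdf2 digest)

    @staticmethod
    def derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def check(self, native_id, password):
        rec = self.accounts.get(native_id)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self.derive(password, salt), digest)


class IdentityHub:
    """Virtual view: one common 'login' attribute mapped onto each source's own identifier."""

    def __init__(self, backends):
        self.backends = backends  # source name -> backend
        self.view = {}            # common login (lower-cased) -> (source name, native id)

    def map_login(self, source, native_id, login):
        key = login.lower()
        if key in self.view and self.view[key] != (source, native_id):
            # Two sources claim the same login: refuse rather than guess which is authoritative.
            raise ValueError(f"login {login!r} is ambiguous across sources")
        self.view[key] = (source, native_id)

    def authenticate(self, login, password):
        """Step 1, identification: find the entry through the mapped view.
        Step 2, credential checking: delegate to the owning source.
        Returns (success, source name or 'unknown')."""
        hit = self.view.get(login.lower())
        if hit is None:
            return False, "unknown"
        source, native_id = hit
        return self.backends[source].check(native_id, password), source


def build_demo_hub():
    """Constructed data: one Sun account and one AD account behind a single hub."""
    sun = SunLdapBackend({"afuller": SunLdapBackend.ssha("sun-pass-1", os.urandom(8))})
    ad_salt = os.urandom(16)
    ad = AdBackend({"jsmith": (ad_salt, AdBackend.derive("ad-pass-2", ad_salt))})
    hub = IdentityHub({"Sun": sun, "AD Domain 1": ad})
    hub.map_login("Sun", "afuller", "AFuller")        # uid -> common login
    hub.map_login("AD Domain 1", "jsmith", "jsmith")  # sAMAccountName -> common login
    return hub


if __name__ == "__main__":
    hub = build_demo_hub()
    print(hub.authenticate("afuller", "sun-pass-1"))   # (True, 'Sun')
    print(hub.authenticate("jsmith", "wrong"))         # (False, 'AD Domain 1')
```

The returned source name is what the hub would log on each authentication; keeping it separate from the boolean lets an operator see which backend answered without the hub ever holding a credential.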

Page 33

Use Case: PAM Authentication - Storing PAM-Specific Attribute Extension in VDS

Base Profile (from AD Domain 1): sAMAccountName=jsmith, sn=Smith, givenName=John, title=operations manager

Extended Attributes: uidNumber = 100, gidNumber = 108, gecos = Andrew Fuller, loginshell = /bin/zsh, homedirectory = /home/afuller, shadowLastChange = 10877 …
These extended attributes can be stored in any source: “local” or some other backend.

Join of all attributes, presented to the UNIX/LINUX Clients as a single entry: sAMAccountName=jsmith, sn=Smith, givenName=John, title=operations manager, plus the extended attributes above

Page 34

Use Case: Oracle Names Resolution

Oracle Clients; Oracle DB Servers

•  VDS local LDAP stores Oracle context data
•  Schema extended at VDS
•  Each client configured to point to VDS to look up the DB

Page 35

Use Case: Global Address List for Email Clients

Sources:
•  Active Directory: employeeNumber=9, samAccountName=Alice_Lee, objectClass=user, mail: [email protected], departmentNumber=234
•  LDAP Directory: uid=Alee, title=VP Sales, givenName=Alice, sn=Lee, telephoneNumber=415-520-2203
•  HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Alice_Lee, DeptID=Sales234

Correlated Identity View: employeeNumber=9, samAccountName=Alice_Lee, objectClass=user, mail: alee@mycompany.com, cn=Alice Lee, title=VP Sales, ClearanceLevel=1, Region=PA, departmentNumber=234, telephoneNumber=415-520-2203

Page 36

Compliance

Sources:
•  Active Directory: employeeNumber=9, samAccountName=Alice_Lee, objectClass=user, mail: [email protected], departmentNumber=234
•  LDAP Directory: uid=Alee, title=Guru Inside Sales Manager, givenName=Alice, sn=Lee, telephoneNumber=415-520-2203
•  HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Alice_Lee, DeptID=Sales234

Correlated Identity View: employeeNumber=9, samAccountName=Alice_Lee, objectClass=user, mail: alee@mycompany.com, cn=Alice Lee, title=Guru Inside Sales Manager, ClearanceLevel=1, Region=PA, departmentNumber=234, telephoneNumber=415-520-2203, source=HR Database, source=LDAP Directory, source=Active Directory

Reports: Which Data Sources Does Alice Have Active Accounts In?

Page 37

Use Case: FID and Provisioning

•  Legacy Applications (and respective stores): AD, Sun, LDAP; provisioning protocols shown: LDAP/SQL/SPML
•  Cloud Apps; provisioning protocols shown: SPML, SCIM
•  FID as reference image

Page 38

Summary

•  In order to accommodate new requirements you will face challenges around authentication and authorization.
•  Multiple existing different identity silos means:
  •  Many methods for credentials checking
  •  Many locations housing different aspects (attributes/groups) of an identity
•  These challenges can be solved with a Federated Identity Service based on virtualization.
•  You can leverage the federated identity service for not just cloud apps, but also legacy apps and other initiatives as well.
•  Coming Up: A Foundation for the Future
  •  Michel Prompt shows you how the Federated Identity Service you put in place today is a key piece of infrastructure that prepares you for the future.
