Deploying an Identity Provider in a Complex,
Federated and Siloed World
PING Conference - July 2013
Talking Points
• Challenges you will face:
  • How to accommodate new requirements
  • Problems you can encounter and why:
    • Authentication
    • Authorization
• Approach to solving these challenges:
  • A federated identity service
    • Identity Hub storage
    • Aggregation
    • Mapping
    • Correlation
    • Join
    • Caching
• Leveraging the federated identity service not just for cloud apps, but for legacy apps as well.
The Challenges
Authentication and Federation: The Cloud and Web Apps Imperative
(Slide graphic: the federation protocols SAML, OpenID Connect and OAuth 2.0.)
The Current Security Conundrum
(Slide graphic: the security means, SAML, OAuth and OpenID, sit on top of the identity infrastructure.)
A complete federation solution requires federating both access and identities.
The Directory: Original Model for Security
• Any security system based on identity is composed of two parts:
  • A registry of identity information (the directory)
  • The security means, which are supported by the identity information (e.g. Kerberos, SASL, SSL)
Current Infrastructure: Multiple Doors and Locks
(Slide graphic: separate identity stores, AD, Sun, RACF, LDAP, HR and a Role DB, each with its own "lock".)
The Challenge of a Fragmented Distributed Identity System
(Slide graphic: the existing identity infrastructure serving both legacy applications and SaaS/cloud/BYOD/partner apps.)
The Challenges
• For many initiatives, such as federation and portal security, you need:
  1. One global reference identity source for authenticating users.
  2. To support authorization, that one identity source should contain the richest profile possible for each identity.
• But you cannot afford to just create another greenfield directory because:
  1. It would be a huge effort to populate it.
  2. The information already exists in other silos.
• You need one central access point, but you don't want to start over from scratch.
Identity Provider Challenges
Authentication Challenges – The Details
Goal: Enable Authentication and SSO Across Multiple Sources
1. The first step is identification: finding the user entry that needs to be authenticated. But:
  • Identities are spread across multiple data sources, such as multiple AD domains/forests.
  • Identities are described differently in each source, such as "uid" vs. "sAMAccountName" vs. "LOGIN".
2. The second step is credential checking. Each source supports its own authentication mechanism:
  • Different password storage (hashing) schemes and schema elements (a hashed userPassword in LDAP vs. AD's write-only unicodePwd, etc.).
  • Existing internal (employee) user IDs and passwords in Active Directory.
  • External user credentials may be stored elsewhere (Sun ONE, Oracle, etc.).
Authorization Challenges – The Details
Goal: Attribute-Based or Groups-Based Authorization
1. Profile information exists in multiple data sources.
2. Data sources have their own schema elements (object classes and attributes):
  • group/member (AD)
  • groupOfUniqueNames/uniqueMember (Sun)
3. Inflexible group definitions:
  • Static (hard-coded) group members.
  • Dynamic groups that rely on client application logic to build the member list via an extra search (based on the memberURL attribute).
User Identification Challenges
(Slide graphic: the same person with different identifiers across systems, and different people with the same identifier.)
Identification Challenges of SSO
LDAP Directory entry:
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
departmentNumber=234
employeeID=562_09_8000
Active Directory entry:
employeeNumber=E562098000Z
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected] (followed by a department attribute =234 whose name was lost in extraction)
How applications see the same user:
Name=Andrew_Fuller, ID: [email protected]
login=AFuller, ID=562_09_8000
Salesforce knows Andrew by an ID of [email protected]
SharePoint knows Andrew by an ID of AFuller
Attribute-Driven Authorization Challenges
Active Directory entry:
employeeNumber=2
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected] (followed by a department attribute =234 whose name was lost in extraction)
memberOf=cn=AllUsers,ou=Groups,dc=ad
LDAP Directory entry:
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
departmentNumber=234
LDAP Directory group:
cn=Regional Sales
objectClass=groupOfUniqueNames
uniqueMember=uid=afuller,ou=people,o=sun
HR Database record:
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234
Is this the same person?
If so, what groups is he a member of?
If so, how can I get a global profile when there is no single common identifier?
Solving Challenges
A Federated Identity Service
(Slide graphic: the federated identity service placed between the existing identity infrastructure and both legacy applications and SaaS/cloud/BYOD/partner apps.)
Identity Integration
(Slide graphic: identity data drawn from business units such as Accounting, Marketing, Support, Business Development, Call Center, Fulfillment, Order Management, Sales and HR.)
Federated Identity Service: The High Level Components
• The "Identity Hub", supported by identity and context virtualization.
• The "storage" is a directory (for speed and scalability).
• The "services" are metadata extraction, view design, mapping, correlation, join and synchronization (a persistent cache with auto-refresh).
Identity and Context Virtualization Process
Identity Integration (Aggregation and Correlation)
Identity Correlation Example: Creating a UNION Set
• Union requires some kind of criteria, one or more attributes, to detect and correlate the same users across systems. This is the common, global identifier.
• A match based on this attribute (or attributes) allows us to remove duplicates.
• The result is a "union compatible" operation, where all users are represented exactly once, and only once, in the virtualized global list.
• Note that in the data below the login smatthews belongs to Sarah Matthews in Systems A and C but to Steve Matthews in System B, so the login alone is not a safe criterion; the global list keeps the two apart.

System A
emplogin    firstname  lastname
smatthews   Sarah      Matthews
lanalandry  Lana       Landry

System B
employeeID  givenName  sn        title
llandry     Lana       Landry    Writer
smatthews   Steve      Matthews  Janitor

System C
LOGIN      firstname  lastname  role         group      homephone
llandry    Lana       Landry    Tech Writer  Marketing  4152096800
smatthews  Sarah      Matthews  CEO          Admin      4152096802

Global List (Union)
firstname  lastname
Sarah      Matthews
Lana       Landry
Steve      Matthews
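The union step above, worked in code. This is an added example and not code from the slides or from any vendor product: the three record sets are constructed from the slide's tables, the common-schema attribute names (login, givenName, sn, title, group, homePhone) and the function names are assumptions. It maps each silo's attributes onto one schema, builds the union on a chosen correlation key, and reports keys whose records disagree on some other attribute, which is how the smatthews collision is caught.

```python
"""Added example, not from the original slides: building the union of three
identity silos so that each person appears exactly once.

Each system names its attributes differently (emplogin / employeeID / LOGIN),
so records are first mapped onto a common schema, then correlated on a chosen
key. The slide's data carries a trap: System B's "smatthews" is Steve
Matthews, not Sarah, so a key built from the login alone merges two people.
Attribute and function names are assumptions made for this example.
"""

# Constructed sample data, mirroring the slide's three systems.
SYSTEM_A = [
    {"emplogin": "smatthews", "firstname": "Sarah", "lastname": "Matthews"},
    {"emplogin": "lanalandry", "firstname": "Lana", "lastname": "Landry"},
]
SYSTEM_B = [
    {"employeeID": "llandry", "givenName": "Lana", "sn": "Landry", "title": "Writer"},
    {"employeeID": "smatthews", "givenName": "Steve", "sn": "Matthews", "title": "Janitor"},
]
SYSTEM_C = [
    {"LOGIN": "llandry", "firstname": "Lana", "lastname": "Landry",
     "role": "Tech Writer", "group": "Marketing", "homephone": "4152096800"},
    {"LOGIN": "smatthews", "firstname": "Sarah", "lastname": "Matthews",
     "role": "CEO", "group": "Admin", "homephone": "4152096802"},
]
SOURCES = {"A": SYSTEM_A, "B": SYSTEM_B, "C": SYSTEM_C}

# Source attribute -> common-schema attribute (the "mapping" step).
MAPPINGS = {
    "A": {"emplogin": "login", "firstname": "givenName", "lastname": "sn"},
    "B": {"employeeID": "login", "givenName": "givenName", "sn": "sn", "title": "title"},
    "C": {"LOGIN": "login", "firstname": "givenName", "lastname": "sn",
          "role": "title", "group": "group", "homephone": "homePhone"},
}


def normalize(value):
    """Comparison form for key attributes: trim, collapse spaces, casefold."""
    return " ".join(str(value).split()).casefold()


def mapped_records(sources):
    """Yield (source name, record rewritten into the common schema) for every record."""
    for name, records in sources.items():
        for rec in records:
            yield name, {MAPPINGS[name][k]: v for k, v in rec.items() if k in MAPPINGS[name]}


def correlate(sources, key_attrs):
    """Union of all sources; records agreeing on key_attrs become one entry.

    Each entry records the sources it was seen in. For the other attributes the
    first source to supply a value wins; a real hub would declare an
    authoritative source per attribute instead of relying on iteration order.
    """
    entries = {}
    for name, rec in mapped_records(sources):
        key = tuple(normalize(rec.get(a, "")) for a in key_attrs)
        entry = entries.setdefault(key, {"sources": []})
        entry["sources"].append(name)
        for attr, value in rec.items():
            entry.setdefault(attr, value)
    return list(entries.values())


def key_conflicts(sources, key_attrs, check_attr):
    """Keys whose records disagree on check_attr, a sign the key is too weak.

    Returns {key: sorted distinct normalized values of check_attr}.
    """
    seen = {}
    for _, rec in mapped_records(sources):
        key = tuple(normalize(rec.get(a, "")) for a in key_attrs)
        seen.setdefault(key, set()).add(normalize(rec.get(check_attr, "")))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def people(entries):
    """(givenName, sn) pairs of a global list, for inspection."""
    return sorted((e["givenName"], e["sn"]) for e in entries)


if __name__ == "__main__":
    # Login alone: three entries, but Steve is folded into Sarah and Lana appears twice.
    print(people(correlate(SOURCES, ("login",))))
    print(key_conflicts(SOURCES, ("login",), "givenName"))
    # A name-based key reproduces the slide's global list of three people.
    print(people(correlate(SOURCES, ("givenName", "sn"))))
```

Run the conflict report before committing to a key: with the login as key it flags smatthews (Sarah vs. Steve); with the name as key it flags only that Lana carries two logins, which is an alias rather than a collision. Names are themselves a weak key at enterprise scale, so where an HR-issued employee number exists in every silo it should be preferred.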
Identity Views Delivered in the Format and Content Expected by Applications
Solving Authentication Challenges
How does a Federated Identity Service help solve authentication challenges?

Step: Identification
  Challenge: Identities spread across multiple sources
  Solved by: Integrating users from multiple sources
  Challenge: Identities described differently in each source
  Solved by: Object and attribute mapping to provide a common schema

Step: Credential Checking
  Challenge: Different password storage (hashing) schemes and schema elements
  Solved by: Providing a single form of authentication to the application, with the flexibility to delegate the credential check to the backend or to customize some other validation mechanism
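The two steps in the table, identification followed by a delegated credential check, as a runnable model. This is an added example, not code from the slides or from any product: the two backends, the account names, passwords and salts are all constructed. The LDAP-style silo keeps {SSHA} values in userPassword and the application database keeps PBKDF2-HMAC-SHA256 digests, so their checks differ and the hub never has to understand either; it only asks the owning silo. An Active Directory backend is deliberately left out, because its check would be a bind forwarded to a live domain controller (unicodePwd cannot be read back), which cannot run offline.

```python
"""Added example, not from the original slides: an identity hub that first
identifies a user across differently shaped silos, then delegates the
credential check to the silo that owns the account. Backends, names,
passwords and salts are constructed for this example."""
import base64
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # constructed setting for the example database


def ssha_hash(password, salt):
    """OpenLDAP-style {SSHA} userPassword: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value with a constant-time digest compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class LdapBackend:
    """Sun/OpenLDAP-style silo: entries keyed by uid, hash kept in userPassword."""

    def __init__(self, entries):
        self.entries = entries

    def logins(self):
        return self.entries.keys()

    def bind(self, uid, password):
        entry = self.entries.get(uid)
        return entry is not None and ssha_verify(password, entry["userPassword"])


class SqlBackend:
    """Application-database silo: LOGIN column, PBKDF2 digest and salt per row."""

    def __init__(self, rows):
        self.rows = rows

    def logins(self):
        return self.rows.keys()

    def bind(self, login, password):
        row = self.rows.get(login)
        if row is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, row["digest"])


class IdentityHub:
    """Maps each silo's own login attribute onto one virtual login and routes binds."""

    def __init__(self, backends, authority):
        self.backends = backends
        self.authority = authority  # source names, most authoritative first
        self.view = {}              # normalized login -> {source: native login}
        for name, backend in backends.items():
            for native in backend.logins():
                self.view.setdefault(native.casefold(), {})[name] = native

    def identify(self, login):
        """Step 1, identification: (source, native login) of the owning silo, or None."""
        hits = self.view.get(login.casefold(), {})
        for source in self.authority:
            if source in hits:
                return source, hits[source]
        return None

    def authenticate(self, login, password):
        """Step 2, credential check delegated to the silo. Unknown user and wrong
        password both return False so the caller cannot enumerate accounts."""
        found = self.identify(login)
        if found is None:
            return False
        source, native = found
        return self.backends[source].bind(native, password)


# Constructed sample silos; jsmith exists in both, and LDAP is declared authoritative.
LDAP = LdapBackend({
    "afuller": {"userPassword": ssha_hash("Sales-2013!", b"\x01\x02\x03\x04")},
    "jsmith": {"userPassword": ssha_hash("Ops-ldap-1", b"\x05\x06\x07\x08")},
})
SQL = SqlBackend({"jsmith": {
    "salt": b"sqlsalt0",
    "digest": hashlib.pbkdf2_hmac("sha256", b"Ops-sql-2", b"sqlsalt0", PBKDF2_ROUNDS),
}})
HUB = IdentityHub({"ldap": LDAP, "sql": SQL}, authority=["ldap", "sql"])
```

The authority list matters when a login exists in more than one silo: HUB.authenticate("jsmith", "Ops-sql-2") fails because the hub routes jsmith to LDAP, where that password is wrong. Without an explicit rule the answer would depend on which silo happened to be consulted first, which is exactly the ambiguity the identification step is meant to remove.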
Solving Authorization Challenges
How does a Federated Identity Service help solve authorization challenges?

Type: Attribute-Based
  Challenge: Profile attributes spread across multiple sources
  Solved by: Integrating users from multiple sources in order to build a global profile

Type: Groups-Based
  Challenge: Existing groups and potential group members spread across multiple data silos
  Solved by: Offering flexible group definitions:
    - Aggregate/map existing groups
    - Build new group definitions with dynamic members
Example: Identity Correlation and Profile Creation
Source entries:
Active Directory: employeeNumber=2, sAMAccountName=Andrew_Fuller, objectClass=user, mail: [email protected] (followed by a department attribute =234 whose name was lost in extraction)
LDAP Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234
HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234
Correlated Identity View (one virtual entry built from all three):
employeeNumber=2
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA
Example: Dynamic Group Creation and Profile Extension
Dynamic Groups View:
cn=Sales
objectClass=group
member=Andrew_Fuller
**Based on identities that have:
• ClearanceLevel=1
• title=VP Sales
• Region=PA
Correlated Identity View, extended with a computed attribute (memberOf) based on a lookup in the dynamic groups view:
employeeNumber=2
sAMAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA
memberOf=cn=Sales
Example: Dynamic Group Creation
(Slide graphic only.)
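The two examples above, correlation into a global profile and then a computed memberOf from a dynamic group, worked end to end. This is an added example, not code from the slides or from any product. The Andrew Fuller and Alice Lee records are constructed from the slide entries; Bob Ng, the mail values and Alice's and Bob's EmployeeID values are invented so the filters have something to discriminate. Two things are assumptions of the example rather than statements about how the product works: the correlation rule (a first-name/last-name key derived from sAMAccountName, from givenName/sn, and from the EMP_ prefix convention in the HR UserID) and the group filter syntax, which is a small subset of LDAP search filters.

```python
"""Added example, not from the original slides: correlate three silos that
share no common identifier into one global profile, then compute memberOf
from dynamic (filter-based) group definitions. Records, the correlation rule
and the filter syntax are assumptions made for this example."""
import re

AD = [  # constructed; mail values invented
    {"employeeNumber": "2", "sAMAccountName": "Andrew_Fuller", "mail": "andrew_fuller@example.com"},
    {"employeeNumber": "9", "sAMAccountName": "Alice_Lee", "mail": "alice_lee@example.com"},
    {"employeeNumber": "12", "sAMAccountName": "Bob_Ng", "mail": "bob_ng@example.com"},
]
LDAP = [  # constructed; Bob has no LDAP entry
    {"uid": "AFuller", "title": "VP Sales", "givenName": "Andrew", "sn": "Fuller", "departmentNumber": "234"},
    {"uid": "ALee", "title": "Guru Inside Sales Manager", "givenName": "Alice", "sn": "Lee", "departmentNumber": "234"},
]
HR = [  # constructed; EmployeeID values for Alice and Bob invented
    {"EmployeeID": "509-34-5855", "ClearanceLevel": "1", "Region": "PA", "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234"},
    {"EmployeeID": "509-34-5856", "ClearanceLevel": "1", "Region": "PA", "UserID": "EMP_Alice_Lee", "DeptID": "Sales234"},
    {"EmployeeID": "509-34-5857", "ClearanceLevel": "2", "Region": "NY", "UserID": "EMP_Bob_Ng", "DeptID": "Eng101"},
]


# Per-source correlation keys: each silo yields the same (first, last) tuple.
def key_ad(rec):    # "Andrew_Fuller" -> ("andrew", "fuller")
    return tuple(rec["sAMAccountName"].casefold().split("_", 1))


def key_ldap(rec):  # givenName/sn -> ("andrew", "fuller")
    return (rec["givenName"].casefold(), rec["sn"].casefold())


def key_hr(rec):    # "EMP_Andrew_Fuller" -> ("andrew", "fuller")
    return tuple(re.sub(r"^EMP_", "", rec["UserID"]).casefold().split("_", 1))


SOURCES = {"Active Directory": (AD, key_ad), "LDAP Directory": (LDAP, key_ldap), "HR Database": (HR, key_hr)}


def build_profiles(sources):
    """Join: one profile per correlation key, tagged with the silos it came from."""
    profiles = {}
    for name, (records, keyfn) in sources.items():
        for rec in records:
            profile = profiles.setdefault(keyfn(rec), {"sources": []})
            profile["sources"].append(name)
            for attr, value in rec.items():
                profile.setdefault(attr, value)  # attribute names do not clash across these silos
    return list(profiles.values())


def parse_filter(text):
    """Parse a subset of RFC 4515 filters: (&..), (|..), (!..), (attr=value), (attr=*)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # consume the closing ')'
            return (op, kids)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    ast = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return ast


def matches(node, entry):
    """Evaluate a parsed filter against a profile (case-insensitive equality)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    actual = entry.get(node[1])
    return actual is not None and (node[2] == "*" or actual.casefold() == node[2].casefold())


# Dynamic group definitions (DN -> membership filter); cn=Sales mirrors the slide.
DYNAMIC_GROUPS = {
    "cn=Sales": "(&(ClearanceLevel=1)(title=VP Sales)(Region=PA))",
    "cn=Sales234": "(|(DeptID=Sales234)(departmentNumber=234))",
}


def with_member_of(profiles, groups):
    """Computed attribute: memberOf lists every dynamic group whose filter the profile matches."""
    asts = {dn: parse_filter(f) for dn, f in groups.items()}
    for profile in profiles:
        profile["memberOf"] = sorted(dn for dn, ast in asts.items() if matches(ast, profile))
    return profiles


def group_members(profiles, dn):
    return sorted(p["sAMAccountName"] for p in profiles if dn in p["memberOf"])


def account_report(profiles):
    """Compliance view: which silos hold an account for each person."""
    return {p["sAMAccountName"]: p["sources"] for p in profiles}


PROFILES = with_member_of(build_profiles(SOURCES), DYNAMIC_GROUPS)
```

Because membership is evaluated against the joined profile, a group can combine attributes that no single silo holds (here clearance and region from HR with a title from LDAP). The sources list that build_profiles keeps per profile is the same data the later compliance report needs, so the "which data sources does this person have active accounts in" question is answered by account_report with no extra lookup.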
Addressing Performance Challenges
Three ways to serve a virtual view:
• Run time view, no cache: each request is resolved against the sources through the view definitions.
• Memory cache: the view definitions are applied to the sources and the results are held in a memory cache.
• Persistent (disk-based) cache: the view is materialized in the persistent cache ("P. CACHE") and refreshed from the sources.
Introduction to Common Use Cases
Support for Authentication and as an Attribute Server
Use Case: PAM Authentication, Credentials Checking Delegated to Backend
• UNIX/Linux clients send their authentication request to the virtual directory.
• Credential checking is forwarded to the authoritative source (AD Domain 1, AD Domain 2 or Sun).
• Re-use existing users and credentials!
Use Case: PAM Authentication, Storing the PAM-Specific Attribute Extension in VDS
Base profile (from AD Domain 1):
sAMAccountName=jsmith
sn=Smith
givenName=John
title=operations manager
Extended attributes (these can be stored in any source: "local" or some other backend):
uidNumber = 100
gidNumber = 108
gecos = Andrew Fuller
loginshell = /bin/zsh
homedirectory = /home/afuller
shadowLastChange = 10877
…
Join of all attributes, presented to the UNIX/Linux clients as a single entry:
sAMAccountName=jsmith
sn=Smith
givenName=John
title=operations manager
uidNumber = 100
gidNumber = 108
gecos = Andrew Fuller
loginshell = /bin/zsh
homedirectory = /home/afuller
shadowLastChange = 10877
…
Use Case: Oracle Names Resolution
• The VDS local LDAP store holds the Oracle context (names resolution) data; the schema is extended at the VDS.
• Each Oracle client is configured to point to the VDS to look up the DB servers.
Use Case: Global Address List for Email Clients
Source entries:
Active Directory: employeeNumber=9, sAMAccountName=Alice_Lee, objectClass=user, mail: [email protected] (followed by a department attribute =234 whose name was lost in extraction)
LDAP Directory: uid=Alee, title=VP Sales, givenName=Alice, sn=Lee, telephoneNumber=415-520-2203
HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Alice_Lee, DeptID=Sales234
Correlated Identity View (the entry the mail client sees):
employeeNumber=9
sAMAccountName=Alice_Lee
objectClass=user
mail: alee@mycompany.com
cn=Alice Lee
title=VP Sales
ClearanceLevel=1
Region=PA
departmentNumber=234
telephoneNumber=415-520-2203
Compliance
Source entries:
Active Directory: employeeNumber=9, sAMAccountName=Alice_Lee, objectClass=user, mail: [email protected] (followed by a department attribute =234 whose name was lost in extraction)
LDAP Directory: uid=Alee, title=Guru Inside Sales Manager, givenName=Alice, sn=Lee, telephoneNumber=415-520-2203
HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Alice_Lee, DeptID=Sales234
Correlated Identity View, with a computed source attribute recording each silo the entry was built from:
employeeNumber=9
sAMAccountName=Alice_Lee
objectClass=user
mail: alee@mycompany.com
cn=Alice Lee
title=Guru Inside Sales Manager
ClearanceLevel=1
Region=PA
departmentNumber=234
telephoneNumber=415-520-2203
source=HR Database
source=LDAP Directory
source=Active Directory
Reports: Which data sources does Alice have active accounts in?
Use Case: FID and Provisioning
(Slide graphic: the Federated Identity service (FID) acts as the reference image. Legacy applications and their respective stores (AD, Sun, LDAP) are reached over LDAP, SQL or SPML; cloud apps over SPML and SCIM.)
Summary
• In order to accommodate new requirements you will face challenges around authentication and authorization.
• Multiple existing identity silos mean:
  • Many methods for credential checking
  • Many locations housing different aspects (attributes/groups) of an identity
• These challenges can be solved with a Federated Identity Service based on virtualization.
• You can leverage the federated identity service not just for cloud apps, but for legacy apps and other initiatives as well.
• Coming Up: A Foundation for the Future
  • Michel Prompt shows you how the Federated Identity Service you put in place today is a key piece of infrastructure that prepares you for the future.