IAM/IRM considerations for SaaS provider selection

Description
David Taylor, IAM Consultant, Smart421, and Cliff Dobbs, IAM Architect, ARM, at the European IRM Summit 2014.

Transcript

Slide 1: IAM/IRM considerations for SaaS provider selection
David Taylor (Smart421), Cliff Dobbs (ARM)
Slide 2: What & Why
Who for: project managers and business analysts; architects; mainly companies using SaaS providers
What: connecting your company's IAM infrastructure to that of a SaaS provider
Why:
Slide 3
Questions for "them", the SaaS provider:
1. Does their service support an open SSO federation protocol?
2. How easy is it to automate the provisioning and de-provisioning of users?
3. Does their technical environment fit with your constraints?
4. Can the integration be tested before go-live?
5. What about mobile access?
And for "us":
6. Do you understand your own requirements?
7. What can we do to make federation easier?
8. Can IDaaS vendors help with this?
Slide 4: Questions for the SaaS providers
Slide 5: Does their service support an open federation protocol?
Slide 6: Does their service support an open federation protocol?
Parties: you, as AP / IdP (asserting party / identity provider); the SaaS vendor, as RP / SP (relying party / service provider).
1: Visit resource (no session)
2: Authenticate user
3: Generate federation assertion
4: Validate assertion
5: Create session and allow access
Slide 7: Does their service support an open federation protocol?
Same flow (you: AP / IdP; SaaS vendor: RP / SP), with steps 3 to 5 annotated:
3: Generate federation assertion
4: Validate assertion
5: Create session and allow access
Annotations on the assertion exchange: Protocol, Profile, Assurance
Slides 8 and 9: Does their service support an open federation protocol? Which federation protocols?
'Proper' identity federation protocols: Shibboleth, SAML 1.x, WS-Fed, SAML 2.0, OpenID, OpenID Connect
Pseudo identity federation protocols: OAuth, OAuth 2.0 (but OK for authorization scenarios), OATH
Slide 10: Does their service support an open federation protocol? Which federation protocols?
SAML 2.0 protocols (diagram)
Slide 11: Do you understand your own requirements?
What technical constraints do you have?
What user journey requirements do you have?
What security policy requirements do you have?
What audit requirements do you have around provisioning?
Slides 12 to 16: Does their technical environment fit with your constraints?
Diagram (slide 12): My.Com runs the IdP with its SSO endpoint; MyCloudCRM is the SP with its ACS (assertion consumer service); the user "Ms Mobile" signs in through My.Com; the link between IdP and SP is labelled "Artefact" (the SAML artifact binding).
Diagram (slide 13): as slide 12, with 2FA added at the My.Com IdP SSO.
Diagram (slide 14): a Customer / Partner IdP is added alongside My.Com, also federating to the MyCloudCRM ACS; "2FA?" is marked against the partner IdP.
Diagram (slide 15): My.Com now acts as an IdP proxy (SP towards the Customer / Partner IdP, IdP towards MyCloudCRM); 2FA at My.Com, "2FA?" at the partner; "Ms Mobile" remains a direct My.Com user.
Diagram (slide 16): the IdP proxy arrangement, with the 2FA label marked X.
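The flow on slides 6 and 7 and the 2FA question on slides 12 to 16, as an added example that is not part of the presentation: the asserting party (IdP) issues a signed assertion and the relying party (SP) performs the validation of step 4 before creating a session in step 5. Everything here is an assumption of the example rather than something the slides show: the entity IDs, the authentication-context URNs standing in for "2FA", and the use of JSON with an HMAC-SHA256 shared key in place of SAML XML with an XML-DSig signature. The checks themselves (signature first, then issuer, audience, validity window, one-time use of the assertion ID, and required authentication strength) are the ones a production SP has to perform, whatever the protocol.

```python
"""Added example: steps 3 to 5 of the federation flow, with an SP that demands 2FA.
JSON + HMAC stands in for SAML XML + XML-DSig; entity IDs and URNs are constructed."""
import hashlib
import hmac
import json
import secrets
import time

IDP_ENTITY_ID = "https://idp.my.com/sso"          # asserting party / IdP (constructed)
SP_ENTITY_ID = "https://mycloudcrm.example/acs"   # relying party / SP, its ACS (constructed)
AUTHN_PASSWORD = "urn:example:authn:password"     # constructed authn context: password only
AUTHN_MFA = "urn:example:authn:mfa"               # constructed authn context: the slides' "2FA"


def issue_assertion(key, subject, authn_context, now, lifetime_s=300):
    """Step 3: the IdP generates a federation assertion for an authenticated user."""
    body = {
        "id": secrets.token_hex(16),        # unique per assertion; lets the SP detect replay
        "issuer": IDP_ENTITY_ID,
        "audience": SP_ENTITY_ID,           # the only SP allowed to accept this assertion
        "subject": subject,
        "authn_context": authn_context,     # how strongly the IdP authenticated the user
        "not_before": int(now),
        "not_on_or_after": int(now) + lifetime_s,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "sig": sig})


class ServiceProvider:
    """The relying party: step 4 (validate) and step 5 (create session)."""

    def __init__(self, key, trusted_issuer, require_mfa):
        self.key = key
        self.trusted_issuer = trusted_issuer
        self.require_mfa = require_mfa
        self.seen_ids = set()    # assertion IDs already consumed
        self.sessions = {}       # session id -> subject

    def validate(self, assertion, now):
        """Step 4: returns (accepted, reason). Nothing in the payload is trusted until the
        signature has been verified with a constant-time comparison."""
        env = json.loads(assertion)
        expected = hmac.new(self.key, env["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env["sig"]):
            return False, "bad signature"
        body = json.loads(env["payload"])
        if body["issuer"] != self.trusted_issuer:
            return False, "untrusted issuer"
        if body["audience"] != SP_ENTITY_ID:
            return False, "wrong audience"
        if not (body["not_before"] <= now < body["not_on_or_after"]):
            return False, "outside validity window"
        if body["id"] in self.seen_ids:
            return False, "replayed assertion"
        if self.require_mfa and body["authn_context"] != AUTHN_MFA:
            return False, "2FA required"
        self.seen_ids.add(body["id"])
        return True, "ok"

    def consume(self, assertion, now):
        """Step 5: create a session only for a valid assertion; returns None otherwise."""
        ok, _reason = self.validate(assertion, now)
        if not ok:
            return None
        subject = json.loads(json.loads(assertion)["payload"])["subject"]
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = subject
        return session_id


def demo():
    """Runs the checks for the constructed user Ms Mobile; returns each check's outcome."""
    key = secrets.token_bytes(32)   # constructed key shared by IdP and SP for this example
    now = time.time()
    sp = ServiceProvider(key, IDP_ENTITY_ID, require_mfa=True)
    user = "ms.mobile@my.com"
    results = {}
    weak = issue_assertion(key, user, AUTHN_PASSWORD, now)
    results["password_only"] = sp.validate(weak, now)[1]          # SP insists on 2FA
    strong = issue_assertion(key, user, AUTHN_MFA, now)
    results["mfa_first_use"] = sp.validate(strong, now)[1]        # accepted once...
    results["mfa_replay"] = sp.validate(strong, now)[1]           # ...not twice
    stale = issue_assertion(key, user, AUTHN_MFA, now - 600)
    results["expired"] = sp.validate(stale, now)[1]               # window closed
    env = json.loads(issue_assertion(key, user, AUTHN_MFA, now))
    env["payload"] = env["payload"].replace("ms.mobile", "mr.other")
    results["tampered"] = sp.validate(json.dumps(env), now)[1]    # fails before parsing
    session = sp.consume(issue_assertion(key, user, AUTHN_MFA, now), now)
    results["session_subject"] = sp.sessions.get(session, "")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:16s} -> {outcome}")
```

The ordering matters for the "Assurance" annotation on slide 7: the SP decides what authentication context it requires, and a partner IdP that cannot assert it (the "2FA?" on slides 14 and 15) is rejected at step 4 rather than being given a weaker session at step 5.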
Slide 17: How easy is it to automate the provisioning and de-provisioning of users?
Identity lifecycle management options:
- None / implicit / dynamic
- Flat file exchange (usually proprietary)
- LDIF exchange, leading to directory synchronisation
- SAML 2.0 explicit support
- SCIM
Frequency, latency: how fast does the SaaS provider need to react to changes?
Transactional integrity / audit: "I thought we turned off Johnny's access"
SCIM resource model, with thanks to http://www.simplecloud.info
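The SCIM option on slide 17, and its "I thought we turned off Johnny's access" audit point, as an added example that is not part of the presentation: a reconciliation loop drives a SaaS provider's SCIM 2.0 `/Users` store to match an authoritative list of who should be active, records every action, and then re-reads the provider's state to confirm the leaver really is off. The schema URNs and the ListResponse / PatchOp message shapes are the real ones from RFC 7643 and RFC 7644; the provider itself is a constructed in-memory stand-in so the code runs offline, and the user names, IDs and timestamp are constructed sample data.

```python
"""Added example: SCIM 2.0 reconciliation with an audit trail. The provider is a
constructed stand-in for a SaaS /Users endpoint; URNs and message shapes follow RFC 7643/7644."""
import json
from datetime import datetime, timezone

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


class FakeScimProvider:
    """Constructed stand-in for the SaaS provider's SCIM /Users endpoint."""

    def __init__(self, users):
        self.users = {u["id"]: u for u in users}
        self.requests = []  # every request we sent, in order: the client-side audit trail

    def list_users(self):
        # GET /Users -> ListResponse (RFC 7644 section 3.4.2)
        return {"schemas": [SCIM_LIST], "totalResults": len(self.users),
                "Resources": list(self.users.values())}

    def create_user(self, user_name):
        # POST /Users with a core User resource
        new_id = f"u{len(self.users) + 1}"
        self.users[new_id] = {"schemas": [SCIM_USER], "id": new_id,
                              "userName": user_name, "active": True}
        self.requests.append(("POST", "/Users", user_name))
        return self.users[new_id]

    def patch_active(self, user_id, active):
        # PATCH /Users/{id} replacing "active" (RFC 7644 section 3.5.2); de-provisioning
        # deactivates rather than deletes, so the provider keeps the user's history.
        body = {"schemas": [SCIM_PATCH],
                "Operations": [{"op": "replace", "path": "active", "value": active}]}
        self.requests.append(("PATCH", f"/Users/{user_id}", json.dumps(body)))
        self.users[user_id]["active"] = active
        return self.users[user_id]


def reconcile(provider, authoritative_active, now):
    """Make the provider match the authoritative set of active userNames (e.g. from HR
    or the corporate directory). Returns the audit log of actions taken."""
    audit = []
    listing = provider.list_users()
    if listing["schemas"] != [SCIM_LIST]:
        raise ValueError("unexpected SCIM response")
    remote = {u["userName"]: u for u in listing["Resources"]}
    for name in sorted(authoritative_active - set(remote)):      # joiners
        u = provider.create_user(name)
        audit.append({"time": now, "action": "create", "userName": name, "id": u["id"]})
    for name, u in sorted(remote.items()):                        # leavers and rejoiners
        should_be_active = name in authoritative_active
        if u["active"] != should_be_active:
            provider.patch_active(u["id"], should_be_active)
            audit.append({"time": now, "id": u["id"], "userName": name,
                          "action": "activate" if should_be_active else "deactivate"})
    return audit


def verify_deprovisioned(provider, user_name):
    """The 'did we really turn Johnny off?' check: re-read state from the provider
    instead of trusting our own record of having sent the request."""
    for u in provider.list_users()["Resources"]:
        if u["userName"] == user_name:
            return u["active"] is False
    return True  # a user the provider does not know has no access


def demo():
    # Constructed sample data: johnny has left and priya has joined, but the
    # provider still shows johnny active, which is exactly the slide's complaint.
    provider = FakeScimProvider([
        {"schemas": [SCIM_USER], "id": "u1", "userName": "alice", "active": True},
        {"schemas": [SCIM_USER], "id": "u2", "userName": "johnny", "active": True},
    ])
    hr_active = {"alice", "priya"}
    now = datetime(2014, 6, 1, 9, 0, tzinfo=timezone.utc).isoformat()  # constructed
    johnny_off_before = verify_deprovisioned(provider, "johnny")
    audit = reconcile(provider, hr_active, now)
    return {"johnny_off_before": johnny_off_before,
            "johnny_off_after": verify_deprovisioned(provider, "johnny"),
            "actions": [(a["action"], a["userName"]) for a in audit],
            "requests": provider.requests}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The slide's frequency and latency question maps onto how often `reconcile` runs: a nightly batch leaves a leaver active for up to a day, whereas running it on every HR change closes that window, and `verify_deprovisioned` is the independent read-back that turns "we sent the request" into "the provider confirms the account is inactive".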
Slide 18: Can the integration be tested before go-live?
Slide 19: Questions for the IAM experts
Slide 20: What should we be asking the SaaS providers to do?
Play nicely together ... like the ARM Connected Community does
Slide 21: Can IDaaS vendors help with this?
Slide 22: What can we do to make federation easier?
Slide 23: Summary. What does good look like?
- SaaS vendor supports a good ID federation protocol that fits your constraints
- Solution can be tried out in a non-live situation
- Provisioning and de-provisioning is painless, with audit / assurance of events
- Mobile application security mechanisms are appropriate