© 2012 SecureAuth. All rights reserved.
SecureAuth is an IDP
14 November 2012
www.GoSecureAuth.com
WHY DOES AN ENTERPRISE NEED TO BECOME AN IDENTITY PROVIDER?
2005 enterprise users: 1x ID, device, password; few applications.
vs.
2012 enterprise users: nx IDs, devices, passwords; many applications; BYOD.
AN IDENTITY PROVIDER CAN APPLY THE SAME POLICIES, PROFILE & PROCEDURES TO CLOUD, MOBILE & WEB/NETWORK APPLICATIONS
WHAT WILL BE THE BENEFIT OF BECOMING AN IDENTITY PROVIDER?
WHAT IS AN IdP?
Definition:
• A system that creates, maintains, and manages identity information.
• Provides principal authentication to other service providers (applications) within a federation or distributed network.
• The IdP sends an attribute assertion containing trusted information about the user to the Service Provider (SP).
Source: MIT Knowledge Base
An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider, i.e. the applications:
1. User directed to IdP
2. IdP authenticates user
3. User redirected to SP with token
[Diagram: User, Enterprise Identity Provider (IdP) and Service Provider (SP), with steps 1-3 above drawn between them]
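The three-step flow above (together with the "Assert Identity" and "Log the event" steps listed in the additional slides), modelled as an added example; this is not SecureAuth's code. Real SAML assertions carry XML signatures; this stand-in signs a JSON body with an HMAC key assumed to be pre-shared between IdP and SP, and shows the checks an SP must make (signature, issuer, audience, validity window) before trusting the asserted attributes, logging every outcome.

```python
# Added example (not SecureAuth's code): a minimal model of the IdP -> SP
# assertion step from the three-step flow. Real SAML uses XML signatures;
# this stand-in signs a JSON body with an HMAC key shared by IdP and SP.
import base64, binascii, hashlib, hmac, json

SHARED_KEY = b"constructed-demo-key"  # assumption: pre-shared IdP/SP secret
def issue_assertion(issuer, audience, subject, attrs, now, lifetime=300):
    """IdP side (step 2->3): after authenticating the user, build and sign
    the attribute assertion the browser carries to the SP."""
    body = {"iss": issuer, "aud": audience, "sub": subject,
            "attrs": attrs, "iat": now, "exp": now + lifetime}
    raw = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, raw, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(raw).decode(),
                      base64.urlsafe_b64encode(sig).decode())

def validate_assertion(token, issuer, audience, now, log):
    """SP side (step 3): the checks an SP must make before trusting the
    assertion. Returns the attributes, or None; every outcome is logged."""
    try:
        raw_b64, sig_b64 = token.split(".")
        raw = base64.urlsafe_b64decode(raw_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        log.append("reject: malformed assertion"); return None
    good = hmac.new(SHARED_KEY, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):      # constant-time compare
        log.append("reject: bad signature"); return None
    body = json.loads(raw)
    if body["iss"] != issuer:                   # only our IdP may assert
        log.append("reject: issuer %s" % body["iss"]); return None
    if body["aud"] != audience:                 # not minted for this SP
        log.append("reject: audience %s" % body["aud"]); return None
    if not body["iat"] <= now < body["exp"]:    # outside validity window
        log.append("reject: outside validity window"); return None
    log.append("accept: %s" % body["sub"])
    return body["attrs"]

def demo():
    """Constructed walk-through: one valid assertion, one minted for a
    different SP (signature valid, must still be rejected), one expired."""
    log, now = [], 1352851200          # constructed timestamp
    idp, sp = "https://idp.example", "https://sp.example"
    attrs = {"email": "alice@example.com", "groups": ["staff"]}
    tok = issue_assertion(idp, sp, "alice", attrs, now)
    ok = validate_assertion(tok, idp, sp, now + 10, log)
    other = issue_assertion(idp, "https://other-sp.example", "alice", {}, now)
    wrong_sp = validate_assertion(other, idp, sp, now + 10, log)
    expired = validate_assertion(tok, idp, sp, now + 400, log)
    return ok, wrong_sp, expired, log
```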
Responsibility / Issue / Benefits
IT Security
  Issues: 2-Factor, Log-in, User log
  Benefits: Provides an audit of access; Reduces workflow burden on staff; Reduces cost of management
Network Security
  Issues: User access provisioning, VPN, Wireless Devices
  Benefits: Secures access to proliferating apps; Enables secure access to every application being managed, from mobile devices, desktops, geographically dispersed devices
Application Manager
  Issues: SSO on Cloud, SAML
  Benefits: Streamlines the acceptance and authentication of all identities for application access, whether IDs are social, biometric, mobile, or other industry-standard; Facilitates the assertion of identities to any application and device on the network; Facilitates Cloud migration by leveraging current investment in infrastructure
WHAT CAN YOU DO FOR ME?
SecureAuth IdP – Native Mobile Apps
2F/SSO for mobile provides:
• 2-Factor Auth
• Directory-based Auth
• SSO to other apps
• No thick client
Assert identity (2F/SSO) to: 1. Web, 2. Gateway / VPN, 3. SaaS / Cloud, 4. Mobile Apps
Secure IdP Value: Build vs. Buy
Item                                                         Home Grown   SecureAuth
Build WebServer (IdP) (Hardened Server, WebServer, Forms)    Manual       Automated
Identity Authentication (AD SSO)                             Manual       Automated
SAML Assertion                                               Manual       Automated
SAML Attributes                                              Manual       Automated
X.509 Storage/Signed with Cert                               Manual       Automated
SSO Portal (SaaS, Web)                                       Manual       Automated
Federate ID Mapping                                          Manual       Automated
2-Factor Integration                                         Manual       Automated
IdM tools (PWD reset, Help Desk, etc.)                       Manual       Automated
Log Authentication                                           Manual       Automated
Mobile SSO/2-Factor                                          Manual       Automated
WHO IS USING SECUREAUTH IdP?
Verticals: Financial, Healthcare, Government, Technology, Retail, Education, Entertainment
Deployment profiles shown on the slide:
• 2-factor; SaaS Portal; Password reset
• 2-factor Cisco ASA; SAML SP Portal; Password reset
• 2-factor; IdP Portal for .Net Apps; User mgmt.
• 2-factor X.509; IdP – SAML to Juniper; User mgmt., Help Desk, PW Reset
• 2-factor Cisco; IdP – Google, Salesforce, Oracle; User mgmt.
• 2-factor Juniper; IdP – SaaS/SAML portal; PW reset
• 2-factor; IdP – IBM LDAP – SAML; Google PW sync for Mobile
Western Union
Challenge:
• Needed secure 2-factor for a BYOD initiative that is easy to use.
• Tokens were not only lacking the security needed, but were far too expensive and difficult to manage for a global deployment.
Past Attempts:
• RSA SecurID
• No 2-factor
• Use of own PKI
SecureAuth Solution (10,000 Users):
• 2-Factor
  • External 2-Factor
  • SecureAuth X.509 on Android platforms and iOS
• IdP
  • SAML -> Juniper
Current Project:
• Testing company portal for Single Sign-on to SaaS applications (Accellion, salesforce, workday) using SecureAuth as the Identity Provider
State of New Hampshire
Challenge:
Business Portal for State
Web Applications (.NET and Lawson)
Past Attempts:
• Home grown attempts
• Directory synching (AD, mySQL (1M) users, LDAP(Lawson))
SecureAuth Solution: (250,000+ Users)
• 2-Factor:
• ASA (VPN)
• IdP for Employees and Business portal
• .NET apps
• Lawson
• IdM
• User Self-Management (User On-boarding)
Future:
• More web integrations (.NET and other)
https://sson.nh.gov/
Dish Networks
Challenge:
2-Factor Remote Access and Identity/Access Portal
Past Attempts:
• Tokens for remote access
• Looked at Ping and ADFS2
SecureAuth Solution: (6.5M Users)
• 2-Factor
• Cisco ASA
• SecureAuth IdP
• Business Portal for Drivers, Employees, Suppliers
• Web Headers -> SAML SP (SecureAuth) [SAML Attributes]
• IdM
• Password Aging/Reset to Siebel partner portal
Future:
• IdP for Google
• IdP for “Dish” Hopper
Blue Cross, Blue Shield - MI
Challenge:
• Deploy Apps securely to contractors overseas
• Remote Access
Past Attempts:
• RSA SecurID (coupled with VPN thick client – Cisco ASA)
SecureAuth Solution (40,000 Users):
• 2-Factor
• External 2-Factor (SecureAuth X.509 w/ SMS, Telephony registration)
• International
• IdP
• SaaS / SAML
• IdM
• 2-Factor Password Reset
• 2-Factor User Self Management of IDs
• Help Desk Management of User IDs (2-Factor Revocation)
Future:
• 100+ apps with 2-Factor SecureAuth through F5 APM
http://www.bcbsm.com
Thank you!
Additional Slides
http://www.GoSecureAuth.com
HOW DOES SECUREAUTH IdP WORK?
1. Consume Identity: from varied resources and devices (Desktop, Mobile, Web SSO, AD SSO)
2. Map Identity: from varied resources; map to the relevant data store
3. Authenticate: 2-Factor Authentication (SMS, Tele, X.509, PIN, Yubikey, KBA, E-mail, Help Desk)
4. Assert Identity: X.509, Web Identity (VPN, Web, SaaS, Mobile)
5. Log the event: Text, Syslog
SecureAuth IdP – 2-Factor Authentication
SecureAuth Authentication Supports:
• X.509 v3 Certificates
• SMS OTP
• Telephony OTP
• E-mail OTP
• Help Desk
• Yubikey USB Keys
• CAC/PIV Cards
• Kerberos / IWA
• Static PIN
• Custom
1. SecureAuth IdP – SSO (Web)
Assert identity (2F/SSO) to: 1. Web, 2. Gateway / VPN, 3. SaaS / Cloud, 4. Mobile Apps
[Diagram: Enterprise Web Applications; 2-Factor; labels K, P, KBA]
3. SecureAuth IdP – SSO (Cloud/SaaS)
Assert identity (2F/SSO) to: 1. Web, 2. Gateway / VPN, 3. SaaS / Cloud, 4. Mobile Apps
[Diagram: SaaS Apps; 2-Factor; labels K, P, KBA]
2. SecureAuth IdP – SSO (VPN/Gateway)
Assert identity (2F/SSO) to: 1. Web, 2. Gateway / VPN, 3. SaaS / Cloud, 4. Mobile Apps
[Diagram: Gateway / VPNs; 2-Factor; labels P, KBA]
SecureAuth IdP - The (4) Resources
4 Key IdP integrations:
1. Web
2. VPN/Gateways
3. SaaS/Cloud
4. Mobile