CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization
Uploaded by cloudidsummit (category: Technology)
Transcript of CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization
![Page 1: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/1.jpg)
Deploying an Identity Provider in a Complex, Federated and Siloed World
Cloud Identity Summit - July 2013
1
![Page 2: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/2.jpg)
Talking Points
• Challenges you will face:
  • How to accommodate new requirements
  • Problems you can encounter and why
  • Authentication
  • Authorization
• Approach to solving these challenges: a federated identity service
  • Identity Hub storage • Aggregation • Mapping • Correlation • Join • Caching
• Leveraging the federated identity service not just for cloud apps, but for legacy apps as well.
2
![Page 3: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/3.jpg)
The Challenges
3
![Page 4: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/4.jpg)
SAML
Authentication and Federation: The Cloud and Web Apps Imperative
OpenID Connect OAuth 2.0
4
![Page 5: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/5.jpg)
The Current Security Conundrum
Security Means: SAML, OAuth, OpenID
Identity Infrastructure
A complete federation
solution requires federating both
access and identities
5
![Page 6: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/6.jpg)
The Directory Original Model for Security
• Any security system based on identity is composed of two parts:
  • A registry of identity information
  • The security means (which is supported by the identity information)
Kerberos, SASL, SSL
6
![Page 7: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/7.jpg)
Current Infrastructure: Multiple Doors and Locks
Silos shown: AD, Sun, RACF, LDAP, HR, Role DB
7
![Page 8: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/8.jpg)
The Challenge of a Fragmented Distributed Identity System
Existing Identity Infrastructure
Legacy Applications
SaaS/Cloud/BYOD/ Partner Apps
8
![Page 9: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/9.jpg)
The Challenges
• For many initiatives, such as federation and portal security, you need:
  1. One global reference identity source for authenticating users.
  2. To support authorization, you want that one identity source to contain the richest profile possible for each identity.
• But you cannot afford to just create another green-field directory because:
  1. It would be a huge effort to populate it.
  2. The information already exists in other silos.
• You need one central access point, but you don’t want to start over from scratch.
9
![Page 10: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/10.jpg)
Identity Provider Challenges
10
![Page 11: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/11.jpg)
Authentication Challenges – The Details
Goal: Enable Authentication and SSO Across Multiple Sources
1. The first step is identification, or finding the user entry that needs to be authenticated. But:
  • Identities are spread across multiple data sources, such as multiple AD domains/forests.
  • Identities are described differently in each source, such as “uid” vs. “sAMAccountName” vs. “LOGIN.”
2. The second step is credential checking. Each source supports its own authentication mechanism:
  • Different encryption of passwords and schema elements (such as userPassword vs. unicodePwd, etc.).
  • Existing internal (employee) user IDs & passwords in Active Directory.
  • External user credentials may be stored elsewhere (SunOne, Oracle, etc.).
11
![Page 12: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/12.jpg)
Authorization Challenges – The Details
Goal: Attribute-Based or Groups-Based Authorization
1. Profile information exists in multiple data sources.
2. Data sources have their own schema elements (object classes and attributes):
  • group/member (AD)
  • groupOfUniqueNames/uniqueMember (Sun)
3. Inflexible group definition:
  • Static (hard-coded) group members
  • Rely on client application logic to build members via an extra search (based on the memberURL attribute)
12
![Page 13: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/13.jpg)
User Identification Challenges
• Same person, different identifiers
• Different people, same identifiers
13
![Page 14: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/14.jpg)
Identification Challenges of SSO
Active Directory: employeeNumber=E562098000Z samAccountName=Andrew_Fuller objectClass=user mail: [email protected] departmentNumber=234
LDAP Directory: uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234 employeeID=562_09_8000
Salesforce: Name=Andrew_Fuller ID: [email protected]
SharePoint: login=AFuller ID=562_09_8000
Salesforce knows Andrew by an ID of [email protected]
SharePoint knows Andrew by an ID of AFuller
14
![Page 15: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/15.jpg)
Attribute-Driven Authorization Challenges
Active Directory: employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: [email protected] departmentNumber=234 memberOf=cn=AllUsers,ou=Groups,dc=ad
LDAP Directory: uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234; group entry: cn=Regional Sales objectclass=groupOfUniqueNames uniqueMember=uid=afuller,ou=people,o=sun
HR Database: EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234
Is this the same person? If so, what groups is he a member of? If so, how can I get a global profile when there is no single common identifier?
15
![Page 16: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/16.jpg)
Solving Challenges
16
![Page 17: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/17.jpg)
A Federated Identity Service
Existing Identity Infrastructure
Legacy Applications
SaaS/Cloud/BYOD/ Partner Apps
17
![Page 18: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/18.jpg)
Identity Integration
Departments shown: Accounting, Marketing, Support, Business Development, Call Center, Fulfillment, Order Mgmt., Sales, HR
18
![Page 19: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/19.jpg)
Federated Identity Service The High Level Components
The “Identity Hub” supported by Identity and context virtualization
The “storage” is a directory (for speed and scalability)
The “services” are metadata extraction, view design, mapping, correlation, join, synchronization (persistent cache with auto-refresh)
19
![Page 20: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/20.jpg)
Identity and Context Virtualization Process
20
![Page 21: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/21.jpg)
Identity Integration (Aggregation and Correlation)
21
![Page 22: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/22.jpg)
Identity Correlation Example - Creating a UNION Set
• Union requires some kind of criteria, one or more attributes, to detect and correlate the same users across systems. This is the common, global identifier.
• A match based on this attribute(s) allows us to remove duplicates.
• The result is a “union compatible” operation, where all users are represented exactly once, and only once, in the virtualized global list.

System A

| emplogin | firstname | lastname |
|---|---|---|
| smatthews | Sarah | Matthews |
| lanalandry | Lana | Landry |

System B

| employeeID | givenName | sn | title |
|---|---|---|---|
| llandry | Lana | Landry | Writer |
| smatthews | Steve | Matthews | Janitor |

System C

| LOGIN | firstname | lastname | role | group | homephone |
|---|---|---|---|---|---|
| llandry | Lana | Landry | Tech Writer | Marketing | 4152096800 |
| smatthews | Sarah | Matthews | CEO | Admin | 4152096802 |

Global List (Union)

| firstname | lastname |
|---|---|
| Sarah | Matthews |
| Lana | Landry |
| Steve | Matthews |
22
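The union above, worked as an added Python example (not code from the deck or its vendor): each system's records are mapped onto a common schema, correlated on first and last name as the assumed global identifier, and any login that resolves to more than one person is reported, because a correlation keyed on the login alone would merge Sarah and Steve Matthews into a single account.

```python
# Added example (not code from the deck): the slide's three systems mapped onto a
# common schema and correlated on a global identifier rather than on the login.

# Constructed sample records, copied from the slide's System A, B and C tables.
SYSTEM_A = [  # columns: emplogin, firstname, lastname
    {"emplogin": "smatthews", "firstname": "Sarah", "lastname": "Matthews"},
    {"emplogin": "lanalandry", "firstname": "Lana", "lastname": "Landry"},
]
SYSTEM_B = [  # columns: employeeID, givenName, sn, title
    {"employeeID": "llandry", "givenName": "Lana", "sn": "Landry", "title": "Writer"},
    {"employeeID": "smatthews", "givenName": "Steve", "sn": "Matthews", "title": "Janitor"},
]
SYSTEM_C = [  # columns: LOGIN, firstname, lastname, role, group, homephone
    {"LOGIN": "llandry", "firstname": "Lana", "lastname": "Landry",
     "role": "Tech Writer", "group": "Marketing", "homephone": "4152096800"},
    {"LOGIN": "smatthews", "firstname": "Sarah", "lastname": "Matthews",
     "role": "CEO", "group": "Admin", "homephone": "4152096802"},
]
SOURCES = {"System A": SYSTEM_A, "System B": SYSTEM_B, "System C": SYSTEM_C}

# Mapping step (assumed mapping): each system's attribute names for the common schema.
MAPPINGS = {
    "System A": {"login": "emplogin", "firstname": "firstname", "lastname": "lastname"},
    "System B": {"login": "employeeID", "firstname": "givenName", "lastname": "sn"},
    "System C": {"login": "LOGIN", "firstname": "firstname", "lastname": "lastname"},
}


def normalize(source, record):
    """Project one backend record onto the common schema."""
    return {common: record[local] for common, local in MAPPINGS[source].items()}


def correlation_key(entry):
    """The global identifier used for the union: normalised first and last name."""
    return (entry["firstname"].strip().lower(), entry["lastname"].strip().lower())


def build_union():
    """Return (global_list, login_collisions).

    global_list holds every person exactly once, with the systems they were found in.
    login_collisions maps a login shared by different people to their correlation
    keys: the case a login-based correlation would silently merge into one account."""
    people = {}
    keys_by_login = {}
    for source, records in SOURCES.items():
        for record in records:
            entry = normalize(source, record)
            key = correlation_key(entry)
            person = people.setdefault(
                key, {"firstname": entry["firstname"], "lastname": entry["lastname"], "sources": []})
            person["sources"].append(source)
            keys_by_login.setdefault(entry["login"].lower(), set()).add(key)
    collisions = {login: sorted(keys) for login, keys in keys_by_login.items() if len(keys) > 1}
    return list(people.values()), collisions
```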
![Page 23: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/23.jpg)
Identity Views Delivered in Format and Content Expected by Applications
23
![Page 24: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/24.jpg)
Solving Authentication Challenges
How does a Federated Identity Service help solve authentication challenges?

| Step | Challenge | Can be solved by |
|---|---|---|
| Identification | Identities spread across multiple sources | Integrating users from multiple sources |
| Identification | Identities described differently in each source | Object and attribute mapping to provide a common schema |
| Credential checking | Different encryption of passwords and schema elements | Providing a single form of authentication to the application, with the flexibility to delegate credential checking to the backend or to customize some other validation mechanism |
24
![Page 25: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/25.jpg)
Solving Authorization Challenges
How does a Federated Identity Service help solve authorization challenges?

| Type | Challenge | Can be solved by |
|---|---|---|
| Attribute-based | Profile attributes spread across multiple sources | Integrating users from multiple sources in order to build a global profile |
| Groups-based | Existing groups and potential group members spread across multiple data silos | Offering flexible group definitions: aggregate/map existing groups; build new group definitions with dynamic members |
25
![Page 26: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/26.jpg)
Example: Identity Correlation and Profile Creation
Correlated Identity View: employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: [email protected] uid=AFuller title=VP Sales ClearanceLevel=1 Region=PA
Built from:
Active Directory: employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: [email protected] departmentNumber=234
LDAP Directory: uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234
HR Database: EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234
26
![Page 27: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/27.jpg)
Example: Dynamic Group Creation and Profile Extension
Dynamic Groups View: cn=Sales objectClass=group member=Andrew_Fuller
Based on identities that have: • ClearanceLevel=1 • title=VP Sales • Region=PA
Correlated Identity View, with a computed attribute (memberOf) based on a lookup in the dynamic groups view:
employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: [email protected] uid=AFuller title=VP Sales ClearanceLevel=1 Region=PA memberOf=cn=Sales
27
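The join, dynamic group and computed memberOf from this slide, worked as an added Python example (not code from the deck or its vendor); it also records a per-entry source list, which answers the later compliance slide's question of which data sources hold an account for a person. The per-source correlation rules and the second account (Bob_Jones) are assumptions made for the example.

```python
# Added example (not code from the deck): correlated identity view, dynamic group and
# computed memberOf for the slide's Andrew_Fuller entries, plus a "source" attribute
# listing every backend in which the identity has an account.

# Constructed backend entries: Andrew_Fuller's values are taken from the slide;
# Bob_Jones is an invented second account that must not land in cn=Sales and has
# no HR record, so his view lists only two sources.
AD = [
    {"samAccountName": "Andrew_Fuller", "objectClass": "user", "employeeNumber": "2", "departmentNumber": "234"},
    {"samAccountName": "Bob_Jones", "objectClass": "user", "employeeNumber": "3", "departmentNumber": "501"},
]
LDAP = [
    {"uid": "AFuller", "givenName": "Andrew", "sn": "Fuller", "title": "VP Sales", "departmentNumber": "234"},
    {"uid": "BJones", "givenName": "Bob", "sn": "Jones", "title": "Engineer", "departmentNumber": "501"},
]
HR = [
    {"UserID": "EMP_Andrew_Fuller", "EmployeeID": "509-34-5855", "ClearanceLevel": "1", "Region": "PA", "DeptID": "Sales234"},
]


# Correlation rules (assumed): there is no single common identifier, so each source
# derives the same normalised "first last" key from its own attributes.
def key_ad(entry):
    return entry["samAccountName"].replace("_", " ").lower()

def key_ldap(entry):
    return f'{entry["givenName"]} {entry["sn"]}'.lower()

def key_hr(entry):
    user_id = entry["UserID"]
    user_id = user_id[len("EMP_"):] if user_id.startswith("EMP_") else user_id
    return user_id.replace("_", " ").lower()

SOURCES = (("Active Directory", AD, key_ad), ("LDAP Directory", LDAP, key_ldap), ("HR Database", HR, key_hr))

# Dynamic group definitions: group name -> attribute criteria, as on the slide.
DYNAMIC_GROUPS = {"Sales": {"ClearanceLevel": "1", "title": "VP Sales", "Region": "PA"}}


def correlate():
    """Join every source's attributes for the same person into one view entry."""
    view = {}
    for source, entries, keyfn in SOURCES:
        for entry in entries:
            merged = view.setdefault(keyfn(entry), {"source": []})
            merged.update(entry)             # join: attributes from all sources in one entry
            merged["source"].append(source)  # where this identity has an active account
    return view


def matches(entry, criteria):
    return all(entry.get(attr) == value for attr, value in criteria.items())


def dynamic_groups(view):
    """Dynamic groups view: members computed from the correlated entries' attributes."""
    return {cn: sorted(e["samAccountName"] for e in view.values() if matches(e, crit))
            for cn, crit in DYNAMIC_GROUPS.items()}


def correlated_view():
    """Correlated view with memberOf computed by a lookup in the dynamic groups view."""
    view = correlate()
    groups = dynamic_groups(view)
    for entry in view.values():
        entry["memberOf"] = [f"cn={cn}" for cn, members in groups.items()
                             if entry.get("samAccountName") in members]
    return view, groups
```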
![Page 28: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/28.jpg)
Example: Dynamic Group Creation
28
![Page 29: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/29.jpg)
Addressing Performance Challenges
• No Cache: Sources → View Definitions → Run Time View
• Memory Cache: Sources → View Definitions → Memory Cache
• Persistent (disk-based) Cache: Sources → View Definitions → P. CACHE (Materialized View)
29
![Page 30: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/30.jpg)
Introduction to Common Use Cases
30
![Page 31: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/31.jpg)
Support for Authentication and as an Attribute Server
31
![Page 32: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/32.jpg)
Use Case: PAM Authentication Credentials Checking Delegated to Backend
UNIX/LINUX Clients
Authentication Request
Re-use existing users and credentials!
AD Domain 1 AD Domain 2 Sun
Credentials Checking forwarded to authoritative source
32
![Page 33: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/33.jpg)
Use Case: PAM Authentication Storing PAM Specific Attribute Extension in VDS
Base Profile (AD Domain 1): sAMAccountName=jsmith sn=Smith givenName=John title=operations manager
Extended Attributes: uidNumber = 100 gidNumber = 108 gecos = Andrew Fuller loginshell = /bin/zsh homedirectory = /home/afuller shadowLastChange = 10877 …
These extended attributes can be stored in any source: “local” or some other backend.
Join of all attributes, presented to the UNIX/LINUX clients as a single entry: sAMAccountName=jsmith sn=Smith givenName=John title=operations manager
33
![Page 34: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/34.jpg)
Use Case: Oracle Names Resolution
Oracle Clients
Oracle DB Servers
• VDS local LDAP stores Oracle context data
• Schema extended at VDS
• Each client configured to point to VDS to look up the DB
34
![Page 35: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/35.jpg)
Use Case: Global Address List for Email Clients
Correlated Identity View: employeeNumber=9 samAccountName=Alice_Lee objectClass=user mail: alee@mycompany.com cn=Alice Lee title=VP Sales ClearanceLevel=1 Region=PA departmentNumber=234 telephoneNumber=415-520-2203
Built from:
Active Directory: employeeNumber=9 samAccountName=Alice_Lee objectClass=user mail: [email protected] departmentNumber=234
LDAP Directory: uid=Alee title=VP Sales givenName=Alice sn=Lee telephoneNumber=415-520-2203
HR Database: EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Alice_Lee DeptID=Sales234
35
![Page 36: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/36.jpg)
Compliance
Correlated Identity View: employeeNumber=9 samAccountName=Alice_Lee objectClass=user mail: alee@mycompany.com cn=Alice Lee title=Guru Inside Sales Manager ClearanceLevel=1 Region=PA departmentNumber=234 telephoneNumber=415-520-2203 source=HR Database source=LDAP Directory source=Active Directory
Built from:
Active Directory: employeeNumber=9 samAccountName=Alice_Lee objectClass=user mail: [email protected] departmentNumber=234
LDAP Directory: uid=Alee title=Guru Inside Sales Manager givenName=Alice sn=Lee telephoneNumber=415-520-2203
HR Database: EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Alice_Lee DeptID=Sales234
Reports: Which data sources does Alice have active accounts in?
36
![Page 37: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/37.jpg)
Use Case: FID and Provisioning
Legacy Applications (and respective stores)
AD Sun LDAP
Cloud Apps
LDAP/ SQL/ SPML
FID as reference image
SPML SCIM
37
![Page 38: CIS13: How to Build a Federated Identity Service on Identity and Context Virtualization](https://reader033.fdocuments.us/reader033/viewer/2022052522/554bc699b4c90594278b5571/html5/thumbnails/38.jpg)
Summary
• In order to accommodate new requirements you will face challenges around authentication and authorization.
• Multiple existing, different identity silos mean:
  • Many methods for credential checking
  • Many locations housing different aspects (attributes/groups) of an identity
• These challenges can be solved with a Federated Identity Service based on virtualization.
• You can leverage the federated identity service not just for cloud apps, but for legacy apps and other initiatives as well.
• Coming Up: A Foundation for the Future. Michel Prompt shows you how the Federated Identity Service you put in place today is a key piece of infrastructure that prepares you for the future.
39