Federation Services and Identity Mapping Presentation

Cloud Security Alliance Phoenix Chapter
Meeting April 19, 2016
Topic: Cloud Identity Management
Lutz Mueller-Hipper, Identity Management Architect
Insight Presentation
Insight Proprietary & Confidential. Do Not Copy or Distribute. © 2015 Insight Direct USA, Inc. All Rights Reserved.
Agenda
• Agenda:
• (Single) Sign-On with Federation Services
• Identity Management in or with the Cloud
about:me
• Lutz Mueller-Hipper
• IDA Architect
• Identity Management, PKI, RMS
• Working at INSIGHT, Tempe, AZ
• www.insight.com
Federation Services
Federation Services
• What is Federation or Federated Identity?
• A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems. (Wikipedia / Paul Madsen)
• Main standards for FS
• SAML 2.0
• OAuth 2.0
• Azure B2B
Federation with SAML
• Example: Google
• Identity Provider (IdP) has the token signing key
• Service Provider (SP) has the public key of the signing key
• (5) The IdP adds claims/attributes to the response
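As an added illustration of the two-key arrangement on this slide (not from the deck or from Google's reference implementation), a simplified Go model of step (5): the IdP signs an assertion carrying the attributes with its private token-signing key, and the SP, holding only the public key, rejects anything whose signature or audience does not check out. Issuer and audience URLs are constructed; real SAML signs canonicalised XML with XML-DSig, which this model skips.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
)

// Assertion is a deliberately simplified stand-in for a SAML assertion: the
// subject plus the claims/attributes the IdP adds in step (5). Real SAML uses
// XML-DSig over canonicalised XML; here the raw marshalled bytes are signed.
type Assertion struct {
	XMLName    xml.Name    `xml:"Assertion"`
	Issuer     string      `xml:"Issuer"`
	Subject    string      `xml:"Subject"`
	Audience   string      `xml:"Audience"`
	Attributes []Attribute `xml:"Attribute"`
}
// Attribute is one claim, e.g. Name="mail" with Value="alice@example.test".
type Attribute struct {
	Name  string `xml:"Name,attr"`
	Value string `xml:"Value"`
}
// IdPSign runs at the IdP, the only party holding the private token-signing key.
func IdPSign(priv *rsa.PrivateKey, a Assertion) (body, sig []byte, err error) {
	if body, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(body)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return body, sig, err
}
// SPVerify runs at the SP, which holds only the public key: signature and audience are checked first.
func SPVerify(pub *rsa.PublicKey, body, sig []byte, audience string) (Assertion, error) {
	var a Assertion
	h := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return a, errors.New("signature invalid: not from the trusted IdP, or altered in transit")
	}
	if err := xml.Unmarshal(body, &a); err != nil {
		return a, err
	}
	if a.Audience != audience {
		return a, errors.New("assertion was issued for a different SP")
	}
	return a, nil
}
```

An attribute changed in transit (say a role of user rewritten to admin), a response replayed to a different SP, or a response signed with a key the SP does not trust all fail at SPVerify before any claim is read.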
OAuth
Single Sign-On
• Can mean: you log on once to the Federation Service and from there you get a token to access all applications connected to the FS
• Can also mean: you log on to your workstation and then access all apps seamlessly
• Where is the password? Only the IdP has it (temporarily)
• Add multi-factor auth in the FS server's SP configuration, not on individual apps
• Add multi-factor auth based on location
Pre-requisites for sign-on
• User application profile must be created:
• Manually (not an option)
• On-the-fly creation (really?)
• CSV upload (second best option)
• Directory Sync
• SCIM
• Select strong identifiers (e.g. GUID)
• Syncing with CSV files is always the second best option
• User profile and data deprovisioning
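An added example (not from the deck) of the Directory Sync, strong-identifier and deprovisioning points in this list, in Go: application profiles are matched to directory records on the immutable directory GUID (stored in the app as externalId, the SCIM 2.0 name for it) rather than on a mutable e-mail address, so a rename becomes an update while a disabled or vanished account is deprovisioned. Type and field names are constructed for illustration.

```go
package main

// Added example of the "Directory Sync" pre-requisite: the source directory is
// authoritative; app profiles are matched on the immutable GUID (SCIM externalId),
// never on mutable values such as e-mail, so a rename is an update, not a re-create.
type DirUser struct {
	GUID    string // immutable object identifier: the strong identifier
	Mail    string // mutable: changes on rename
	Enabled bool
}
type AppProfile struct {
	ExternalID string // the directory GUID stored in the app at creation
	Mail       string
	Active     bool
}
type Action struct {
	Op         string // "create", "update" or "deprovision"
	ExternalID string
	Mail       string
}

// Reconcile derives the provisioning actions that bring the app in line with the
// directory; actions come out in directory order, then app order for orphans.
func Reconcile(dir []DirUser, app []AppProfile) []Action {
	byGUID := make(map[string]AppProfile, len(app))
	for _, p := range app {
		byGUID[p.ExternalID] = p
	}
	seen := make(map[string]bool, len(dir))
	var acts []Action
	for _, u := range dir {
		seen[u.GUID] = true
		p, exists := byGUID[u.GUID]
		switch {
		case !exists && u.Enabled:
			acts = append(acts, Action{"create", u.GUID, u.Mail})
		case exists && !u.Enabled && p.Active:
			acts = append(acts, Action{"deprovision", u.GUID, p.Mail})
		case exists && u.Enabled && (p.Mail != u.Mail || !p.Active):
			acts = append(acts, Action{"update", u.GUID, u.Mail})
		}
	}
	// Profiles whose GUID has left the directory entirely are deprovisioned too.
	for _, p := range app {
		if !seen[p.ExternalID] && p.Active {
			acts = append(acts, Action{"deprovision", p.ExternalID, p.Mail})
		}
	}
	return acts
}
```

Fed constructed sample records (a renamed user, a disabled user, a new user, and an app profile whose GUID is gone from the directory), it yields one update, one create and two deprovisions; matching on e-mail instead would have turned the rename into a deprovision plus a fresh profile with no history.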
Cloud Identity Management
Cloud Identity Management
- What is IdM or IAM?
- Management of identities throughout their existence, including adding, updating, pausing and removing accounts
- Difference from on-premises IdM ranges
- from "nothing is changing"
- to "it gets simpler"
- to "it is more complex"
- Why is that?
Cloud IdM - Nothing is changing
• Nothing is changing
• If your organization is small enough, you might not even think that much about IdM at all
• Things you do on file shares etc. today you do very similarly in the cloud
• Good chance that your employees are already using Dropbox & Co.
Cloud IdM - simpler
• Replace on-prem IdM solutions with cloud services
• More secure (the cloud provider's information security team; multi-factor auth has become standard at low cost)
• Remote access simplified, e.g. Azure Web Application Proxy Service
• Identities are created in a cloud service and trigger account provisioning to other cloud and on-prem services
Cloud IdM – more complex
• Hybrid
• External users (vendors, customers)
• No LDAP interface, SCIM 2.0 support
• Subscription management
• Data retention management
• Secure processing of identities
• Data privacy laws
• Mitigate complexity:
• Spend more time designing and re-thinking processes
• Use cloud services to automate custom processes (ServiceNow, Azure PowerShell Services)
General
• Especially smaller services carrying a cloud label are in a traditional hosting scenario (failover locally?, inter-region?, scalability, time to service)
• SDK and APIs (at least having a roadmap for them)
• Check what offerings you can get for free
• Right now we are in a phase where cloud service providers are constantly adding new features; I predict a consolidation, as there is already overlapping functionality
For reading
• https://developers.google.com/googleapps/sso/saml_reference_implementation
• https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/
• https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Azure-Active-Directory-B2B-collaboration-demo
• https://azure.microsoft.com/en-us/services/active-directory-b2c/
• https://blogs.technet.microsoft.com/ad/2015/11/17/azure-ad-premium-now-supports-scim-2-0/
• https://channel9.msdn.com/Series/Architecting-Microsoft-Azure-Solutions/02 (OAuth demo at 21:54)
• https://www.pingidentity.com/en/resources/articles/oauth.html
• http://secattic.blogspot.com/2012/10/1-2-3-see-what-is-in-saml-response.html