IBM Security Solutions
Single Sign On - Kalmar, November 07 2011
Sven-Erik Vestergaard, Nordic Security Architect, IBM Security System Division, svest@dk.ibm.com

Security GRC - Solving the Urgent Questions
• Am I compliant?
• What controls are needed?
• Can I prove it?

Access and Identity in a Smarter Planet - Solving the Urgent Questions
• What's identity in the cloud?
• Can I restrict privileged users?
• Who has access?

Keeping the good data secure from bad actions - Solving the Urgent Questions
• Where's my sensitive data?
• How can I keep data secure?
• What are DBAs doing?

Securing applications by design, not after disruption - Solving the Urgent Questions
• How do I develop apps securely?
• How do I stop vulnerability exploitations?

A platform for converged endpoint - Solving the Urgent Questions
• How do I manage all these devices?
• How do I secure mobile devices?

Keep the bad guys out of the network - Solving the Urgent Questions
• Who's attacking my system?
• What's the latest threat intelligence?
• How do I manage all the data?

Modernize traditional surveillance systems - Solving the Urgent Questions
• Can I automate my video surveillance?

Single Sign On
Unified Single Sign-on: Biometrics, USB Tokens, RFID Badges, Smart Cards; Web, Enterprise, Federated.
Unified Single Sign-On enables visibility into user activity, control over access to business assets, and automation of the sign-on process.

Enterprise SSO Solution Overview
• Single sign-on
• Supports strong authentication
• Kiosk sharing
• Password self service
• Web-based administration
• Browser-based remote access
• User access tracking & audit
• No change to the infrastructure

Customer examples

Facts about City of Odense
• 17,000 employees
• 7,000 IT users
• Heterogeneous IT environment: Windows/AD, Notes, KMD, 3270, Citrix, web, Linux, etc.
• Identified systems: 600+
• Centralized user administration
• Centralized AD with organizational structure/groups + policy

City of Odense
• Important design considerations:
 – Do we start SSO before or after Windows login?
 – High availability and backup?
 – What systems need a profile?
 – Secret questions with resets?
 – Information and training of end users?
 – How do we handle special users, e.g. users in training?

City of Odense - Roll-out
• First step:
 – Pilot roll-out test on 200 Windows XP PCs
 – IT department and IT contact persons
• Second step:
 – Roll-out to end users
 – Roll-out to 100 PCs; after a week an evaluation took place
 – Roll-out in chunks of 300–500 PCs
• Now 6,500 PCs are running ESSO

City of Odense - End user support
• On-site support during roll-out
 – 2–3 super users + IT contact persons
• Pamphlet and a one-pager created
• FAQ published
• Remember that not all employees are at work on the roll-out day

Customer Details
• Client name: ATP (retirement fund administrator)
• Country: Denmark
• Industry
 – The customer is responsible for the operation and development of a number of retirement schemes for Danish citizens. The customer pays pensions to more than 675,000 pensioners and administers contributions for approx. 4.5 million members and clients.
 – Investment: the customer's investment section manages assets and is responsible for general investment management, risk surveillance, and portfolio management.
 – The customer manages a number of schemes under statutory regulation, including several for the Danish state.
 – In addition, labour market pensions and various IT-based administration tasks are managed by the customer.

Customer Details
• Primary TFIM use case: Federated Single Sign On (Service Provider role)
• Secondary TFIM use cases: Federated Single Sign On (Identity Provider role), identity-based web services
• Current state of deployment, details of timelines in production
• A number of Single Sign On federations deployed into production, integrating with numerous separate Identity Providers.

Business Requirement
• Danish citizens require access to the account status of the public pension scheme managed by the customer, as well as to a vacation payment portal. Access is provided using the public Danish Identity Provider, NemID ('easy log-in').
• Danish companies require access to the public pension scheme and other schemes managed by the customer in order to report payments and updates. Access must be provided using the Danish Identity Provider for businesses, Virk.dk.
• The customer is required to integrate with other parties, acting as both web service consumer and web service provider. Integration must be performed according to the public Danish SAML web service profile (OIO-WS).

Private users – federated SSO
[Diagram. Public domain: Browser, Identity Provider, SAML 2.0 authentication request, signed and encrypted SAML assertion. Enterprise domain (customer): Validate SAML assertion; Resolve UID (Map, CreateUser, Map, UpdateGroups, Map); Lookup Enterprise UID in DB2 – z/OS; Issue IV-Creds; Extended TAI++ (POC); WebSphere Portal Server.]

City of Rødovre
• 37,000 citizens
• Need web SSO for citizens (uid/pw)
• Need web SSO for employees from intranet and when working from home
• Need for federated SSO using national identity provider (step-up auth)

City of Gothenburg
• 934,000 citizens in metropolitan area
• 47,000 employees
• 8,000 students

City of Gothenburg - Business requirements
• Web SSO for employees from intranet and from home
• Web SSO for the public to access digital services

City of Gothenburg - Business requirements
• Federation to Google Apps cloud service for students
• Federation to e-posthuset for students
• Today around 5,000 students are using the service

IBM - Questions?
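The service-provider side of the federated SSO flow drawn in the ATP diagram (validate the SAML assertion, resolve the enterprise UID with CreateUser and UpdateGroups, issue the credential), as an added Python model that is not IBM's TFIM code: the sample assertion, the issuer and audience URLs and the in-memory UID and group tables are constructed assumptions, and signature verification and decryption are assumed to have been completed by the federation runtime beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature already verified and body decrypted by the
# federation runtime, which is assumed); only the SP-side mapping steps are modelled.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2011-11-07T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>CVR:12345678-RID:42</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-11-07T09:58:00Z" NotOnOrAfter="2011-11-07T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>reporter</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Assumed in-memory stand-ins for the DB2 enterprise-UID table and the group store.
UID_TABLE = {"CVR:12345678-RID:42": "emp0042"}
GROUPS = {"emp0042": {"portal-users"}}

def saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Validate step: issuer, validity window and audience must all match."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion not intended for this service provider")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

def resolve_and_issue(name_id, attrs):
    uid = UID_TABLE.get(name_id)            # Resolve UID / Lookup Enterprise UID
    if uid is None:                         # CreateUser: first time this NameID is seen
        uid = "emp%04d" % (len(UID_TABLE) + 1)
        UID_TABLE[name_id] = uid
        GROUPS[uid] = {"portal-users"}
    if attrs.get("role"):                   # UpdateGroups from the IdP's attributes
        GROUPS[uid].add("role-" + attrs["role"])
    return {"uid": uid, "groups": sorted(GROUPS[uid])}   # the IV-Creds-style identity

def federated_login(xml_text, now):
    name_id, attrs = validate_assertion(xml_text, "https://idp.example.test", "https://sp.example.test", now)
    return resolve_and_issue(name_id, attrs)
```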