SlideShare a Scribd company logo

CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World

CloudIDSummit
CloudIDSummit

The document discusses the challenges of deploying an identity provider in an environment with siloed and federated identity systems. It identifies challenges around authentication, which involves identifying users across multiple sources with different identifiers and credential formats. Authorization challenges include attributes and groups being distributed across different data sources. The document proposes addressing these challenges through a federated identity service that acts as a single identity source through identity aggregation, correlation, mapping attributes and groups across sources, and presenting virtualized identity views. This approach can enable single sign-on across applications while leveraging existing identity systems.

1 of 38
Downloaded 13 times
Deploying an Identity Provider in a Complex, Federated and Siloed World PING Conference - July 2013 1
• Challenges you will face: • How to accommodate new requirements • Problems you can encounter and why • Authentication • Authorization • Approach to solving these challenges: • A federated identity service • Identity Hub storage • Aggregation • Mapping • Correlation • Join • Caching • Leveraging the federated identity service for not just cloud apps, but also legacy apps as well. Talking Points 2
The Challenges 3
SAML Authentication and Federation: The Cloud and Web Apps Imperative OpenID Connect OAuth 2.0 4
The Current Security Conundrum Security Means: SAML, OAuth, OpenID Identity Infrastructure A complete federation solution requires federating both access and identities 5
The Directory Original Model for Security • Any security system based on identity is composed of two parts: • A registry of identity information • The security means (which is supported by the identity information) Kerberos, SASL, SSL 6
Current Infrastructure: Multiple Doors and Locks AD Sun RACF LDAPHR Role DB 7
The Challenge of a Fragmented Distributed Identity System Existing Identity Infrastructure Legacy Applications SaaS/Cloud/BYOD/ Partner Apps 8
The Challenges • For many initiatives, such as federation and portal security, you need: 1. One global reference identity source for authenticating users. 2. And to support authorization, you want that one identity source to contain the richest profile possible for each identity. • But you cannot afford to just create another green field directory because: 1. It would be a huge effort to populate it 2. The information already exists in other silos • You need one central access point, but don’t want to start over from scratch. 9
Identity Provider Challenges 10
Authentication Challenges – The Details Goal: Enable Authentication and SSO Across Multiple Sources 1. The first step is identification, or finding the user entry that needs to be authenticated. But • Identities are spread across multiple data sources, such as multiple AD domains/forests. • Identities are described differently in each source, such as “uid” vs. “sAMAccountName” vs. “LOGIN.” 2. The second step is credential checking. Each source supports its own authentication mechanism: • Different encryption of passwords and schema elements (such as userPassword vs. unicodePwd, etc). • Existing internal (employee) user IDs & passwords in Active Directory. • External user credentials may be stored elsewhere (SunOne, Oracle, etc). 11
Goal: Attribute-Based or Groups-Based Authorization 1. Profile information exists in multiple data sources 2. Data sources have their own schema elements (object classes and attributes) • group/member (AD) • groupOfUniqueNames/uniquemember (Sun) 3. Inflexible group definition • Static (hard-coded) group members • Rely on client application logic to build members via an extra search (based on memberURL attribute) Authorization Challenges – The Details 12
User Identification Challenges sameperson,differentidentifiers differentpeoplesameidentifiers 13
Identification Challenges of SSO LDAP Directory Active Directory employeeNumber=E562098000Z samAccountName=Andrew_Fuller objectClass=user mail: andrew_fuller@radiant.com departmentNumber=234 uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234 employeeID=562_09_8000 Name=Andrew_Fuller ID: andrew_fuller@setree1.com login=AFuller ID=562_09_8000 Salesforce knows Andrew by an ID of andrew_fuller@radiant.com SharePoint knows Andrew by an ID of AFuller 14
Attribute-Driven Authorization Challenges LDAP DirectoryActive Directory HR Database employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: andrew_fuller@setree1.com departmentNumber=234 memberOf=cn=AllUsers,ou=Groups,dc=ad uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234 cn=Regional Sales objectclass=groupOfUniqueNames unqiueMemeber=uid=afuller,ou=people,o=sun EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234 Is this the same person? If so, what groups is he a member of? If so, how can I get a global profile when there is no single common identifier? 15
Solving Challenges 16
A Federated Identity Service Existing Identity Infrastructure Legacy Applications SaaS/Cloud/BYOD/ Partner Apps 17
Identity Integration Accounting Marketing Support Business Development Call Center Fulfillment Order Mgmt. Sales HR 18
Federated Identity Service The High Level Components The “Identity Hub” supported by Identity and context virtualization The “storage” is a directory (for speed and scalability) The “services” are metadata extraction, view design, mapping, correlation, join, synchronization (persistent cache with auto-refresh) 19
Identity and Context Virtualization Process 20
Identity Integration (Aggregation and Correlation) 21
• Union requires some kind of criteria, one or more attributes, to detect and correlate same-users across systems. This is the common, global identifier. • A match based on this attributes(s) allows us to remove duplicates. • The result is a “union compatible” operation, where all users are represented exactly once, and only once, in the virtualized global list. emplogin firstname lastname smatthews Sarah Matthews lanalandry Lana Landry employeeID givenName sn title llandry Lana Landry Writer smatthews Steve Matthews Janitor LOGIN firstname lastname role group homephone llandry Lana Landry Tech Writer Marketing 4152096800 smatthews Sarah Matthews CEO Admin 4152096802 firstname lastname Sarah Matthews Lana Landry Steve Matthews System A System B System C Global List (Union) Identity Correlation Example - Creating a UNION Set 22
Identity Views Delivered in Format and Content Expected by Applications 23
Solving Authentication Challenges How does a Federated Identity Service help solve authentication challenges? Step Challenge Can be solved by Identification Identities spread across multiple sources Integrating users from multiple sources Identities described differently in each source Object and Attribute Mapping to provide a common schema Credential Checking Different encryption of passwords and schema elements Providing a single form of authentication to application, and the flexibility to delegate the credential checking to the backend or customize some other validation mechanism 24
Solving Authorization Challenges Type Challenge Can be solved by Attribute- Based Profile attributes spread across multiple sources Integrating users from multiple sources, in order to build a global profile Groups-Based Existing groups and potential group members spread across multiple data silos Offering Flexible Group Definitions: - Aggregate/map existing groups - Build new group definitions with dynamic members How does a Federated Identity Service help solve authorization challenges? 25
Example: Identity Correlation and Profile Creation LDAP Directory Active Directory HR Database employeeNumber=2 samAcountName=Andrew_Fuller objectClass=user mail: andrew_fuller@setree1.com uid=AFuller title=VP Sales ClearanceLevel=1 Region=PA CorrelatedIdentityView employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: andrew_fuller@setree1.com departmentNumber=234 uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234 EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234 26
Example: Dynamic Group Creation and Profile Extension cn=Sales objectClass=group member=Andrew_Fuller **Based on identities that have: • ClearanceLevel=1 • title=VP Sales • Region=PA CorrelatedIdentityViewDynamicGroupsView ComputedAttribute(memberOf) basedonalookupinthe dynamicgroupsview employeeNumber=2 samAcountName=Andrew_Fuller objectClass=user mail: andrew_fuller@setree1.com uid=AFuller title=VP Sales ClearanceLevel=1 Region=PA memberOf=cn=Sales 27
Example: Dynamic Group Creation 28
Persistent (disk-based) Cache Sources View Definitions P. CACHE Materialized View Sources View Definitions Run Time View No Cache Addressing Performance Challenges Sources View Definitions Memory Cache Memory Cache 29
Introduction to Common Use Cases 30
Support for Authentication and as an Attribute Server 31
Use Case: PAM Authentication Credentials Checking Delegated to Backend UNIX/LINUX Clients Authentication Request Re-use existing users and credentials! AD Domain 1 AD Domain 2 Sun Credentials Checking forwarded to authoritative source 32
Use Case: PAM Authentication Storing PAM Specific Attribute Extension in VDS sAMAccountName=jsmith sn=Smith givenName=John title=operations manager uidNumber = 100 gidNumber = 108 gecos = Andrew Fuller loginshell = /bin/zsh homedirectory = /home/afuller shadowLastChange = 10877 … sAMAccountName=jsmith sn=Smith givenName=John title=operations manager Base Profile Extended Attributes These extended attributes can be stored in any source: “local” or some other backend Join of all attributes and presented as a single entry UNIX/LINUX Clients AD Domain 1 33
Use Case: Oracle Names Resolution Oracle Clients Oracle DB Servers VDS local LDAP stores oracle context data Schema extended at VDS Each client configured to point to VDS to lookup DB 34
Use Case: Global Address List for Email Clients LDAP Directory Active Directory HR Database employeeNumber=9 samAcountName=Alice_Lee objectClass=user mail: alee@mycompanycom cn=Alice Lee title=VP Sales ClearanceLevel=1 Region=PA departmentNumber=234 telephoneNumber=415-520-2203 Correlated Identity View employeeNumber=9 samAccountName=Alice_Lee objectClass=user mail: alee@mycompany.com departmentNumber=234 uid=Alee title=VP Sales givenName=Alice sn=Lee telephoneNumber=415-520-2203 EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Alice_Lee DeptID=Sales234 35
Compliance LDAP Directory Active Directory HR Database employeeNumber=9 samAcountName=Alice_Lee objectClass=user mail: alee@mycompanycom cn=Alice Lee title=Guru Inside Sales Manager ClearanceLevel=1 Region=PA departmentNumber=234 telephoneNumber=415-520-2203 source=HR Database source=LDAP Directory source= Active Directory Correlated Identity View employeeNumber=9 samAccountName=Alice_Lee objectClass=user mail: alee@mycompany.com departmentNumber=234 uid=Alee title=Guru Inside Sales Manager givenName=Alice sn=Lee telephoneNumber=415-520-2203 EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Alice_Lee DeptID=Sales234 Reports Which Data Sources Does Alice Have Active Accounts In? 36
Use Case: FID and Provisioning Legacy Applications (and respective stores) AD Sun LDAP Cloud Apps LDAP/ SQL/ SPML FID as reference image SPML SCIM 37
• Summary • In order to accommodate new requirements you will face challenges around authentication and authorization. • Multiple existing different identity silos means • Many methods for credentials checking • Many locations housing different aspects (attributes/groups) of an identity • These challenges can be solved with a Federated Identity Service based on virtualization. • You can leverage the federated identity service for not just cloud apps, but also legacy apps and other initiatives as well. • Coming Up: A Foundation for the Future • Michel Prompt shows you how the Federated Identity Service you put in place today is a key piece of infrastructure that prepares you for the future. Summary 39
Ad

Recommended

CIS13: How to Build a Federated Identity Service on Identity and Context Virt...
CIS13: How to Build a Federated Identity Service on Identity and Context Virt...CIS13: How to Build a Federated Identity Service on Identity and Context Virt...
CIS13: How to Build a Federated Identity Service on Identity and Context Virt...
CloudIDSummit
 
Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...
AntonioMaio2
 
816isdfo
816isdfo816isdfo
816isdfo
Anil Pandey
 
SharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioSharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio Maio
AntonioMaio2
 
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
How Claims is Changing the Way We Authenticate and Authorize in SharePointHow Claims is Changing the Way We Authenticate and Authorize in SharePoint
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
AntonioMaio2
 
SharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationSharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based Authentication
Jonathan Schultz
 
Active Directory Proposal
Active Directory ProposalActive Directory Proposal
Active Directory Proposal
MJ Ferdous
 
Document management system using liferay 7
Document management system using liferay 7Document management system using liferay 7
Document management system using liferay 7
Dhanraj Dadhich
 
Open am and_radiantone
Open am and_radiantoneOpen am and_radiantone
Open am and_radiantone
Jose R
 
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing TagSPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
Knowledge Management Associates, LLC
 
SharePoint 2010 Managed Metadata Service
SharePoint 2010 Managed Metadata ServiceSharePoint 2010 Managed Metadata Service
SharePoint 2010 Managed Metadata Service
Craig Pilkenton
 
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
Jonathan Ralton
 
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Knowledge Management Associates, LLC
 
Easy Learning Presentation Moss 2007 Usman
Easy Learning Presentation Moss 2007 UsmanEasy Learning Presentation Moss 2007 Usman
Easy Learning Presentation Moss 2007 Usman
Usman Zafar Malik
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for Extranets
Avtex
 
End-to-End Identity Management
End-to-End Identity ManagementEnd-to-End Identity Management
End-to-End Identity Management
WSO2
 
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2
 
Identity Management
Identity ManagementIdentity Management
Identity Management
rver21
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
 
Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...
Chakkaradeep Chandran
 
Idm Workshop
Idm WorkshopIdm Workshop
Idm Workshop
Mohamed Atef
 
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
Jonathan Ralton
 
PROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENTPROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENT
hardik soni
 
LTS Secure Identity Management
LTS Secure Identity ManagementLTS Secure Identity Management
LTS Secure Identity Management
rver21
 
Campus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson UniversityCampus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson University
Campus Consortium
 
LTS Secure Identity Management
LTS Secure Identity ManagementLTS Secure Identity Management
LTS Secure Identity Management
rver21
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
guestd9aa5
 
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
Scott Hoag
 
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
Scott Hoag
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
Scott Hoag
 
Ad

More Related Content

What's hot (19)

Open am and_radiantone
Open am and_radiantoneOpen am and_radiantone
Open am and_radiantone
Jose R
 
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing TagSPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
Knowledge Management Associates, LLC
 
SharePoint 2010 Managed Metadata Service
SharePoint 2010 Managed Metadata ServiceSharePoint 2010 Managed Metadata Service
SharePoint 2010 Managed Metadata Service
Craig Pilkenton
 
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
Jonathan Ralton
 
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Knowledge Management Associates, LLC
 
Easy Learning Presentation Moss 2007 Usman
Easy Learning Presentation Moss 2007 UsmanEasy Learning Presentation Moss 2007 Usman
Easy Learning Presentation Moss 2007 Usman
Usman Zafar Malik
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for Extranets
Avtex
 
End-to-End Identity Management
End-to-End Identity ManagementEnd-to-End Identity Management
End-to-End Identity Management
WSO2
 
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2
 
Identity Management
Identity ManagementIdentity Management
Identity Management
rver21
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
 
Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...
Chakkaradeep Chandran
 
Idm Workshop
Idm WorkshopIdm Workshop
Idm Workshop
Mohamed Atef
 
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
Jonathan Ralton
 
PROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENTPROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENT
hardik soni
 
LTS Secure Identity Management
LTS Secure Identity ManagementLTS Secure Identity Management
LTS Secure Identity Management
rver21
 
Campus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson UniversityCampus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson University
Campus Consortium
 
LTS Secure Identity Management
LTS Secure Identity ManagementLTS Secure Identity Management
LTS Secure Identity Management
rver21
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
guestd9aa5
 
Open am and_radiantone
Open am and_radiantoneOpen am and_radiantone
Open am and_radiantone
Jose R
 
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing TagSPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
SPSTCDC - Managed Metadata and Taxonomies in SharePoint 2010 - Playing Tag
Knowledge Management Associates, LLC
 
SharePoint 2010 Managed Metadata Service
SharePoint 2010 Managed Metadata ServiceSharePoint 2010 Managed Metadata Service
SharePoint 2010 Managed Metadata Service
Craig Pilkenton
 
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
SPSCT15 - Must Love Term Sets: The New and Improved Managed Metadata Service ...
Jonathan Ralton
 
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Playing Tag: Managed Metadata and Taxonomies in SharePoint 2010
Knowledge Management Associates, LLC
 
Easy Learning Presentation Moss 2007 Usman
Easy Learning Presentation Moss 2007 UsmanEasy Learning Presentation Moss 2007 Usman
Easy Learning Presentation Moss 2007 Usman
Usman Zafar Malik
 
Leveraging SharePoint for Extranets
Leveraging SharePoint for ExtranetsLeveraging SharePoint for Extranets
Leveraging SharePoint for Extranets
Avtex
 
End-to-End Identity Management
End-to-End Identity ManagementEnd-to-End Identity Management
End-to-End Identity Management
WSO2
 
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transf...
WSO2
 
Identity Management
Identity ManagementIdentity Management
Identity Management
rver21
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
Chris Phillips
 
Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...
Chakkaradeep Chandran
 
Idm Workshop
Idm WorkshopIdm Workshop
Idm Workshop
Mohamed Atef
 
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
SPSBOS15 - Must Love Term Sets: The New and Improved Managed Metadata Service...
Jonathan Ralton
 
PROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENTPROACTEYE IDENTITY MANAGEMENT
PROACTEYE IDENTITY MANAGEMENT
hardik soni
 
LTS Secure Identity Management
LTS Secure Identity ManagementLTS Secure Identity Management
LTS Secure Identity Management
rver21
 
Campus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson UniversityCampus Consortium EdTalks Featuring Clemson University
Campus Consortium EdTalks Featuring Clemson University
Campus Consortium
 
LTS Secure Identity Management
LTS Secure Identity ManagementLTS Secure Identity Management
LTS Secure Identity Management
rver21
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
guestd9aa5
 

Similar to CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World (20)

SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
Scott Hoag
 
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
Scott Hoag
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
Scott Hoag
 
Up 2011-ken huang
Up 2011-ken huangUp 2011-ken huang
Up 2011-ken huang
Ken Huang
 
CIS14: Creating a Federated Identity Service for Better SSO
CIS14: Creating a Federated Identity Service for Better SSOCIS14: Creating a Federated Identity Service for Better SSO
CIS14: Creating a Federated Identity Service for Better SSO
CloudIDSummit
 
Chapter_11_LDAP_and_Kerberos-converted.pptx
Chapter_11_LDAP_and_Kerberos-converted.pptxChapter_11_LDAP_and_Kerberos-converted.pptx
Chapter_11_LDAP_and_Kerberos-converted.pptx
ahmedsayed947221
 
Directions Answer each question individual and respond with full .docx
Directions Answer each question individual and respond with full .docxDirections Answer each question individual and respond with full .docx
Directions Answer each question individual and respond with full .docx
mariona83
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
Scott Hoag
 
Material modulo02 asf6501(6425-b_01)
Material modulo02 asf6501(6425-b_01)Material modulo02 asf6501(6425-b_01)
Material modulo02 asf6501(6425-b_01)
JSantanderQ
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
Steve Martinelli
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ Kiran
Kiran Kumar
 
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB201904_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
Kumton Suttiraksiri
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
Sandeep Patil
 
Five Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern IdentityFive Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern Identity
Mark Diodati
 
IDM Introduction
IDM IntroductionIDM Introduction
IDM Introduction
Aidy Tificate
 
How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloud
LDAPCon
 
Acc Updated Resume
Acc Updated ResumeAcc Updated Resume
Acc Updated Resume
MadhavaReddy Pandhiri
 
3 Building Blocks For Managing Cloud Applications Webinar
3 Building Blocks For Managing Cloud Applications Webinar3 Building Blocks For Managing Cloud Applications Webinar
3 Building Blocks For Managing Cloud Applications Webinar
Todd Clayton
 
Premier Webcast - Identity Management with Windows Azure AD
Premier Webcast - Identity Management with Windows Azure ADPremier Webcast - Identity Management with Windows Azure AD
Premier Webcast - Identity Management with Windows Azure AD
uberbaum
 
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
SC-900 Capabilities of Microsoft Identity and Access Management SolutionsSC-900 Capabilities of Microsoft Identity and Access Management Solutions
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
FredBrandonAuthorMCP
 
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
Scott Hoag
 
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
SPSVB - Office 365 and Cloud Identity - What Does It Mean for Me?
Scott Hoag
 
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?SYDSP - Office 365 and Cloud Identity - What does it mean for me?
SYDSP - Office 365 and Cloud Identity - What does it mean for me?
Scott Hoag
 
Up 2011-ken huang
Up 2011-ken huangUp 2011-ken huang
Up 2011-ken huang
Ken Huang
 
CIS14: Creating a Federated Identity Service for Better SSO
CIS14: Creating a Federated Identity Service for Better SSOCIS14: Creating a Federated Identity Service for Better SSO
CIS14: Creating a Federated Identity Service for Better SSO
CloudIDSummit
 
Chapter_11_LDAP_and_Kerberos-converted.pptx
Chapter_11_LDAP_and_Kerberos-converted.pptxChapter_11_LDAP_and_Kerberos-converted.pptx
Chapter_11_LDAP_and_Kerberos-converted.pptx
ahmedsayed947221
 
Directions Answer each question individual and respond with full .docx
Directions Answer each question individual and respond with full .docxDirections Answer each question individual and respond with full .docx
Directions Answer each question individual and respond with full .docx
mariona83
 
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
JAXSPUG January 2016 - Microsoft Cloud Identities in Azure and Office 365
Scott Hoag
 
Material modulo02 asf6501(6425-b_01)
Material modulo02 asf6501(6425-b_01)Material modulo02 asf6501(6425-b_01)
Material modulo02 asf6501(6425-b_01)
JSantanderQ
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
Steve Martinelli
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ Kiran
Kiran Kumar
 
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB201904_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
Kumton Suttiraksiri
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
Sandeep Patil
 
Five Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern IdentityFive Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern Identity
Mark Diodati
 
IDM Introduction
IDM IntroductionIDM Introduction
IDM Introduction
Aidy Tificate
 
How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloud
LDAPCon
 
Acc Updated Resume
Acc Updated ResumeAcc Updated Resume
Acc Updated Resume
MadhavaReddy Pandhiri
 
3 Building Blocks For Managing Cloud Applications Webinar
3 Building Blocks For Managing Cloud Applications Webinar3 Building Blocks For Managing Cloud Applications Webinar
3 Building Blocks For Managing Cloud Applications Webinar
Todd Clayton
 
Premier Webcast - Identity Management with Windows Azure AD
Premier Webcast - Identity Management with Windows Azure ADPremier Webcast - Identity Management with Windows Azure AD
Premier Webcast - Identity Management with Windows Azure AD
uberbaum
 
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
SC-900 Capabilities of Microsoft Identity and Access Management SolutionsSC-900 Capabilities of Microsoft Identity and Access Management Solutions
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
FredBrandonAuthorMCP
 
Ad

More from CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
CloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 
CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
CloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 
Ad

Recently uploaded (20)

Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 

CIS13: Deploying an Identity Provider in a Complex, Federated and Siloed World

  • 1. Deploying an Identity Provider in a Complex, Federated and Siloed World PING Conference - July 2013 1
  • 2. • Challenges you will face: • How to accommodate new requirements • Problems you can encounter and why • Authentication • Authorization • Approach to solving these challenges: • A federated identity service • Identity Hub storage • Aggregation • Mapping • Correlation • Join • Caching • Leveraging the federated identity service for not just cloud apps, but also legacy apps as well. Talking Points 2
  • 4. SAML Authentication and Federation: The Cloud and Web Apps Imperative OpenID Connect OAuth 2.0 4
  • 5. The Current Security Conundrum Security Means: SAML, OAuth, OpenID Identity Infrastructure A complete federation solution requires federating both access and identities 5
  • 6. The Directory Original Model for Security • Any security system based on identity is composed of two parts: • A registry of identity information • The security means (which is supported by the identity information) Kerberos, SASL, SSL 6
  • 7. Current Infrastructure: Multiple Doors and Locks AD Sun RACF LDAPHR Role DB 7
  • 8. The Challenge of a Fragmented Distributed Identity System Existing Identity Infrastructure Legacy Applications SaaS/Cloud/BYOD/ Partner Apps 8
  • 9. The Challenges • For many initiatives, such as federation and portal security, you need: 1. One global reference identity source for authenticating users. 2. And to support authorization, you want that one identity source to contain the richest profile possible for each identity. • But you cannot afford to just create another green field directory because: 1. It would be a huge effort to populate it 2. The information already exists in other silos • You need one central access point, but don’t want to start over from scratch. 9
  • 11. Authentication Challenges – The Details Goal: Enable Authentication and SSO Across Multiple Sources 1. The first step is identification, or finding the user entry that needs to be authenticated. But • Identities are spread across multiple data sources, such as multiple AD domains/forests. • Identities are described differently in each source, such as “uid” vs. “sAMAccountName” vs. “LOGIN.” 2. The second step is credential checking. Each source supports its own authentication mechanism: • Different encryption of passwords and schema elements (such as userPassword vs. unicodePwd, etc). • Existing internal (employee) user IDs & passwords in Active Directory. • External user credentials may be stored elsewhere (SunOne, Oracle, etc). 11
  • 12. Goal: Attribute-Based or Groups-Based Authorization 1. Profile information exists in multiple data sources 2. Data sources have their own schema elements (object classes and attributes) • group/member (AD) • groupOfUniqueNames/uniquemember (Sun) 3. Inflexible group definition • Static (hard-coded) group members • Rely on client application logic to build members via an extra search (based on memberURL attribute) Authorization Challenges – The Details 12
  • 14. Identification Challenges of SSO LDAP Directory Active Directory employeeNumber=E562098000Z samAccountName=Andrew_Fuller objectClass=user mail: [email protected] departmentNumber=234 uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234 employeeID=562_09_8000 Name=Andrew_Fuller ID: [email protected] login=AFuller ID=562_09_8000 Salesforce knows Andrew by an ID of [email protected] SharePoint knows Andrew by an ID of AFuller 14
  • 15. Attribute-Driven Authorization Challenges LDAP DirectoryActive Directory HR Database employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: [email protected] departmentNumber=234 memberOf=cn=AllUsers,ou=Groups,dc=ad uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234 cn=Regional Sales objectclass=groupOfUniqueNames unqiueMemeber=uid=afuller,ou=people,o=sun EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234 Is this the same person? If so, what groups is he a member of? If so, how can I get a global profile when there is no single common identifier? 15
  • 17. A Federated Identity Service Existing Identity Infrastructure Legacy Applications SaaS/Cloud/BYOD/ Partner Apps 17
  • 19. Federated Identity Service The High Level Components The “Identity Hub” supported by Identity and context virtualization The “storage” is a directory (for speed and scalability) The “services” are metadata extraction, view design, mapping, correlation, join, synchronization (persistent cache with auto-refresh) 19
  • 20. Identity and Context Virtualization Process 20
  • 21. Identity Integration (Aggregation and Correlation) 21
  • 22. • Union requires some kind of criteria, one or more attributes, to detect and correlate same-users across systems. This is the common, global identifier. • A match based on this attributes(s) allows us to remove duplicates. • The result is a “union compatible” operation, where all users are represented exactly once, and only once, in the virtualized global list. emplogin firstname lastname smatthews Sarah Matthews lanalandry Lana Landry employeeID givenName sn title llandry Lana Landry Writer smatthews Steve Matthews Janitor LOGIN firstname lastname role group homephone llandry Lana Landry Tech Writer Marketing 4152096800 smatthews Sarah Matthews CEO Admin 4152096802 firstname lastname Sarah Matthews Lana Landry Steve Matthews System A System B System C Global List (Union) Identity Correlation Example - Creating a UNION Set 22
  • 23. Identity Views Delivered in Format and Content Expected by Applications 23
  • 24. Solving Authentication Challenges How does a Federated Identity Service help solve authentication challenges? Step Challenge Can be solved by Identification Identities spread across multiple sources Integrating users from multiple sources Identities described differently in each source Object and Attribute Mapping to provide a common schema Credential Checking Different encryption of passwords and schema elements Providing a single form of authentication to application, and the flexibility to delegate the credential checking to the backend or customize some other validation mechanism 24
  • 25. Solving Authorization Challenges Type Challenge Can be solved by Attribute- Based Profile attributes spread across multiple sources Integrating users from multiple sources, in order to build a global profile Groups-Based Existing groups and potential group members spread across multiple data silos Offering Flexible Group Definitions: - Aggregate/map existing groups - Build new group definitions with dynamic members How does a Federated Identity Service help solve authorization challenges? 25
  • 26. Example: Identity Correlation and Profile Creation LDAP Directory Active Directory HR Database employeeNumber=2 samAcountName=Andrew_Fuller objectClass=user mail: [email protected] uid=AFuller title=VP Sales ClearanceLevel=1 Region=PA CorrelatedIdentityView employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: [email protected] departmentNumber=234 uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234 EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234 26
  • 27. Example: Dynamic Group Creation and Profile Extension cn=Sales objectClass=group member=Andrew_Fuller **Based on identities that have: • ClearanceLevel=1 • title=VP Sales • Region=PA CorrelatedIdentityViewDynamicGroupsView ComputedAttribute(memberOf) basedonalookupinthe dynamicgroupsview employeeNumber=2 samAcountName=Andrew_Fuller objectClass=user mail: [email protected] uid=AFuller title=VP Sales ClearanceLevel=1 Region=PA memberOf=cn=Sales 27
  • 28. Example: Dynamic Group Creation 28
  • 29. Persistent (disk-based) Cache Sources View Definitions P. CACHE Materialized View Sources View Definitions Run Time View No Cache Addressing Performance Challenges Sources View Definitions Memory Cache Memory Cache 29
  • 30. Introduction to Common Use Cases 30
  • 31. Support for Authentication and as an Attribute Server 31
  • 32. Use Case: PAM Authentication Credentials Checking Delegated to Backend UNIX/LINUX Clients Authentication Request Re-use existing users and credentials! AD Domain 1 AD Domain 2 Sun Credentials Checking forwarded to authoritative source 32
  • 33. Use Case: PAM Authentication Storing PAM Specific Attribute Extension in VDS sAMAccountName=jsmith sn=Smith givenName=John title=operations manager uidNumber = 100 gidNumber = 108 gecos = Andrew Fuller loginshell = /bin/zsh homedirectory = /home/afuller shadowLastChange = 10877 … sAMAccountName=jsmith sn=Smith givenName=John title=operations manager Base Profile Extended Attributes These extended attributes can be stored in any source: “local” or some other backend Join of all attributes and presented as a single entry UNIX/LINUX Clients AD Domain 1 33
  • 34. Use Case: Oracle Names Resolution Oracle Clients Oracle DB Servers VDS local LDAP stores oracle context data Schema extended at VDS Each client configured to point to VDS to lookup DB 34
  • 35. Use Case: Global Address List for Email Clients LDAP Directory Active Directory HR Database employeeNumber=9 samAcountName=Alice_Lee objectClass=user mail: alee@mycompanycom cn=Alice Lee title=VP Sales ClearanceLevel=1 Region=PA departmentNumber=234 telephoneNumber=415-520-2203 Correlated Identity View employeeNumber=9 samAccountName=Alice_Lee objectClass=user mail: [email protected] departmentNumber=234 uid=Alee title=VP Sales givenName=Alice sn=Lee telephoneNumber=415-520-2203 EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Alice_Lee DeptID=Sales234 35
  • 36. Compliance LDAP Directory Active Directory HR Database employeeNumber=9 samAcountName=Alice_Lee objectClass=user mail: alee@mycompanycom cn=Alice Lee title=Guru Inside Sales Manager ClearanceLevel=1 Region=PA departmentNumber=234 telephoneNumber=415-520-2203 source=HR Database source=LDAP Directory source= Active Directory Correlated Identity View employeeNumber=9 samAccountName=Alice_Lee objectClass=user mail: [email protected] departmentNumber=234 uid=Alee title=Guru Inside Sales Manager givenName=Alice sn=Lee telephoneNumber=415-520-2203 EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Alice_Lee DeptID=Sales234 Reports Which Data Sources Does Alice Have Active Accounts In? 36
  • 37. Use Case: FID and Provisioning Legacy Applications (and respective stores) AD Sun LDAP Cloud Apps LDAP/ SQL/ SPML FID as reference image SPML SCIM 37
  • 38. • Summary • In order to accommodate new requirements you will face challenges around authentication and authorization. • Multiple existing different identity silos means • Many methods for credentials checking • Many locations housing different aspects (attributes/groups) of an identity • These challenges can be solved with a Federated Identity Service based on virtualization. • You can leverage the federated identity service for not just cloud apps, but also legacy apps and other initiatives as well. • Coming Up: A Foundation for the Future • Michel Prompt shows you how the Federated Identity Service you put in place today is a key piece of infrastructure that prepares you for the future. Summary 39