CIS14: Why Federated Access Needs a Federated Identity

Description: Matt Tatro, Denise Lores, Wade Ellery (Radiant Logic). How creating a federated identity service gives you a single unified view of ALL identities and their context to improve your federated access, WAM and application deployment.

Page 1: CIS14: Why Federated Access Needs a Federated Identity

Why Federated Access Needs a Federated Identity

Wade Ellery, Western Region Director of Sales

Denise Lores, Senior Architect

Page 2

The Four Pillars of Identity Services

Pillars: Access Management; Identity Management; Identity Data Services; Audit, Role & Compliance

Benefits listed on the slide:

•  Enhanced user experience, improved management of security risks, efficient development/deployment of applications, reusable integration

•  HIPAA, SOX compliance; common access logs; improved accountability; common reporting

•  Reduced administrative tasks, reduced help desk calls, improved process efficiency, central user information

•  Reduced administrative tasks, reduced help desk calls, improved security, accountability, cost savings

Services listed on the slide:

•  User Self-Service & Password Management

•  Virtual Directory

•  Web Access Management/SSO

•  Centralized Audit

•  Delegated Administration

•  Synchronization/Replication

•  Federated Identity Management/SSO

•  Logging and Monitoring

•  Automated Approvals and Workflows

•  Meta Directory

•  Authentication & Authorization

•  Access Certification

•  Enterprise Role Definition

•  Directory Storage

•  Standard APIs

•  Reporting

Page 3

RadiantOne: Your Foundation to a Complete Identity Service

[Diagram: identity sources feeding RadiantOne: HR databases, application databases, LDAP directories, cloud apps]

Page 4

Supporting Multiple Repositories is Costly: Traditional IDM Attempted to Mitigate

[Diagram: IDM layered over the existing identity infrastructure and legacy applications]

Page 5

New Applications and Customers Increase Complexity, Support, and Risk

[Diagram: IDM over the existing identity infrastructure and legacy applications, with SaaS/cloud/BYOD/partner apps added alongside a second copy of the existing identity infrastructure]

Page 6

RadiantOne: The Identity Hub

[Diagram: the Federated Identity Service (RadiantOne) as the hub between IDM, the existing identity infrastructure, legacy applications and SaaS/cloud/BYOD/partner apps]

Page 7

Federated Identity Service Able to Sunset Identity Stores

[Diagram: the Federated Identity Service in front of IDM, the existing identity infrastructure, legacy applications and SaaS/cloud/BYOD/partner apps, with identity stores that can now be retired]

Page 8

More Identities, Better Scope: the Secret to Boosting Your Ping Federation IdP Deployment

Page 9

Identity as a Service through Virtualization: The Key to Solving the Identity Integration Challenge

•  Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos.

•  Aggregation, correlation, transformation, and normalization of the user identity make it possible to serve that identity to applications in the format they expect.

[Diagram: aggregation, correlation, integration and virtualization layers over Population A, B and C (groups, roles), exposed through LDAP, SQL, Web Services/SOA, SCIM and REST to Apps A to F; contexts and services]

Page 10

RadiantOne Methodology: Leveraging Existing Contexts to Build User Profiles

Page 11

RadiantOne Methodology: Joining across Data Silos Links Identities to Context

Page 12

RadiantOne Integration Layer and Cache/Storage Layer

•  RadiantOne is made of two main parts:

  •  An integration layer based on virtualization

  •  A storage layer, the persistent cache:

    •  LDAP (up to v6.2)

    •  HDAP (based on big data technologies, v7.0)

[Diagram: Integration Layer; Integration Layer + Storage (Persistent Cache); HDAP Storage (Persistent Cache)]

Page 13

Join With Correlation Rules

No Single Attribute in Common = No Join

Source records:

•  US Click Database (table columns EmployeeID, Clearance, Region, UserID, DeptID): EmployeeID=509-34-5855, Clearance=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234

•  Corporate Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], departmentNumber=234

•  European Portal Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234

Correlated Identity View, produced by the Federated Identity Service through Correlation Rules: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], uid=Afuller, Name=Andrew Fuller, title=VP Sales, ClearanceLevel=1, Region=PA, Dept=234

Page 14

Unified Profile View and Portal Agnostic

•  Multiple sources of identity with different schemas, protocols, formats, and structures.

•  Applications expect a single normalized source.

[Diagram: Click SaaS, Portal, Active Directory and LDAP sources behind the Federated Identity Service]

Page 15

Auto-Generated Virtual Groups (members dynamically determined)

Active Directory US Domain:

•  userID=12952, cn=john_smith, department=Sales

•  userID=12954, cn=leah_scott, department=HR

•  userID=12943, cn=todd_jones, department=Marketing

Active Directory Europe Domain:

•  employeeID=16473, sAMAccountName=ssmith, department=Marketing, mail: [email protected]

•  employeeID=16453, sAMAccountName=lgreen, department=Sales, mail: [email protected]

HR Database (table columns EmployeeID, Clearance, Region, UserID, DeptID): EmployeeID=509-34-5855, Clearance=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234

Virtual Group Entries under ou=groups (cn=Sales, cn=HR, cn=Marketing), served by the Federated Identity Service:

•  cn=Sales, objectclass=group, member=john_smith, member=lgreen, member=jsamon

•  cn=HR, objectclass=group, member=leah_scott, member=sthalon

•  cn=Marketing, objectclass=group, member=todd_jones, member=ssmith

Virtual group names and members are automatically determined based on all possible values of department.
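The correlation join on page 13 and the auto-generated virtual groups on page 15 are both easy to see in code. The Python below is an added example, not Radiant Logic's or RadiantOne's code. All records are constructed to mirror the slides' sample values (the mail addresses, the numeric DeptID and the second HR row are invented), and the correlation rules, the department consistency check and the unmatched-record report are illustrative choices for how a practitioner would verify such a join, not a description of how RadiantOne implements it.

```python
"""Correlating identities across silos and deriving virtual groups.

Added example, not Radiant Logic code. All records are constructed,
modelled on the sample values shown on the slides.
"""
from collections import defaultdict

# Constructed source records. No single attribute is shared by all three
# sources, so a naive equi-join on one attribute cannot link them.
HR_DB = [
    {"EmployeeID": "509-34-5855", "Clearance": "1", "Region": "PA",
     "UserID": "EMP_Andrew_Fuller", "DeptID": "234"},
    {"EmployeeID": "509-34-5900", "Clearance": "2", "Region": "NY",
     "UserID": "EMP_Jane_Doe", "DeptID": "100"},   # invented; no AD/portal entry
]
CORP_AD = [
    {"employeeNumber": "2", "samAccountName": "Andrew_Fuller", "objectClass": "user",
     "mail": "afuller@example.com", "departmentNumber": "234"},
]
PORTAL_LDAP = [
    {"uid": "AFuller", "title": "VP Sales", "givenName": "Andrew", "sn": "Fuller",
     "departmentNumber": "234"},
]

def _strip_prefix(value, prefix):
    return value[len(prefix):] if value.startswith(prefix) else value

# Correlation rules (illustrative): each derives a normalised join key from one
# source's own attributes, so records link without a common attribute.
def key_hr(rec):        # "EMP_Andrew_Fuller" -> "andrewfuller"
    return _strip_prefix(rec["UserID"], "EMP_").replace("_", "").lower()

def key_ad(rec):        # "Andrew_Fuller" -> "andrewfuller"
    return rec["samAccountName"].replace("_", "").lower()

def key_portal(rec):    # uid "AFuller" lacks the full first name; use givenName + sn
    return (rec["givenName"] + rec["sn"]).lower()

SOURCES = [("hr", HR_DB, key_hr), ("ad", CORP_AD, key_ad), ("portal", PORTAL_LDAP, key_portal)]

def correlate(sources):
    """Merge records from every source under their computed key.
    Attributes are prefixed with the source name so same-named attributes
    from different silos never silently overwrite each other."""
    view = defaultdict(dict)
    for name, records, key_fn in sources:
        for rec in records:
            view[key_fn(rec)].update({f"{name}.{attr}": val for attr, val in rec.items()})
    return dict(view)

def unmatched(view, sources):
    """Keys that did not correlate across all sources: a rule or data problem."""
    names = [name for name, _, _ in sources]
    return sorted(k for k, attrs in view.items()
                  if not all(any(a.startswith(n + ".") for a in attrs) for n in names))

def unified_profile(joined):
    """Normalise a fully correlated record into the single schema the slide shows."""
    depts = {joined["hr.DeptID"], joined["ad.departmentNumber"], joined["portal.departmentNumber"]}
    return {
        "uid": joined["portal.uid"],
        "mail": joined["ad.mail"],
        "Name": f"{joined['portal.givenName']} {joined['portal.sn']}",
        "title": joined["portal.title"],
        "ClearanceLevel": joined["hr.Clearance"],
        "Region": joined["hr.Region"],
        "Dept": joined["hr.DeptID"],
        # Department values that disagree across silos mean two people were joined
        "consistent": len(depts) == 1,
    }

# Virtual groups: one group per distinct department value across both AD domains.
AD_US = [
    {"userID": "12952", "cn": "john_smith", "department": "Sales"},
    {"userID": "12954", "cn": "leah_scott", "department": "HR"},
    {"userID": "12943", "cn": "todd_jones", "department": "Marketing"},
]
AD_EU = [
    {"employeeID": "16473", "sAMAccountName": "ssmith", "department": "Marketing",
     "mail": "ssmith@example.com"},
    {"employeeID": "16453", "sAMAccountName": "lgreen", "department": "Sales",
     "mail": "lgreen@example.com"},
]

def virtual_groups(domains):
    """Group names come from every value of 'department'; members are each
    domain's naming attribute (cn in one domain, sAMAccountName in the other)."""
    groups = defaultdict(list)
    for entries, member_attr in domains:
        for entry in entries:
            groups[entry["department"]].append(entry[member_attr])
    return {dept: sorted(members) for dept, members in sorted(groups.items())}

def to_ldif(groups, base="ou=groups"):
    """Render the virtual groups as LDIF-style entries."""
    lines = []
    for cn, members in groups.items():
        lines += [f"dn: cn={cn},{base}", "objectClass: group"]
        lines += [f"member: {m}" for m in members]
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    view = correlate(SOURCES)
    print(unified_profile(view["andrewfuller"]))
    print("unmatched:", unmatched(view, SOURCES))
    print(to_ldif(virtual_groups([(AD_US, "cn"), (AD_EU, "sAMAccountName")])))
```

The two checks are the part a deployment needs to watch. A record whose computed key matches nothing in the other silos (the invented Jane Doe row) ends up as a partial profile and shows up in the unmatched report, and a rule that is too loose can merge two different people, which is what the department consistency flag in the unified profile catches.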

Page 16

RadiantOne as Single Identity Source

[Diagram: source profiles on one side, RadiantOne's unified profiles in the middle, Access Management, the Portal and the consuming applications on the other side]

Source profiles:

•  Oracle DB: User = LCallahan, Co = Sutton Ryan, MemberOf = Sales

•  ODSEE

•  AD profile: sAMAccountName = JSmythe, MemberOf = Sales

•  John's AD profile: User = JSmythe, MemberOf = IT, Finc

•  IDM profile: User = JSmythe, GUID = 23185798306=4; User = LCallahan, GUID = 39583201202=3

•  SAP ERP profiles: John_Smythe = High, Laura_Callahan = Low

•  SaaS profiles: Name = Laura_Callahan, Co = Sutton Ryan, Security = Low, MemberOf = Sales; Name = John_Seed, MemberOf = IT, Finc, Security = High

Unified profiles served by RadiantOne:

•  Name = Laura_Callahan, Co = Sutton Ryan, MemberOf = Sales, Security = Low

•  sAMAccountName = JSmythe, Name = John_Smythe, MemberOf = IT, Finc, Security = High

•  sAMAccountName = JSeed, Name = Jill_Seed, MemberOf = Sales

Consumers (via Access Management and the Portal):

•  Enterprise App A (MemberOf = Sales)

•  Enterprise App B (MemberOf = Finc)

•  Claims Enabled App C (Security = High)

•  Claims SaaS App D (Security = Low)

Page 17

RadiantOne as Single Identity Source for IDaaS and Portal

[Diagram: NorAm AD and EMEA AD synchronized with the VDS, source profiles on one side, RadiantOne's unified profiles in the middle, the Portal, IDaaS and the consuming applications on the other side]

Source profiles:

•  Customer App profiles: User = LCallahan, Co = Sutton Ryan, MemberOf = Sales

•  John's AD profile: sAMAccountName = JSeed, MemberOf = IT, Finc

•  Jill's AD profile: sAMAccountName = JSmythe, MemberOf = Sales

•  SAP ERP profiles: John_Seed = High, Laura_Callahan = Low

•  IDaaS profiles: Name = Laura_Callahan, Co = Sutton Ryan, Security = Low, MemberOf = Sales; Name = John_Seed, MemberOf = IT, Finc, Security = High

Unified profiles served by RadiantOne:

•  Name = Laura_Callahan, Co = Sutton Ryan, MemberOf = Sales, Security = Low

•  sAMAccountName = JSeed, Name = John_Seed, MemberOf = IT, Finc, Security = High

•  sAMAccountName = Jsmythe, Name = Jill_Smythe, MemberOf = Sales

Consumers (via the Portal and IDaaS):

•  Enterprise App A (MemberOf = Sales)

•  Enterprise App B (MemberOf = Finc)

•  Claims Enabled App C (Security = High)

•  Claims SaaS App D (Security = Low)

Page 18

Confidential and proprietary materials for authorized Radiant Logic personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Why RadiantOne

•  Portals, Content Management, Collaboration

•  Federated Access - SaaS/Cloud Apps/Claims

•  Web SSO – Access Management

•  Partner/Vendor/Customer IAM

•  Fine Grained Authorization (ABAC, XACML)

•  Mergers, Acquisitions, Divestitures, Reorgs

•  Directory Re-architecture, Replacement, Decommission

•  Active Directory Consolidation and Partitioning