Challenges in Authentication and Identity Management


Slide 1: ISEC INFOSECURITY TOUR 2017, 05.09.2017, Buenos Aires, Argentina
Challenges in Authentication and Identity Management
"Caminante no hay camino, se hace camino al andar" (Traveller, there is no road; the road is made by walking)
2016 SecurIT

Slide 2: Who is MerStar?
- Founded 2013 in Switzerland
- IT Security projects for banks, insurance companies, governments
- Architecture-driven approach from requirements phase to actual production launch
- SecurIT Business Partner

Slide 3: Who is SecurIT?
- Founded in 1999 in Belgium
- Offices in BE, NL and USA
- Security vendor, focus in Identity and Access Management
- Various IDM products
- Technology Partners: Vasco, PhoneFactor, Gemalto, RSA SecurID, Kobil, Id-me, SentryCom, IBM, CyberArk
- Customer references

Slide 4: Authentication: Traditional Deployment Scenario (diagram)
- Zones: Internet / DMZ / Intranet
- Components: Browser, Proxy, Application Server, AD, Authentication Server, LDAP Server
- Authentication means: Username/Password, One-Time-Password, Smartcard (e.g. eID)

Slide 5: Cloud Computing, Desktop SSO, Social media
- Identities (IdP) are no longer strictly local: Private IdP
- Applications (SP) are no longer strictly local: Cisco WebEx, Private SP

Slide 6: Cloud services: Traditional Authentication requires integration with Federation (diagram)
- Internet of SPs and IdPs
- Zones and components as in slide 4: Internet / DMZ / Intranet; Browser, Proxy, Application Server, AD, Authentication Server, LDAP Server; Username/Password, One-Time-Password, Smartcard (e.g. eID)
- Plus an external cloud SP (Cisco WebEx) reached from the browser

Slide 7: Integration challenges
- How do I become an SP? Which protocol? SAML2, WS-Federation, OAuth2, OpenID Connect, XAML
- How do I manage the technology?
- How do I manage my identities? Provisioning and life cycle? Legal on-boarding?

Slide 8: Recommendation (1)
- Think Authentication Broker!
- Extend the protocol stack but keep traditional functions

Slide 9: Recommendation (2): Authentication Broker becomes Federation Broker
- Architecture principle: brokers the relationship between SP(s) and IdP(s)
- Issues the Federation Token
- Supports features such as IdP discovery, Single Logout and provisioning protocols

Slide 10: Recommendation (2), continued
- Avoid multiple access points such as https://idpforsp1.mycompany.com, https://idpforsp2.mycompany.com, https://idpforsp3.mycompany.com
- Prefer a single access point such as https://idp.mycompany.com

Slide 11: Recommendation (3): Protect the application
- 90% of the IT investments are in applications
- Log on to the application using a token that is standardized in format and content, i.e. SAML2
- Have an in-house Token Specification: standardize the Identity Token (same for all apps); define a shopping list of access control attributes (Federation Token)
- Have a common Identity Framework: transform the token to an API; single API for user-id and security context, i.e. Java/.NET based
- Propagate the token through all layers: end-to-end security, propagate the issuing token through all layers up to the enterprise tier
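
As an added illustration of the in-house token specification and token propagation points above (example code, not the presenters' or any product's): a broker maps the attributes asserted by two constructed IdPs onto one standard identity token with a fixed attribute list, signs it with an assumed shared HMAC key, and each downstream tier verifies signature and expiry before deciding on the token's access-control attributes. The attribute maps, assurance levels and key are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed in-house token specification (assumption, not any product's schema):
# the attribute "shopping list" every application receives, whatever IdP the user came from.
REQUIRED_ATTRS = ("sub", "email", "roles", "authn_level")

# Constructed per-IdP mapping from native attribute names to the standard names.
IDP_ATTRIBUTE_MAPS = {
    "corporate-ad": {"sAMAccountName": "sub", "mail": "email", "memberOf": "roles"},
    "google": {"sub": "sub", "email": "email"},
}
# Constructed assurance level the broker assigns to each IdP's authentication.
IDP_AUTHN_LEVEL = {"corporate-ad": 3, "google": 1}
BROKER_KEY = b"constructed-demo-key"  # assumption: HMAC key shared by broker and app tiers

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_identity_token(idp: str, assertion: dict, ttl: int = 300, now=None) -> str:
    """Broker step: transform an IdP's assertion attributes into the standard identity token."""
    claims = {std: assertion[native] for native, std in IDP_ATTRIBUTE_MAPS[idp].items()
              if native in assertion}
    claims.setdefault("roles", [])  # social IdPs carry no group/role information
    claims["authn_level"] = IDP_AUTHN_LEVEL[idp]
    missing = [a for a in REQUIRED_ATTRS if a not in claims]
    if missing:
        raise ValueError(f"IdP {idp} did not supply required attributes: {missing}")
    now = int(time.time() if now is None else now)
    payload = {"iss": "https://idp.mycompany.com", "idp": idp, "iat": now, "exp": now + ttl, **claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return b64(body) + "." + b64(hmac.new(BROKER_KEY, body, hashlib.sha256).digest())

def verify_identity_token(token: str, now=None) -> dict:
    """Every tier calls this before trusting the propagated token: signature, then expiry."""
    body_b64, sig_b64 = token.split(".")
    body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
    expected = b64(hmac.new(BROKER_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig_b64):
        raise ValueError("identity token signature is invalid")
    payload = json.loads(body)
    if (time.time() if now is None else now) >= payload["exp"]:
        raise ValueError("identity token has expired")
    return payload

def authorize(token: str, required_role: str, min_level: int, now=None) -> bool:
    """Application tier: decide using only the token's access-control attributes."""
    p = verify_identity_token(token, now)
    return required_role in p["roles"] and p["authn_level"] >= min_level
```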

Slide 12: Thank you very much (Muchas gracias)
- Visit us in the Exhibition Area, Stand 12
- SecurIT: Gent, Amsterdam, New York. info@securit.biz, www.securit.biz / www.trustbuilder.eu, http://bit.ly/1r3dkzm
- Karsten Oliver Starr, karsten-oliver.starr@merstar.ch
- Marc Vanmaele, marc.vanmaele@securit.biz, mvanmaele

Slide 13: Identity Federation? Quick refresh... (diagram: Service Provider (SP), Requestor, Identity Provider (IDP))

Slide 14: Backup Slides - Other Recommendations
- Have an end-to-end architecture
- Buy, don't build
- Protect the legacy* systems (i.e. authorization systems): do NOT throw well-established systems away because they are old; protect the well-established resources such as workflows and business processes; rather renovate existing systems wherever possible and keep them
- Have a good product set for Reverse Proxy and Authentication Server, but protect well-established systems and renovate wherever possible
- Design the application with security in mind (OWASP Top 10): security in the design process at all stages

Slide 15: Cloud Computing and Social media challenges (same diagram as slide 5)
- Identities (IdP) are no longer strictly local: Private IdP
- Applications (SP) are no longer strictly local: Cisco WebEx, Private SP

Slide 16: Backup Slides - Business Requirements
- Regulatory and law enforcement: banking laws
- IT diversity: legacy, mergers and acquisitions, emerging standards
- Time to market
- Keep IT costs low

Slide 17: Backup Slides - Authentication Service requirements
- Support multiple authentication mechanisms: PKI, OTP, uid/pw, OAuth, SAML, WS-Federation, transaction signing
- For multiple client devices: mobile, browser
- Across multiple SSO protocols: SAML2P, WS-Federation, OAuth2
- Across multiple transports: HTTP, HTTP-REST, RPC
- Supporting multiple identities: Google, Facebook, Swift, ...
- Supporting business security requirements: cross-border policies, authentication and data rules, non-repudiation, step-up and step-down, inactivity and max-security timeouts, replay detection, ...

Slide 18: Backup Slides - Identity Hub: The Implementation
- Where Are You From: not a standard; various proprietary implementations; often limited to an SP cookie
- Supported by Common Domain Cookie: Profiles for SAML 2.0 specification; not very practical; scalability and security issues
- Supported by IdP Discovery Service: OASIS IdP Discovery Service specification; OpenID Connect Discovery; SP needs to be IDS enabled
- Supported by IdP Selection Service: acts as a proxy; terminates the Authentication Request; executes the IdP selection policy; can leverage TrustFactor IdP Discovery & Attribute Provider; initiates a new Authentication Request
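
The IdP Selection Service flow in the last bullet (terminate the SP's Authentication Request, execute a selection policy, initiate a new request from the hub's single access point), as an added example that is not the presenters' or any product's code. The onboarded SP list, domain-to-IdP routing, IdP SSO URLs and the sample inbound request are constructed assumptions; the hub's own signing of the outbound request is left out.

```python
import uuid, xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
HUB_ENTITY_ID = "https://idp.mycompany.com"  # the single access point the deck recommends
# Constructed selection policy (assumptions): IdPs each SP may use, most preferred first,
# e-mail domains routed to an IdP, and where each IdP receives AuthnRequests.
SP_ALLOWED_IDPS = {"https://sp1.example.com": ["corporate-ad", "eid"],
                   "https://sp2.example.com": ["corporate-ad", "google"]}
DOMAIN_TO_IDP = {"mycompany.com": "corporate-ad", "gmail.com": "google"}
IDP_SSO_URL = {"corporate-ad": "https://ad.example.internal/sso",
               "eid": "https://eid.example.org/sso", "google": "https://google.example/sso"}
# Constructed inbound request from an onboarded SP (what the hub terminates).
SAMPLE_SP_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_sp2req1" Version="2.0" '
    'AssertionConsumerServiceURL="https://sp2.example.com/acs">'
    '<saml:Issuer>https://sp2.example.com</saml:Issuer></samlp:AuthnRequest>' % (SAMLP, SAML))

def parse_authn_request(xml_text: str) -> dict:
    """Terminate the SP's AuthnRequest and extract what the selection policy needs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return {"id": root.get("ID"), "sp": issuer.text.strip(), "acs": root.get("AssertionConsumerServiceURL")}

def select_idp(sp: str, login_hint: str = "") -> str:
    """Selection policy: route by e-mail domain when that IdP is allowed for the SP, else SP default."""
    allowed = SP_ALLOWED_IDPS.get(sp)
    if not allowed:
        raise ValueError(f"SP {sp} is not onboarded")
    if "@" in login_hint:
        by_domain = DOMAIN_TO_IDP.get(login_hint.rsplit("@", 1)[1].lower())
        if by_domain in allowed:
            return by_domain
    return allowed[0]

def build_hub_authn_request(idp: str) -> str:
    """Initiate a fresh AuthnRequest towards the chosen IdP, with the hub as Issuer."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": "_" + uuid.uuid4().hex,
                                                   "Version": "2.0", "Destination": IDP_SSO_URL[idp]})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = HUB_ENTITY_ID
    return ET.tostring(req, encoding="unicode")

def broker(sp_request_xml: str, login_hint: str = "") -> tuple:
    """Proxy flow: terminate, select, re-initiate. Returns (chosen IdP, outbound request XML)."""
    idp = select_idp(parse_authn_request(sp_request_xml)["sp"], login_hint)
    return idp, build_hub_authn_request(idp)
```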

Slide 19: Backup Slides - Identity Hub: High-Level Architecture (diagram)
- Identity Providers: IdP (eID), IdP (Social Media), IdP (SaaS)
- IDHub: Virtual SP Layer (SP, SP, SP); Orchestration Layer (User Gateway, Server, Repository); Virtual IdP Layer (IdP, IdP, IdP)
- Service side: SP (OAuth), SP (WS-Federation), SP (SAML 2.0); Cloud Applications; Applications using ADFS; PoC (WAM, VPN, eSSO)

Slide 20: Backup Slides - Identity Hub: High-Level Architecture, detailed (diagram)
- Identity Providers: Local Authentication (Username/Password, One-Time-Password, Certificates, Out-of-band); 3rd Party Authentication (Vasco DigiPass, Gemalto, Safenet); Cloud Authentication (eID Fedict, Google+, Facebook, LinkedIn)
- IDHub: Virtual SP Layer (SP, SP, SP); Orchestration Layer (User Gateway, Server, Repository); Virtual IdP Layer (IdP, IdP, IdP)
- Service Providers: Application Server with off-the-shelf local common applications; Application Server with Adobe EM (local federated applications); Cloud Applications (SalesForce, ServiceNow, Office 365, WorkDay)

Slide 21: Complete Picture (diagram only)

Slide 22: Backup Slides - IDHub Redundancy (diagram)
- Zones: Internet / DMZ / Secure Intranet / Intranet / Restricted Intranet
- External User -> LB/WAF -> Gateway -> Protected Application; Internal User -> LB/WAF -> Gateway -> Protected Application
- Connection Setup Server (two instances), GUI Server (Admin. User), User Server, Log Archive Server, replicated Repositories

Slide 23: IDHub Redundancy with ISAM WebSEAL (diagram)
- Zones: Internet / DMZ / Secure Intranet / Intranet / Restricted Intranet
- External User -> LB/WAF -> ISAM WebSEAL -> Identity Hub ( Server) with Repository (two replicated instances) -> Protected Application
- Identity Provider ( Server) with Authn Repository (two instances); GUI Server (Admin. User); Log Archive Server

Slide 24: Identity Hub Architecture

Web Access Management Proxy: The Hub has an embedded Web Access Management Proxy. The proxy is used by the Hub to proxy federation requests between SPs and IdPs. Optionally, the proxy can also be used to protect and provide SSO to web applications that are not federation enabled. Note that an Identity Hub instance is dedicated to a single organisation, hence there is no need for embedded multi-tenancy.

Federation Consumer: The Federation Consumer interface allows the Hub to relay requests it can't handle locally to external IdPs. The Hub comes out of the box with a range of pre-configured IdPs (e.g. Google, Facebook, Twitter, Clef, eID). Other IdPs can be added through the Admin Portal. The choice of IdP is controlled by an orchestration workflow that can also be managed using the Admin Portal.

Federation Provider: The Federation Provider end-point allows the Hub to be used as a virtual IdP supporting protocols like SAML, OAuth, OpenID Connect and WS-Federation. It comes pre-configured for a range of well-known SPs like Salesforce and Google Apps. Other SPs can be added using the Admin Portal.

Directory Service: The Hub has an embedded and replicated Directory Service on board. This service is used to store and manage the bridging of identities. Optionally, it can also be used for authenticating the user with any of the embedded authentication mechanisms. It is also possible to leverage an existing LDAP, AD or database server. The service supports SCIM.

LDAP end-point: The LDAP end-point provides a virtual directory interface that applications can use to authenticate users or to retrieve attributes from the Hub's LDAP or from federated repositories (database, LDAP, AD).

Authn Service: The Hub also has an embedded Authentication Service that provides several ready-to-use authentication mechanisms. Among these are Username/Password, OATH-based OTP over SMS and on mobile devices, out-of-band and PKI (e.g. eID and other smartcards). In the context of PKI it also provides CA fail-over and caching.

RADIUS end-point: This end-point allows applications that use RADIUS as an authentication protocol (e.g. VPN) to leverage the services of the Hub.

User Portal: The User Portal exposes self-service functions like account management, authentication enrolment, IdP preference and device enrolment.

Admin Portal: The Admin Portal provides administrative functions like user, group and role management, IdP and SP onboarding and authentication mechanism activation.