Matt Tatro, Denise Lores, Wade Ellery
Radiant Logic
How to create a federated identity service that will build a bridge from the old world of groups to the new world of ABAC, improving your authorizations and Web Access Management.
7. Federated Identity Service
[Diagram: Existing Identity Infrastructure (IDM, Legacy Applications) -> Federated Identity Service -> SaaS/Cloud/BYOD/Partner Apps. Callout: Able to Sunset Identity Stores]
8. Identity as a Service through Virtualization
The Key to Solving the Identity Integration Challenge
• Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos.
• Aggregation, Correlation, Transformation, and Normalization of the user identity provide the ability to serve that identity to applications in the format they expect.
[Diagram: Populations A, B and C (Groups, Roles) held in LDAP, SQL and Web Services/SOA sources -> Aggregation -> Correlation -> Integration -> Virtualization -> Contexts and Services (SCIM, REST) -> App A through App F]
10. Where do the Attributes Come From? Existing Data Sources!
[Diagram: People ID/identifiers linked to roles (Administrator, Standard User, Manager), departments (Sales, Marketing, Product Management), products (Product 1, Product 2, Product 3) and functions (Web Content, Lead Generation, Direct Sales, Indirect Sales). Attribute sources: Groups, Roles, Departments, Divisions, Location]
• If you already have those attributes somewhere, group memberships can be data-driven instead of statically assigned.
13. RadiantOne Integration Layer and Cache/Storage Layer
• RadiantOne is made of two main parts:
  • An integration layer based on virtualization
  • A storage layer: Persistent Cache
    • LDAP (up to v6.2)
    • HDAP (based on big data technologies, v7.0)
[Diagram: Integration Layer + Storage (Persistent Cache); second variant with HDAP as the Storage (Persistent Cache)]
14. Normalizing Attributes Across Sources to Support Policy Authoring and Policy Decision Point
Source entries for one person:
HR Database:
  EmployeeID=509-34-5855
  ClearanceLevel=1
  Region=PA
  UserID=EMP_Andrew_Fuller
  DeptID=Sales234
LDAP Directory:
  uid=AFuller
  title=Vice Pres. Sales
  givenName=Andrew
  sn=Fuller
  departmentNumber=234
Active Directory:
  employeeNumber=2
  samAccountName=Andrew_Fuller
  objectClass=user
  mail: andrew_fuller@setree1.com
  departmentNumber=234
  title=Sales, VP
Correlated Identity Virtual View:
  employeeNumber=2
  samAccountName=Andrew_Fuller
  objectClass=user
  mail: andrew_fuller@setree1.com
  uid=AFuller
  nTitle=VP Sales
  ClearanceLevel=1
  Region=PA
  memberOf=Sales
  nDepartment=Sales
Dynamic Groups Virtual View (ComputedAttribute):
  cn=Sales
  objectClass=group
  member=Andrew_Fuller
  **Based on identities that have:
  • ClearanceLevel=1
  • nTitle=VP Sales
  • Region=PA
Federated Identity Attribute Server: Normalized Attribute Values
  Attribute: nDepartment
  Values: Accounting, Administration, Business Development, Distribution, Marketing, Production, Research, Sales, Shipping
  Attribute: nTitle
  Values: CEO, CIO, CISO, VP Sales, VP Marketing, …
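The pipeline this slide describes (correlate one person across silos, normalize the values, compute group membership from the normalized attributes) as an added Python example; it is not RadiantOne's code. The records are constructed to mirror the Andrew Fuller entry above plus a second constructed person, and the correlation key (a lower-case first_last derived from each silo's own identifier), the TITLE_MAP and DEPT_MAP tables, and the stale title in the second person's LDAP entry are all assumptions. It goes one step beyond the slide by flagging a title the tables cannot reconcile, so that a policy never fires on an unresolved attribute.

```python
"""Correlate, normalize and compute dynamic groups across three identity silos.

Added example, not RadiantOne's own code. Records are constructed to mirror the
slide's Andrew Fuller entry plus a second constructed person; the correlation
key and the normalization tables are assumptions."""

# Constructed source records: two people spread over an HR database, an LDAP
# directory and Active Directory. Each silo spells title/department its own way.
HR_DB = [
    {"EmployeeID": "509-34-5855", "ClearanceLevel": "1", "Region": "PA",
     "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234"},
    {"EmployeeID": "509-34-5901", "ClearanceLevel": "2", "Region": "NY",
     "UserID": "EMP_Beth_Ortiz", "DeptID": "Sales234"},
]
LDAP_DIR = [
    {"uid": "AFuller", "title": "Vice Pres. Sales", "givenName": "Andrew",
     "sn": "Fuller", "departmentNumber": "234"},
    {"uid": "BOrtiz", "title": "Sales Manager", "givenName": "Beth",  # stale value
     "sn": "Ortiz", "departmentNumber": "234"},
]
ACTIVE_DIR = [
    {"employeeNumber": "2", "samAccountName": "Andrew_Fuller", "objectClass": "user",
     "mail": "andrew_fuller@setree1.com", "departmentNumber": "234", "title": "Sales, VP"},
    {"employeeNumber": "7", "samAccountName": "Beth_Ortiz", "objectClass": "user",
     "mail": "beth_ortiz@setree1.com", "departmentNumber": "234", "title": "Sales Rep"},
]

# Assumed correlation rule: every silo yields the same lower-case "first_last"
# key, each derived from that silo's native identifier.
def hr_key(rec):   return rec["UserID"].replace("EMP_", "", 1).lower()
def ldap_key(rec): return f"{rec['givenName']}_{rec['sn']}".lower()
def ad_key(rec):   return rec["samAccountName"].lower()

# Assumed normalization tables: each silo spelling maps to the one value that
# policies are written against (the slide's nTitle / nDepartment).
TITLE_MAP = {"sales, vp": "VP Sales", "vice pres. sales": "VP Sales",
             "sales rep": "Sales Representative", "sales manager": "Sales Manager"}
DEPT_MAP = {"234": "Sales", "sales234": "Sales"}


def correlate(hr, ldap, ad):
    """Join the silos on the correlation key and merge raw attributes per person."""
    profiles = {}
    for records, keyfn in ((hr, hr_key), (ldap, ldap_key), (ad, ad_key)):
        for rec in records:
            prof = profiles.setdefault(keyfn(rec), {"_titles": [], "_depts": []})
            for attr, value in rec.items():
                if attr == "title":
                    prof["_titles"].append(value)
                elif attr in ("departmentNumber", "DeptID"):
                    prof["_depts"].append(value)
                else:
                    prof.setdefault(attr, value)  # first silo to supply a value wins
    return profiles


def _single(values, name, conflicts):
    """One normalized value, or None (plus a conflict note) if silos still disagree."""
    if len(values) == 1:
        return next(iter(values))
    if len(values) > 1:
        conflicts.append(name)
    return None


def normalize(profile):
    """Build the correlated virtual view with nTitle / nDepartment computed."""
    view = {k: v for k, v in profile.items() if not k.startswith("_")}
    conflicts = []
    titles = {TITLE_MAP.get(t.lower(), t) for t in profile["_titles"]}
    depts = {DEPT_MAP.get(d.lower(), d) for d in profile["_depts"]}
    view["nTitle"] = _single(titles, "title", conflicts)
    view["nDepartment"] = _single(depts, "department", conflicts)
    view["_conflicts"] = conflicts  # unresolved attributes go to data stewards, never defaulted
    return view


def dynamic_group(cn, rule, views):
    """A group whose members are computed from normalized attributes, not assigned."""
    members = sorted(v["samAccountName"] for v in views.values()
                     if all(v.get(attr) == wanted for attr, wanted in rule.items()))
    return {"cn": cn, "objectClass": "group", "member": members}


def build_virtual_views(hr=HR_DB, ldap=LDAP_DIR, ad=ACTIVE_DIR):
    """Correlated views plus the slide's dynamic Sales group; memberOf is derived."""
    views = {key: normalize(prof) for key, prof in correlate(hr, ldap, ad).items()}
    sales = dynamic_group("Sales", {"ClearanceLevel": "1", "nTitle": "VP Sales", "Region": "PA"}, views)
    for view in views.values():
        view["memberOf"] = [sales["cn"]] if view["samAccountName"] in sales["member"] else []
    return views, sales


if __name__ == "__main__":
    views, sales = build_virtual_views()
    print(sales)
    for key, view in views.items():
        print(key, view["nTitle"], view["nDepartment"], view["memberOf"], view["_conflicts"])
```

The group is computed on every call from the normalized attributes, which is what makes it data-driven: when HR changes Region or ClearanceLevel, membership changes with it and nothing has to be reassigned. The `_conflicts` list is the part to watch in practice; a person whose silos disagree after normalization gets no nTitle, so any rule keyed on it fails closed rather than picking whichever source happened to load first.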
15. RadiantOne as Single Identity Source
[Diagram: RadiantOne sits between the identity sources and the consuming applications, fronted by an Access Management Portal]
Identity sources:
  Oracle DB: User = LCallahan; Co = Sutton Ryan; MemberOf = Sales
  AD Profile: sAMAccountName = JSmythe; MemberOf = Sales
  John's AD Profile: User = JSmythe; MemberOf = IT, Finc
  IDM Profile: User = JSmythe, GUID = 23185798306=4; User = LCallahan, GUID = 39583201202=3
  SAP ERP Profiles: John_Smythe = High; Laura_Callahan = Low
  ODSEE
Consuming applications (via the Access Management Portal):
  Enterprise App A (MemberOf = Sales)
  Enterprise App B (MemberOf = Finc)
  Claims Enabled App C (Security = High)
  Claims SaaS App D (Security = Low)
Virtual profiles served by RadiantOne:
  Name = Laura_Callahan; Co = Sutton Ryan; MemberOf = Sales; Security = Low
  sAMAccountName = JSmythe; Name = John_Smythe; MemberOf = IT, Finc; Security = High
  sAMAccountName = JSeed; Name = Jill_Seed; MemberOf = Sales
SaaS Profiles:
  Name = Laura_Callahan; Co = Sutton Ryan; Security = Low; MemberOf = Sales
  Name = John_Seed; MemberOf = IT, Finc; Security = High
16. RadiantOne as Single Identity Source for IDaaS and Portal
[Diagram: RadiantOne sits between the identity sources and the Portal and IDaaS consumers; the IDaaS directory syncs with the VDS]
Identity sources:
  Customer App Profiles: User = LCallahan; Co = Sutton Ryan; MemberOf = Sales
  NorAm AD, John's AD Profile: sAMAccountName = JSeed; MemberOf = IT, Finc
  EMEA AD, Jill AD Profile: sAMAccountName = JSmythe; MemberOf = Sales
  SAP ERP Profiles: John_Seed = High; Laura_Callahan = Low
Consuming applications (via the Portal and IDaaS):
  Enterprise App A (MemberOf = Sales)
  Enterprise App B (MemberOf = Finc)
  Claims Enabled App C (Security = High)
  Claims SaaS App D (Security = Low)
Virtual profiles served by RadiantOne:
  Name = Laura_Callahan; Co = Sutton Ryan; MemberOf = Sales; Security = Low
  sAMAccountName = JSeed; Name = John_Seed; MemberOf = IT, Finc; Security = High
  sAMAccountName = Jsmythe; Name = Jill_Smythe; MemberOf = Sales
IDaaS Profiles (Sync with VDS):
  Name = Laura_Callahan; Co = Sutton Ryan; Security = Low; MemberOf = Sales
  Name = John_Seed; MemberOf = IT, Finc; Security = High
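Slides 15 and 16 show the same global profile being served to each application in the attribute shape that application expects (MemberOf for the enterprise apps, a Security claim for the claims-enabled ones). Here is an added Python example of that projection and of the access decision taken on the projected view; it is not RadiantOne's code. The global profiles are constructed to mirror the virtual profiles on slide 16, and the per-application view specifications (which attributes each app receives, the names it knows them by, and the attribute and value it is gated on) are assumptions. Jill's profile deliberately carries no Security attribute, since she has no SAP ERP record on the slide, to show how a missing attribute must be handled.

```python
"""Serve one global profile to each application in the shape it expects.

Added example, not RadiantOne's own code. The global profiles are constructed
to mirror the virtual profiles on slides 15 and 16; the per-application view
specifications (attribute renames and the gating attribute) are assumptions."""

# Constructed global profiles as the virtual directory would serve them after
# merging the AD, customer-app and SAP ERP silos. Jill has no SAP ERP record,
# so her profile carries no Security attribute at all.
GLOBAL_PROFILES = {
    "LCallahan": {"Name": "Laura_Callahan", "Co": "Sutton Ryan",
                  "MemberOf": ["Sales"], "Security": "Low"},
    "JSeed": {"sAMAccountName": "JSeed", "Name": "John_Seed",
              "MemberOf": ["IT", "Finc"], "Security": "High"},
    "JSmythe": {"sAMAccountName": "Jsmythe", "Name": "Jill_Smythe", "MemberOf": ["Sales"]},
}

# Assumed per-application view specs: "attrs" maps a global attribute to the
# name the app expects; "require" is the attribute/value the app is gated on.
APP_VIEWS = {
    "Enterprise App A": {"attrs": {"sAMAccountName": "uid", "MemberOf": "memberOf"},
                         "require": ("MemberOf", "Sales")},
    "Enterprise App B": {"attrs": {"sAMAccountName": "uid", "MemberOf": "memberOf"},
                         "require": ("MemberOf", "Finc")},
    "Claims Enabled App C": {"attrs": {"Name": "name", "Security": "security_level"},
                             "require": ("Security", "High")},
    "Claims SaaS App D": {"attrs": {"Name": "name", "Co": "company", "Security": "security_level"},
                          "require": ("Security", "Low")},
}


def satisfies(profile, attr, wanted):
    """True only when the gating attribute is present and carries the wanted value."""
    value = profile.get(attr)
    if value is None:  # no source record supplied it: deny, never assume a default
        return False
    return wanted in value if isinstance(value, list) else value == wanted


def project(profile, spec):
    """Only the attributes the app is entitled to, renamed to its own vocabulary."""
    return {alias: profile[src] for src, alias in spec["attrs"].items() if src in profile}


def decide(user, app, profiles=GLOBAL_PROFILES, views=APP_VIEWS):
    """Return (permitted, projected view); the view is None when access is denied."""
    profile, spec = profiles[user], views[app]
    if not satisfies(profile, *spec["require"]):
        return False, None
    return True, project(profile, spec)


def access_matrix(profiles=GLOBAL_PROFILES, views=APP_VIEWS):
    """Which apps each user may reach, decided from the single source of truth."""
    return {user: sorted(app for app in views if decide(user, app, profiles, views)[0])
            for user in profiles}


if __name__ == "__main__":
    for user, apps in access_matrix().items():
        print(user, apps)
```

Every application is answered from the same global profile, so a change in SAP ERP (John's Security level) reaches App C and App D through the same view without a separate sync per application. The check in `satisfies` is the one worth keeping: a claims-enabled app that treats a missing Security attribute as "Low" would admit Jill on the strength of an attribute nobody ever asserted.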
17. Confidential and proprietary materials for authorized Radiant Logic personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Why RadiantOne
• Portals, Content Management, Collaboration
• Federated Access - SaaS/Cloud Apps/Claims
• Web SSO – Access Management
• Partner/Vendor/Customer IAM
• Fine Grained Authorization (ABAC, XACML)
• Mergers, Acquisitions, Divestitures, Reorgs
• Directory Re-architecture, Replacement, Decommission
• Active Directory Consolidation and Partitioning