Matt Tatro, Denise Lores, Wade Ellery Radiant Logic How to create a federated identity service that will build a bridge from the old world of groups to the new world of ABAC, improving your authorizations and Web Access Management.

1. Creating a Federated Identity
Service for ABAC and
Web Access Management
Wade Ellery
Western Region Director of Sales
Denise Lores
Senior Architect

2. The Four Pillars of Identity Services
¡ Enhanced user experience
¡ Improved management
of security risks
¡ Efficient development/
deployment of applications
¡ Reusable integration
¡ HIPAA, SOX
compliance
¡ Common access logs
¡ Improved
accountability
¡ Common reporting
¡ Reduced
administrative tasks
¡ Reduced help desk calls
¡ Improved process
efficiency
¡ Central user information
¡ Reduced administrative
tasks
¡ Reduced help desk calls
¡ Improved security
¡ Accountability
¡ Cost savings
User Self-Service &
Password Management
Virtual Directory
Web Access
Management/SSO
Centralized Audit
Delegated Administration
Synchronization/
Replication
Federated Identity
Management/SSO
Logging and
Monitoring
Automated Approvals
and Workflows
Meta Directory
Authentication &
Authorization
Access Certification
Enterprise
Role Definition
Directory Storage Standard APIs Reporting
Audit, Role
& Compliance
Access
Management
Identity
Management
Identity
Data Services

3. RadiantOne: Your Foundation to a
Complete Identity Service
HR
DatabasesApplications DatabasesLDAP Directories Cloud Apps

4. IDM
Supporting Multiple Repositories is Costly:
Traditional IDM Attempted to Mitigate
Existing
Identity
Infrastructure
Legacy Applications

5. IDM
Existing
Identity
Infrastructure
Legacy Applications
New Applications and Customers
Increase complexity, support, and risk
Existing
Identity
Infrastructure
SaaS/Cloud/BYOD/
Partner Apps

6. RadiantOne
Existing
Identity
Infrastructure
SaaS/Cloud/BYOD/
Partner Apps
RadiantOne
The Identity Hub
IDM
Legacy Applications

7. Federated
Iden-ty
Service
Existing
Identity
Infrastructure
SaaS/Cloud/BYOD/
Partner Apps
Federated Identity Service
Able to Sunset Identity Stores
IDM
Legacy Applications

8. Identity as a service through Virtualization
The Key to Solving the Identity Integration Challenge
• Acting as an abstraction layer RadiantOne creates attribute rich global user profiles
spanning multiple identity silos.
• Aggregation, Correlation, Transformation, and Normalization of the user identity
provides the ability to serve that identity to applications in the format they expect.
Aggregation
Correlation
Integration
Virtualization
Population
C
Population
B
Population
A
Groups Roles
LDAP
SQL
Web
Services
/SOA
App A
App B
App C
App D
App E
App F
Contexts
Services
SCIM
REST

9. More Identities, Better Scope—the Secret to
Boosting Your Ping federation IdP Deployment

10. Administrator
Standard User
Manager
Sales
Marketing
Product
Management
People ID/
identifiers
Product 1
Product 2
Product 3
Web Content
Lead Generation
Direct Sales
Indirect Sales
• If you have those attributes somewhere already, instead of having
static assignment, the groups memberships can be data-driven.
Where do the Attributes Come From?
Existing Data
Sources!
GroupsRoles Departments Divisions Location

11. RadiantOne Methodology
Leveraging Existing Contexts to Build User Profiles

12. RadiantOne Methodology
Joining across Data Silos Links Identities to Context

13. • RadiantOne is made of two main parts:
• An integration layer based on virtualization
• A storage layer: Persistent Cache
• LDAP (up to v6.2)
• HDAP (based on big data technologies, v7.0)
RadiantOne
Integration Layer and Cache/Storage Layer
Integration Layer
Integration Layer
+
Storage
(Persistent Cache)
HDAP
Storage
(Persistent Cache)

14. HR Database
LDAP Directory
Active Directory
Normalizing Attributes Across Sources to Support
Policy Authoring and Policy Decision Point
employeeNumber=2
samAcountName=Andrew_Fuller
objectClass=user
mail: andrew_fuller@setree1.com
uid=AFuller
ntitle=VP Sales
ClearanceLevel=1
Region=PA
memberOf=Sales
nDepartment=Sales
Correlated Identity Virtual View
employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail:
andrew_fuller@setree1.com
departmentNumber=234
?tle=Sales,
VP
uid=AFuller
?tle=Vice
Pres.
Sales
givenName=Andrew
sn=Fuller
departmentNumber=234
EmployeeID=509-­‐34-­‐5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234
cn=Sales
objectClass=group
member=Andrew_Fuller
**Based on identities that have:
• ClearanceLevel=1
• nTitle=VP Sales
• Region=PA
Dynamic Groups Virtual View
ComputedAttribute
Normalized Attribute Values
Federated Identity
Attribute Server
Normalized Attributes
Attribute: nDepartment
Values:
Accounting
Administration
Business Development
Distribution
Marketing
Production
Research
Sales
Shipping
Attribute: nTitle
Values:
CEO
CIO
CISO
VP Sales
VP Marketing
…

15. Oracle DB
User = LCallahan
Co = Sutton Ryan
MemberOf = Sales
RadiantOne as Single Identity Source
Access
Management
Portal
ODSEE
Enterprise
App A
(MemberOf =
Sales)
Enterprise
App B
(MemberOf =
Finc)
Claims
Enabled
App C
(Security = High)
Claims SaaS
App D
(Security = Low)
Name= Laura_Callahan
Co = Sutton Ryan
MemberOf = Sales
Security = Low
saMAccountName = JSmythe
Name = John_Smythe
MemberOf = IT, Finc
Security = High
saMAccountName = JSeed
Name = Jill_Seed
MemberOf = Sales
SaaS Profiles
Name= Laura_Callahan
Co = Sutton Ryan
Security = Low
MemberOf = Sales
Name = John_Seed
MemberOf = IT, Finc
Security = High
John’s AD Profile
User = JSmythe
MemberOf = IT, Finc
SAP ERP Profiles
John_Smythe = High
Laura_Callahan = Low
AD
AD Profile
saMAccountName
= JSmythe
MemberOf=Sales
IDM Profile
User = JSmythe
GUID = 23185798306=4
User = LCallahan
GUID = 39583201202=3

16. Customer App Profiles
User = LCallahan
Co = Sutton Ryan
MemberOf = Sales
RadiantOne as Single Identity Source for
IDaaS and Portal
Portal
IDaaS
NorAm AD
Enterprise
App A
(MemberOf =
Sales)
Enterprise
App B
(MemberOf =
Finc)
Claims
Enabled
App C
(Security = High)
Claims SaaS
App D
(Security = Low)
Name= Laura_Callahan
Co = Sutton Ryan
MemberOf = Sales
Security = Low
saMAccountName = JSeed
Name = John_Seed
MemberOf = IT, Finc
Security = High
saMAccountName =
Jsmythe
Name = Jill_Smythe
MemberOf = Sales
IDaaS Profiles
Name= Laura_Callahan
Co = Sutton Ryan
Security = Low
MemberOf = Sales
Name = John_Seed
MemberOf = IT, Finc
Security = High
John’s AD Profile
saMAccountName =
JSeed
MemberOf = IT, Finc
SAP ERP Profiles
John_Seed = High
Laura_Callahan = Low
Sync
with
VDS
EMEA AD
Jill AD Profile
saMAccountName
= JSmythe
MemberOf=Sales

17. Confidential and proprietary materials for authorized Radiant Logic personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Why RadiantOne
• Portals, Content Management, Collaboration
• Federated Access - SaaS/Cloud Apps/Claims
• Web SSO – Access Management
• Partner/Vendor/Customer IAM
• Fine Grained Authorization (ABAC, XACML)
• Mergers, Acquisitions, Divestitures, Reorgs
• Directory Re-architecture, Replacement, Decommission
• Active Directory Consolidation and Partitioning