The document discusses implementing a federated identity solution for a company to securely provide access to its B2B applications to 100,000 users including employees, business partners, and contractors. It covers the business needs and challenges, concepts of federated identity and single sign-on (SSO), the proposed technical architecture using standards like SAML, and strategies around user provisioning, access management and auditing for partners of different trust levels.

1. Séminaire Fédération d’identité : des concepts Théoriques
aux études de cas d’implémentations concrètes.
Nagib Aouini, Head of IAM Division
Genève, 27.11.2014
Organisé par

2. AGENDA
 Contexte / Besoins / Challenges clients – 5 min
 Vision Fédération (concepts, benefices, besoins) – 15 min
 Architecture sécurité ELCA – 15 min
 Stratégie Projet – 5 min
 Lessons Learned / Services Sécurité ELCA / Questions /
Réponses – 15 min

3. CURRENT CUSTOMER NEEDS
■ Allow a secure access to a B2B applications based on
SharePoint 2013 to all employees, business partners and
contractors (maximum 100’000 users).
■ Simplify the registration and on-boarding process to business
partners and employee without adding huge administration tasks
to Business and IT admins (access right management).
■ Provide the best user-experience for end-users in terms of
access, registration and collaboration.
■ Identify user and audit all access to sensitive documents using a
unique identifier (which is strongly linked to the phyiscal person).
■ Deliver the best performance for the B2B application and support
peak demand during specific events.

4. BUSINESS DRIVERS
Business FacilitationBusiness Facilitation
Improve security & risk
management
Improve security & risk
management
 Strong authentication to protect sensitive assets
 Enforce access control policy
 Timely revocation of inactive accounts
 Imposing policies and improve audit capability
Regulatory complianceRegulatory compliance
 Loi fédérale du 19 juin 1992 (LPD)
 Company Audit policy and compliance report
Reduce operational costsReduce operational costs
 Align technology in both data-centers (use of F5)
 Reducing management costs and security
 Cutting costs of developments by using standard protocols
(SAML2, OAUTH, WS-Fed …)
 Improve user experience (with SSO and federated
SSO)
 Integrating partners (top sponsors)
 Integrate new business application in time-to-market
(SaaS apps, on-premises using SAML SSO).

5. BUSINESS CHALLENGES
Project Business Team :
How to manage this mass amount of
users in term of registration and access
rights ? We are only 5 people !
Project Business Team :
How to manage this mass amount of
users in term of registration and access
rights ? We are only 5 people !
IT Security Officer
I will not let 100’000 users
accessing my network without
identifiying them in a secure way !
Today our LAN is not opened to
Internet Worldwide.
IT Security Officer
I will not let 100’000 users
accessing my network without
identifiying them in a secure way !
Today our LAN is not opened to
Internet Worldwide.
IT System administrator
How many system administrator we need to
manage those amount of servers (required for
SharePoint 2013). Do we need to manage a lot of
firewall rules for SAML ?
IT System administrator
How many system administrator we need to
manage those amount of servers (required for
SharePoint 2013). Do we need to manage a lot of
firewall rules for SAML ?Help Desk and Support
I don’t want to receive call or ticket for
people working outside our company.
I’m supposed to handle request only
for employee !
Help Desk and Support
I don’t want to receive call or ticket for
people working outside our company.
I’m supposed to handle request only
for employee !
Head of IT
Are you sure that SAML is the right
choice ? Does it will faster application
integration in the future.
Does it enables SSO to SaaS platform
? It cost a lot, No ?
Head of IT
Are you sure that SAML is the right
choice ? Does it will faster application
integration in the future.
Does it enables SSO to SaaS platform
? It cost a lot, No ?

6. AGENDA
 Contexte / Besoins / Challenges clients – 5 min
 Vision Fédération (concepts, benefices, besoins) – 15 min
 Architecture sécurité ELCA – 15 min
 Stratégie Projet – 5 min
 Lessons Learned / Services Sécurité ELCA / Questions /
Réponses – 15 min

7. Company Logo
HOW FEDERATED IDENTITY AND SSO CAN SOLVE THOSES CHALLENGES ?
Federated Identity & SSOFederated Identity & SSOFederated Identity & SSOFederated Identity & SSO
Benefits
User experienceUser experience SimplifySimplify
AccessAccess
SecureSecure
AccessAccess
FacilitateFacilitate
IntegrationIntegration
simplifier la
navigation de
l'utilisateur
simplifier la
navigation de
l'utilisateur
Un service unique
d’authentification
Un service unique
d’authentification
Plus de mot passe
mais des jetons qui
transitent
Plus de mot passe
mais des jetons qui
transitent
Utilisation du standard
SAML qui traverse les
réseaux
Utilisation du standard
SAML qui traverse les
réseaux

8. Verifying that a user, device, or service
such as an application provided on a
network server is the entity that it
claims to be.
Determining which actions an
authenticated entity is authorized to
perform on the network
WHAT IS FEDERATED IDENTITY MANAGEMENT?
Identity Provider (IdP) – Entity
performing authentication
Service Provider (SP) – Entity allowing
authorized resource access
Service Provider (SP) – Entity allowing
authorized resource access
IDPIDP Service ProviderService Provider
Identity management deals with identifying individuals in
a system and controlling access to the resources in that system

9. AuthorisationAuthorisation
Functionalities
and data
Functionalities
and data
AuthenticationAuthentication
App 2App 2
AuthorisationAuthorisation
Functionalitie
s and data
Functionalitie
s and data
App 2App 2
AuthorisationAuthorisation
Functionalitie
s and data
Functionalitie
s and data
App 1App 1
AuthorisationAuthorisation
Functionalities
and data
Functionalities
and data
AuthenticationAuthentication
App 1App 1
Classic
IDENTIFICATION AND AUTHENTICATION
SAML-Based
9
Active
Directory
AuthenticationAuthentication
Active
Directory
IdPIdP
SPSP
CLAIMS
SAMLv2

10. © ELCA - dd.mm.yyyy VISA
Annuaire
SSO
Ressources
numériques
SP
IdP
Fournisseur de service (SP)
Fournisseur d’identité (IdP)
Service de découverte des IdP
IDENTITY FEDERATION OVERVIEW

11. TRUST ENTRE IDP ET SP
■ Cryptographie asymétrique (paire de clés)
 Clé publique (connue de l’émetteur) du récepteur utilisée pour l’encryption
− L’émetteur doit être capable de vérifier l’authenticité de la clé publique!
 Clé privée (secret du récepteur) utilisée pour la décryption
 La paire de clés (privée et publique) sont générées au même moment
 Aussi connu sous le nom de “ cryptographie à clé publique”
 L’échange de message est similaire entre un IDP et un SP qui se font confiance
Extract
Signature
Encryption
Algorithm
Encryption
Algorithm
Decryption
Algorithm
Decryption
Algorithm
SP Public KeySP Public Key SP Private KeySP Private KeyIDP SP

12. SAML TOKEN
SAML token carry pieces of information about the user
(can contain more information than a Windows Kerberos Token)
NameName
AgeAge
LocationLocation
Token

13. Client Application A
Identity
Provider
(ADFS)
1
2
Token
External
Application B<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:AttributeStatement>
<saml:Attribute AttributeName=“loginID"
AttributeNamespace="http://...">
<saml:AttributeValue>A3478372</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="name"
AttributeNamespace="http://... ">
<saml:AttributeValue>Bob</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName=“employeeType"
AttributeNamespace="http://... ">
<saml:AttributeValue>internal</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
</saml:Assertion>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:AttributeStatement>
<saml:Attribute AttributeName=“loginID"
AttributeNamespace="http://...">
<saml:AttributeValue>A3478372</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="name"
AttributeNamespace="http://... ">
<saml:AttributeValue>Bob</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName=“employeeType"
AttributeNamespace="http://... ">
<saml:AttributeValue>internal</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
</saml:Assertion>
FEDERATED SSO FLOW

14. Client Application
Social
Identity
Provider
GET
/openid/auth
GET /default.aspx
GET /default.aspx
SSO WITH OPENID PROVIDER AND SOCIAL NETWORK
GET /app1
SSP IdP
Redirect 302 - GET /saml2/SAMLRequest
11
22
33
44
55
OpenId Token
POST /saml/66
77
Service Provider

15. FEDERATION MODELS – PEER-TO-PEER
SP
SP x
IDP 3IDP 3
IDP 2IDP 2
IDP 1IDP 1
COMPANY LAN
IDP
Trust link
SP y

16. IDENTITY FEDERATION WITH A “HUB” SAML ARCHITECTURE
16
HUBHUB
Data-Center
SP 1
App Z
SP 2
App X
SP 2
App X
SP 3
App Y
SP 3
App Y
IDP : HQIDP : HQ
IDP : WIDP : W
IDP : ZIDP : Z
IDP : YIDP : Y
IDP : XIDP : X
SP 1
App A
SP 1
App A
SP 1
App C
SP 1
App C
SP 1
App B
SP 1
App B
Other
applications:
• SaaS (cloud),
• Partners …

17. PARTNER CATEGORIZATION
- Not mandatory
- Make business easier
- «Low» level of trust
- Essential for business
- Several services used
- «Medium» level of trust
- Essential for strategy
- Advanced SLA
- Sensitive applications
- «High» level of trust

18. ACCOUNT AND ACCESS MANAGEMENT
■ Account provisioning
- Transient (no need to map account to an existing)
- Just-in-time (JIT) provisioning (need a mapping ID)
- Directory synchronization (via CRM or regular export /
import)
■ Access management
- Generic partner account
- Establish roles among the
partner’s users
- Each partner’s user has its
own account partner-gen-user
part-t1-user
part-t2-user
part-t4-user
part-t3-user

19. WHY DO WE NEED A UNIQUE ID
■ Ability to uniquely identify a user (or application, machine,
service,…) in the IT environment for e.g. audit purpose
■ No need to manage matching tables per application between ID
and physical user
■ It is a mandatory prerequisite for internal SSO and external
identity federation
■ The ID needs to be kept and archived even if the employee left
the company. It must never be re-assigned to any other employee
to avoid access rights recovery risk.

20.  Partners identified
 Categorization
 Reliability
 Auditability
 Confidentiality
 Federation technology
FEDERATED IDENTITY CHECKLIST
 Unique Identifier
 User data reliability
 Rules and regulations documented
 Audit
 Service providers
 Federation token consumer
 SLA - Availability
 Identity providers
 Federation token issuer
 Strong authentication
 IAM processes

21. LEGAL AND CONTRACTUAL CONSTRAINTS
■ Identity authenticity
- Depends on the partner trust level
- Defines constraints on which service is accessed
■ Confidentiality vs. auditability
Audit
Track user activity
Confidentiality
Hide user identity
CONSTRAINTS
vs.
NEED

22. FEDERATED SSO EXAMPLE
 Multi-organization
collaboration common
 Accounts generally
maintained by one
organization
 Grant access for
externally authenticated
users
Business
Agreement
Authenticate
User
Access
Resources
Customer Business
Partner
We don’t need to maintain or create external account for those users as Customer
trust the partner !
We don’t need to maintain or create external account for those users as Customer
trust the partner !

23. FEDERATED IDENTITY MANAGEMENT : EXAMPLE
23.
Central
Directory
Synchronization
Application
Authentication
Services
User
SAML
tokens
Session
Access
Applications Exchange
Base RH
SAP
Databases
Federated
IAM
Federated
partners
Trust
CRM or
contacts

24. AGENDA
 Contexte / Besoins / Challenges clients – 5 min
 Vision Fédération (concepts, benefices, besoins) – 15 min
 Architecture sécurité ELCA – 15 min
 Stratégie Projet – 5 min
 Lessons Learned / Services Sécurité ELCA / Questions /
Réponses – 15 min

25. 25
ELCA APPROACH : DEFENSE IN DEPTH APPROACH

26. Secure CDNSecure CDN
DC3DC3 DC4DC4 DC 1 & 2DC 1 & 2
B2B appIAM & Security B2B appIAM & Security
ADFS
AD
Ext
.
2FA
ADFS
AD
Ext
.
2FA
IAM & Security
ADFS
AD Int.
2FA
Use case 2:
employee
from Internet
Use case 1:
employee
from LAN
Use case 3:
Federated
partner from
LAN
Use case 5:
Federated
partner from
Internet
Use case 4:
Not-federated
partner from
Internet
F5 Big-IP F5 Big-IP F5 Big-IP
IdP SAML
TestTest ProdProd
Internet

27. DEFENSE IN DEPTH APPROACH
Security mechanism
•HTML/HTTP inspection
•Input/Validation checks
•Secured Custom code
•Sanitization
Security mechanism
•HTML/HTTP inspection
•Input/Validation checks
•Secured Custom code
•Sanitization
Security mechanism
•OS Hardening with BPA /
Security Templates
•IIS Hardening
•HIDS
Security mechanism
•OS Hardening with BPA /
Security Templates
•IIS Hardening
•HIDS
Security mechanism
•Strong Authentication
•RBAC model
•Security Policy
•Encryption at rest/transit
•Audit
•Access control
Security mechanism
•Strong Authentication
•RBAC model
•Security Policy
•Encryption at rest/transit
•Audit
•Access control
Security mechanism
•Secured equipment rack
•Physical controlled
access
•Secure facilities
•RFI/EMI shielding
•Geographical site locaton
Security mechanism
•Secured equipment rack
•Physical controlled
access
•Secure facilities
•RFI/EMI shielding
•Geographical site locaton
Security mechanism
•Network device access control
lists
•IPSec Encryption
•NIDS
•Firewall
Security mechanism
•Network device access control
lists
•IPSec Encryption
•NIDS
•Firewall
• Secure CDN
• F5-ASM • 2FA
• Web Password
• F5-APM
• SIEM - Splunk
• CheckPoint
• IPS – ISS
• VPN IPSec
• Best Practice
Analyzer
• WSUS
• Symantec / McAfee
• DataCenter1 –
ISO27002
• DataCenter2 –
ISO20000/ITIL
Source : Microsoft defense in depth approach

28. App 1: prod
NETWORK DEFENSE: NETWORK SEGMENTATION
28
App 2: test
Front End
Middle
End
App 2: prod
Back End

29. TRACK USER ACTIVITY : UNIQUE ID
29
Employees
Contacts
Active
Directory and
others …
 The unique ID will be independent of
the first name and last name of the
user
 The unique ID will be generated
according to specific algorithm
 Internal and external users will use
their email address to login on the
B2B applications, but the logs will
track them using their unique ID

30. Site:B
Read
Write
Approve
Create users
Site:A
Read
Write
Download
Create users
Site:C
Read
Update
Delete
SIMPLIFY ACCESS RIGHT MGT : ATTRIBUTE BASED ACCESS CONTROL
01/16/15 30
Internet
B2B
application
Name: Mary C
Org: X
Fct: Audit
Loc: CH
Name: Paul B
Org: Y
Fct: Marketing
Loc: BR
Name: Marc A
Org: Z
Fct: Accommodation
Loc: UK

31. AGENDA
 Contexte / Besoins / Challenges clients – 5 min
 Vision Fédération (concepts, benefices, besoins) – 15 min
 Architecture sécurité ELCA – 15 min
 Stratégie Projet – 5 min
 Lessons Learned / Services Sécurité ELCA / Questions /
Réponses – 15 min

32. OUR IAM METHODOLOGY
32

33. ORGANISATION CHART
 Decide on major options
 Ensure alignment with corporate and
business strategies
 Communicate
Steering committee
 Sponsor
 Head of Technology
 Security Officer
Steering committee
 Sponsor
 Head of Technology
 Security Officer
Project team
 ELCA consultants and technical experts
 ELCA project manager
 E-Xpert Solutions F5 experts
Project team
 ELCA consultants and technical experts
 ELCA project manager
 E-Xpert Solutions F5 experts
Project sponsor board
 B2B Project representatives
 IT representatives
 Security representatives
Project sponsor board
 B2B Project representatives
 IT representatives
 Security representatives
 Gather and analyse information
 Propose solutions, evaluate options
 Produce deliverables
 Manage the mission
Responsibilities
Responsibilities
 Provide information
 Challenge deliverables and
proposed solutions
 Validate deliverables and
proposed solutions
Responsibilities
N.Aouini
Others
providers

34. PROJECT PLAN
M1M1 M2M2 M3M3 M4M4 M5M5 .. M11.. M11M6M6 M12M12
21
Légende:
Kick-off meeting
Steering committee
Workshops
S3
Weekly status
S4S2 S2
S1
S3
4
Plan
PHASE 2 : DEPLOY
& RUN
PHASE 1 : IMPLEMENTPHASE 0 : ANALYZE
PHASE 3 :
ROLL-OUT
S1
3
34
Security Architecture
Concept
WS#1 : Identity Federation
WS#2 : Strong authentication
WS#3 : IAM Processes
WS#4 : AuthZ Models
F5-APM setup
finished

35. AGENDA
 Contexte / Besoins / Challenges clients – 5 min
 Vision Fédération (concepts, benefices, besoins) – 15 min
 Architecture sécurité ELCA – 15 min
 Stratégie Projet – 5 min
 Lessons Learned / Services Sécurité ELCA / Questions /
Réponses – 15 min

36. BENEFITS OF FEDERATED SSO
 Access to the platform available worldwide with best technology
providing high performance, strong security and high quality user-
experience .
 Support for standard authentication methods (SAML2) and
simplification of on-boarding process for trusted partners.
 Reduce the overall management cost of registration and
troubleshooting user access since it is completely an automated
process (based on CRM synch).
 Ability to control access to sensitive asset using 2FA authentication
coupled with SAML2 SSO (Step-Up authentication possible).
 Track and audit user activity using a secure unique identifier linked to a
single person while respecting privacy.
.

37. RECOMMANDATIONS #1
37
■ Document the identity and access management (IAM) plan.
 Understand what the business want in terms of requirement,
 How it will be operated (insourced or outsourced ?),
 Who is responsible for which pieces and how they function.
■ Produce fast results – achieve some quick, low cost results
■ Address high risk areas early – security issues are often the primary
business concerns (start with SSO and strong authentication)
 Allow easier security auditing
■ Increase integration between directory and security and application
services with SAML Identity Provider.
■ Improve capabilities that promote the ease and efficiency of finding
organisational data
■ Precise management of identity entitlements and modification or
termination of system access rights through provisioning and de-
provisioning mechanisms

38. RECOMMANDATIONS #2
38
■ Assess existing systems for accreditation and adherence to industry
standards to smooth the SAML migration
■ Use a standard set of security protocols (SAML, OAUTH)
■ Rationalise, synchronise and where appropriate reduce numbers of
directory services and identity information repositories
■ Reduce identity duplication and combine capabilities
 To simplify overall infrastructure
 Choice of a unique identifier for internal and external users
 Reduce management/administration efforts
 Enable a greater degree of single sign-on capabilities across the business
systems
 Allow easier security auditing
■ Manage identity entitlements of system access rights through
provisioning and de-provisioning mechanisms

39. ELCA has a proven expertise to be your IAM partner
WHY CHOOSE OUR SOLUTION
39
■ Proven IAM expertise
■ Ability to deliver on time
■ Quality of deliverables
■ Business focus first
■ Knowledge of customer
needs
■ Team working with customer
representative
■ Innovation and cutting edge
solution
■ Security focus in mind
■ Efficiency
■ Neutral integrator
■ Customization
■ You local IAM partner

40. employee
Federating partners
with SAML
contractors
stakeholder
Approver User ID
Admin
Autoritative
Source(s)
HR
External
Metadirectory
Access
Mgt
Dashboard
Reports
AD +
Exchange
Enterprise
Platform
Others
apps
Synch
Self-Service
Auditor Application Auditor
SAML
claims
IAM
connectors
Log collection
for Access
Intelligence
ELCA ARCHITECTURE

41. ELCA IAM SUCCESS STORY
For a large humanitarian worlwide organization (9’000 users, 20’000 partners)

42. ELCA IAM SUCCESS STORY
For a large humanitarian worlwide organization (9’000 users, 20’000 partners)

43. For an insurance company (2’000 users, 20’000 broker)
ELCA IAM SUCCESS STORY
| 16.01.15 | 43Presentation Title

44. For an international sports organization 500 users, 100’000 partners worlwide)
ELCA IAM SUCCESS STORY

45. Lausanne I Zürich I Bern I Genf I London I Paris I Ho Chi Minh City
Nagib Aouini
Head of division
Identity & Access
nagib.aouini@elca.ch
Thank you for your attention
For further information
please contact: