The document discusses implementing a federated identity solution for a company to securely provide access to its B2B applications to 100,000 users including employees, business partners, and contractors. It covers the business needs and challenges, concepts of federated identity and single sign-on (SSO), the proposed technical architecture using standards like SAML, and strategies around user provisioning, access management and auditing for partners of different trust levels.
Identity Federation: from Theoretical Concepts to Case Studies of Concrete Implementations
1. Seminar: Identity Federation: from theoretical concepts to case studies of concrete implementations.
Nagib Aouini, Head of IAM Division
Geneva, 27.11.2014
Organised by
2. AGENDA
Context / Needs / Customer challenges – 5 min
Federation vision (concepts, benefits, needs) – 15 min
ELCA security architecture – 15 min
Project strategy – 5 min
Lessons learned / ELCA security services / Questions & answers – 15 min
3. CURRENT CUSTOMER NEEDS
■ Allow secure access to a B2B application based on SharePoint 2013 for all employees, business partners and contractors (maximum 100’000 users).
■ Simplify the registration and on-boarding process for business partners and employees without adding heavy administration tasks for business and IT admins (access right management).
■ Provide the best user experience for end users in terms of access, registration and collaboration.
■ Identify users and audit all access to sensitive documents using a unique identifier (strongly linked to the physical person).
■ Deliver the best performance for the B2B application and support peak demand during specific events.
4. BUSINESS DRIVERS
Business facilitation
- Improve user experience (with SSO and federated SSO)
- Integrate partners (top sponsors)
- Integrate new business applications in time-to-market (SaaS apps, on-premises using SAML SSO)
Improve security & risk management
- Strong authentication to protect sensitive assets
- Enforce access control policy
- Timely revocation of inactive accounts
- Impose policies and improve audit capability
Regulatory compliance
- Federal Act of 19 June 1992 on Data Protection (LPD)
- Company audit policy and compliance report
Reduce operational costs
- Align technology in both data centers (use of F5)
- Reduce management and security costs
- Cut development costs by using standard protocols (SAML2, OAuth, WS-Fed …)
5. BUSINESS CHALLENGES
Project Business Team:
How do we manage this mass amount of users in terms of registration and access rights? We are only 5 people!
IT Security Officer:
I will not let 100’000 users access my network without identifying them in a secure way! Today our LAN is not open to the Internet worldwide.
IT System administrator:
How many system administrators do we need to manage that amount of servers (required for SharePoint 2013)? Do we need to manage a lot of firewall rules for SAML?
Help Desk and Support:
I don’t want to receive calls or tickets for people working outside our company. I’m supposed to handle requests only for employees!
Head of IT:
Are you sure that SAML is the right choice? Will it make application integration faster in the future? Does it enable SSO to SaaS platforms? It costs a lot, no?
7. HOW CAN FEDERATED IDENTITY AND SSO SOLVE THESE CHALLENGES?
Federated Identity & SSO benefits:
- User experience: simplify the user’s navigation
- Simplify access: a single authentication service
- Secure access: no more passwords, only tokens in transit
- Facilitate integration: use of the SAML standard, which crosses networks
8. WHAT IS FEDERATED IDENTITY MANAGEMENT?
Identity management deals with identifying individuals in a system and controlling access to the resources in that system.
Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorization: determining which actions an authenticated entity is authorized to perform on the network.
Identity Provider (IdP) – Entity performing authentication
Service Provider (SP) – Entity allowing authorized resource access
9. IDENTIFICATION AND AUTHENTICATION
[Figure: Classic vs. SAML-based. Classic: App 1 and App 2 each perform their own authentication against Active Directory and their own authorisation over functionalities and data. SAML-based: authentication against Active Directory is done once by the IdP, which sends SAMLv2 claims to the SP; each application keeps only its own authorisation over functionalities and data.]
11. TRUST BETWEEN IDP AND SP
■ Asymmetric cryptography (key pair)
- The receiver’s public key (known to the sender) is used for encryption
  − The sender must be able to verify the authenticity of the public key!
- The receiver’s private key (the receiver’s secret) is used for decryption
- The key pair (private and public) is generated at the same time
- Also known as “public-key cryptography”
- Message exchange between an IdP and an SP that trust each other works in the same way
[Figure: IDP → extract → signature → encryption algorithm with the SP public key → decryption algorithm with the SP private key → SP]
12. SAML TOKEN
A SAML token carries pieces of information about the user (it can contain more information than a Windows Kerberos token).
[Figure: token containing Name, Age, Location]
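As an added example (not code from the presentation or from ELCA), these are the service-provider-side checks that follow once a token like this is received: audience restriction, validity window and claim extraction from a constructed SAML 2.0 assertion. The issuer, audience URL, subject and attribute values are assumed sample data; verifying the XML signature with the IdP’s public key (slide 11) is outside this snippet and must happen before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (issuer, audience and claim values are assumptions).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2014-11-27T09:00:00Z">
  <saml:Issuer>https://idp.partner.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-11-27T09:00:00Z" NotOnOrAfter="2014-11-27T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://b2b.customer.example/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Age"><saml:AttributeValue>34</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Location"><saml:AttributeValue>Geneva</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML timestamps are UTC ('Z'); make them timezone-aware for a safe comparison."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def read_assertion(xml_text, expected_audience, now):
    """Return (name_id, attributes) if the assertion is valid for this SP at `now`.

    Raises ValueError naming the failed condition. The XML signature must already
    have been verified with the IdP's public key before this function is called.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now < parse_saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")):   # NotOnOrAfter is exclusive
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for another service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs
```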
15. FEDERATION MODELS – PEER-TO-PEER
[Figure: the IDP on the company LAN and its SP are linked by individual trust links to IDP 1, IDP 2, IDP 3, SP x and SP y]
16. IDENTITY FEDERATION WITH A “HUB” SAML ARCHITECTURE
[Figure: a HUB in the data center holds the trust relationships between the IdPs (HQ, W, X, Y, Z) and the service providers SP 1 (App A, App B, App C, App Z), SP 2 (App X) and SP 3 (App Y), plus other applications: SaaS (cloud), partners …]
17. PARTNER CATEGORIZATION
- «Low» level of trust: not mandatory; makes business easier
- «Medium» level of trust: essential for business; several services used
- «High» level of trust: essential for strategy; advanced SLA; sensitive applications
18. ACCOUNT AND ACCESS MANAGEMENT
■ Account provisioning
- Transient (no need to map the account to an existing one)
- Just-in-time (JIT) provisioning (needs a mapping ID)
- Directory synchronization (via CRM or regular export / import)
■ Access management
- Generic partner account
- Establish roles among the partner’s users
- Each partner’s user has its own account
[Figure: example accounts partner-gen-user, part-t1-user, part-t2-user, part-t3-user, part-t4-user]
19. WHY DO WE NEED A UNIQUE ID
■ Ability to uniquely identify a user (or application, machine, service, …) in the IT environment, e.g. for audit purposes
■ No need to manage matching tables per application between the ID and the physical user
■ It is a mandatory prerequisite for internal SSO and external identity federation
■ The ID needs to be kept and archived even if the employee has left the company. It must never be re-assigned to any other employee, to avoid the risk of access rights being recovered.
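The following is an added example (not code from the presentation or from ELCA) of the JIT provisioning of slide 18 combined with the unique-ID rules of this slide: an opaque ID issued at first login, kept when the partner renames the user, and reserved for that person after de-provisioning so it is never handed to anyone else. The partner ID, the IdP subject attribute, the sample users and the role name are assumptions for this example.

```python
import uuid

class IdentityStore:
    """In-memory directory keyed by an opaque unique ID: one ID per physical person."""

    def __init__(self):
        self.by_mapping_key = {}  # (partner_id, idp_subject) -> unique_id, never deleted
        self.active = {}          # unique_id -> current account attributes and roles
        self.archived = {}        # unique_id -> last account snapshot, kept for audit

    def provision_jit(self, partner_id, attrs):
        """JIT provisioning: return the unique ID for the user in a validated assertion."""
        # The mapping ID is the partner IdP's stable subject identifier, not the
        # email: names and emails change, and an email may be handed to someone else.
        key = (partner_id, attrs["subject"])
        uid = self.by_mapping_key.get(key)
        if uid is None:
            uid = "u-" + uuid.uuid4().hex   # opaque: reveals neither name nor partner
            self.by_mapping_key[key] = uid
        # A returning (de-provisioned) subject gets its old ID back with a fresh,
        # empty account: the audit identity is kept, the rights are not recovered.
        account = self.active.setdefault(uid, {"partner": partner_id, "roles": set()})
        account.update(email=attrs["email"], name=attrs["name"])  # refreshed at each login
        return uid

    def deprovision(self, uid):
        """Remove the account and all its rights. The mapping to the ID is kept, so the
        ID stays reserved for that person and is never handed to anyone else."""
        self.archived[uid] = self.active.pop(uid)

def demo():
    """Walk one partner user through the lifecycle; returns facts a caller can check."""
    store = IdentityStore()
    login = {"subject": "p-4711", "email": "a.martin@partner-a.example", "name": "Anne Martin"}
    first = store.provision_jit("partner-A", login)
    store.active[first]["roles"].add("part-t1-user")
    # The partner renames the user and changes the email: same person, same unique ID.
    renamed = dict(login, email="anne.dupont@partner-a.example", name="Anne Dupont")
    second = store.provision_jit("partner-A", renamed)
    store.deprovision(first)
    # A different subject from the same partner never receives the archived ID.
    other = store.provision_jit("partner-A", dict(login, subject="p-9999", name="Bob Roux"))
    back = store.provision_jit("partner-A", renamed)   # Anne returns: ID kept, roles gone
    return {"stable_id": first == second,
            "id_kept_on_return": back == first,
            "roles_recovered": bool(store.active[back]["roles"]),
            "id_reassigned": other == first,
            "archived_name": store.archived[first]["name"]}
```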
21. LEGAL AND CONTRACTUAL CONSTRAINTS
■ Identity authenticity
- Depends on the partner trust level
- Defines constraints on which service is accessed
■ Confidentiality vs. auditability
- Need: audit – track user activity
- Constraint: confidentiality – hide user identity
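As an added example (not code from the presentation or from ELCA), a service-provider session policy that applies the partner trust levels of slide 17 to the constraint above, with 2FA step-up for sensitive applications as on the benefits slide, and an audit trail keyed by the unique ID rather than the person’s name. The service catalogue, the minimum trust per service and the authentication-strength labels are assumptions chosen for this example.

```python
TRUST_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed service catalogue: the minimum partner trust level needed and
# whether the service holds sensitive documents (which then require 2FA).
SERVICES = {
    "partner-portal":   {"min_trust": "low",    "sensitive": False},
    "order-tracking":   {"min_trust": "medium", "sensitive": False},
    "contract-library": {"min_trust": "high",   "sensitive": True},
}

class FederatedSession:
    """One SSO session of a partner user at the service provider."""

    def __init__(self, unique_id, partner_trust, authn_strength):
        self.uid = unique_id              # opaque unique ID, never the person's name
        self.trust = partner_trust        # 'low', 'medium' or 'high' from the partner contract
        self.strength = authn_strength    # 'password' or '2fa', as asserted by the IdP
        self.audit = []                   # (uid, service, decision): auditable yet pseudonymous

    def request(self, service):
        """Decide one access request: 'allow', 'step-up' or 'deny'."""
        decision = self._decide(service)
        self.audit.append((self.uid, service, decision))
        return decision

    def step_up_completed(self):
        """The IdP re-authenticated the user with 2FA inside the same SSO session."""
        self.strength = "2fa"

    def _decide(self, service):
        svc = SERVICES.get(service)
        if svc is None:
            return "deny"                 # unknown service: fail closed
        if TRUST_RANK.get(self.trust, -1) < TRUST_RANK[svc["min_trust"]]:
            return "deny"                 # trust check first: no 2FA prompt for a denied service
        if svc["sensitive"] and self.strength != "2fa":
            return "step-up"              # ask the IdP for 2FA, keep the SSO session
        return "allow"
```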
22. FEDERATED SSO EXAMPLE
- Multi-organization collaboration is common
- Accounts are generally maintained by one organization
- Grant access to externally authenticated users
[Figure: Customer and Business Partner sign a business agreement; the partner authenticates the user; the user accesses the Customer’s resources]
We don’t need to maintain or create external accounts for those users, as the Customer trusts the partner!
23. FEDERATED IDENTITY MANAGEMENT: EXAMPLE
[Figure: a central directory is fed by synchronization from the HR database, SAP, databases and CRM or contacts; federated partners are linked by trust through the federated IAM; the authentication services issue SAML tokens and a session to the user, who accesses the applications (e.g. Exchange)]
26. [Figure: Internet users reach the platform through a Secure CDN. DC 1 & 2 host IAM & Security for employees (ADFS, AD Int., 2FA); DC3 and DC4 host the B2B app and IAM & Security for external users (ADFS, AD Ext., 2FA), with Test and Prod environments; each data center has an F5 Big-IP and a SAML IdP.
Use case 1: employee from LAN
Use case 2: employee from Internet
Use case 3: federated partner from LAN
Use case 4: not-federated partner from Internet
Use case 5: federated partner from Internet]
27. DEFENSE IN DEPTH APPROACH
Security mechanisms per layer:
- HTML/HTTP inspection, input validation checks, secured custom code, sanitization
- OS hardening with BPA / security templates, IIS hardening, HIDS
- Strong authentication, RBAC model, security policy, encryption at rest/in transit, audit, access control
- Secured equipment rack, physically controlled access, secure facilities, RFI/EMI shielding, geographical site location
- Network device access control lists, IPSec encryption, NIDS, firewall
Products and controls used: Secure CDN, F5-ASM, 2FA, Web Password, F5-APM, SIEM (Splunk), CheckPoint, IPS (ISS), VPN IPSec, Best Practice Analyzer, WSUS, Symantec / McAfee, DataCenter1 – ISO27002, DataCenter2 – ISO20000/ITIL
Source: Microsoft defense in depth approach
28. NETWORK DEFENSE: NETWORK SEGMENTATION
[Figure: Front End, Middle End and Back End tiers, with App 1 (prod), App 2 (test) and App 2 (prod) segmented from each other]
29. TRACK USER ACTIVITY: UNIQUE ID
[Figure: employees and contacts from Active Directory and other sources are mapped to a unique ID]
- The unique ID will be independent of the first name and last name of the user
- The unique ID will be generated according to a specific algorithm
- Internal and external users will use their email address to log in to the B2B applications, but the logs will track them using their unique ID
36. BENEFITS OF FEDERATED SSO
- Access to the platform available worldwide with the best technology, providing high performance, strong security and a high-quality user experience.
- Support for standard authentication methods (SAML2) and simplification of the on-boarding process for trusted partners.
- Reduced overall management cost of registration and troubleshooting of user access, since it is a completely automated process (based on CRM synchronization).
- Ability to control access to sensitive assets using 2FA coupled with SAML2 SSO (step-up authentication possible).
- Track and audit user activity using a secure unique identifier linked to a single person while respecting privacy.
37. RECOMMENDATIONS #1
■ Document the identity and access management (IAM) plan:
- Understand what the business wants in terms of requirements,
- How it will be operated (insourced or outsourced?),
- Who is responsible for which pieces and how they function.
■ Produce fast results – achieve some quick, low-cost results
■ Address high-risk areas early – security issues are often the primary business concern (start with SSO and strong authentication); allow easier security auditing
■ Increase integration between directory, security and application services with a SAML Identity Provider.
■ Improve capabilities that promote the ease and efficiency of finding organisational data
■ Precise management of identity entitlements and modification or termination of system access rights through provisioning and de-provisioning mechanisms
38. RECOMMENDATIONS #2
■ Assess existing systems for accreditation and adherence to industry standards to smooth the SAML migration
■ Use a standard set of security protocols (SAML, OAuth)
■ Rationalise, synchronise and, where appropriate, reduce the number of directory services and identity information repositories
■ Reduce identity duplication and combine capabilities:
- To simplify the overall infrastructure
- Choice of a unique identifier for internal and external users
- Reduce management/administration efforts
- Enable a greater degree of single sign-on capabilities across the business systems
- Allow easier security auditing
■ Manage identity entitlements of system access rights through provisioning and de-provisioning mechanisms
39. WHY CHOOSE OUR SOLUTION
ELCA has proven expertise to be your IAM partner
■ Proven IAM expertise
■ Ability to deliver on time
■ Quality of deliverables
■ Business focus first
■ Knowledge of customer needs
■ Team working with customer representatives
■ Innovation and cutting-edge solutions
■ Security focus in mind
■ Efficiency
■ Neutral integrator
■ Customization
■ Your local IAM partner
40. ELCA ARCHITECTURE
[Figure: authoritative sources (HR, external) feed a metadirectory; an approver and a user ID admin manage employees, contractors and stakeholders through self-service and access management, with a dashboard and reports; the metadirectory synchronizes AD + Exchange, the enterprise platform and other apps through IAM connectors; partners are federated with SAML claims; an auditor and an application auditor rely on log collection for access intelligence]
41. ELCA IAM SUCCESS STORY
For a large humanitarian worldwide organization (9’000 users, 20’000 partners)
43. ELCA IAM SUCCESS STORY
For an insurance company (2’000 users, 20’000 brokers)
44. ELCA IAM SUCCESS STORY
For an international sports organization (500 users, 100’000 partners worldwide)
45. Lausanne | Zürich | Bern | Genf | London | Paris | Ho Chi Minh City
Thank you for your attention
For further information please contact:
Nagib Aouini
Head of division Identity & Access
nagib.aouini@elca.ch
Editor’s notes
Not necessarily in size, but in business importance