Managing Enterprise Identity and Access in 2013
IT Directors
May 14, 2013, Allyn McGillicuddy and Melvin Vaughan
AGENDA
• The Changing Landscape for Identity and Access Management
• Enterprise Identity – Foundational Concepts
• Enterprise Identity Operations Management
• Managing Identity in the Extended Enterprise
  – Identity Federation
  – Identity as a Service
• Identity Management Compliance and Operations Considerations
IT Directors Community of Practice
Changing Landscape for Enterprise Identity and Access Management
– In the extended enterprise, business workflow is not confined within the company’s infrastructure
  • SaaS vendors
  • Cloud-based services
– People outside the enterprise are accessing the company’s infrastructure
  • Customers
  • Business allies
  • Contractors and temporary workers
  • Service providers
– How does this affect the threat landscape?
Today’s Threat Landscape
High-profile sharing applications represent lower than expected threat volume
– Social networking, video, and file sharing applications represent
  • 25% of the applications,
  • 20% of the bandwidth, but only
  • 0.4% of the threat logs, primarily exploits
– This is not to say these applications are low risk
– The volume is low when compared to the volume and frequency of use, and to the threats found in the other applications
Source: Palo Alto Networks, Application Usage and Threat Report, 10th Edition, which summarizes network traffic assessments performed on more than 3,000 networks, encompassing 1,395 applications, 12.6 petabytes of bandwidth, 5,307 unique threats and 264 million threat logs
Exploits Target High-value Business Applications and Assets
– Crunchy on the outside:
  • Exploits are bypassing the “crunchy” perimeter security and targeting enterprises’ most valued assets, their “tender” business applications.
– Tender on the inside:
  • Out of 1,395 applications found, 10 were responsible for 97% of all exploit logs observed
  • 9 of them are business critical applications.
Custom/unknown Applications and Malware have Low Incidence Rate, but Pose the Greatest Risk
– While small in volume, unknown/custom traffic is high in risk, exemplifying the 80/20 rule
– The highest volume of malware logs (55%) was found in custom or unknown UDP
– Yet it represented only 2% of all bandwidth
Conclusion: high value assets are in need of added levels of security
Access Methods are Evolving
Separate password for each application
Separate password for each IdP*
*IdP = Identity Provider
Shared standards are evolving for identity, authentication, and authorization.
User selection
Analogy to ATM networks
Enterprise Identity
• So what is enterprise identity?
• Identity is a set of attributes that describes a profile of an individual, business organization, or software entity.
• The set of attributes for an individual, for example, could include
  – driver's license
  – social security number
  – travel preferences
  – medical history
  – financial data
  – etc.
ENTERPRISE IDENTITY
FOUNDATIONAL CONCEPTS
Identity Management Roles
Service providers (SP)
Identity Providers (IdP)
Individuals* with multiple identity profiles
• Healthcare profile
• Employee profile
• Investor profile
• Social profile
• Business profile
Equal and interoperable identity providers
Control over ownership and disclosure
Manage privacy and preferences
*A person, a business, a software entity
Evolution of Identity Networks
Organizations can maintain their own customer/employee data while sharing identity data with partners based on their business objectives and customer preferences.
IdM Nomenclature - Identification
• Identification • Authentication • Authorization • Logon Process • Accounting
Comparing presented credentials to a set of attributes that describes a profile of an individual, business organization, or software entity
IdM Nomenclature - Authentication
Confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program. Authentication often involves verifying the validity of at least one form of identification.
IdM Nomenclature - Authentication
• Authentication Attributes
  – What you have
  – What you know
  – What you are
  – Where you are
  – Combinations
    • 2-factor, 3-factor authentication
    • Hybrid
    • Mutual authentication
Cross-Domain Authentication
Two or more user directory domains within the same enterprise are implicitly connected by two-way, transitive trusts.
Authentication requests made from one domain to another are successfully routed in order to provide a seamless coexistence of resources across domains.
Users gain access to resources in other domains after first being authenticated in their “home” domain.
MS Active Directory Federation Services (ADFS): two or more systems use tokens to exchange credentials. ADFS employs the MS claims-based access control and authorization model.
SAML: OASIS-based, browser-oriented, XML-based standard for exchanging authentication credentials over the Internet.
WS-Trust: OASIS-based standard that employs web services to exchange security tokens across domains. This can be used for security key exchange.
WS-Trust fails to address some requirements of federation (e.g. privacy)
IdM Nomenclature - Authorization
Process of managing access to resources and access rights or privileges, using access control rules to decide whether access requests from already authenticated requesters shall be approved (granted) or disapproved (rejected).
IdM Nomenclature – Logon/Login
1. Presenting the credentials required to obtain access to a computer system or other restricted area
2. The process by which individual access to a computer system or network is controlled by evaluating the presented identity and credentials
IdM Nomenclature - Accounting
Managing information about the relationship of users and the resources they are/are not permitted to access, including
• access history
• account control
• access audits
Employs mechanisms to
• synchronize users
• access rules or constraints
• manage/review/report on access to system and/or cloud-enabled resources
Assertion Query
• The “A” in SAML is Assertion
  – Security Assertion Markup Language
  – An assertion is simply 1 or more statements
  – An assertion query is a request
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ForceAuthn="true"
      AssertionConsumerServiceURL="http://www.example.com/"
      AttributeConsumingServiceIndex="0"
      ProviderName="string"
      ID="abe567de6"
      Version="2.0"
      IssueInstant="2005-01-31T12:00:00Z"
      Destination="http://www.example.com/"
      Consent="http://www.example.com/">
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
    </saml:Subject>
  </samlp:AuthnRequest>
In this example, a SAML assertion is being requested pertaining to the supplied subject ([email protected]).
Attribute Definitions
• User Attributes
  – Each piece of identifying information about a user
  – Users have identity attributes, each of which may be stored on one or more target systems.
  – The individual claiming an attribute may only grant selective access to its information
• Attributing party
  – Trusts that the claim of an attribute (such as name, location, role as an employee, or age) is both
    • Correct
    • Associated with the person or thing presenting the attribute.
• Contextual identity
  – Digital identity is better understood as a particular viewpoint within a mutually-agreed relationship than as an objective property.
ENTERPRISE IDENTITY MANAGEMENT
OPERATIONS MANAGEMENT
Automatic Provisioning
Process to grant users access to data repositories or grant authorization to systems, network applications and databases based on a unique user identity.
Creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes
• Examples
  – Process to monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
  – Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
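An added illustration of the two provisioning examples above, not code from the deck: one reconciliation run between an HR feed and a downstream system that creates accounts for new records and disables (never deletes) accounts whose termination date has passed or whose HR record is gone. The employee ids, e-mail addresses and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR feed; employee_id is the unique identity that drives provisioning."""
    employee_id: str
    email: str
    worker_type: str                          # "employee" or "contractor"
    termination_date: Optional[date] = None   # scheduled end date, if any


@dataclass
class Account:
    """A user object in a downstream system or application."""
    employee_id: str
    login: str
    enabled: bool = True


def reconcile(hr_records: List[HrRecord], accounts: List[Account],
              today: date) -> Tuple[List[Account], List[Account]]:
    """Plan one provisioning run: returns (accounts to create, accounts to disable).

    - An HR record with no downstream account yields a create, unless its
      termination date has already passed (a leaver is never provisioned).
    - An enabled account whose HR record has a past termination date, or whose
      HR record has vanished from the feed, is disabled. Accounts are disabled,
      not deleted, so access history stays available for audit.
    """
    accounts_by_id = {a.employee_id: a for a in accounts}
    hr_ids = {r.employee_id for r in hr_records}
    to_create: List[Account] = []
    to_disable: List[Account] = []
    for rec in hr_records:
        expired = rec.termination_date is not None and rec.termination_date < today
        existing = accounts_by_id.get(rec.employee_id)
        if existing is None:
            if not expired:
                to_create.append(Account(rec.employee_id, rec.email.split("@")[0]))
        elif existing.enabled and expired:
            to_disable.append(existing)
    for acct in accounts:                      # orphans: no HR record at all
        if acct.enabled and acct.employee_id not in hr_ids:
            to_disable.append(acct)
    return to_create, to_disable


def apply_plan(accounts: List[Account], to_create: List[Account],
               to_disable: List[Account]) -> List[Account]:
    """Execute the plan against the (in-memory) target system."""
    for acct in to_disable:
        acct.enabled = False
    return accounts + to_create


# Constructed sample data: an HR feed and the account table of one target system.
SAMPLE_HR = [
    HrRecord("E100", "alice@example.com", "employee"),
    HrRecord("C200", "bob@example.com", "contractor", date(2013, 5, 1)),    # termination date passed
    HrRecord("E300", "carol@example.com", "employee"),                      # new hire, no account yet
    HrRecord("C400", "dave@example.com", "contractor", date(2013, 1, 1)),   # left before being provisioned
]
SAMPLE_ACCOUNTS = [Account("E100", "alice"), Account("C200", "bob"), Account("E999", "ghost")]


def demo_run(today: str = "2013-05-14") -> Tuple[List[str], List[str]]:
    """Run the sample reconciliation on the given ISO date; returns (ids to create, ids to disable)."""
    to_create, to_disable = reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, date.fromisoformat(today))
    return ([a.employee_id for a in to_create],
            sorted(a.employee_id for a in to_disable))


if __name__ == "__main__":
    print(demo_run())   # (['E300'], ['C200', 'E999'])
```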
Privileged Accounts Management
• Grant administrators only the access rights required for their jobs
• Base those rights on established and controlled policy
  – Policy-based delegation of elevated access privileges
  – Secure the process of requesting, approving and issuing access to those accounts
    • critical application-to-application (A2A) access
    • application-to-database (A2D) access
    • separation of duties for privileged access
  – Manage policy, rights and activities performed through privileged access
Privileged Accounts Management
48% of data breaches were caused by privileged misuse
- Verizon, Data Breach Investigations Report
“Shared superuser accounts — typically system-defined in operating systems, databases, network devices and elsewhere — present significant risks when the passwords are routinely shared by multiple users”
- Gartner, MarketScope for Shared-Account/Software-Account Password Management
75% of responding DBAs reported that “Our organizations do not have a means to prevent privileged database users from reading or tampering with human resources, financial or other business application data in the databases”
- Oracle DBA Survey
Synchronized Identities Model
• Multiple identity models or systems are synchronized
• An authoritative identity source is built from multiple identity sources
• The identities are stored in a reference directory, such as LDAP
• Synchronization
  – Changes to identities in the authoritative directory are propagated to the reference directory
  – Access rights are then updated
Proxied Authentication
• Uses a middle-tier server for authentication
Three types
1. An application user, or an application, authenticates itself with the middle-tier server.
   – Client identities can be maintained all the way through to the database.
2. The client's identity and database password are passed through the middle-tier server to the database server for authentication.
3. The client, that is, a global user, is authenticated by the middle-tier server, and passes either a Distinguished Name (DN)* or a certificate through the middle tier for retrieving the client's user name.
*DN is a global name in lieu of the password of the user being proxied
  CREATE USER jeff IDENTIFIED GLOBALLY AS 'CN=jeff,OU=americas,O=oracle,L=redwoodshores,ST=ca,C=us';
  ALTER USER jeff GRANT CONNECT THROUGH scott AUTHENTICATED USING DISTINGUISHED NAME;
ENTERPRISE IDENTITY MANAGEMENT
THE EXTENDED ENTERPRISE
The Extended Enterprise
• In the emerging “extended enterprise” business function workflows often extend beyond the boundaries of the enterprise
• The “extended enterprise’s” security practices must treat internal and external users in the same manner
Identity Federation
• The technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains
• Identity federation goal: enable users of one domain to securely and seamlessly access data or systems of another domain without the need for redundant user administration.
• Scenarios
  – User controlled (user-centric)
  – Enterprise controlled (B2B)
Identity Federation Goals
Identity portability achieved in a non-proprietary, standards-based manner
Cross-domain, web-based
– single sign-on
– user account provisioning
– entitlement management
– user attribute exchange
Automatic use cases
– user-to-user
– user-to-application
– application-to-application
Federation Types
• Identity-based Federation
  – Only the SSO functionality of SAML is required, and the identity is registered in both organizations. If Joe is registered with the IdP and wants a resource on an SP in another organization, then that same identity is registered at the SP. The identity of the Principal is carried in the <Subject> element of the <Assertion>.
• Attribute-based Federation
  – Similar to Identity-based Federation, but the type of session and the access rights the user has on the SP are based on attribute information transported in the SAML assertion. While the user name can be used for auditing purposes, it is not used for access management purposes. An example is using a Role attribute, for example "HR Member".
  – Attributes are carried in the <AttributeStatement> of a SAML assertion.
Attribute Based Access Control (ABAC) is used by Grid Systems, in which the relationship between users and resources is ad hoc.
SSO in a Federation
• A process that is used across multiple IT systems and organizations to authenticate access to a resource for an individual or system
• A user's single authentication ticket, or token, is trusted across multiple IT systems and/or even organizations.
• SSO relates to authentication, only, and does not include authorization.
Federation Termination
Defederation is the process of terminating the validity of a federated identity with either an IdP or an SP.
Both the IdP and the SP should notify each other of defederation. However, it appears there is not a structured or standardized method for defederation.
The distinction must also be made between terminating a federated session versus terminating a federation relationship altogether.
Identity Federation Solution Providers
Radiant Logic: RadiantOne
RadiantOne Federated Identity Platform
Virtual Directory Server (VDS)
VDS extracts identity and context information out of various application and data silos. It re-maps the underlying sources and presents the identity data in customized views.
Identity Correlation and Synchronization Server (ICS)
Identifies relationships between identities represented in heterogeneous data sources. ICS builds a common identity out of multiple systems to create a unified view of identity data, eliminating user overlaps.
Cloud Federation Service (CFS)
Provides the RadiantOne suite with a complete identity provider (IdP), an authentication module which verifies a security token once and then uses it for each system it needs to access for on-premise and cloud-based applications, enabling single sign-on for users.
Identity Federation Solution Providers
Ping Identity
PingFederate
Outbound and inbound solutions for single sign-on, federated identity management and mobile identity security. Tier 1 SSO extends employee, customer and partner identities across domains without passwords, using standard identity protocols (SAML, WS-Fed, OpenID). PingFederate translates customer and partner standard tokens into local tokens. For outbound use cases, PingFederate authenticates user credentials, regardless of how they authenticate, and translates them into standard tokens.
PingOne Identity as a Service
PingFederate can be deployed in conjunction with PingOne Cloud Access Services for faster and more flexible employee access to SaaS applications.
Identity Federation Solution Providers
OneLogin
OneLogin focuses primarily on companies that operate in the cloud and integrates with cloud apps using SAML, WS-Federation, OpenID and web services integration.
The company's cloud-based IAM market now includes 700 enterprise customers in 35 countries, including AAA, Gensler, Netflix, News International, Pandora, Steelcase and PBS.
OneLogin has continued on a path of innovation and growth, including:
• First iPad app for identity management
• First Federated Cloud Search IAM product that enables secure, real-time search across public cloud applications such as Box, Google Apps, Salesforce, Yammer and Zendesk
• Pre-integration with 2,800 cloud apps, more than any other IAM vendor
• Open Source SAML Toolkits, now used by over 70 SaaS vendors and over 30 app vendors to make their apps more secure
Identity Federation Solution Providers
PasswordBank Technologies Inc.: PasswordBank Federation
• Federated Single Sign-On allows a user to login once and then access all authorized cloud and on-premise services across Mac, Linux and Windows, without the need for a password at each service.
• Enables the Enterprise to maintain full and centralized control over access to all applications of the organization.
  – Two-factor strong authentication
  – Account provisioning and deprovisioning
  – Centralized audit repository
• PasswordBank IdentityBroker allows identity-related information to be shared securely between the Enterprise, Service Providers and Identity Providers (cloud and on-premise applications).
Identity as a Service
• Authentication infrastructure hosted by a third party
• SSO in the cloud
• IDaaS for enterprises’ SaaS applications
• A cloud IDaaS service provider may
  – Securely manage cloud identities for SaaS applications
  – Maintain federated trusts
  – Manage account provisioning/deprovisioning
  – Host applications
  – Provide subscribers with role-based access to specific applications
  – Provide entire virtualized desktops through a secure portal
  – Provide identity auditing
Stateless Identity
• Just-in-time identity data and services received from authoritative domains
• Similar to Windows Azure Access Control Services and carried outside the enterprise
• Once authorizations are configured, a user coming to an application via ACS arrives at the application “entrance” with not only an authentication token, but also a set of authorization claims attached to the token
Authentication Service
• Open API – Not limited to LDAP and AD
• Called by both internal and external apps
• Performs identification, authentication, and attribute delivery of all users under enterprise control
Provisioning Service
• Open API for account synchronization among internal, SaaS, and partner apps
  – Called by both internal and external apps
  – Supports deprovisioning
  – Enables provisioning workflows loosely coupled with internal directory and database infrastructure
  – Available connectors for many enterprise systems and apps
SAML to Token Service
A client obtains a SAML 2.0 bearer assertion and makes an HTTP request to the PingFederate OAuth AS to exchange the SAML assertion for an access token. The AS validates the assertion and returns an access token. The client uses the token in an API call to the Resource Server to obtain data.
1. Some user-initiated or client-initiated event (for example, a mobile application or a scheduled task) requests access to Software as a Service (SaaS) protected resources from an OAuth client application.
2. The client application obtains a SAML 2.0 bearer assertion from a local Identity Provider (IdP) for example, PingFederate.
3. The client makes an HTTP request to the PingFederate OAuth AS to exchange the SAML assertion for an access token. The AS validates the assertion and returns the access token.
4. The client application adds the access token to its API call to the Resource Server. The Resource Server returns the requested data to the client.
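The exchange in steps 2 to 4, as an added example rather than PingFederate's own code: a toy OAuth authorization server (AS) that accepts the SAML 2.0 bearer grant in the RFC 7522 layout, the client-side token request, and a resource server that honours only tokens the AS minted. The assertion, issuer, endpoint URL and subject are constructed sample values, and XML signature verification is assumed to be supplied by the caller as a callback wrapping a real XML-DSig library (the sketch does not implement XML-DSig itself).

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_URL = "https://as.example.net/as/token.oauth2"      # constructed AS token endpoint
IDP_ISSUER = "https://idp.example.internal"               # constructed local IdP entity id

# Constructed sample assertion, as the local IdP would hand it to the client (step 2).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2013-05-14T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER_CM}"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-05-14T11:55:00Z" NotOnOrAfter="2013-05-14T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_URL}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".encode()


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2013-05-14T12:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_token_request(assertion_xml: bytes) -> str:
    """Client side (step 3): form body POSTed to the AS token endpoint, RFC 7522 layout."""
    enc = base64.urlsafe_b64encode(assertion_xml).decode().rstrip("=")
    return urlencode({"grant_type": GRANT, "assertion": enc})


class AuthorizationServer:
    """Toy OAuth AS: validates the bearer assertion, then mints an opaque access token."""

    def __init__(self, trusted_issuers, verify_signature, clock):
        self.trusted_issuers = set(trusted_issuers)
        self.verify_signature = verify_signature   # assumed XML-DSig check: bytes -> bool
        self.clock = clock                         # () -> timezone-aware datetime
        self.tokens = {}                           # access_token -> subject NameID

    def token_endpoint(self, form_body: str):
        params = parse_qs(form_body)
        if params.get("grant_type") != [GRANT] or "assertion" not in params:
            return 400, {"error": "invalid_request"}
        try:
            enc = params["assertion"][0]
            raw = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))
            subject = self._validate(raw)
        except (ValueError, TypeError, ET.ParseError) as exc:   # bad base64 is a ValueError
            return 400, {"error": "invalid_grant", "error_description": str(exc)}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = subject
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 300}

    def _validate(self, raw: bytes) -> str:
        """The checks the AS must make before trusting the assertion (step 3)."""
        if not self.verify_signature(raw):         # authenticity first, before parsing content
            raise ValueError("signature check failed")
        ns = {"saml": SAML_NS}
        root = ET.fromstring(raw)
        if root.findtext("saml:Issuer", namespaces=ns) not in self.trusted_issuers:
            raise ValueError("untrusted issuer")
        if root.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER_CM}']", ns) is None:
            raise ValueError("not a bearer assertion")
        cond = root.find("saml:Conditions", ns)
        now = self.clock()
        if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
        if TOKEN_URL not in audiences:             # an assertion minted for another party is refused
            raise ValueError("audience mismatch")
        return root.findtext("saml:Subject/saml:NameID", namespaces=ns)


def resource_server(as_: AuthorizationServer, authorization_header: str):
    """Step 4: the resource server honours only tokens the AS minted."""
    scheme, _, token = authorization_header.partition(" ")
    subject = as_.tokens.get(token) if scheme == "Bearer" else None
    if subject is None:
        return 401, {"error": "invalid_token"}
    return 200, {"owner": subject, "records": ["constructed sample record"]}


def run_flow(now: str, assertion: bytes = SAMPLE_ASSERTION, signature_ok: bool = True):
    """Drive steps 3 and 4 at wall-clock `now`; returns (token status, resource status)."""
    as_ = AuthorizationServer([IDP_ISSUER],
                              verify_signature=lambda raw: signature_ok,
                              clock=lambda: _ts(now))
    status, body = as_.token_endpoint(build_token_request(assertion))
    if status != 200:
        return status, None
    rs_status, _ = resource_server(as_, "Bearer " + body["access_token"])
    return status, rs_status
```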
Identity Discovery Problem
A user interacting with a service provider wants to access restricted content on a site within a federation:
1. The user, via web browser, connects to the target service provider; and requests to view restricted content.
2. The service provider receives this request, and needs to know information about the person.
3. In the federated world, this means that the user needs to be sent to their home organization's identity provider, which will "vouch" for that person and pass across information about them to the resource provider.
4. The service provider "discovers" which is the user's home institution.
5. The service provider redirects the user to their home institution's identity provider.
6. The user authenticates at their identity provider (IdP), which responds to the service provider (SP), letting them know that this user authenticated successfully, and often providing some information about that user.
7. The service provider receives this information, and then either grants or denies access based upon the information it received.
Q: How does the SP figure out which is the user’s “home” IdP?
Identity Discovery Solutions
A user interacting with a SP wants to access restricted content on a site within a federation.
Solution Options
1. Avoid Discovery (IdP-initiated SSO)
Each institution can configure a page (usually their existing library portal page) to list all resources available to their users along with links to these resources. These links are constructed such that they send the user
  1. to that institution's identity provider*; after the user has successfully authenticated,
  2. directly onto that resource.
Thus, the service provider never has to "discover" which institution the user is from, since the first time they see the user, the user has already authenticated.
*But suppose the user starts on the site where the target content is located?
Identity Discovery Solutions
A user interacting with a SP wants to access restricted content on a site within a federation.
Solution Options
2. Client-less Discovery (SP-Initiated SSO)
The SP asks the user to manually tell them which is their home organization. This method of discovery comes in two forms:
  1. The user tells the service provider directly; or
  2. The SP sends the user to a centrally provided service; the user tells this service.
*OMG the user has to do this manually every time? Really?
Identity Discovery Solutions
A user interacting with a SP wants to access restricted content on a site within a federation:
Solution Options
3. Client-mediated Discovery
The client is configured to tell the SP what the user’s home organization is.
  1. The user's client tells the service provider where the person is from; or
  2. The user's client is the identity provider; or
  3. The user's client proxies the identity provider.
Enterprise Cloud Identity & Access Management Providers
• Security and risk professionals see IAM as a cost center and prefer not to build out or expand IAM capabilities
• Cost-effective, SaaS-based IAM solutions that complement on-premises ones are available
Client-Mediated Discovery
The client is configured to tell the SP what the user’s home organization is.
1. The user's client tells the service provider where the person is from
   – Enhanced client or proxy (user’s browser plugin)*
   – Plugin “listens” for WAYF requests from the SP
   – Automatically answers
2. The user’s client is the Identity provider (self-issued identity)
3. The client sends this request on to the user's identity provider (it proxies it), receives the response, and in turn sends this response back to the service provider.**
*SAML 2 Specification for ECP
**The SP never needs to know who the IdP is
WAYF
• Where Are You From
  – You must answer that question when you log into a web based service using WAYF login.
  – WAYF login is a Single Sign-On system* which permits using one single login to access several web-based services.
    • Creates connections between the login systems at the connected institutions and external web based services.
    • Ensures that users consent to have information about them passed on to the web-based services.
  – WAYF login does not store any personally identifiable data.
*Provided by the Danish government in collaboration with many identity and service providers and institutions
Authorization Service
Central authorization repository
– Authorization model information used to provide complex access controls based on data, information or policies including user attributes, user roles/groups, actions taken, access channels, time, resources requested, external data and business rules
– Policies that are stored in an IAM policy store
Frameworks
– Spring Security
  • Access control framework; released under an Apache 2.0 license
  • Used to secure numerous demanding environments including government agencies, military applications and central banks.
– Seam Framework
  • Programming model with a Security API (an optional Seam feature) that provides authentication and authorization features for securing access to domain and web page resources, components, and component methods
  • Can be used to display/hide web page content based on user privileges
  • Includes a comprehensive authorization framework, supporting user roles, persistent and rule-based permissions, and a pluggable permission resolver for easily implementing customized security logic.
Enterprise Cloud Identity & Access Management Providers
Intel Cloud SSO
• Standards-based identity as a service (IDaaS) solution
• Context-aware Strong Authentication
  – invokes mobile or hardware assisted, 2-factor authentication based on the target app, network, time of day, mobile browser and other parameters.
• Connects Identity Stores
  – Authenticates, provisions/de-provisions user access to cloud systems from inside or outside the corporate firewall, leveraging directory services including Active Directory, LDAP, Salesforce.com, or Intel Cloud SSO identity stores.
Enterprise Cloud Identity & Access Management Providers
Okta Cloud Identity and Access Management
• Access control to SaaS applications
• User account provisioning for SaaS and in-house applications
• User access recertification
• User repositories supported
• Multitenancy & protection of personally identifiable information
• Auditing and reporting
• Strong authentication support
• Good integration with strong authenticators & broad SaaS application support
• Runs on Amazon Web Services under the covers
• Many pre-integrated SaaS business applications
• Extensively supports Integrated Windows Authentication (IWA)
• Supports inbound SAML for identity provider (IdP) proxying*
• No support for disabling users automatically after a period of inactivity, or for attestation.
*May limit usefulness for large clients
Enterprise Cloud Identity & Access Management Providers
Symplified Cloud Identity and Access Management
• One of the longest-standing in the cloud IAM market
• Architecturally stable via its Identity Router customer-premises equipment infrastructure
• Can be deployed as a software or hardware appliance, or as a cloud connector
• Broad protocol and endpoint support
• Partners with Symantec’s VIP service for strong authentication
• CSC is a reseller and provides system integration
• Does not support implicit or just-in-time provisioning
• Dashboards and reporting are fairly immature
• No workflow designer — only an implicit workflow for access request management and approvals
• By design, no support for hierarchies of multi-tenancy, which may limit its usefulness at large clients
Enterprise Cloud Identity & Access Management Providers
Covisint Cloud Identity and Access Management
• Access control to SaaS applications
• User account provisioning for SaaS and in-house applications
• User access recertification
• User repositories supported
• Multitenancy & protection of personally identifiable information
• Auditing and reporting
• Strong authentication support
COMPLIANCE and OPERATIONAL CONSIDERATIONS
ENTERPRISE IDENTITY
Identity Compliance and Privacy
• A user signs in and out of Identity Provider (IdP) systems or security token services (STS) via explicit messages or implicitly via a request
• The issued tokens may either represent the principal's primary identity or some pseudonym appropriate for the scope
• The IdP or STS issues messages to interested and authorized recipients.
• Principals are registered with the attribute/pseudonym services and attributes and pseudonyms are added and used.
• Authorized services can query attribute/pseudonym services using the provided identities to obtain authorized information about the identity.
• Such queries can potentially be anonymous, which means that the party requesting the information holds an opaque token and is not aware of the real identity of the object of the query
Name Mapping and Linking
• In a federated environment, with identity information and other assertions passing through a network between systems, protecting the user’s privacy becomes paramount.
• With SSO, it is possible to track the user across several SPs.
• Pseudonyms provide a way to obfuscate the identity of the user across SPs.
• When the IdP delivers the assertions to the SP, the use of pseudonyms makes it possible to have a different user ID for the same user at each SP
• Persistent Pseudonym - the SP will see the same pseudonym each time the user accesses the SP.
• Transient Pseudonym - the SP is presented with a different pseudonym each time a user gains access to the SP.
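Persistent versus transient pseudonyms in code, as an added example that is not from the deck: a toy IdP derives a persistent NameID per (user, SP) pair with a keyed HMAC, so two SPs receive values they cannot correlate, and a transient NameID from fresh randomness that only the IdP can map back; a minimal SP account store then shows what each kind lets the SP do across logins. The user id, SP entity ids and key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


class PseudonymIssuer:
    """IdP-side NameID generation for the two pseudonym kinds on this slide."""

    def __init__(self, key: bytes):
        self._key = key                                   # IdP-only secret, never sent to any SP
        self._transient: Dict[Tuple[str, str], str] = {}  # (sp, transient id) -> user, IdP memory only

    def persistent(self, user_id: str, sp_entity_id: str) -> str:
        """Stable per (user, SP); the SP id is part of the input so two SPs get unlinkable values."""
        msg = sp_entity_id.encode() + b"\x00" + user_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def transient(self, user_id: str, sp_entity_id: str) -> str:
        """Fresh random id per login; the SP cannot recognise the user on the next visit."""
        nid = "_" + secrets.token_hex(16)
        self._transient[(sp_entity_id, nid)] = user_id
        return nid

    def resolve_transient(self, sp_entity_id: str, nid: str) -> Optional[str]:
        """Only the IdP can map a transient id back, and only for the SP it was issued to."""
        return self._transient.get((sp_entity_id, nid))

    def name_id(self, user_id: str, sp_entity_id: str, fmt: str) -> str:
        """The value the IdP places in <NameID Format=fmt> of the assertion sent to sp_entity_id."""
        if fmt == PERSISTENT:
            return self.persistent(user_id, sp_entity_id)
        if fmt == TRANSIENT:
            return self.transient(user_id, sp_entity_id)
        raise ValueError("unsupported NameID format: " + fmt)


class ServiceProvider:
    """Minimal SP account store keyed on whatever NameID the IdP presents."""

    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.accounts: Dict[str, int] = {}                # name_id -> local account number

    def login(self, name_id: str) -> int:
        """Returns the local account, creating one the first time a NameID is seen."""
        return self.accounts.setdefault(name_id, len(self.accounts) + 1)


def logins_seen(fmt: str, times: int = 2) -> Tuple[int, ...]:
    """Log the constructed user 'jdoe' into one SP `times` times with the given format and
    return the local account number the SP used at each login."""
    idp = PseudonymIssuer(b"constructed-idp-secret")
    sp = ServiceProvider("https://sp-a.example")
    return tuple(sp.login(idp.name_id("jdoe", sp.entity_id, fmt)) for _ in range(times))
```

With the persistent format the SP keeps recognising the same local account; with the transient format every login looks like a new, unrelated user to the SP.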
Single Logoff Operations
• When the user selects logoff in an application, two potential options must be offered.
  1. Does the user want to logoff from this specific application, maintaining the current SSO session, or
  2. Does the user want to end their SSO session, closing all individual application sessions?
• Solution for #2
  – SP communicates the logoff request to the IdP. The IdP, based on its session store and information from the metadata, issues a logoff request to all SPs for which an active session is present.
  – When the SP receives a logout request, it will close the current session and notify the application, allowing the application to perform required cleanup.
Session Timeout Operations
• With SSO, the user is using the same login for several applications, potentially across several systems
• Managing SSO session timeouts by each application is inefficient
• With Single Log Off, applications can, through the IdP, centrally manage a user’s idle time
• Consolidating session timeouts and establishing a consistent session timeout period is another policy that must be considered when a federation forms.
Conclusion
Enterprise Identity Management has matured with the expansion of established standards and interoperability approaches. The growing number of enterprise applications accessed by internal employees in collaboration with sales partners, distribution partners, customers, and other business channels.
Enterprise IT executives with limited development, deployment, and infrastructure budgets are differentiating strategic, proprietary systems from utilities that are now widely available outside the enterprise firewalls. Many enterprise strategies include integrating identity federation into their IT vision, strategy, infrastructure, and application support models.
CIOs also recognize the growing importance of understanding the whole spectrum of identity management capabilities, including how to handle identity-based Web services. Implementing identity federations is now feasible and increasingly mandated by business partners, affiliates, and customers. With the growing number of cloud and access management solutions, strategic partnerships with solution providers and consultants will be central to a successful outcome.