SSO Strategy Implementation Considerations
Uploaded by john-bauer
Category: Technology
Transcript of SSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
July 8, 2010
Agenda
• Why listen to this @jfbauer guy on SSO?
• Agree on Terminology
• Current Landscape
• SSO Utopia
• Application – Framework View
• Future State
• Roadmap
Why listen to this @jfbauer guy on SSO?
SSO Related Speaking Engagements
• Nov. 2008, CA World, Identity and Access Management
• Sept. 2008, Oracle OpenWorld, Identity and Access Management
• Aug. 2008, CA IAM Conference, Houston, TX
• July 2008, Medical Mutual IAM Conference, Cleveland, OH
• Nov. 2007, Gartner Identity and Access Management Conference, Los Angeles, CA
• Nov. 2007, Oracle OpenWorld, Online Real-time Fraud Detection
• Aug. 2007, Oracle NEO Enterprise Architecture Quarterly
• June 2006, NACHA Authentication Conference, Reston, VA
Agree on Terminology
Single Sign-On?
LDAP vs. Active Directory?
Authentication vs. Authorization?
Build vs. Buy?
Vendor Solutions?
TAM vs. SiteMinder vs. OAM?
Security = Inverse of Convenience?
Directory of Record?
How/When to “Integrate?”
Roadmap?
Entitlements?
IAM?
Agree on Terminology
• First step, establish definitions for terminology so we can all speak the same language
Agree on Terminology
• Single Sign-On = Ability for a single individual to use one single set of credentials (ex. user name + password) to access the multiple applications they use
• Authentication = Simply an individual providing credentials to prove who they are
  – I’m really Bob, not Mary
Agree on Terminology
• Authorization = Simply verifying if an authenticated individual has been granted access to an application
  – I’m Bob and I can access Application X
• Audit = Recording in a log file what just occurred
  – Bob successfully accessed Application X login page on 7/7/2010 at 9:01am EST
Agree on Terminology
• Entitlements = Now that an individual has been authenticated and is authorized to access an application, what can and can’t they do/see within that application
  – I’m Bob, I can access Application X and within Application X I can view planning data and reports but I can’t change anything
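As an added illustration (not part of the slides), the four definitions above modeled as four separate decisions in Python: one authentication at the SSO service, an authorization check per application, an entitlement check inside the application, and an audit record for every outcome, denials included. Bob, Application X and the view-only entitlements follow the slides; the password, salt, second application and log format are constructed.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed directory of record: user name -> salted hash of the ONE SSO password.
def _hash(password: str) -> str:
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()

DIRECTORY = {"bob": _hash("correct horse")}              # authentication data
APP_ACCESS = {"bob": {"Application X"}}                  # authorization: app-level grants
ENTITLEMENTS = {("bob", "Application X"): {"view:planning", "view:reports"}}  # in-app rights
AUDIT_LOG: list[str] = []                                # audit: every outcome, allow or deny

def audit(user: str, target: str, action: str, outcome: str) -> None:
    """Audit = record what just occurred, including the denials."""
    AUDIT_LOG.append(f"{user} {action} {target}: {outcome}")

def authenticate(user: str, password: str) -> dict | None:
    """Authentication = prove who you are. Done once, at the SSO service, for all apps."""
    stored = DIRECTORY.get(user)
    ok = stored is not None and hmac.compare_digest(stored, _hash(password))
    audit(user, "SSO service", "login", "succeeded" if ok else "failed")
    return {"user": user} if ok else None

def authorize(session: dict | None, app: str) -> bool:
    """Authorization = may this authenticated identity reach this application at all?"""
    user = session["user"] if session else "anonymous"
    ok = session is not None and app in APP_ACCESS.get(user, set())
    audit(user, app, "access", "allowed" if ok else "denied")
    return ok

def request(session: dict | None, app: str, action: str) -> bool:
    """Entitlement = within an app the user may reach, what may they do? Runs all three layers."""
    if not authorize(session, app):
        return False
    user = session["user"]
    ok = action in ENTITLEMENTS.get((user, app), set())
    audit(user, app, action, "allowed" if ok else "denied")
    return ok
```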
Agree on Terminology
• LDAP = “Lightweight Directory Access Protocol is an application protocol for querying and modifying data using directory services running over TCP/IP”*
• Directory = “is a set of objects with attributes organized in a logical and hierarchical manner.”*
*Source = http://en.wikipedia.org/wiki/LDAP
Agree on Terminology
• Active Directory = “is a technology created by Microsoft that provides a variety of network services, including: … LDAP”*
• Kerberos = “a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner”** or one way to authenticate stuff
*Source = http://en.wikipedia.org/wiki/Active_Directory
**Source = http://en.wikipedia.org/wiki/Kerberos_(protocol)
Agree on Terminology
• IAM = “Identity and Access Management” or the IT/Security industry discipline that encompasses all this stuff (analogous to PMO for projects or ITIL for systems management, etc.)
Current Landscape
• Second step, agree on how things are currently done so we are all working from the same baseline understanding
Current Landscape
• Everyone solves the 3 A’s within their own solution domain
  – 3 A’s = “Authentication, Authorization and Auditing”
  – Each project has to invest time/energy/$$$/resources to solve the same AAA problems over, and over, and over
  – Post project, per-application AAA workflows create ongoing support costs
Current Landscape
• Um, err, business case here???
  – International Data Group reports that an average user in a 10,000-employee company has 14 separate passwords.
  – Forrester, “Password problems and resets generally constitute between 25% and 40% of total help desk incidents”*
*Source = Twenty-three Best Practices For the Customer Service Center, Chip Gliedman, Forrester, 10/11/2005
Current Landscape
• Long story short … if an organization continues to grow without an SSO strategy + solution, the costs associated with managing user application access (AAA) will proportionally increase
SSO Utopia
• Common service for external SSO
• Common service for internal SSO
• Self-service credential reset
• Standard SSO integration path for all project solutions/applications
• TCO for IAM reduced across the enterprise
• Raises for everyone in IT
Application – Framework View
• More realistically:
Future State

Approach: In-House Developed Solution
Pros:
• Control over entire feature set
• Lack of vendor dependencies
• Deep internal SME over solution
Cons:
• Will take longer
• Will require a larger team to execute
• Longer delay to benefiting from ROI
• Lack of inherent competency in this space
• Resource attrition takes away irreplaceable knowledge, thus reducing initial approach value

Approach: Purchase Vendor Framework
Pros:
• Already mature product options in the marketplace
• Top tier vendors investing in this space (CA, Oracle, IBM, etc.)
• Faster realization of outlined benefits
• Leverage vendor expertise to augment internal resources as needed
Cons:
• Will incur licensing and support cost from selected vendor
• Will involve normal vendor product lifecycle management challenges (version upgrades, product road maps, custom feature sets)
Roadmap
1. Agree on definitions
2. Agree on SSO utopia future state
3. Agree on strategic Auth and Az stores
   – Example: LDAP for all external users?
   – Example: AD for internal/employees?
4. Agree on initial SSO integration approach
   – New project designs w/SSO after X date
   – or retrofit N existing applications
   – or “Major project Y and then …”
   – or some other criteria???
Roadmap
• Evaluate/RFI/RFP vendor landscape
  – Short list
    • Example: CA, Oracle and IBM
    • Consider Gartner “magic quadrant” and existing vendor relationships
• Vendor POC including “integration service” modeling
  – Legacy/Project integration criteria
  – FTE/staffing to support
• Production deployment
• Integrations!
?
Graphics blatantly stolen with approval from @jurgenappelo