Utah Architecture Review Single Sign-On
-
Upload
david-fletcher -
Category
Economy & Finance
-
view
2.801 -
download
3
description
Transcript of Utah Architecture Review Single Sign-On
TA Review – Authentication and Single Sign-On
Utah Department of Technology ServicesMarch 2008
Introduction
The Utah Master Directory (UMD) and related SiteMinder architecture was designed in 2001. There is a need to validate current practices against best practice industry solutions with an objective of wider adoption of the Single Sign-On (SSO) and related directory and access control infrastructure.
Types of Single Sign-on
Identity Access Mgmt Ecosystem
Current Architecture
• UMD Directory
• SiteMinder
• Credential Collector
• AppProfile System
• AppAdmin
• JAAS Providers to Application Servers
User Adoption
Overall integration with existing applications inventory is less than 30%.
Application specific directory and authorization is used by 65.4% of all production applications.
Direct LDAP to agency directory information is utilized by 23.1% of production applications.
Successful Features of UMD
• Integration with NDS to Synchronize LAN Passwords
• Availability of UMD/SiteMinder Infrastructure
• Identity Management
• Simplified Maintenance of User Access Privileges
• UMD Support Services
Obstacles that keep agencies from using UMD Services
– Difficulty Using the UMD with New Applications: 22.7%
– Difficulty Using the UMD with Existing Applications: 22.7%
– Direct LDAP Access: 18.2%– Reliability and Scalability Concerns: 18.2%– Inadequate Documentation: 13.6%– Cost Concerns: 13.6%– Availability of UMD Web Services: 13.6%– Application Profile Management: 9.1%– SSO Security Concerns: 9.1%– Concerns with the Use of “Cookies”: 4.5%
Help Desk Call Data for Password Resets and UMD Related Inquiries
1st Q ‘07 2nd Q ‘07 3rd Q ‘07 4th Q ‘07 Jan ‘08 Feb ‘08
Network/LAN PW Reset
485 587 693 740 251 245
Mainframe PW Reset
385 380 421 382 147 101
UMD PW Reset
484 618 594 624 264 242
Total 1354 1585 1708 1746 662 588
Total Tickets 17,812 18,240 19,342 19,089 7,604 6,813
% PW Resets 7.6% 8.7% 8.8% 9.1% 8.7% 8.6%
Industry Average is abt 30% - IT Security Journal
Best Practices
• Application Coverage• Ease and Flexibility of
Deployment• Authentication
Capabilities• Shared Work
Environments• Overall Security
Objectives
• User Access Management
• Single Sign-Off• Enterprise Reliability
and Scalability• Legacy Application
Integration
Industry Reports
Forrester Gartner
Extending Enterprise ID Across the Web
Federal E-Authentication
The E-Authentication Solution created the US E-Authentication Identity Federation which allows Federation members to recognize and trust log-in IDs that are issued by other trusted Federation members. The trusted members that issue these log-in IDs may be other government agencies, academic institutions, or commercial entities, such as banks or other financial services institutions. There is opportunity for Utah to participate in this initiative by establishing the UMD as a trusted entity.
Recommendations
• Position UMD Services as more than just a directory or SSO solution but as a comprehensive IAM solution.
• Establish the UMD as a trusted identity source so State users can use UMD identity to access Federal applications and services as a trusted partner.
• Add third party reporting software, such as eIQ, LogRhythm, etc., to facilitate audit tracking of who has access to directory enabled resources, and when they had access.
• Improve the user interface for AppAdmin and AppProfile so they are easier to use by the development and application business management communities.
Provide capability for direct LDAP access by agencies within security model constraints.
Appoint a study group to review UI authentication and look at possible integration of their 36,857 directory subscribers with the UMD directory as a specialized container.