8/3/2019 [CLIENT] - Identity Federation Workshop 4-25-07
PwC Confidential 19-Feb-12
Agenda (60 min)
Preface (5 minutes)
- Workshop Objectives
- Our Understanding of [CLIENT]'s Online Initiatives
- Our Understanding of the Business Drivers/Value Proposition of Identity Federation at [CLIENT]
Section 1 (5 minutes): Introduction to Identity Federation
- Identity Federation Roles
- Identity Federation: The Solution
Section 2 (25 minutes): Identity Federation Business Scenarios
- [CLIENT] Identity Federation Business Scenarios
Section 3 (25 minutes): Preparing for Identity Federation
- [CLIENT] Identity Federation Strategy
- [CLIENT] Legal/Regulatory Compliance Requirements
- [CLIENT] Agreements: Business Level, Service Level
- [CLIENT] Technical Requirements
Workshop Objectives
Our objectives for this workshop are listed below:
- Facilitate discussion of the business, privacy and technical issues around Federation for [CLIENT].
- Discuss privacy considerations, both general and specific to the issues stated above.
- Discuss the extension of [CLIENT]'s current identity management infrastructure with Federation.
- Start to identify next steps.
Our Understanding of [CLIENT]'s Online Initiatives
- [CLIENT] has launched a collaborative portal for volunteers and state sites. The collaborative environment may expand to include other external parties.
- [CLIENT] is deploying several new online services for members this year, including [CLIENT PROGRAM] and [CLIENT PROGRAM].
- [CLIENT] is launching a new social networking site for visitors interested in a relationship with [CLIENT] (members and non-members). The site will enable registered users to set up personalized websites, share photos, and upload video content.
- [CLIENT] is expanding internationally through the launch of the [CLIENT PROGRAM]. The first member of the network is [CLIENT PARTNER]. [CLIENT] intends to offer reciprocity of benefits to individual members of [CLIENT PARTNER] beginning in January 2008.
Our Understanding of [CLIENT]'s Online Initiatives (Contd.)
Are there other online initiatives at [CLIENT] that we have not discussed?
Our Understanding of the Business Drivers/Value Proposition of Identity Federation at [CLIENT]
Improved Member Online Experience
- Federation can be deployed to enable [CLIENT] members to experience SSO when linking to partner websites.
- For example, a [CLIENT] member can experience single sign-on from [CLIENT WEBSITE] to the website of a trusted partner, e.g. [CLIENT PARTNER].
Information Security
- In a federated environment, personally identifiable information about [CLIENT] members can be kept private: the partner receives only the limited, agreed set of member data it needs, and the member authenticates to [CLIENT] rather than handing a password to the partner.
Cost Savings
- [CLIENT] can potentially reduce the costs associated with building and maintaining custom interfaces with 3rd parties who need access to member data.
Our Understanding of the Business Drivers/Value Proposition of Identity Federation at [CLIENT] (Contd.)
Are there other business drivers for Identity Federation at [CLIENT] that we have not discussed?
Identity Federation Workshop
Section 1:
Introduction to Identity Federation
Introduction to Identity Federation
Federation Roles
When discussing Federation, it is important to understand the terms and concepts commonly used when describing Federation transactions. These include:
- Person/User/Principal: an entity that can be authenticated, make use of services, and obtain a federated identity.
- Identity Provider (IdP, or source domain): the organization that authenticates Principals and asserts their identities within an established trust relationship.
- Service Provider (SP, relying party, or destination domain): the SP relies on an IdP to authenticate and assert the identity of Principals who wish to access web-based services or goods provided by the SP. The SP verifies that the assertion came from a trusted IdP and then applies its own authorization rules.
- Circle of Trust: a trust relationship established by a group of IdPs and SPs. There can be multiple IdPs and SPs in a Circle of Trust.
Note: an organization can be an IdP, an SP, or both, depending on the business scenario.
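The roles above in working code, as an added example that is not part of the workshop deck: [CLIENT] acts as the Identity Provider, a partner site as the Service Provider, and the Circle of Trust is the SP's table of trusted issuers. The assertion is a simplified JSON stand-in for a SAML 2.0 or WS-Federation assertion signed with an assumed shared key (real deployments exchange X.509 certificates via metadata and use XML signatures); the entity IDs, the key, the attribute names and the `member_status` entitlement rule are assumptions for illustration. What it shows is the set of checks a relying party must make before trusting an assertion: the issuer is in the Circle of Trust, the signature verifies, the assertion is addressed to this SP, it is inside its validity window, and it has not been presented before. Authorization remains the SP's own decision even after authentication succeeds.

```python
import hashlib
import hmac
import json
import secrets
import time


class FederationError(Exception):
    """Raised by the SP when an assertion must not be accepted."""


# Assumed: one key per IdP in the Circle of Trust, agreed out of band when the
# partner joined.  Stand-in for the IdP signing certificate in SAML metadata.
CIRCLE_OF_TRUST_KEYS = {
    "https://idp.client.example": b"assumed-shared-secret-for-demo",
}


def _canonical(claims):
    # Deterministic serialization so IdP and SP sign and verify identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(issuer, subject, audience, attributes, key, now=None, lifetime=300):
    """IdP side: `subject` was already authenticated locally; assert it to exactly one SP."""
    now = int(time.time() if now is None else now)
    claims = {
        "id": secrets.token_hex(16),      # unique per assertion; lets the SP detect replay
        "issuer": issuer,
        "subject": subject,
        "audience": audience,             # the single SP this assertion is intended for
        "issued_at": now,
        "not_on_or_after": now + lifetime,
        "attributes": attributes,         # only the agreed, minimal attribute set
    }
    signature = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": signature}


class ServiceProvider:
    """SP side: delegates authentication to the IdP, keeps authorization local."""

    def __init__(self, entity_id, trusted_idps, clock_skew=60):
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps
        self.clock_skew = clock_skew
        self.seen_assertion_ids = set()   # replay cache; prune entries once they expire

    def validate(self, assertion, now=None):
        """Return the claims if every relying-party check passes, else raise FederationError."""
        now = time.time() if now is None else now
        claims, signature = assertion["claims"], assertion["signature"]
        key = self.trusted_idps.get(claims.get("issuer"))
        if key is None:
            raise FederationError("issuer is not in the Circle of Trust")
        expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise FederationError("signature does not verify")
        if claims["audience"] != self.entity_id:
            raise FederationError("assertion was issued for a different SP")
        lower = claims["issued_at"] - self.clock_skew
        upper = claims["not_on_or_after"] + self.clock_skew
        if not (lower <= now < upper):
            raise FederationError("assertion is outside its validity window")
        if claims["id"] in self.seen_assertion_ids:
            raise FederationError("assertion has already been used (replay)")
        self.seen_assertion_ids.add(claims["id"])
        return claims

    def sso_login(self, assertion, now=None):
        """Authentication comes from the IdP; the entitlement decision stays with the SP."""
        claims = self.validate(assertion, now)
        if claims["attributes"].get("member_status") != "active":
            raise FederationError("authenticated, but not entitled to this service")
        return claims["subject"]


def outcome(sp, assertion, now=None):
    """Exercise one login attempt: ("ok", subject) or ("rejected", reason)."""
    try:
        return ("ok", sp.sso_login(assertion, now))
    except FederationError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    key = CIRCLE_OF_TRUST_KEYS["https://idp.client.example"]
    sp = ServiceProvider("https://partner.example/sp", CIRCLE_OF_TRUST_KEYS)
    assertion = idp_issue_assertion("https://idp.client.example", "member-0001234",
                                    "https://partner.example/sp",
                                    {"member_status": "active"}, key)
    print("first use:", outcome(sp, assertion))
    print("second use:", outcome(sp, assertion))
```

The order of checks is deliberate: nothing inside the claims is trusted until the issuer has been looked up in the Circle of Trust and the signature verified, and the audience check is what stops an assertion issued for one partner being presented to another. The replay cache only needs to remember IDs until their `not_on_or_after` has passed.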
Introduction to Identity Federation (Contd.)
Federation: The Solution
(diagram: Identity Federation Solution)
Identity Federation Workshop
Section 2:
[CLIENT] Identity Federation
Business Scenarios
[CLIENT] - Identity Federation Business Scenarios
1. Access to Externally Hosted [CLIENT] Systems or Trusted Partner Websites
A. [CLIENT] Members
- [CLIENT] members access 3rd-party-hosted sites, e.g. [CLIENT PROGRAM] and [CLIENT PROGRAM], and trusted partner websites, e.g. Travelocity, The Hartford and United Healthcare.
- Most of these systems require a separate username/password for [CLIENT] members to log in.
[CLIENT] - Identity Federation Business Scenarios (Contd.)
1. Access to Externally Hosted [CLIENT] Systems or Trusted Partner Websites (Contd.)
A. [CLIENT] Members (Contd.)
Benefits of Federation
- Can enable single sign-on from [CLIENT].org to the trusted partner site.
- Can reduce or eliminate the need to enter the same information (addresses, phone numbers, etc.) at multiple service provider (SP) web sites.
- Third-party partners do not have to revalidate that the customer is a [CLIENT] member.
- Simplifies password management for [CLIENT] members while they access externally hosted applications related to member services.
- Enables a richer online experience for [CLIENT] members (while accessing externally hosted or trusted partner applications) and increases the value of the [CLIENT] relationship for trusted partners.
- Simplified interaction between [CLIENT] members and trusted partners could lead to increased awareness of member benefits and increased online enrollment in trusted partner offerings by members.
[CLIENT] - Identity Federation Business Scenarios (Contd.)
1. Access to Externally Hosted [CLIENT] Systems or Trusted Partner Websites (Contd.)
B. Employees
- [CLIENT] hosts several business, finance and HR systems with 3rd-party companies.
- Most of these systems require a separate username/password for [CLIENT] employees to log in. Federation can enable web SSO from [CLIENT] to the external system.
- Potential federation integration candidates include [CLIENT PARTNER], [CLIENT PARTNER], [CLIENT PARTNER], [CLIENT PARTNER], and [CLIENT PARTNER].
Benefits of Federation
- Simplifies password management for [CLIENT] employees while they access several business, finance and HR applications.
- Enables [CLIENT] employees to have a rich online experience while accessing applications hosted with 3rd-party companies.
[CLIENT] - Identity Federation Business Scenarios (Contd.)
2. Trusted Partner's Customer to [CLIENT] Website
- Federation can enable [CLIENT] to act as a service provider and accept Federated users from trusted partners.
- The trusted partner is responsible for authenticating the end user.
- [CLIENT] can accept the trusted assertion (after verifying that it was issued by a partner in its Circle of Trust, is addressed to [CLIENT], and is still valid) and allow the person access to [CLIENT]-hosted web content and services.
Benefits of Federation
- Provide new avenues for [CLIENT] to recruit members or drive traffic to [CLIENT]'s website.
- Enable the trusted partner's customer to be identified by [CLIENT], thereby delivering a personalized experience.
[CLIENT] - Identity Federation Business Scenarios (Contd.)
3. [CLIENT] Global Network Support
- Federation can enable [CLIENT] members to obtain personalized services from international organizations participating in the [CLIENT] Global Network (or vice versa).
- Ensure that only validated users obtain access to online Global Network benefits.
Benefits of Federation
- Potentially helps to address the legal and regulatory obligations [CLIENT] may encounter when engaging in the sharing or transfer of personal or private data about members or Global Network participating users.
- Federation can make the experience of engaging with a Global Network partner simpler and more personal.
Note: It is recommended that [CLIENT] conduct a detailed analysis of US, EU, and other international privacy and compliance laws prior to engaging in shared services with Global Network members and organizations.
[CLIENT] - Identity Federation Business Scenarios (Contd.)
4. Business Unit Federation
- Certain [CLIENT] business units may be required to operate independently.
- Federation can be used internally to enable users from one business unit to access web applications hosted by another business unit.
- An example of this scenario could be employees of [CLIENT] Financial Inc. accessing web-based applications and systems hosted by [CLIENT], or vice versa.
Benefits of Federation
- Federation enables the systems to remain separate while still providing users with a single sign-on experience.
Identity Federation Workshop
Section 3:
Preparing for Identity Federation
Preparing for Identity Federation
Identity Federation will enable [CLIENT] to extend the capabilities of its Identity Management infrastructure to provide integration with trusted third parties such as service providers. However, there are business issues inherent in Identity Federation. Business issues in the following areas should be discussed before implementing Identity Federation:
- [CLIENT] Identity Federation Strategy
- Legal/Regulatory Compliance Requirements
- Business-Level Agreements
- Service-Level Agreements
- Technical Requirements
Preparing for Identity Federation (Contd.)
[CLIENT] Identity Federation Strategy
- Gather information about any existing Federation framework that [CLIENT]'s priority third parties may already have in place.
- Determine the identity data elements to be transmitted amongst Federation partners. This will help to determine which regulatory requirements need to be addressed.
- Pilot one of the business scenarios (mentioned earlier) involving a priority third party (e.g. [CLIENT PARTNER] or [CLIENT PARTNER]) as a Federation partner.
Preparing for Identity Federation (Contd.)
Legal/Regulatory Compliance Requirements
[CLIENT] should analyze applicable local, state, national, and international privacy and data protection regulations, directives, and laws, and develop appropriate strategies and operational plans to address compliance responsibilities.
Privacy & Data Protection
- Review local and international laws and requirements, e.g. the EU Data Protection Directive.
- International laws are different from U.S. laws and may be a barrier to overcome, requiring added technical and operational components:
  - Restrictions and operational requirements around trans-border flows of personal information
  - Broader scope of information that goes beyond just customers
  - In-country representation, filing requirements, and potential approval processes
  - Ability to demonstrate adequate technical, physical, and administrative safeguards
Compliance
Review, enhance, and implement appropriate policies, processes, and technical safeguards:
- Policies and procedures: customer and employee policies, and internal policies and procedures
- Governance and accountability: local and international roles and responsibilities
- Due diligence: contract amendments and security assessments with trusted partners (Circle of Trust)
- Communication, training, and awareness
- Ongoing monitoring, auditing, and reporting: internal and trusted partner (Circle of Trust) reviews
- Discipline and incentives
- Incident response and crisis management: breach notification requirements
Preparing for Identity Federation (Contd.)
Business-Level Agreements
Inherent in the Federation model is the concept of a Circle of Trust. This is both a business and a technical requirement.
Business Relationships & Terms of Engagement
- Examine contractual agreements with business partners to determine if they contain the necessary terms, conditions, etc. to allow for such a business relationship.
- Review membership agreements to ensure Federation of member data is adequately addressed.
- Create contractual agreements addressing the technical requirements of Federation, e.g. the authentication process of a user by the IdP.
Financial Commitments
- Establish contractual agreements defining the financial responsibilities of Federation partners.
Risk Management
- Refresh the Third-party Security Program (TSP) to ensure it addresses Identity Federation security models and relevant security controls.
- Examine how [CLIENT] can limit the risk incurred by its trusted partners in the event of a security breach, identity theft, error etc. originating from [CLIENT].
- Establish contractual agreements between [CLIENT] and its partners that determine to whom liability is assigned in the event of a security breach, identity theft, error etc.
Preparing for Identity Federation (Contd.)
Service-Level Agreements
Customer Service
- Review contractual agreements with trusted partners on the service level.
- Clearly define terms regarding who is responsible for managing customer/user issues.
Business Continuity Planning
- Establish processes to deal with disaster recovery for both [CLIENT] and its trusted partners.
Incident Management
- Establish contractual agreements with business partners regarding how events/incidents are managed when a security breach, identity theft or error etc. occurs.
- Establish a process for communicating and responding to incidents during Federation between [CLIENT] and its partners.
Preparing for Identity Federation (Contd.)
Technical Requirements
[CLIENT] and its trusted partners should agree on the technical specifications to be used for their federation.
Federation Standards, Models and Protocols
- [CLIENT] must determine which standard(s) it will support (SAML 2.0, WS-Federation, Liberty Alliance).
- [CLIENT] should decide the Federation model(s) it wishes to operate under: [CLIENT] must decide if it will be an Identity Provider, a Service Provider, or both (the business scenarios in Section 2 call for both roles).
- [CLIENT] should work with its trusted partners to determine the Federation models, protocols and standards the Circle of Trust will operate within.
- Develop a Federation integration guide for new partners that explains how Federation will technically work within the Circle of Trust.
- [CLIENT] and its trusted partners should establish a steering committee to oversee adoption and roll-out of Federation.
Federation Product/Vendor
- Integrate the Federation product with the existing Web Access Management (WAM) infrastructure to leverage its Identity Management capabilities.
Preparing for Identity Federation (Contd.)
Technical Requirements (Contd.)
User Administration
- [CLIENT] and its trusted partners should agree on how user data is administered.
- A process that supports the lifecycle of the user's identity and credentials, from creation through modification to deletion, should be discussed; de-provisioning at the IdP is what stops a departed user from obtaining further assertions.
- A common user enrollment and entitlement process will need to be adopted.
Access Policy
- [CLIENT] and its trusted partners should establish policies governing service access within their Circle of Trust.
- Circle of Trust members other than the IdP give up control over authentication (they rely on the IdP's assertion) but still control authorization: each SP decides what an asserted user may do.
Session Policy
- [CLIENT] and its trusted partners should determine the rules governing a user's browser sessions while accessing services provided by them (e.g. session lifetime, re-authentication, and logout behaviour across partner sites).
Preparing for Identity Federation (Contd.)
Technical Requirements (Contd.)
Data Attributes
- [CLIENT] and its trusted partners should determine the specific data attributes that will be shared to enable Federation within their Circle of Trust. Each partner should receive only the attributes it needs for its service; this limits the privacy and regulatory exposure discussed under Legal/Regulatory Compliance Requirements.
Technology Skills of [CLIENT]'s (and 3rd Party) IT Organization
- Review the skill sets of the IT employees of [CLIENT] and its trusted partners to determine if they complement the processes and technologies required for Identity Federation.
- Provide training and documentation for future application development for [CLIENT] and 3rd parties to incorporate federated identities.
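An added example (not from the deck) of the Data Attributes point above and of the "limited set of member data" promise under Information Security: [CLIENT], acting as IdP, holds the full member record, but each partner SP receives only the attributes agreed for it, and the subject identifier it sees is a per-partner pseudonym derived from the member ID, so two partners cannot join their records on the same member. The partner entity IDs, attribute names, policy contents, sample record and salt are assumptions for illustration; the pairwise identifier is the same idea as a SAML 2.0 persistent NameID.

```python
import hashlib
import hmac

# Full member record as held by [CLIENT] acting as IdP (constructed sample data).
MEMBER_RECORD = {
    "member_id": "M-0001234",
    "name": "Jane Q. Member",
    "email": "jane@example.net",
    "postal_address": "1 Main St, Springfield",
    "date_of_birth": "1950-04-12",
    "member_status": "active",
    "membership_expires": "2008-12-31",
}

# Assumed per-partner release policy, as it would be fixed in the business-level
# agreement: a travel partner only needs to know the member is in good standing;
# an insurance partner also needs a name and address to quote.
RELEASE_POLICY = {
    "https://travel-partner.example/sp": {"member_status", "membership_expires"},
    "https://insurance-partner.example/sp": {"member_status", "name", "postal_address"},
}

# Assumed IdP-private salt.  Without it, a partner holding a list of member IDs
# could recompute the pseudonyms and de-anonymize subjects.
PAIRWISE_SALT = b"assumed-idp-private-salt"


def pairwise_subject_id(member_id, sp_entity_id, salt=PAIRWISE_SALT):
    """Opaque identifier that is stable for one (member, SP) pair but differs per SP."""
    msg = sp_entity_id.encode() + b"\x00" + member_id.encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:32]


def is_in_circle(sp_entity_id, policy=RELEASE_POLICY):
    """Only partners with an agreed release policy are in the Circle of Trust."""
    return sp_entity_id in policy


def release_attributes(record, sp_entity_id, policy=RELEASE_POLICY):
    """Build the attribute statement the IdP would place in an assertion for `sp_entity_id`.

    Attributes outside the partner's allowlist never leave the IdP, and the
    member's real ID is replaced by the pairwise pseudonym.
    """
    allowed = policy.get(sp_entity_id)
    if allowed is None:
        raise KeyError(f"no release policy for {sp_entity_id}: partner is not in the Circle of Trust")
    missing = allowed - set(record)
    if missing:
        raise ValueError(f"record lacks attributes promised to {sp_entity_id}: {sorted(missing)}")
    return {
        "subject": pairwise_subject_id(record["member_id"], sp_entity_id),
        "attributes": {k: record[k] for k in sorted(allowed)},
    }


def leaked_attributes(released, record, sp_entity_id, policy=RELEASE_POLICY):
    """Audit check over an outgoing statement: everything in it the policy did not allow."""
    allowed = policy.get(sp_entity_id, set())
    extra = set(released["attributes"]) - allowed
    if released["subject"] == record["member_id"]:
        extra.add("member_id")
    return sorted(extra)


if __name__ == "__main__":
    for sp in RELEASE_POLICY:
        print(sp, release_attributes(MEMBER_RECORD, sp))
```

`leaked_attributes` is the kind of check worth running in the "ongoing monitoring, auditing, and reporting" step of the compliance list: it catches a misconfigured attribute mapping before the data reaches the partner.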
Preparing for Identity Federation (Contd.)
Recap:
- Processes surrounding the management of user information (Strategy, Business-Level, Service-Level, Legal/Regulatory Compliance, Technical Requirements etc.) must be defined prior to implementing an Identity Federation solution.
- Having the proper People and Technology in place allows the Processes surrounding user data to be properly handled.
Identity Federation Workshop
Next Steps
Next Steps
Phase I
- Create a detailed Identity Federation Strategy and address the following:
  - Identity Federation Strategy
  - Legal/Regulatory Compliance Requirements
  - Agreements: Business Level, Service Level
  - Technical Requirements
Phase II
- Design and implement a technical pilot based on the Identity Federation Strategy that is created.
- Develop a Federation integration guide for potential partners.
Phase III
- Update/finalize business and service level agreements and other requirements with Federation partners.
- Start to implement and deploy Federation to selected partners.
Identity Federation Workshop
Legal Disclaimer
The information contained in this presentation is for general guidance only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of the technology landscape, there may be omissions or inaccuracies in information contained in this presentation. Accordingly, the information in this presentation is provided with the understanding that PricewaterhouseCoopers LLP is not engaged in rendering professional advice and services. As such, it should not be used as a substitute for consultation with professional, legal or other competent advisers.
While every effort has been made to ensure the accuracy of the contents of this presentation, PricewaterhouseCoopers LLP will accept no responsibility for any errors or omissions, or for any loss or damage, consequential or otherwise, suffered as a result of any material published here. All information in this presentation is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. In no event will PricewaterhouseCoopers, its related partnerships or corporations, or the partners, agents or employees thereof be liable to you or anyone else for any decision made or action taken in reliance on the information in this presentation or for any consequential, special or similar damages, even if advised of the possibility of such damages.