DO WE HAVE A ROUND WHEEL YET?

DESCRIPTION

IAN GLAZER, Senior Director, Identity, salesforce.com, at the European IRM Summit 2014.

Ian Glazer, Senior Director, Identity, Salesforce Identity, @iglazer

Do we have a round wheel yet?

Why do humans continually reinvent what they already have?

1. functional thing
2. attempt to “fix” it
3. break it
4. fix it
5. functional++ thing

Why is it that we reinvent the wheel?

Eventually we get a round one.

Why do we do this in the world of identity?

< … >

{ … }

We reinvent the wheel when tasks change

SOA, SOAP, XML
services, SOAP, XML
services, REST, XML
services, REST, JSON

IAM has to stay contemporary

The load our IAM wheels have to carry has changed.

IAM in transition

Right Access, Right People, Right Time

Right Experience, Right People, Right Time

Right Experience, Right People & Things, Right Time

Right Experience, Right People & Things, Right Time, Right Place

But that’s not all

[Diagram: many identical attribute sets: firstName, lastName, email, mobile, ou, nickname, title, …]

Reasonably large number of identities with a reasonable number of attributes

We are being asked to haul more and different identities

[Diagram: many identical attribute sets: deviceID, firmware]

25,000,000,000?

50,000,000,000?

Unreasonably large number of identities with a few attributes

[Diagram: a graph of people and things joined by relationships labelled Reports to, Works with, Owns, Sends data to, Gets data from, Paired with, Uses, Controls, Constrains choice of, and Ridden in]

Unreasonably large number of relationships between unreasonably large numbers of people and things, each with attributes

1. Authentication
2. Authorization
3. Attributes
4. User Provisioning

Authentication

Authentication Round

Multiple Protocols, Multiple Standards

Complexity, Maturity

OpenID Connect could use a few more miles on the road

But you should start today with it

What about representing identity assurance?

Can we harmonize levels of assurance?

Should we?

myLOA 2 = urLOA 3.1

You’ve been proofed. You’ve been authenticated.

So what?

Deployment matters.

Poorly deploying strong authentication makes it weak authentication.

LOA? Trust Framework?

Start here?

Authentication’s wheel still has lumps

1. Reinvention
2. IAM’s Collective Shame

Reinventing just to reinvent

OAuth A4C

IAM’s collective shame

Password Vaulting

The need for password vaulting

We’ve had fully workable authentication standards for years

Yet we still password vault

Not enough service provider enablement

SPs not acting on behalf of their customers’ interests

Standards-based authentication

(Standards-based user provisioning too)

Mobile-optimized authN will (hopefully) force SPs to act

Killing passwords is IAM’s new black

Killing the need for password vaulting

More reasonable, more achievable, more effective

Authentication standards

Federated SSO

2017

ADD ROUND PICTURE!

Authorization

Authentication Round

Authorization Not Round*

1. Over-inflated
2. Flat

XACML can do anything

Things that allow you to do anything tend to make it hard to do anything

Focus on the PAPs, not the protocol

XACML must be contemporary

REST & JSON are good steps forward

Could be used to represent authorization decisions

Semantics of scopes?

Binding obligations = duties of actors

Still needs more miles on the road

Enterprise-to-Enterprise use cases, please?

How can a thing make a decision with more autonomy?

How can we make decisions closer to the place and time of use?

Actionable relationships

[Diagram: people and things joined by relationships; some relationships allow actions Q, W, and E, others allow actions X, Y, and Z, and some are still marked ?]

ADD NOT ROUND WHEEL

Attributes

Authentication Round

Authorization Not Round*

Attributes Roundish

The Sad Magic of Commas.

1. Access
2. Representation

Access

Optimized for the modern web?

Graph APIs, UserInfo Endpoints

ADAP

LDAP?

Optimized for the modern web!

Representation

Name-Value Pairs

Name-Value Pair is the new comma

Name-Value Pairs

Ubiquitous ✅

Standard Schema ❌

Anyone else miss inetOrgPerson?

inetOrgPerson for a new generation?

hipsterOrgPerson

dn: cn=Barbara Jensen, ou=WhatEvs, dc=company, dc=com
objectclass: top
objectclass: person
objectclass: hipsterOrgPerson
cn: Barbara Jensen
nickname: Daisy
favBand: no one you’ve ever heard of
whatRUHaving: Fireball with a pickleback
title: social media guru
twitter: @daisypop89
email: isforoldpeople@irony.aol.com
postalCode: 11211
country: USA! USA!
telexNumber: is that like a fax or something?

Make SCIM schema the standard?

Standardizing schema can only work in communities of interest
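To make the “name-value pairs are ubiquitous, standard schema is not” point concrete, here is an added example (not from the deck) that parses a constructed LDIF entry in the spirit of hipsterOrgPerson and maps it onto the SCIM 2.0 core User schema (RFC 7643). Attributes that the core schema covers land in standard fields; everything else can only go into an extension schema, whose URN here is a made-up placeholder, which is exactly why schema standardization stops at the edge of a community of interest.

```python
import json

# Constructed LDIF entry modelled on the deck's hipsterOrgPerson joke; not real directory data.
LDIF_ENTRY = """dn: cn=Barbara Jensen, ou=WhatEvs, dc=company, dc=com
objectClass: top
objectClass: person
objectClass: hipsterOrgPerson
cn: Barbara Jensen
sn: Jensen
givenName: Barbara
nickname: Daisy
favBand: no one you've ever heard of
whatRUHaving: Fireball with a pickleback
title: social media guru
mail: isforoldpeople@irony.aol.com
postalCode: 11211
"""

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"       # real SCIM core User schema (RFC 7643)
EXT = "urn:example:params:scim:schemas:extension:hipster"  # placeholder extension URN, made up here

def parse_ldif(text):
    """Parse a single LDIF entry into {attribute: [values]}; names are lower-cased because LDAP
    attribute names are case-insensitive. Base64 (::) and continuation lines are not handled."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def to_scim_user(entry):
    """Map the attributes the core schema knows about; push the rest into an extension."""
    first = lambda k: entry.get(k, [None])[0]
    core_keys = {"dn", "objectclass", "cn", "sn", "givenname", "nickname", "title", "mail", "postalcode"}
    user = {
        "schemas": [CORE],
        "userName": first("mail") or first("cn"),
        "name": {"formatted": first("cn"), "givenName": first("givenname"), "familyName": first("sn")},
        "nickName": first("nickname"),
        "title": first("title"),
        "emails": [{"value": v, "primary": i == 0} for i, v in enumerate(entry.get("mail", []))],
        "addresses": [{"postalCode": first("postalcode")}] if first("postalcode") else [],
    }
    extra = {k: (v if len(v) > 1 else v[0]) for k, v in entry.items() if k not in core_keys}
    if extra:  # no standard home for these; a community-specific extension is the only option
        user["schemas"].append(EXT)
        user[EXT] = extra
    return user

if __name__ == "__main__":
    print(json.dumps(to_scim_user(parse_ldif(LDIF_ENTRY)), indent=2))
```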

User Provisioning

Authentication Round

Authorization Not Round*

Attributes Roundish

User Provisioning

Near Roundish

SPML

SPML v2 was not round

DSML v2 was round

But neither are well suited for the modern web

Others are supporting it.

Join us!

Needs more miles on the road

Solid use case representation

Employee IdentityUser Provisioning

Customer IdentityUser Provisioning

Customer IdentityProfile Management

SCIM can handle both

ADD ROUNDISH WHEEL

How round are the identity wheels?

Authentication Round

Authorization Not Round*

Attributes Roundish

User Provisioning

Near Roundish

Do we need things other than wheels?

How do you discover the identity services of a service provider?

Besides RTFM?

How do you know if they use SAML, SCIM, a proprietary attribute API, FIDO U2F?

How do we connect our orgs and our identity services?

How do we kickstart relationships without paying p2p costs?

Hubs and axles for our roundish wheels

Remove the heavy lifting for providing and consuming services

This is where we must go.

Our future

People and things more closely related

Identity as business enabler

Right Access, Right People, Right Time

Right Experience, Right People, Right Time

Right Experience, Right People & Things, Right Time

Right Experience, Right People & Things, Right Time, Right Place

We are going to shoulder a heavy load.

Round wheel = Workable standards

Making and measuring progress

We need a set of design considerations.

The Laws of Relationships
• Acknowledgeable
• Actionable
• Constrainable
• Contextual
• Immutable
• Provable
• Revocable
• Scalable
• Transferrable

Identity Relationship Management Working Group

Joni Brennan @jonibrennan

Allan Foster @guruallan

1. Adopt standards

If you don’t, you are inventing your own wheel

That is a short-term optimized strategy at best.

If the current ones don’t work for you, bring out your use cases.

Kelly Grizzle @kelly_grizzle

Nat Sakimura @_nat

Leif Johansson @leifjohansson

Maciej Machulak @mmachulak

John Bradley @ve7jtb

2. Help others to adopt

Build SDKs to help people use OpenID and SAML

Support open source implementations of SCIM and OAuth

Start with your organization’s developers, then help the community.

3. Demand standards

From your identity technology providers.

Demand standards

From your business service providers.

Demand standards

From your own developer teams.

Demand standards

If for no other reason than to kill off the need for password vaulting.

Demand standards

A round wheel ≠ the goal

A great spec is satisfying

Pamela Dingle @pamelarosiedee

Chuck Mortimore @cmort

Eve Maler @xmlgrrl

David Brossard @davidjbrossard

Susan Morrow @avocoidentity

Brian Campbell @__b_c

but it isn’t the end goal.

We reinvent the wheel, we revisit and rebuild our standards to get round, beautifully functioning ones to carry the loads we must shoulder, to get us where we need to go in this era of modern identity.

Thanks!
