02/11/2015
1
Last 10 years vs. Now & Future (slide table)
  Type of App:      PCs and servers   |  Various web apps. Distributed. ChromeOS, PC, iOS.
  Identity:         Microsoft AD      |  GAfE, AzureAD, on-prem AD.
  Issues/Problems:  Password 1, Password 2, Password 3, Password 4

Federated – a way of connecting different, completely independent security realms/networks with each other such that the users in each realm can access resources in each of these realms.
Harry aka “The Baker” Williamson
William Harry’s dad
PROVISIONING
Simple, automated user provisioning.
Driven from existing data source: MIS
Onward provisioning of all your connected services.
AUTHENTICATION
Sign into your network from anywhere.
SSO from integrated devices.
Support many web SSO standards – makes app integration simpler.
AUTHORISATION
Simplify permissions with RBAC – Role based access control.
Network admin provides consent for data release to apps.
SELF SERVICE
Forgotten passwords
Self service password recovery via email or SMS.
App catalog – shop window of online resources for teachers.
PASSWORD MANAGEMENT
Self-service – reducing the burden.
Delegated password reset rights where appropriate.
COMPLIANCE
Enforce a user attribute release policy – only share minimal data with apps.
Audit key management tasks, e.g. password reset.
Reviewing hosting location of online services.
DEPROVISIONING
Automated via the starters-leavers process in MIS system.
Cascade of user delete to all connected apps.
[Identity Lifecycle diagram: Provisioning, Authentication, Authorisation, Self-Service, Password Management, Compliance, De-provisioning; runs from "Relationship starts…" to "Relationship ends…"]
Provisioning – the process of preparing a service for new users, prior to them accessing it.
• In-advance provisioning – when the app must know about users before access
– Needs a data feed to be kept in sync with the Identity Provider
– E.g.: Office 365 Outlook (we must create the mailbox ahead of time)
• Just-in-time provisioning – when the app creates the account on the fly
– App knows the user is authorised by the Identity Provider
– App might receive a few data attributes about the user
– E.g.: simple reading app (just needs to bookmark)
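As an added illustration (not code from the original slides or from RM Unify), the following Python script turns the lifecycle described above into a reconciliation: it reads a constructed MIS roster, works out which in-advance apps need accounts created, and cascades deletes for leavers and for users whose role no longer entitles them (just-in-time apps only ever receive deletes, since they create accounts themselves at first sign-in). The roster, app catalogue, role names and account snapshots are all constructed sample data.

```python
"""Identity-lifecycle reconciliation: decide the provisioning and deprovisioning
actions needed to bring each connected app in line with the MIS roster.
Added illustration, not code from the original slides or from RM Unify; the
roster, app catalogue and account stores are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    upn: str      # user principal name as fed from the MIS (constructed)
    role: str     # "teacher" or "pupil"; the RBAC role that drives entitlements
    active: bool  # False once the MIS starters-leavers process marks a leaver


# Constructed MIS feed: the single data source the identity provider is driven from.
MIS_FEED = [
    Person("harry@example.sch.uk", "pupil", True),
    Person("william@example.sch.uk", "teacher", True),
    Person("leaver@example.sch.uk", "teacher", False),
]

# Constructed app catalogue. "in_advance" apps (e.g. a mailbox) must hold the account
# before first access; "jit" apps create it on first federated sign-in, so the identity
# provider only ever has to delete there, never create.
APPS = {
    "office365":   {"roles": {"teacher", "pupil"}, "provisioning": "in_advance"},
    "reading_app": {"roles": {"pupil"},            "provisioning": "jit"},
    "staff_hr":    {"roles": {"teacher"},          "provisioning": "in_advance"},
}

# Constructed snapshot of the accounts each app currently holds.
APP_ACCOUNTS = {
    "office365":   {"harry@example.sch.uk", "leaver@example.sch.uk"},
    "reading_app": {"leaver@example.sch.uk"},  # stale JIT account left by a leaver
    "staff_hr":    set(),
}


def entitled_users(feed, app_cfg):
    """Users whose RBAC role entitles them to the app; inactive (left) users never qualify."""
    return {p.upn for p in feed if p.active and p.role in app_cfg["roles"]}


def plan_actions(feed, apps, app_accounts):
    """Return a sorted list of (action, app, upn).

    create: in-advance apps only, for entitled users who have no account yet.
    delete: every app, for any account whose holder is no longer entitled
            (a leaver, or a role change): the cascade delete from the slide.
    """
    actions = []
    for app, cfg in apps.items():
        have = app_accounts.get(app, set())
        want = entitled_users(feed, cfg)
        if cfg["provisioning"] == "in_advance":
            actions += [("create", app, upn) for upn in want - have]
        actions += [("delete", app, upn) for upn in have - want]
    return sorted(actions)


def apply_actions(actions, app_accounts):
    """Apply the plan to the account stores and return one audit record per action,
    so that key lifecycle events are logged (the compliance point on the slide)."""
    audit = []
    for action, app, upn in actions:
        store = app_accounts.setdefault(app, set())
        (store.add if action == "create" else store.discard)(upn)
        audit.append({"event": action, "app": app, "user": upn})
    return audit


if __name__ == "__main__":
    for line in plan_actions(MIS_FEED, APPS, APP_ACCOUNTS):
        print(*line)
```

Running the plan twice is the useful check: after `apply_actions` the second `plan_actions` call must come back empty, which is how a nightly sync can prove it has converged and flag any app that keeps re-appearing in the delete list.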
[Federation diagram: a TRUST relationship between the Service Provider and the Identity Provider. The Identity Provider holds the credential (HARRY, Password XYZ); the Service Provider holds the permission (HARRY, R+W); HARRY = SMT.]

Kerberos exchange with the KDC:
1. Encrypted Authenticator Package
2. Package decrypted & identity claim checked
3. TGT sent to client
4. TGT sent to KDC with request for Ticket
5. Ticket for file server sent to client
6. Client access to file server via Ticket
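The six steps above, played out end to end in Python as an added illustration (not code from the original slides, and not real Kerberos). The sealing routine is a stand-in for Kerberos encryption types (an HMAC-SHA256 keystream plus an HMAC tag) so that the script runs on the standard library alone; principal names, the password, key derivation and ticket lifetimes are constructed. What it shows is where each check happens: the KDC opens the authenticator with the client's registered key (step 2), the file server never contacts the KDC (step 6) and relies on the ticket sealed under its own key plus a replay cache.

```python
"""Toy walk-through of the six-step Kerberos exchange on the slide. Added
illustration, not code from the original slides and not real Kerberos: the
sealing scheme (HMAC-SHA256 keystream plus HMAC tag) is a stand-in so the
script runs on the standard library alone. Names, keys, lifetimes: constructed."""
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300       # seconds; authenticators older than this are rejected
TICKET_LIFE = 36000  # seconds


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption of a JSON-able dict: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password):
    """Client long-term key derived from the password (toy derivation)."""
    return hashlib.sha256(password).digest()


class KDC:
    def __init__(self, user_keys):
        self.keys = dict(user_keys, krbtgt=os.urandom(32), fileserver=os.urandom(32))

    def as_exchange(self, client, auth_pkg, now):
        """Steps 1-3: opening the authenticator with the client's key IS the identity check."""
        auth = unseal(self.keys[client], auth_pkg)
        if auth["client"] != client or abs(now - auth["ts"]) > MAX_SKEW:
            raise ValueError("pre-authentication failed")
        sess = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sess": sess, "exp": now + TICKET_LIFE})
        return seal(self.keys[client], {"sess": sess}), tgt   # only the KDC can open the TGT

    def tgs_exchange(self, tgt, auth_pkg, service, now):
        """Steps 4-5: validate TGT + authenticator, issue a ticket sealed with the service key."""
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["sess"]), auth_pkg)
        if auth["client"] != t["client"] or abs(now - auth["ts"]) > MAX_SKEW or now > t["exp"]:
            raise ValueError("TGT or authenticator rejected")
        svc_sess = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sess": svc_sess, "exp": now + TICKET_LIFE})
        return seal(bytes.fromhex(t["sess"]), {"sess": svc_sess}), ticket


class FileServer:
    def __init__(self, key):
        self.key, self.seen = key, set()

    def access(self, ticket, auth_pkg, now):
        """Step 6: no call to the KDC; the ticket and a fresh authenticator are the proof."""
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["sess"]), auth_pkg)
        if auth["client"] != t["client"] or abs(now - auth["ts"]) > MAX_SKEW or now > t["exp"]:
            raise ValueError("ticket or authenticator rejected")
        if (auth["client"], auth["ts"]) in self.seen:     # replay cache
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return f"{t['client']} granted access to files"


def authenticate(password=b"Password XYZ", client="HARRY"):
    """Run the whole flow for one client and report the outcome as a string."""
    kdc = KDC({client: user_key(b"Password XYZ")})   # the KDC holds the *registered* key
    fs = FileServer(kdc.keys["fileserver"])
    now = time.time()
    try:
        ckey = user_key(password)                                                   # client side
        reply, tgt = kdc.as_exchange(client, seal(ckey, {"client": client, "ts": now}), now)     # 1-3
        sess = bytes.fromhex(unseal(ckey, reply)["sess"])
        reply, ticket = kdc.tgs_exchange(tgt, seal(sess, {"client": client, "ts": now}), "fileserver", now)  # 4-5
        svc_sess = bytes.fromhex(unseal(sess, reply)["sess"])
        return fs.access(ticket, seal(svc_sess, {"client": client, "ts": now}), now)  # 6
    except ValueError as e:
        return f"denied: {e}"
```

`authenticate()` returns the granted message; `authenticate(password=b"wrong")` fails at step 2 with a bad tag, which is the toy's equivalent of pre-authentication failure and the event a domain controller logs for a wrong password. The clock-skew and expiry checks are why Kerberos deployments depend on time synchronisation.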
•https://sts.cloudready.ms/adfs/ls/?SAMLRequest=jZFRT4MwFIX%2FCun7KC3OjWaQ4PbgkqlkoA%2B%2BmAKdNCkt9hZ1%2F14GmkwfFl%2Fv%0APfc7p6cr4K3qWNq7Ru%2FFWy%2FAeZ%2Bt0sDGRYx6q5nhIIFp3gpgrmJ5erdj1A9Y%0AZ40zlVHISwGEddLotdHQt8Lmwr7LSjzudzFqnOuAYQyNLP1Kmb62gtdHvwWc%0AD6PSKOEaH8DgE5ni7CEvkLcZokjNT9AzhIM%2FBF4fACvAyNtuYvRSRSIiZXlN%0AwrlY0CriSxKGhNLDFeXhYjkfZAC92GpwXLsY0YCEM0JnQVQESxaEjCyekZd9%0AP%2BxG6lrq18stlJMI2G1RZLMp%2FJOwMAYfBChZnbpko7E9a%2Fcylv9UipJ%2FFbjC%0AZy6TZcfuB%2Bx2kxklq6OXKmU%2B1sOpEzEiCCfTye%2FfT74A%0A&RelayState=cookie%3A29002348&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=M0xoWQfcN3Yp94T2HiqIdJzEkxYqGc6hhopqi8xOI%2B2BtPSLufFDdQIF7z6Xjm6XdLq1MH9Av5xz2QWYs84ZYhlG3fHtZCjjaoI2wZqplRszHla%2BjtZoW20NGDepDsCRT0AKNkhe%2B4Yj3LshrM6EX5O3obx2Mypy8EcsoURkTF3kf1dwKqsGA3ka7ehbRmUQGJUXD0u4iFBog7YgkL4Q9FYMTanZeRo2X4%2FkAeNxT8ormKWJfYnAzg0F4Ku60zDd5N7jYu4XeyOsXDthEFI5H4WYucAprREl2hgSUI21J782kKzrslalIaJ5BKPIO50NPCIb5Sf6Zw4maLpZrFEfrw%3D%3
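The URL above is a SAML 2.0 HTTP-Redirect binding: `SAMLRequest` is the AuthnRequest XML, DEFLATE-compressed, Base64-encoded and then URL-encoded, with `RelayState`, `SigAlg` and `Signature` alongside. As an added illustration (not code from the original slides or from AD FS), the script below builds such a URL from a constructed AuthnRequest, takes it apart again without decoding the query first (the signature covers the encoded parameters exactly as sent), and flags the `rsa-sha1` SigAlg seen on the slide as something to reject in favour of rsa-sha256. The AuthnRequest XML, relay state and the test app name are constructed; the RSA verification over `signed_data` is left to a proper SAML library and the SP's public key.

```python
"""Take apart a SAML 2.0 HTTP-Redirect binding URL and rebuild the exact bytes the
IdP must verify the Signature over. Added illustration, not code from the original
slides or from AD FS; the AuthnRequest, relay state and SP name are constructed."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"            # what the slide's URL uses
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"   # what an IdP should require

# Constructed AuthnRequest; the SP name reuses the test app from the slides.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'IssueInstant="2015-11-02T10:00:00Z" '
    'AssertionConsumerServiceURL="https://www.davetestapp.com/saml/acs">'
    '<saml:Issuer>https://www.davetestapp.com</saml:Issuer></samlp:AuthnRequest>'
)


def encode_saml_request(xml_text):
    """SAMLRequest value: raw DEFLATE, then Base64 (URL-encoding happens in the query)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    return base64.b64encode(co.compress(xml_text.encode("utf-8")) + co.flush()).decode("ascii")


def decode_saml_request(b64_text):
    # b64decode discards non-alphabet bytes, so the %0A line breaks in the slide's URL are harmless
    return zlib.decompress(base64.b64decode(b64_text), -15).decode("utf-8")


def build_redirect_url(sso_url, xml_text, relay_state, sig_alg=RSA_SHA256):
    query = urllib.parse.urlencode(
        {"SAMLRequest": encode_saml_request(xml_text), "RelayState": relay_state, "SigAlg": sig_alg})
    return f"{sso_url}?{query}"   # a signing SP then appends &Signature=<Base64 RSA signature>


def parse_redirect(url):
    """Split the query WITHOUT decoding: the signature covers the encoded form as sent."""
    raw = {}
    for pair in urllib.parse.urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        raw[name] = value
    # Binding rule: SAMLRequest, then RelayState (if present), then SigAlg, joined with '&'
    signed = "&".join(f"{n}={raw[n]}" for n in ("SAMLRequest", "RelayState", "SigAlg") if n in raw)
    dec = {n: urllib.parse.unquote_plus(v) for n, v in raw.items()}
    xml_text = decode_saml_request(dec["SAMLRequest"])
    # Untrusted XML from the network: use defusedxml in production instead of ET directly
    issuer = ET.fromstring(xml_text).findtext("saml:Issuer", namespaces=SAML_NS)
    return {
        "xml": xml_text,
        "issuer": issuer,
        "relay_state": dec.get("RelayState"),
        "sig_alg": dec.get("SigAlg"),
        "signature": dec.get("Signature"),
        "signed_data": signed.encode("ascii"),  # verify the RSA signature over these bytes
        "sig_alg_ok": dec.get("SigAlg") == RSA_SHA256,
    }


if __name__ == "__main__":
    demo = build_redirect_url("https://sts.cloudready.ms/adfs/ls/", AUTHN_REQUEST, "cookie:12345")
    for k, v in parse_redirect(demo).items():
        print(k, "=", v)
```

The reason for splitting the query by hand is that re-encoding a decoded value (`+` versus `%20`, `/` versus `%2F`) changes the bytes, and a verifier that canonicalises differently from the sender either fails every request or, if it falls back to an unsigned path, verifies nothing at all.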
• https://sts.cloudready.ms/adfs/oauth2/authorize?response_type=code&client_id=3fb2a37f-4ced-409c-937c-dddd776f4dfd&redirect_uri=https://www.davetestapp.com&resource=https://www.davetestapp.com
[Diagram: WEB1 and DB1]
1. Client needs access. Authenticates
2. WEB1 checks with main identity provider
3. Client needs access
4. DB1 checks with main identity provider
[Diagram: MIS, RM Unify, AD Sync, User accounts, Sign in, Authentication]