© Copyright 2012 EMC Corporation. All rights reserved.
Do You Know Who Your Users Are?
Agenda
• Current challenges with Identity Federation and Web Access Management
• Why a federated identity layer is needed
• How RSA and Radiant Logic have collaborated to provide a comprehensive solution that simplifies the process of Authentication, Single Sign-On and Authorization in complex environments
Speakers:
– Tim Bedard, RSA Sr. Manager, Product Management IAM
– Dieter Schuller, Radiant Logic VP of Business Development
World of Access is Expanding: Identity and Context is the New Perimeter
• Source: March 22, 2012, Forrester report “Navigate The Future Of Identity And Access Management”
Diagram: three dimensions along which access is expanding
– App sourcing and hosting: on-premises enterprise apps, apps in private clouds, apps in public clouds, SaaS apps, partner apps
– App access channels: enterprise computers, enterprise-issued devices, personal devices, public computers
– User populations: employees, contractors, partners, members, customers
Current State: The User Experience
Diagram: the same person is known by a different identifier in each application ([email protected] in one, tomj in another) across Application 1, Application 2 and Application 3.
No Single Sign-On
1. User authenticates to Application 1 (ID: [email protected] / Pwd: 1234)
2. User is granted access
3. User clicks a link for Application 3 and is met with a “?”: with no single sign-on, Application 3 does not recognize the session established with Application 1
What is Needed? A Single Identity Source
Diagram: one person, Tom Jones, is held under three different identifiers (Tom Jones, 1470233, tomj) across Application 1, Application 2 and Application 3, and the applications key him by different attribute combinations (Name + Company ID, Email + Company Name); a single identity source is needed to tie these records together.
Federation/WAM without Federated Identity
Authentication, web access management, federation and fine-grained entitlements are complex, expensive and less effective.
Diagram: external cloud apps and internal enterprise apps (Salesforce, SharePoint, Google Apps, WebEx) are each wired directly to multiple identity sources: AD in Forest/Domain A, AD in Forest/Domain B, other directories and databases.
Required Capability: Complete List of Users and Unified Profile for Each User
Diagram: user data is scattered across silos with no single list: Billing, Product 1 System DB, Product 2 System, Fulfillment, Service Desk, Serviceability, Events, Provisioning, Plant DB.
Required Capability: Identity Virtualization
• Abstraction layer between consuming applications and the underlying identity silos
• Virtualization isolates applications from the complexity of back-ends
Diagram: the virtualization layer sits between the back-ends (Population A, Population B, Population C, Groups and Roles, reached over LDAP, SQL and Web Services/SOA) and the consuming applications (App A through App F), exposing Contexts and Services built in stages: Aggregation, Correlation, Integration, Virtualization.
Required Capability: Scaling and Performance
• Must scale to millions of users
• Must support joining across disparate systems to create a complete profile
• Must provide the speed, reliability and functionality of a directory regardless of the limitations of the back-end systems
• Requires caching into a materialized view that is updated in near real time based on changes in the authoritative systems
RSA Adaptive Directory Overview
Diagram: a virtualization layer backed by a persistent cache and a memory cache presents Profiles, Context and Identities to applications, drawing on data sources: directories, applications, databases and web services.
RSA Adaptive Directory: Building the Global List
1. Existing local identities: Data Silo A, Data Silo B and Data Silo C each hold their own identities, which often overlap.
2. Identity Correlation: second, the intersection (the common identities) must be detected by correlating identities across the silos.
3. Identity Registry: then a union set can be published, with all users represented once in the set.
RSA Adaptive Directory: Building the Unified Profile
Source records for one person, john smith, in three silos:
• LDAP Directory: userID=jsmith, cn=john_smith, givenName=john, title=manager, sn=smith
• Active Directory: EmployeeID=12952, sAMAccountName=jsmith, NTDOMAIN=west, Email=[email protected], cn=john smith
• Database row (columns Phone, Office, LNAME, login): 555-1354, Seattle, Smith, jsmith
Adaptive Directory correlation: each local identifier maps to the same correlation key (global identifier)
• cn=john_smith,dv=ldap,o=vds → jsmith
• cn=john smith,dv=activedirectory,o=vds → jsmith
• login=jsmith,dv=database,o=vds → jsmith
Virtual Identity (Unified Profile):
• UID=jsmith
• LocalIdentifier=cn=john_smith,dv=ldap,o=vds
• LocalIdentifier=cn=john smith,dv=activedirectory,o=vds
• LocalIdentifier=login=jsmith,dv=database,o=vds
• email address [email protected] (attribute name lost in extraction)
• Seattle (attribute name lost in extraction)
• Objectclass=inetOrgPerson
Virtualizing the Data: Schema Translation Example
• Translate Protocol
• Transform Schema
• Restructure DIT
• Normalize data
• Create Dynamic Groups
• Etc.
Example 1 Before: Authentication without RSA Adaptive Directory
Diagram: the WAM/Federation layer is connected separately to two stores: an Internal Directory (AD, 10,000 users: JSmith, BJones, SBrady, …) and an External Directory (LDAP, 1 million users: RThomas, EParker, JSmith, TEdwards, GThames, …). JSmith appears in both.
Example 1 After: Authentication with RSA Adaptive Directory
Diagram: the WAM/Federation layer talks only to Adaptive Directory, which presents one global list over the same Internal Directory (AD, 10,000 users) and External Directory (LDAP, 1 million users), each entry tagged with its source:
JSmith – AD, LDAP
BJones – AD
SBrady – AD
Rthomas – LDAP
Eparker – LDAP
Jsmith – LDAP
Tedwards – LDAP
Gthames – LDAP
…
Example 2 Before: SSO without RSA Adaptive Directory
Diagram: AD holds TJones with ID 12345 and LDAP holds TomJ with the same ID 12345; the WAM/Federation layer sees two unrelated logins.
Example 2 After: SSO with RSA Adaptive Directory
Diagram: Adaptive Directory correlates TJones (AD, 12345) and TomJ (LDAP, 12345) into one entry, 12345 → TJones, TomJ, so the WAM/Federation layer can sign the user on to both.
Example 3 Before: Authorization without RSA Adaptive Directory
Diagram: AD holds JSmith, ID 12345, role CEO; LDAP holds a different JSmith, ID 99999, role Contractor; the WAM/Federation layer sees the same login in both stores with no way to tell which entitlements apply.
Example 3 After: Authorization with RSA Adaptive Directory
Diagram: Adaptive Directory keeps the two JSmith records distinct and tagged by source, JSmith 12345 CEO (AD) and JSmith 99999 Contractor (LDAP), so the WAM/Federation layer authorizes each against the correct profile.
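The correlation described under “Building the Global List” and “Building the Unified Profile” and illustrated by Examples 1 to 3, as an added illustration that is not RSA or Radiant Logic code: records from several silos are joined into one virtual identity per person. The ,dv=<silo>,o=vds local-identifier form and all sample records come from the slides; the join rule (a shared employee ID always joins two records, a shared login joins them only when no employee IDs conflict) and the choice of employee ID as the global identifier are assumptions inferred from the examples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SiloRecord:
    silo: str              # silo the record lives in: ldap, activedirectory, database
    rdn: str               # local naming attribute inside that silo
    login: str             # login name as stored there
    employee_id: str = ""  # authoritative ID; empty when the silo has none
    role: str = ""         # entitlement-bearing attribute, if any

    def local_identifier(self) -> str:
        # Local identifier in the virtual-DN form the slides use: <rdn>,dv=<silo>,o=vds
        return f"{self.rdn},dv={self.silo},o=vds"

def correlates(a: SiloRecord, b: SiloRecord) -> bool:
    """Assumed rule: a shared employee ID always joins; a shared login joins only if no IDs conflict."""
    if a.employee_id and a.employee_id == b.employee_id:
        return True
    id_conflict = bool(a.employee_id and b.employee_id and a.employee_id != b.employee_id)
    return a.login.lower() == b.login.lower() and not id_conflict

def build_registry(records: list[SiloRecord]) -> list[dict]:
    """Publish the global list: one virtual identity per person, with every local identifier."""
    parent = list(range(len(records)))  # union-find over record indexes
    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, a in enumerate(records):
        for j in range(i + 1, len(records)):
            if correlates(a, records[j]):
                parent[find(i)] = find(j)
    groups: dict[int, list[SiloRecord]] = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec)
    registry = []
    for members in groups.values():
        # Global identifier: the employee ID when any silo has one, else the login (assumption)
        uid = next((m.employee_id for m in members if m.employee_id), members[0].login.lower())
        registry.append({"uid": uid,
                         "logins": sorted({m.login for m in members}),
                         "localIdentifier": [m.local_identifier() for m in members],
                         "roles": {m.silo: m.role for m in members if m.role}})
    return registry

def resolve(registry: list[dict], login: str) -> list[dict]:
    """Look a login up as a WAM layer would; two hits (Example 3) means it must fall back to uid."""
    return [v for v in registry if login.lower() in {l.lower() for l in v["logins"]}]
```

When resolve() returns two entries for JSmith, that is the Example 3 case: the access layer must authorize against the uid and its source-tagged role, never against the bare login.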
RSA Access Manager + RSA Adaptive Directory Interoperability
Diagram: a user authenticates through an Access Manager Agent (on a website or other resources) to the Access Manager Server, which is administered from the Access Manager Admin Console; the server resolves identities through Adaptive Directory, which virtualizes an LDAP Directory, Active Directory and a Database.
Positive Business Outcomes
• Access to applications is more secure, reducing risk and cost of a potential breach
– With more information about each user, you are better able to secure your resources and offer better service to your constituents
• Authentication and authorization are easier and cheaper to manage
– Single source of truth for integrating and managing disparate populations and their entitlements across data silos
• Business cases not previously possible are enabled
– With a complete list of users and a complete profile for each user you can better serve your constituents and enable cross-sell, up-sell, and improve services
• Business solutions are delivered faster with less custom hard-coding of applications to identity data stores
• The capacity of the identity management IT team increases
Questions? More info: http://www.emc.com/IAM