Utah Architecture Review Single Sign-On

Post on 12-Jan-2015


Presentation to the Utah Architecture Review Board on Single Sign-On and the Utah Master Directory


TA Review – Authentication and Single Sign-On

Utah Department of Technology Services, March 2008

Introduction

The Utah Master Directory (UMD) and the related SiteMinder architecture were designed in 2001. Current practices need to be validated against best-practice industry solutions, with the objective of wider adoption of Single Sign-On (SSO) and the related directory and access control infrastructure.

Types of Single Sign-on

Identity Access Mgmt Ecosystem

Current Architecture

• UMD Directory

• SiteMinder

• Credential Collector

• AppProfile System

• AppAdmin

• JAAS Providers to Application Servers

User Adoption

Overall integration with the existing applications inventory is less than 30%.

Application-specific directory and authorization is used by 65.4% of all production applications.

Direct LDAP to agency directory information is used by 23.1% of production applications.

Successful Features of UMD

• Integration with NDS to Synchronize LAN Passwords

• Availability of UMD/SiteMinder Infrastructure

• Identity Management

• Simplified Maintenance of User Access Privileges

• UMD Support Services

Obstacles that keep agencies from using UMD Services

– Difficulty Using the UMD with New Applications: 22.7%

– Difficulty Using the UMD with Existing Applications: 22.7%

– Direct LDAP Access: 18.2%

– Reliability and Scalability Concerns: 18.2%

– Inadequate Documentation: 13.6%

– Cost Concerns: 13.6%

– Availability of UMD Web Services: 13.6%

– Application Profile Management: 9.1%

– SSO Security Concerns: 9.1%

– Concerns with the Use of "Cookies": 4.5%

Help Desk Call Data for Password Resets and UMD Related Inquiries

                        1Q '07   2Q '07   3Q '07   4Q '07   Jan '08   Feb '08
Network/LAN PW Reset       485      587      693      740       251       245
Mainframe PW Reset         385      380      421      382       147       101
UMD PW Reset               484      618      594      624       264       242
Total PW Resets           1354     1585     1708     1746       662       588
Total Tickets           17,812   18,240   19,342   19,089     7,604     6,813
% PW Resets               7.6%     8.7%     8.8%     9.1%      8.7%      8.6%

Industry average is about 30% (IT Security Journal).

Best Practices

• Application Coverage

• Ease and Flexibility of Deployment

• Authentication Capabilities

• Shared Work Environments

• Overall Security Objectives

• User Access Management

• Single Sign-Off

• Enterprise Reliability and Scalability

• Legacy Application Integration

Industry Reports

Forrester, Gartner

Extending Enterprise ID Across the Web

Federal E-Authentication

The E-Authentication Solution created the US E-Authentication Identity Federation, which allows Federation members to recognize and trust log-in IDs issued by other trusted Federation members. The trusted members that issue these log-in IDs may be other government agencies, academic institutions, or commercial entities such as banks or other financial services institutions. There is an opportunity for Utah to participate in this initiative by establishing the UMD as a trusted entity.

Recommendations

• Position UMD Services as more than just a directory or SSO solution: as a comprehensive IAM solution.

• Establish the UMD as a trusted identity source so State users can use their UMD identity to access Federal applications and services as a trusted partner.

• Add third-party reporting software, such as eIQ, LogRhythm, etc., to facilitate audit tracking of who has access to directory-enabled resources, and when they had access.

• Improve the user interface for AppAdmin and AppProfile so they are easier to use by the development and application business management communities.

• Provide capability for direct LDAP access by agencies within security model constraints.

• Appoint a study group to review UI authentication and look at possible integration of their 36,857 directory subscribers with the UMD directory as a specialized container.