Looking at federation through enterprise eyes Ian Glazer
- Slides: 83
Looking at federation through enterprise eyes Ian Glazer Research VP, Agenda Manager Ian. glazer@gartner. com @iglazer This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2011 Gartner, Inc. and/or its affiliates. All rights reserved.
Recent Past
Federation = SSO
Hub and Spoke
Network of peers
Except • Both hub and spoke, as well as, network of peers faced challenges scaling. - Some of these issues were technical. - Some of these issues were value-related. • Communities of interest formed to address both challenges.
Today's World
Enterprise federation today • Majority of enterprises do not participate in federations per se. • However, enterprises do use federation technologies to connect to externally-provided services. • Federation found its enterprise stride via Saa. S adoption.
Status Quo
Welcome Saa. S and Its Friends
Welcome Saa. S and Its Friends Big shiny object!
Federation = Way to attach Saa. S to the enterprise = SSO
Joining a Federation (The Short Version)
Sign business agreement
Except • The business isn’t involved. • Lawyers are involved. - Appropriate use of attributes and other information is a legal agreement. • Business expectations are assumed to be met but inherent value of the service.
Determine RP’s needs
Except • This isn’t a dialogue. • “Provide the following attributes. ” • But what about entitlements? • But what about authorization policies?
Start building SAML metadata
Map local attributes to RPs entitlements and attributes
Except • These mappings are poorly documented • Lots of tribal knowledge, less institutional knowledge • Brittle mappings aren’t contextual friendly
Perform telekinesis
Perform telekinesis?
Action at a distance
Telekinesis • Want to effect the authorizations in a remote system • Provisioning local objects to effect remote authorization state • But this is a hoax - Provision remote objects too
Spray old data everywhere • Lots of attributes being pushed • But now with less visibility! - RPs don’t know the quality of the data - RPs don’t know the data’s “Sell By” date - Information sources don’t always know where the data went
Today's Federated Provisioning Approaches
How to Connect People to Federated/Cloud Apps?
How to Connect People to Federated/Cloud Apps? ?
Federation = Way to attach Saa. S to the enterprise = SSO
Variety of techniques exist • Broad spectrum of federated provisioning techniques - Manual one-off - “Traditional” - Creative • Service providers lack consistency
Service Provider User Management Tools • User management console: - Allows administrator to manually create and manage user accounts and privileges • Bulk load operations: - Most support. csv file uploads • Integration tools: - Proprietary user management APIs - Directory Synchronization - Support for IAM standards such as LDAP, SAML, SPML, etc.
Service Provider User Management Tools • User management console - Allows administrator to manually create and manage user accounts and privileges Majority • Bulk load operations - Most support. csv file uploads • Integration tools - Proprietary user management APIs The select few - Directory Synchronization - Support for IAM standards such as LDAP, SAML, SPML, etc.
You Call This a Provisioning Tool?
You Call This a Provisioning Tool? Yes!
Local Connector A target application is just a target.
Cloud-Based Connector Everything is better in the cloud?
To the Cloud With Your Provisioning Server
Directory Synchronization Saa. S App Identity Repository Hosted On-Premises Change Detection User Attributes Sync Server Enterprise Identity Store (LDAP or AD)
Just-In-Time Provisioning via SAML
Welcome back!
Except • All of these approaches only solve a portion of the problem: - Administrative authorization - SSO • What happens with attributes and entitlements that get pushed to the federation partner/service? • The enterprise fixation with federated authentication is blinding it from the larger issues – federated authorization 40
Administrative & runtime authorization
Two Kinds of Authorization Policies
Administrative Policies • Sets up attributes and entitlements needed to enable access • Ahead of their use
Where Do Administrative Policies Live? • Provisioning • Identity and access governance (IAG) - Access policy management - Role management • In people’s heads - Workflow as manually enforced policies
Runtime Policies • Authorizes user to perform an action based on context • Context = attributes, entitlements, and external factors
Where Do Runtime Policies Live? • Applications • Web access management • Externalized authorization management • Federated services
Administrative Policy
. . . in Action
Runtime Policy
. . . in Action
Two Policies; One Goal
Attributes and Entitlements Dependencies
A Part and Yet Apart • Each type of policy is maintained by separate teams with separate change management processes • Neither kind of policy is aware of the other • The teams maintained these policies are usually disconnected as well
The Problem • To completely answer who can do what, both administrative and runtime environments must be examined • Lack of awareness and linkage of both environments prevents complete answers • Disconnected policies inhibit traceability • We do not know if we are faithfully fulfilling business controls
Things don’t get better in a federated scenario
Brain surgery with Buckaroo Banzai No, no! Don’t tug on that. You never know what it is attached to. 56
Manipulating attributes has unknown and unknowable consequences
Things don’t get better in a federated scenario • Policy coherence is harder to achieve - Administrative policies are typically tribal in nature - Runtime policies are tribal in nature… and maintained by a different tribe! - Examining both sets of policies together is nearly impossible • Federated SSO is not hard to establish - What happens after sign-on is crucial… and it is often well out of sight of the Id. P 58
Looking into the near future
New developments in federated provisioning
Cloud HR Is the Lifecycle Feed
Cloud Directory Is the New Lifecycle Feed
Token Flipper Is the New Lifecycle Feed
Token Flipper Is the New Connector
Multi-Protocol JIT
But all of these solutions 66
will eventually fail.
Federation = Way to attach Saa. S to the enterprise = SSO
Enterprise fixation with federated authentication is blinding it from the larger issue.
Federated Authorization
Shared Problems
Problems with our administrative tools • Traditional on-premise administrative IAM tools are push-oriented. - These tools are “copy” not “reference” in nature. • Policies should be provisioned, not attributed - Attributes should be referenced not copied. • Authorization policies are increasingly split between administrative and run-time environments.
Problems with our runtime tools • Runtime authorization environments often have opaque policies. - Hard to execute compliance-related activities. • Attribute and entitlement meaning is inferred and codified in varying ways. • What is acceptable use doesn’t always make it into the authorization policies. 73
Problems with federated services • There are inconsistent ways of discovering entitlements - And on-premise tools (especially IAG) don’t know to deal with that • Authorization policies is: - Sometimes managed by the enterprise - Sometimes by the RP - Sometimes both - And not rationalized against administrative policies 74
The problems beneath the problems • Our models are insufficient - IAM tools do not model relationships well. - IAM tools do not model context well. • Authorization is a problem of relationship and context. - Federated authorization is more so • We push attributes instead of pull them. • We lack mechanisms to share, distributed, and link authorization policy. 75
Calls to Action and Readings
What you should do: Know and Map • Know your entitlements - An entitlement catalog transforms tribal knowledge into institutional knowledge • Know your authorization policies - Document authorization policies - Try to close the gap between administrative and runtime authorization policies • Map attribute dependencies - First step to addressing authorization policy coherence is knowing where shared attribute dependencies exist. 77
What can you do: Demand more • Enterprises often lag higher education and federal governments in federation sophistication • Vendors primarily selling to private enterprise will thus lag as well. • Bulk load interface ≠ acceptable federation solution 78
What we must do: Hasten evolution • The industry needs to move from pushing attributes to pushing authorization policies. • Relationships and context must become firstclass citizens in the IAM world and its tools. • The enterprise notion of federation as glorified SSO must evolve. 79
Federation ≠ Way to attach Saa. S to the enterprise ≠ SSO
Federation = Authorization across boundaries
Recommended Gartner Reading • Achieving Greater Control Over Authorization Ian Glazer • Combating Policy Sprawl: Identity and Access Governance and Externalized Authorization Management Systems Ian Glazer • Upcoming - The Brave New World of Federation Robin Wilton • Upcoming - Combating Policy Sprawl: Identity and Access Governance and Externalized Authorization Management Systems Mark Diodati 82
- Zelda glazer
- Looking out looking in chapter 9
- Looking out/looking in
- Eye color punnett square
- What is the genotype of the man? ii i a i i b i i a i a
- What colour is hazel eyes
- Punnett square question
- Through your child's eyes: american sign language
- Through you blind eyes are open
- Huansang
- Crusades through arab eyes
- Through the eyes of imagination
- The process of seeing ourselves through the eyes of others
- Enterprise
- Putting the enterprise into the enterprise system
- Advantages of through and through sawing
- 14 14
- Through one man
- Classes of furcation
- World federation of methodist and uniting church
- Federation of european neuroscience societies
- Comfed logo
- Zsigmondy tooth numbering system
- International federation of freight forwarders associations
- Western federation of professional surveyors
- Federation of schools of accountancy
- All-china youth federation
- International federation of freight forwarders associations
- Arkansas environmental federation
- Elves logistics federation
- Lincolnshire wolds federation
- Delaporte catcheur
- National federation of community development credit unions
- Hockey federation 2010
- American federation of labor
- South warwickshire gp federation
- Italy volleyball federation
- Federation francaise de cardiologie brochures
- European headache federation
- Fep parquet
- European federation of foundation contractors
- Swiss ice hockey federation
- Prague spring
- Federation models
- Playpic fiba
- World federation of colleges and polytechnics
- Federation business school
- Myanmar rice federation
- Federation of european social employers
- Federation rsa
- Occurenced
- Ministry of education and science of the russian federation
- Wrp federation
- "world federation of hemophilia"
- International federation of environmental health
- Interreligious and international federation for world peace
- Dka triad
- Hemophilia federation of america
- Scottish islands federation
- Distance speed time triangle
- European federation of financial analysts societies
- Swiss ice hockey federation
- What continent is the philippines on
- European renewable energies federation
- Eurasia time zone
- Middleware in local government
- Eastern
- National federation spirit rules book
- Olivia latimer matildas
- What is federation
- Permissive federation
- Cloud federation stack
- American culinary federation certification
- Israel boy and girl scouts federation
- World federation of neurological surgeons scale
- The federation
- Italian basketball federation
- International federation of nurse anesthetists
- National federation wrestling rules
- Federation symbol
- Id federation
- New england federation of humane societies
- Colvestone primary school