Page 1: Identity Federation: from theoretical concepts to case studies of concrete implementations

Seminar on Identity Federation: from theoretical concepts to case studies of concrete implementations. Nagib Aouini, Head of IAM Division

Geneva, 27.11.2014

Organised by

Page 2

AGENDA

Context / Needs / Customer challenges – 5 min

Federation vision (concepts, benefits, needs) – 15 min

ELCA security architecture – 15 min

Project strategy – 5 min

Lessons learned / ELCA security services / Questions & answers – 15 min

Page 3

CURRENT CUSTOMER NEEDS

■ Allow secure access to a B2B application based on SharePoint 2013 for all employees, business partners and contractors (maximum 100’000 users).

■ Simplify the registration and on-boarding process for business partners and employees without adding huge administration tasks for business and IT admins (access right management).

■ Provide the best user experience for end users in terms of access, registration and collaboration.

■ Identify users and audit all access to sensitive documents using a unique identifier (which is strongly linked to the physical person).

■ Deliver the best performance for the B2B application and support peak demand during specific events.

Page 4

BUSINESS DRIVERS

■ Improve security & risk management: strong authentication to protect sensitive assets; enforce the access control policy; timely revocation of inactive accounts; impose policies and improve audit capability.

■ Regulatory compliance: Loi fédérale du 19 juin 1992 (LPD), the Swiss Federal Act on Data Protection; company audit policy and compliance report.

■ Reduce operational costs: align technology in both data centers (use of F5); reduce management and security costs; cut development costs by using standard protocols (SAML2, OAuth, WS-Fed …).

■ Business facilitation: improve user experience (with SSO and federated SSO); integrate partners (top sponsors); integrate new business applications within time-to-market (SaaS apps, on-premises apps using SAML SSO).

Page 5

BUSINESS CHALLENGES

Project Business Team: "How to manage this massive amount of users in terms of registration and access rights? We are only 5 people!"

IT Security Officer: "I will not let 100’000 users access my network without identifying them in a secure way! Today our LAN is not open to the Internet worldwide."

IT System administrator: "How many system administrators do we need to manage that amount of servers (required for SharePoint 2013)? Do we need to manage a lot of firewall rules for SAML?"

Help Desk and Support: "I don’t want to receive calls or tickets for people working outside our company. I’m supposed to handle requests only for employees!"

Head of IT: "Are you sure that SAML is the right choice? Will it make application integration faster in the future? Does it enable SSO to SaaS platforms? It costs a lot, no?"

Page 6

AGENDA (section divider; same agenda as Page 2)

Page 7

HOW CAN FEDERATED IDENTITY AND SSO SOLVE THOSE CHALLENGES?

Federated Identity & SSO – Benefits

User experience: simplify access; simplify the user’s navigation

Secure access: a single authentication service; no more passwords in transit, only tokens

Facilitate integration: use of the SAML standard, which crosses network boundaries

Page 8

WHAT IS FEDERATED IDENTITY MANAGEMENT?

Identity management deals with identifying individuals in a system and controlling access to the resources in that system.

Authentication – Verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.

Authorization – Determining which actions an authenticated entity is authorized to perform on the network.

Identity Provider (IdP) – Entity performing authentication

Service Provider (SP) – Entity allowing authorized resource access

Page 9

IDENTIFICATION AND AUTHENTICATION: CLASSIC VS. SAML-BASED

(Diagram. Classic model: App 1 and App 2 each perform their own authentication against Active Directory and their own authorisation over their functionalities and data. SAML-based model: a single IdP authenticates the user against Active Directory and issues SAMLv2 claims to each SP; each application keeps only its own authorisation over functionalities and data.)

Page 10

IDENTITY FEDERATION OVERVIEW

(Diagram: the Service Provider (SP) fronts the digital resources; the Identity Provider (IdP) authenticates users against the directory and provides SSO; an IdP discovery service lets the SP find the user’s IdP.)

Page 11

TRUST BETWEEN IDP AND SP

■ Asymmetric cryptography (key pair)

The receiver’s public key (known to the sender) is used for encryption

− The sender must be able to verify the authenticity of the public key!

The receiver’s private key (kept secret) is used for decryption

The key pair (private and public) is generated at the same time

Also known as "public key cryptography"

The message exchange between an IdP and an SP that trust each other works the same way

(Diagram: the IdP signs the message and runs the encryption algorithm with the SP’s public key; the SP runs the decryption algorithm with its private key and extracts the message.)
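The sign-then-encrypt exchange between an IdP and an SP, as an added example (not code from the slides or from ELCA), using the Python `cryptography` package. Key pairs are generated in-process, and the pinned fingerprint stands in for the certificate the SP would have received out of band in SAML metadata; the demo names and the claim string are assumptions.

```python
# Added example: IdP/SP trust with asymmetric cryptography. The IdP signs
# with its own private key (the SP verifies with the IdP public key) and
# encrypts with the SP public key (only the SP private key decrypts).
# Keys are generated in-process for the demo; the pinned fingerprint stands
# in for the certificate exchanged out of band via SAML metadata.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def fingerprint(public_key):
    """SHA-256 of the DER SubjectPublicKeyInfo, the value a party would pin."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    h = hashes.Hash(hashes.SHA256())
    h.update(der)
    return h.finalize().hex()


def idp_send(idp_private, sp_public, assertion):
    """IdP side: sign, then encrypt for the SP. RSA-OAEP limits the plaintext to
    about 190 bytes with a 2048-bit key; XML Encryption wraps a symmetric key instead."""
    signature = idp_private.sign(assertion, PSS, hashes.SHA256())
    ciphertext = sp_public.encrypt(assertion, OAEP)
    return ciphertext, signature


def sp_receive(sp_private, idp_public, pinned_fingerprint, ciphertext, signature):
    """SP side: refuse an unpinned IdP key, decrypt, then verify the signature."""
    if fingerprint(idp_public) != pinned_fingerprint:
        return None, "untrusted IdP key"
    try:
        assertion = sp_private.decrypt(ciphertext, OAEP)
    except ValueError:
        return None, "decryption failed"
    try:
        idp_public.verify(signature, assertion, PSS, hashes.SHA256())
    except InvalidSignature:
        return None, "bad signature"
    return assertion, "ok"


def demo(tamper_signature=False, wrong_pin=False):
    """Run one exchange; the flags simulate a forged token and an unknown IdP key."""
    idp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pinned = "00" * 32 if wrong_pin else fingerprint(idp_key.public_key())
    assertion = b"loginID=A3478372;name=Bob;employeeType=internal"  # claims from page 13
    ciphertext, signature = idp_send(idp_key, sp_key.public_key(), assertion)
    if tamper_signature:
        signature = bytes([signature[0] ^ 0xFF]) + signature[1:]
    return sp_receive(sp_key, idp_key.public_key(), pinned, ciphertext, signature)
```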

Page 12

SAML TOKEN

A SAML token carries pieces of information (claims) about the user; it can contain more information than a Windows Kerberos token.

(Diagram: a token carrying the claims Name, Age and Location.)

Page 13

FEDERATED SSO FLOW

(Diagram: the client, Application A, the Identity Provider (ADFS) and External Application B; steps 1 and 2 show the token issued by the IdP being carried to the applications. The token shown is the following SAML assertion:)

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="loginID" AttributeNamespace="http://...">
      <saml:AttributeValue>A3478372</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://...">
      <saml:AttributeValue>Bob</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="employeeType" AttributeNamespace="http://...">
      <saml:AttributeValue>internal</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
</saml:Assertion>

Page 14

SSO WITH OPENID PROVIDER AND SOCIAL NETWORK

(Diagram: seven numbered steps between the client, the Service Provider, the IdP and a social identity provider. The HTTP messages shown are:)

GET /app1 (client to Service Provider)

Redirect 302 – GET /saml2/SAMLRequest (Service Provider to IdP)

GET /openid/auth (IdP to social identity provider)

OpenID token (social identity provider back to the IdP)

POST /saml (SAML response to the Service Provider)

GET /default.aspx (client, now authenticated)
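The SP-initiated exchange of pages 13 and 14 simulated end to end, as an added example (not the project’s code): both the Service Provider and the IdP side, with the SP rejecting unsolicited or replayed responses through the InResponseTo check. Host names, the user store and the empty Signature element (a stand-in for a real XML signature) are assumptions; the assertion carries the three claims of the page-13 token in SAML 2.0 syntax.

```python
# Added example: the SP-initiated SSO flow of pages 13 and 14 run in one process.
# SAMLRequest uses the HTTP-Redirect binding encoding (raw DEFLATE, base64, URL
# encoding); SAMLResponse uses the HTTP-POST binding (base64 form field). The empty
# Signature element stands in for a real XML signature, which a production SP
# verifies against the IdP's pinned certificate. Host names are assumptions.
import base64
import secrets
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, quote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


class ServiceProvider:
    def __init__(self, idp_sso_url):
        self.idp_sso_url = idp_sso_url
        self.pending = {}   # outstanding AuthnRequest IDs -> requested path
        self.sessions = {}  # session id -> claims

    def get_app1(self):
        """Steps 1-2: no session, so GET /app1 is answered with a 302 to the IdP."""
        req_id = "_" + secrets.token_hex(16)
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{req_id}" '
               'AssertionConsumerServiceURL="https://sp.example/saml"/>')
        raw = zlib.compress(xml.encode())[2:-4]  # raw DEFLATE: drop zlib header/trailer
        self.pending[req_id] = "/app1"
        query = quote(base64.b64encode(raw).decode())
        return 302, f"{self.idp_sso_url}?SAMLRequest={query}"

    def post_saml(self, form):
        """Steps 6-7: consume the SAMLResponse POSTed to /saml and open a session."""
        root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
        # Only a response to a request we issued and have not consumed is accepted;
        # pop() is what makes a replayed response fail the second time.
        if root.get("InResponseTo") not in self.pending:
            return 403, "unknown or replayed InResponseTo"
        self.pending.pop(root.get("InResponseTo"))
        assertion = root.find(f"{{{SAML}}}Assertion")
        if assertion is None or assertion.find(f"{{{DSIG}}}Signature") is None:
            return 403, "unsigned assertion"  # real SP: verify the XML-DSig here
        claims = {a.get("Name"): a.findtext(f"{{{SAML}}}AttributeValue")
                  for a in assertion.iter(f"{{{SAML}}}Attribute")}
        sid = secrets.token_hex(16)
        self.sessions[sid] = claims
        return 302, f"/default.aspx?session={sid}"


class IdentityProvider:
    # Constructed user store. On page 14 this step goes through a social OpenID
    # provider; here the user is assumed to be already authenticated.
    USERS = {"bob": {"loginID": "A3478372", "name": "Bob", "employeeType": "internal"}}

    def get_sso(self, redirect_url, user):
        """Steps 3-5: decode the AuthnRequest and build the response for the SP."""
        qs = parse_qs(urlparse(redirect_url).query)
        raw = base64.b64decode(qs["SAMLRequest"][0])
        req = ET.fromstring(zlib.decompress(raw, -15))  # -15 = raw DEFLATE
        attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                        '</saml:AttributeValue></saml:Attribute>'
                        for k, v in self.USERS[user].items())
        resp = (f'<samlp:Response xmlns:samlp="{SAMLP}" InResponseTo="{req.get("ID")}">'
                f'<saml:Assertion xmlns:saml="{SAML}"><saml:AttributeStatement>{attrs}'
                f'</saml:AttributeStatement><Signature xmlns="{DSIG}"/></saml:Assertion>'
                '</samlp:Response>')
        return {"SAMLResponse": base64.b64encode(resp.encode()).decode()}


def run_flow():
    """One complete exchange, then the same POST again (a replay)."""
    sp, idp = ServiceProvider("https://idp.example/saml2/sso"), IdentityProvider()
    status, location = sp.get_app1()
    form = idp.get_sso(location, "bob")
    first, replay = sp.post_saml(form), sp.post_saml(form)
    return status, first, replay, list(sp.sessions.values())
```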

Page 15

FEDERATION MODELS – PEER-TO-PEER

(Diagram: the company’s own IdP on the COMPANY LAN and the partner IdPs 1, 2 and 3 each hold a direct trust link with the service providers SP x and SP y.)

Page 16

IDENTITY FEDERATION WITH A "HUB" SAML ARCHITECTURE

(Diagram: a SAML hub in the data center. On one side the service providers SP 1, SP 2 and SP 3 fronting applications A, B, C, X, Y and Z; on the other the identity providers HQ, W, X, Y and Z.)

Other applications:

• SaaS (cloud), • Partners …

Page 17

PARTNER CATEGORIZATION

- Not mandatory; makes business easier; «low» level of trust

- Essential for business; several services used; «medium» level of trust

- Essential for strategy; advanced SLA; sensitive applications; «high» level of trust

Page 18

ACCOUNT AND ACCESS MANAGEMENT

■ Account provisioning

- Transient (no need to map to an existing account)

- Just-in-time (JIT) provisioning (needs a mapping ID)

- Directory synchronization (via CRM or regular export / import)

■ Access management

- Generic partner account

- Establish roles among the partner’s users

- Each partner’s user has its own account

(Diagram: a single generic account partner-gen-user versus individual accounts part-t1-user, part-t2-user, part-t3-user and part-t4-user.)
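An added example (not from the slides) of the three provisioning options and the two access-management options above, applied to the claims an SP extracts from a SAML assertion; the account store contents, the tier claim and the partner name are constructed.

```python
# Added example: account provisioning options (transient, JIT, directory sync)
# and access-management options (generic partner account vs. one account per
# partner user with a role). The store contents are constructed.


class AccountStore:
    """SP-side account database keyed on the mapping ID (the loginID claim)."""

    def __init__(self, synced=None):
        # Accounts pre-created by the CRM / directory export-import job.
        self.accounts = dict(synced or {})

    def transient(self, claims):
        """Transient: no local account is created; the session lives on the claims."""
        return {"session_for": claims["loginID"], "account": None}

    def just_in_time(self, claims):
        """JIT: create the account at first login, refresh its attributes each time."""
        acct = self.accounts.setdefault(claims["loginID"], {"created_by": "jit"})
        acct.update({k: v for k, v in claims.items() if k != "loginID"})
        return {"session_for": claims["loginID"], "account": acct}

    def synchronized(self, claims):
        """Directory sync: the account must already exist; a user unknown to the
        CRM is refused rather than silently created."""
        acct = self.accounts.get(claims["loginID"])
        if acct is None:
            raise PermissionError(f"no synchronized account for {claims['loginID']}")
        return {"session_for": claims["loginID"], "account": acct}


# Role per partner tier, named after the slide's accounts; the tier is a claim
# the partner's IdP asserts (constructed mapping).
TIER_ROLES = {"1": "part-t1-user", "2": "part-t2-user",
              "3": "part-t3-user", "4": "part-t4-user"}


def access_identity(claims, per_user):
    """Generic partner account (shared identity, so the audit trail cannot tell
    the partner's users apart) or a per-user account with a role from the tier."""
    partner = claims["partner"]
    if not per_user:
        return {"account": f"{partner}-gen-user", "role": "partner-gen-user"}
    role = TIER_ROLES.get(claims.get("tier"))
    if role is None:
        raise PermissionError("partner user without a known tier")
    return {"account": f"{partner}-{claims['loginID']}", "role": role}
```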

Page 19

WHY DO WE NEED A UNIQUE ID

■ Ability to uniquely identify a user (or application, machine, service, …) in the IT environment, e.g. for audit purposes

■ No need to manage matching tables per application between ID and physical user

■ It is a mandatory prerequisite for internal SSO and external identity federation

■ The ID needs to be kept and archived even if the employee has left the company. It must never be re-assigned to any other employee, to avoid the risk of someone recovering the former holder’s access rights.

Page 20

FEDERATED IDENTITY CHECKLIST

Partners identified: categorization, reliability, auditability, confidentiality

Federation technology

Unique identifier

User data reliability

Rules and regulations documented

Audit

Service providers (federation token consumer): SLA – availability

Identity providers (federation token issuer): strong authentication

IAM processes

Page 21

LEGAL AND CONTRACTUAL CONSTRAINTS

■ Identity authenticity

- Depends on the partner trust level

- Defines constraints on which service is accessed

■ Confidentiality vs. auditability

- Need: audit – track user activity

- Constraint: confidentiality – hide user identity

Page 22

FEDERATED SSO EXAMPLE

Multi-organization collaboration is common

Accounts are generally maintained by one organization

Grant access to externally authenticated users

(Diagram: Customer and Business Partner bound by a business agreement; the partner authenticates the user, who then accesses the customer’s resources.)

"We don’t need to maintain or create external accounts for those users, as the Customer trusts the partner!"

Page 23

FEDERATED IDENTITY MANAGEMENT: EXAMPLE

(Diagram: users authenticate against the authentication services, obtain SAML tokens and open a session to access the applications (Exchange, HR database, SAP, databases). A central directory is synchronized with the applications; the federated IAM component holds the trust relationship with the federated partners, whose users come from the CRM or contacts.)

Page 24

AGENDA (section divider; same agenda as Page 2)

Page 25

ELCA APPROACH: DEFENSE IN DEPTH

Page 26

(Architecture diagram. A Secure CDN sits in front of the Internet-facing entry points. Data centers DC 1 & 2, DC3 and DC4 each host a B2B app and an IAM & Security block (ADFS, external AD, 2FA) behind an F5 Big-IP, with Test and Prod environments; an internal IAM & Security block (ADFS, internal AD, 2FA) serves the LAN, and a SAML IdP is exposed to partners. Use cases covered:)

Use case 1: employee from LAN

Use case 2: employee from Internet

Use case 3: federated partner from LAN

Use case 4: not-federated partner from Internet

Use case 5: federated partner from Internet

Page 27

DEFENSE IN DEPTH APPROACH

Security mechanisms per layer:

• HTML/HTTP inspection; input validation checks; secured custom code; sanitization

• OS hardening with BPA / security templates; IIS hardening; HIDS

• Strong authentication; RBAC model; security policy; encryption at rest / in transit; audit; access control

• Secured equipment rack; physically controlled access; secure facilities; RFI/EMI shielding; geographical site location

• Network device access control lists; IPSec encryption; NIDS; firewall

Products and controls deployed:

• Secure CDN

• F5-ASM

• 2FA

• Web password

• F5-APM

• SIEM – Splunk

• CheckPoint

• IPS – ISS

• VPN IPSec

• Best Practice Analyzer

• WSUS

• Symantec / McAfee

• DataCenter1 – ISO27002

• DataCenter2 – ISO20000/ITIL

Source: Microsoft defense in depth approach

Page 28

NETWORK DEFENSE: NETWORK SEGMENTATION

(Diagram: three network tiers, Front End, Middle End and Back End; App 1 prod, App 2 prod and App 2 test are separated across them.)

Page 29

TRACK USER ACTIVITY: UNIQUE ID

(Diagram: employees and contacts, held in Active Directory and other sources, are all assigned a unique ID.)

The unique ID will be independent of the first name and last name of the user.

The unique ID will be generated according to a specific algorithm.

Internal and external users will use their email address to log in to the B2B applications, but the logs will track them using their unique ID.
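A unique-ID registry that enforces the rules of pages 19 and 29, as an added example (not the customer’s algorithm): the ID encodes neither name nor e-mail, is archived on departure and is never re-assigned, and the audit line carries the ID while the user logs in with an e-mail address. The generation scheme, the e-mail addresses and the person records are constructed.

```python
# Added example: a unique-ID registry following the rules of pages 19 and 29.
# The generation algorithm (sequence number plus check characters) is constructed
# for the example; what matters is that the ID encodes neither name nor e-mail,
# survives the person's departure and is never re-assigned.
import hashlib
import itertools


class UniqueIdRegistry:
    def __init__(self):
        self._seq = itertools.count(1)
        self.active = {}    # unique ID -> person record
        self.archived = {}  # IDs of people who left: kept for audit, never reissued
        self.by_login = {}  # e-mail used at login -> unique ID

    def _generate(self):
        n = next(self._seq)
        check = hashlib.sha256(str(n).encode()).hexdigest()[:2]  # typo detection only
        uid = f"U{n:07d}{check.upper()}"
        assert uid not in self.active and uid not in self.archived
        return uid

    def enroll(self, email, first, last, population):
        """Issue an ID for an employee or external contact; the e-mail is only a login name."""
        if email in self.by_login:
            raise ValueError(f"{email} is already the login of an active identity")
        uid = self._generate()
        self.active[uid] = {"first": first, "last": last, "population": population}
        self.by_login[email] = uid
        return uid

    def offboard(self, uid):
        """Archive the identity: the login is freed, the ID stays reserved forever."""
        self.archived[uid] = self.active.pop(uid)
        self.by_login = {e: u for e, u in self.by_login.items() if u != uid}

    def audit_event(self, email, action, resource):
        """What the B2B application logs: the unique ID, never the login name."""
        uid = self.by_login.get(email)
        if uid is None:
            return f"DENY unknown-login action={action} resource={resource}"
        return f"uid={uid} action={action} resource={resource}"


def demo():
    """Two different people called Bob Martin share an e-mail over time but never an ID."""
    reg = UniqueIdRegistry()
    first_bob = reg.enroll("bob.martin@partner.example", "Bob", "Martin", "contact")
    line_before = reg.audit_event("bob.martin@partner.example", "read", "Site:A/doc1")
    reg.offboard(first_bob)
    second_bob = reg.enroll("bob.martin@partner.example", "Bob", "Martin", "contact")
    line_after = reg.audit_event("bob.martin@partner.example", "read", "Site:A/doc1")
    return first_bob, second_bob, line_before, line_after, reg
```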

Page 30

SIMPLIFY ACCESS RIGHT MANAGEMENT: ATTRIBUTE BASED ACCESS CONTROL

(Diagram: three partner users reach the B2B application over the Internet; their attributes decide what they may do on each site.)

Site A: Read, Write, Download, Create users

Site B: Read, Write, Approve, Create users

Site C: Read, Update, Delete

Name: Mary C – Org: X – Fct: Audit – Loc: CH

Name: Paul B – Org: Y – Fct: Marketing – Loc: BR

Name: Marc A – Org: Z – Fct: Accommodation – Loc: UK
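The ABAC decision for the three sites and three users above, as an added example (not from the slides). The rule conditions are constructed for the example (the slide gives the permissions, not the conditions), and the authentication-strength attribute yields a step-up verdict for sensitive actions, the step-up authentication that page 36 mentions.

```python
# Added example: attribute-based access control for the three sites and three
# partner users of page 30. The rule conditions are constructed for the example;
# "step-up" means the action is allowed once the user re-authenticates with 2FA.

RULES = [
    # (site, permission, attribute values that must all match)
    ("Site:A", "Read",         {}),
    ("Site:A", "Write",        {"org": {"X", "Y"}}),
    ("Site:A", "Download",     {"org": {"X", "Y"}, "loc": {"CH", "BR"}}),
    ("Site:A", "Create users", {"fct": {"Audit"}, "authn": {"2fa"}}),
    ("Site:B", "Read",         {"org": {"X", "Z"}}),
    ("Site:B", "Write",        {"org": {"Z"}}),
    ("Site:B", "Approve",      {"fct": {"Audit"}}),
    ("Site:B", "Create users", {"fct": {"Audit"}, "authn": {"2fa"}}),
    ("Site:C", "Read",         {"fct": {"Marketing", "Accommodation"}}),
    ("Site:C", "Update",       {"fct": {"Marketing"}}),
    ("Site:C", "Delete",       {"fct": {"Marketing"}, "authn": {"2fa"}}),
]

# The attributes as they arrive in the SAML claims; authn is the method the IdP
# used (password or 2fa), which lets the SP decide on step-up.
USERS = {
    "Mary C": {"org": "X", "fct": "Audit", "loc": "CH", "authn": "password"},
    "Paul B": {"org": "Y", "fct": "Marketing", "loc": "BR", "authn": "2fa"},
    "Marc A": {"org": "Z", "fct": "Accommodation", "loc": "UK", "authn": "password"},
}


def decide(attrs, site, permission):
    """'permit', 'deny' or 'step-up'; default deny when no rule matches."""
    for rule_site, rule_perm, conditions in RULES:
        if (rule_site, rule_perm) != (site, permission):
            continue
        unmet = {k for k, allowed in conditions.items() if attrs.get(k) not in allowed}
        if not unmet:
            return "permit"
        if unmet == {"authn"}:  # only the authentication strength is missing
            return "step-up"
    return "deny"


def entitlements(attrs):
    """Everything a user may do, derived from attributes alone: no per-user
    entitlement table has to be maintained on the B2B application."""
    result = {}
    for site, permission, _ in RULES:
        verdict = decide(attrs, site, permission)
        if verdict != "deny":
            result[f"{site}:{permission}"] = verdict
    return result
```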

Page 31

AGENDA (section divider; same agenda as Page 2)

Page 32

OUR IAM METHODOLOGY

Page 33

ORGANISATION CHART

Steering committee: Sponsor, Head of Technology, Security Officer

Responsibilities: decide on major options; ensure alignment with corporate and business strategies; communicate

Project team (N. Aouini): ELCA consultants and technical experts, ELCA project manager, E-Xpert Solutions F5 experts, other providers

Responsibilities: gather and analyse information; propose solutions, evaluate options; produce deliverables; manage the mission

Project sponsor board: B2B project representatives, IT representatives, security representatives

Responsibilities: provide information; challenge deliverables and proposed solutions; validate deliverables and proposed solutions

Page 34

PROJECT PLAN

(Gantt chart over months M1 to M12. Phase 0: Analyze; Phase 1: Implement; Phase 2: Deploy & Run; Phase 3: Roll-out. Legend: kick-off meeting, steering committee (S1–S4), workshops, weekly status. Workshops: WS#1 Identity Federation, WS#2 Strong authentication, WS#3 IAM Processes, WS#4 AuthZ Models. Milestones: Security Architecture Concept; F5-APM setup finished.)

Page 35

AGENDA (section divider; same agenda as Page 2)

Page 36

BENEFITS OF FEDERATED SSO

Access to the platform available worldwide with the best technology, providing high performance, strong security and a high-quality user experience.

Support for standard authentication methods (SAML2) and simplification of the on-boarding process for trusted partners.

Reduced overall management cost of registration and troubleshooting of user access, since it is a completely automated process (based on CRM synchronization).

Ability to control access to sensitive assets using 2FA coupled with SAML2 SSO (step-up authentication possible).

Track and audit user activity using a secure unique identifier linked to a single person, while respecting privacy.

Page 37

RECOMMENDATIONS #1

■ Document the identity and access management (IAM) plan. Understand what the business wants in terms of requirements, how it will be operated (insourced or outsourced?), who is responsible for which pieces and how they function.

■ Produce fast results – achieve some quick, low-cost results.

■ Address high-risk areas early – security issues are often the primary business concern (start with SSO and strong authentication); this allows easier security auditing.

■ Increase integration between directory, security and application services with a SAML Identity Provider.

■ Improve capabilities that promote the ease and efficiency of finding organisational data.

■ Precise management of identity entitlements and modification or termination of system access rights through provisioning and de-provisioning mechanisms.

Page 38

RECOMMENDATIONS #2

■ Assess existing systems for accreditation and adherence to industry standards to smooth the SAML migration.

■ Use a standard set of security protocols (SAML, OAuth).

■ Rationalise, synchronise and, where appropriate, reduce the number of directory services and identity information repositories.

■ Reduce identity duplication and combine capabilities: simplify the overall infrastructure, choose a unique identifier for internal and external users, reduce management/administration efforts, enable a greater degree of single sign-on capability across the business systems, and allow easier security auditing.

■ Manage identity entitlements of system access rights through provisioning and de-provisioning mechanisms.

Page 39

WHY CHOOSE OUR SOLUTION

ELCA has proven expertise to be your IAM partner

■ Proven IAM expertise

■ Ability to deliver on time

■ Quality of deliverables

■ Business focus first

■ Knowledge of customer needs

■ Team working with customer representatives

■ Innovation and cutting-edge solutions

■ Security focus in mind

■ Efficiency

■ Neutral integrator

■ Customization

■ Your local IAM partner

Page 40

ELCA ARCHITECTURE

(Diagram. Authoritative sources (HR, external) feed a metadirectory that synchronizes to AD + Exchange, the enterprise platform and other apps through IAM connectors; access management, self-service, dashboards/reports and log collection for access intelligence sit on top; employees, contractors and stakeholders are the user populations, with approver, user, ID admin and auditor roles; partners are federated with SAML claims.)

Page 41

ELCA IAM SUCCESS STORY

For a large humanitarian worldwide organization (9’000 users, 20’000 partners)

Page 43

ELCA IAM SUCCESS STORY

For an insurance company (2’000 users, 20’000 brokers)

Page 44

ELCA IAM SUCCESS STORY

For an international sports organization (500 users, 100’000 partners worldwide)

Page 45

Lausanne I Zürich I Bern I Genf I London I Paris I Ho Chi Minh City

Thank you for your attention

For further information please contact:

Nagib Aouini, Head of division Identity & [email protected]