Federated Identity in Practice. Mike Beach, The Boeing Company.


Michael Beach, The Boeing Company

Federated Identity

Federated Identity allows customers, partners and end-users to use Web services without repeatedly authenticating or identifying themselves to each service within their federation. This applies both within the corporation and across the Internet.

The Boeing Environment

- Three user communities
  - 150,000 employees and contractors
  - 80,000 partners, suppliers and customers
  - 1,000,000+ ex-employees and beneficiaries
- Three enterprise directories
  - Comprehensive Sun ONE directory (all people of interest)
  - Microsoft Active Directory (most employees)
  - RACF (most employees, but not the same set of employees as Active Directory)
- Many Boeing web servers
  - Apache, iPlanet, IIS, ColdFusion, Shadow, Oracle
  - Over 350 web server platform/version variations
- Multiple versions of both Netscape and IE browsers

WSSO Objectives

- Simple, consistent user experience
- Improved security through centralized access management
- Reduction in user accounts and passwords, and thus in account administration costs
- Applications isolated from authentication mechanisms and from the insertion of new authentication technology
- Applications agnostic to the origin of the user's access (internal or external)
- Single sign-on across the Boeing business domain, including partners, suppliers and customers

WSSO Key Solution Differentiators

- Web Single Sign-On (WSSO) across Boeing and external web sites
- Common infrastructure supporting internal and external access, for internal and external users
- No control over desktop configuration and no ability to deploy components to the desktop
- Leverage existing Boeing infrastructure

The Deployment

- Oblix NetPoint infrastructure with 12 Access Servers deployed across 3 geographic regions (plus sandbox, development, test and integration environments; about 50 machines total)
- Primarily authentication today, limited authorization
- No identity management or delegated administration
- Custom integration with 5 authentication mechanisms
  - MS Active Directory
  - RACF
  - X.509 personal certificates
  - Proximity badge
  - Customer/supplier reverse web proxy user ID and password

Slides 7 to 12 are one WSSO architecture diagram, reused with a different part highlighted on each slide. Components shown on the diagram:

- Identity and policy stores: Corporate Sun ONE Directory (All People, Groups, Oblix Policy), AD, RACF, X.509
- Access Server and Customer Authenticator Service
- Login Hub, with logon methods W2K, RACF, Certificate and PIN (slides 11 and 12 label the second option MyInfo)
- WebGate agents in front of Boeing web server content and 3rd-party web server content
- Boeing Plugin
- DMZ: Boeing Reverse Proxy, WSSO Proxy Services, SAML Services, Remote Access Service, PIN Authentication
- Web browsers for customers and suppliers outside the perimeter and for internal users

Slide 7: Major WSSO Components (the full diagram above).

Slide 8: WSSO Authentication Sources. Highlighted: W2K, RACF, X.509 personal certificates, external PIN, and the customer/supplier path.

Slide 9: WSSO Authorization Sources. Highlighted: LDAP group authorization, the LDAP people branch, and customer/supplier authorization.

Slide 10: WSSO Perimeter Access Components, with the user populations each serves: typical customers and suppliers (Boeing Reverse Proxy), employees via VPN or dial-in (Remote Access Service), federated customers and suppliers (SAML Services), external employees and retirees (WSSO Proxy Services with PIN authentication).

Slide 11: WSSO-protected Components. Highlighted: internal Boeing web server content and external third-party supplier web server content, each behind a WebGate.

Slide 12: WSSO Users. Highlighted: internal employees, and external employees, retirees, customers and suppliers entering through the DMZ.

Milestones

- Started RFP: 3/2001
- Vendor selection: 8/2001
- Production: 12/2001
- 100,000 logins per day: 2/2003
- 100+ applications in production: 4/2003
- 3rd party web site integration: 5/2003
- External user integration: 5/2003
- SAML production: 6/2003
- Role-based access control: Q3/2003
- Complete deployment (1000+ applications): End

The slide marks "We Are Here" on this timeline.

SAML Participants

The Boeing Company: a leading manufacturer of commercial airplanes, space technology, defense aircraft and systems, and communication systems.

Southwest Airlines: a major domestic airline that provides primarily short-haul, high-frequency, point-to-point, low-fare service. Southwest operates over 350 Boeing 737 aircraft in 58 cities.

Oblix Inc.: a leading developer of identity-based security solutions for e-Business networks. The company's flagship product, Oblix NetPoint, is an enterprise identity management and Web access solution that provides an identity infrastructure for dynamic e-Business environments.

SAML Deployment Objectives

- Significantly increase the user base of MyBoeingFleet, the secure web portal that gives Boeing customers access to all of the information required to operate and maintain their fleets
- Embed MyBoeingFleet more deeply in the airline's business process; facilitate delivery of MyBoeingFleet content directly to the customer's maintenance hangar
- The user authenticates to their local intranet, clicks a link to MyBoeingFleet, and seamlessly accesses the data and services without a secondary Boeing authentication request
- Role-based access control targeted for next year

The SAML Flow (diagram)

Domain A is swacorp.com: the SWA user authenticates to the SWA Portal, whose SAML Server issues the assertion. Domain B is Boeing.com: the user is sent through the Boeing Reverse Proxy in the DMZ to the internal SAML Services, which, with the Access Server, authenticate the user and admit them to the target resource, MyBoeingFleet.com. The diagram numbers the steps 1, 2.0 and 2.1.

Web Access Management: General Challenges

- Managing
  - Executive expectations
  - User experience
  - Hundreds of applications with even more policies
- Complexity and reliability
  - Browsers, web servers, networks, directories, libraries, versions, custom code
- Session management
  - Existing applications typically have embedded session management
  - Anomalies arise from inconsistent session state
  - Global "logout" is problematic (hurray for SAML 2.0!)
- Security
  - Vulnerability assessment, and risk mitigation where possible, is appropriate

SAML Deployment Considerations

- Assertions may need to be constrained to a domain
  - Boeing defined the authentication mechanism to include both the user identity and the SAML issuer ID
- Support for direct bookmarks
  - Within a web session, before a SAML transfer has happened, bookmarks and URL references may not work
  - The Oblix-provided solution creates a persistent "SAML Provider" cookie and redirects unauthenticated users through the SAML services
  - Not a part of the SAML standard
- SAML only provides the "introduction"
  - Boeing content resides inside the Boeing security perimeter
  - ObssoCookie intelligence had to be integrated into the perimeter before users could actually get to content
  - The security considerations of interactions across the Internet AFTER the SAML exchange were significant
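The issuer constraint on this slide, as an added example that is not code from the presentation, from Boeing or from Oblix. It models the relying-party side of the SAML flow on slide 13: a trusted-issuer registry pins each issuer to the identity domain it may assert, the local identity is the (issuer, subject) pair rather than the subject alone, and the audience restriction and validity window are enforced with a small clock-skew allowance. The entity IDs, the identity domain, the timestamps and the sample assertion are all constructed for the example; XML-DSig signature verification is assumed to have been done by the SAML toolkit beforehand and is not implemented here.

```python
"""Issuer-scoped acceptance policy for an inbound SAML assertion.

Added example, not Boeing's or Oblix's code. The relying party treats
(issuer, subject) as the identity, lets an issuer speak only for its own
identity domain, and enforces audience and validity-window conditions.
Entity IDs, domain and sample assertion are constructed. Signature
verification (XML-DSig) is assumed done by the SAML toolkit before this runs.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Relying-party registry: issuer entity ID -> (short tag, identity domain it
# may assert). Hypothetical values.
TRUSTED_ISSUERS = {
    "https://idp.swacorp.example/saml": ("swa", "@swacorp.example"),
}
# This relying party's own entity ID (hypothetical).
OUR_AUDIENCE = "https://myboeingfleet.example/sp"


class AssertionRejected(Exception):
    """Assertion failed relying-party policy; the message is the reason."""


@dataclass(frozen=True)
class Principal:
    issuer_tag: str
    name_id: str

    @property
    def local_id(self) -> str:
        # Qualify the subject with the issuer: "jdoe" asserted by two partners
        # must never collapse into one local account.
        return f"{self.issuer_tag}:{self.name_id}"


def _ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def accept_assertion(xml_text: str, now: datetime,
                     skew: timedelta = timedelta(seconds=60)) -> Principal:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a SAML 2.0 Assertion element")

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    tag, domain = TRUSTED_ISSUERS[issuer]

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise AssertionRejected("missing Conditions")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not not_on_or_after or now - skew >= _ts(not_on_or_after):
        raise AssertionRejected("assertion expired or has no expiry")

    # AudienceRestriction stops an assertion minted for another relying party
    # from being replayed here.
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if OUR_AUDIENCE not in audiences:
        raise AssertionRejected("assertion not addressed to this relying party")

    # Domain constraint: a partner IdP may only assert identities it owns.
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id.lower().endswith(domain):
        raise AssertionRejected(f"issuer {tag} may not assert {name_id!r}")
    return Principal(tag, name_id)


# Constructed sample assertion (unsigned; see module docstring).
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="{ns}" ID="_a1" Version="2.0"
    IssueInstant="2003-06-01T12:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2003-06-01T12:00:00Z" NotOnOrAfter="2003-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def sample_assertion(issuer="https://idp.swacorp.example/saml",
                     name_id="jdoe@swacorp.example", audience=OUR_AUDIENCE) -> str:
    return ASSERTION_TEMPLATE.format(ns=SAML_NS, issuer=issuer,
                                     name_id=name_id, audience=audience)


def evaluate(xml_text: str, now_iso: str) -> str:
    """Return 'ok:<local id>' or 'rejected:<reason>' for a given clock reading."""
    try:
        return "ok:" + accept_assertion(xml_text, _ts(now_iso)).local_id
    except AssertionRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(evaluate(sample_assertion(), "2003-06-01T12:02:00Z"))
    print(evaluate(sample_assertion(name_id="admin@boeing.example"), "2003-06-01T12:02:00Z"))
    print(evaluate(sample_assertion(), "2003-06-01T12:30:00Z"))
```

The domain constraint is the check that matters most for the point on the slide: a partner IdP whose signature verifies can still only log in users it is entitled to assert, so a compromised or misconfigured partner cannot mint an assertion for an internal account. Issuer-qualified local IDs give the same protection against two partners that happen to use the same subject names.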

Recommendations

- Focus on communication and marketing
  - Manage expectations
  - Educate users
  - Thoroughly understand and plan the user experience (within product capabilities)
- Consider limiting scope
  - Integration of legacy technologies can be costly
  - Each component integrated adds complexity and impacts overall reliability
- Consider adjusting the infrastructure to support IAM
  - Integration with the existing infrastructure required significant custom code
  - A virtual directory could simplify deployment, but probably at a cost in performance

Standards Wish List

- Support for direct bookmarks
  - Bookmarks and URL references ("deep links") should work, even before the initial SAML transfer
- Global logout
  - Provide the user with an intuitive logout facility that ensures complete termination of all application sessions and authentication credentials
- Domains of federated security
  - Users need multiple, disconnected federated security domains, for example separation of business and personal (selective logout?)
- Security strength of public Internet technologies
  - Industry needs to deliver technology that prevents cookie vulnerabilities (hijack and replay)
- Support for individual application session timeout settings
  - Several of our application environments consider a session (idle time) timeout setting mandatory
- Authentication state visibility
  - It is important for the user always to be aware of their authentication state: are they authenticated, and to what?
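The session-cookie controls asked for on this slide (hijack and replay resistance, per-application idle timeouts, global logout), together with the concern on the deployment-considerations slide about the SSO cookie crossing the Internet after the SAML exchange, as an added example that is not Boeing's or Oblix's ObssoCookie implementation: an HMAC-signed cookie carrying a random session ID, an absolute lifetime, a last-activity stamp checked against a per-application idle timeout, a hash of a client binding value so a copied cookie fails when presented from elsewhere, and a server-side revocation set that gives one logout effect across every application. The key, the application names, the timeouts and the binding value are hypothetical.

```python
"""Signed SSO session cookie with idle timeout, replay limits and global logout.

Added example, not Boeing's or Oblix's ObssoCookie. Key, application names,
timeouts and the client binding value are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical: in production a managed, rotated key shared by the SSO tier.
SECRET_KEY = secrets.token_bytes(32)
# Server-side record of session IDs ended by logout (shared across the SSO tier).
REVOKED_SESSIONS = set()
# Per-application idle timeouts in seconds (hypothetical values).
IDLE_TIMEOUT = {"myboeingfleet": 15 * 60, "hr-portal": 5 * 60}
DEFAULT_IDLE_TIMEOUT = 30 * 60
ABSOLUTE_LIFETIME = 8 * 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def _binding_hash(client_binding: str) -> str:
    # e.g. a client-certificate fingerprint; hashed so the cookie does not carry it.
    return hashlib.sha256(client_binding.encode()).hexdigest()[:16]


def _encode(body: dict) -> str:
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _sign(payload)


def _verify(value: str):
    """Return the decoded body if the signature checks out, else None."""
    try:
        encoded, sig = value.split(".", 1)
        payload = _unb64(encoded)
        if not hmac.compare_digest(_sign(payload), sig):
            return None
    except (ValueError, TypeError):
        return None
    return json.loads(payload)


def mint_cookie(principal: str, now: int, client_binding: str = "") -> str:
    """Create a fresh session cookie value for an authenticated principal."""
    body = {
        "sid": secrets.token_hex(16),     # random, unguessable session ID
        "sub": principal,
        "iat": now,
        "exp": now + ABSOLUTE_LIFETIME,   # hard stop regardless of activity
        "act": now,                       # last-activity stamp for idle timeout
        "bind": _binding_hash(client_binding),
    }
    return _encode(body)


def set_cookie_header(value: str) -> str:
    # Secure + HttpOnly keep the cookie off plaintext links and away from script.
    return f"Set-Cookie: SSOSESSION={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def validate_cookie(value: str, app: str, now: int, client_binding: str = ""):
    """Check a presented cookie for one application.

    Returns (status, refreshed_cookie); status is "ok" or one of
    "tampered", "revoked", "expired", "idle", "binding".
    """
    body = _verify(value)
    if body is None:
        return ("tampered", None)
    if body["sid"] in REVOKED_SESSIONS:
        return ("revoked", None)
    if now >= body["exp"]:
        return ("expired", None)
    if now - body["act"] > IDLE_TIMEOUT.get(app, DEFAULT_IDLE_TIMEOUT):
        return ("idle", None)
    if not hmac.compare_digest(body["bind"], _binding_hash(client_binding)):
        return ("binding", None)
    body["act"] = now                     # slide the idle window on success
    return ("ok", _encode(body))


def logout(value: str) -> bool:
    """Global logout: revoke the session ID so every application rejects it."""
    body = _verify(value)
    if body is None:
        return False
    REVOKED_SESSIONS.add(body["sid"])
    return True


if __name__ == "__main__":
    cookie = mint_cookie("swa:jdoe@swacorp.example", 1000, "cert:ab12")
    print(set_cookie_header(cookie)[:60] + "...")
    print(validate_cookie(cookie, "myboeingfleet", 1500, "cert:ab12")[0])
    print(validate_cookie(cookie, "hr-portal", 1500, "cert:ab12")[0])
    print(validate_cookie(cookie, "myboeingfleet", 1500, "cert:zz99")[0])
    logout(cookie)
    print(validate_cookie(cookie, "myboeingfleet", 1500, "cert:ab12")[0])
```

Two caveats a practitioner would apply: the sliding activity stamp only works if every application (or the central access tier in front of them) re-issues the refreshed cookie, and the binding value has to be something the attacker cannot copy along with the cookie, which is why a client-certificate fingerprint is the example rather than a source IP. The revocation set is the part that makes global logout real; without a shared server-side record, each application's own session outlives the user's intent, which is the anomaly the challenges slide describes.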