Federated Identity in Practice Mike Beach The Boeing Company.


1 Federated Identity in Practice
Mike Beach, The Boeing Company

2 Federated Identity
Michael Beach, The Boeing Company
Federated Identity allows customers, partners and end-users to use Web services without having to constantly authenticate or identify themselves to the services within their federation. This applies both within the corporation and across the Internet.

3 The Boeing Environment
- Three user communities
  - 150,000 employees, contractors
  - 80,000 partners, suppliers, customers
  - 1,000,000+ ex-employees, beneficiaries
- Three enterprise directories
  - Comprehensive Sun ONE directory (all people of interest)
  - Microsoft Active Directory (most employees)
  - RACF (most employees, but not the same set of employees as MS AD)
- Many Boeing web servers
  - Apache, iPlanet, IIS, ColdFusion, Shadow, Oracle
  - Over 350 web server platform/version variations
- Multiple versions of both Netscape and IE browsers

4 WSSO Objectives
- Simple, consistent user experience
- Improved security through centralized access management
- Reduction in user accounts and passwords, and thus in account administration costs
- Applications isolated from authentication mechanisms and from the insertion of new authentication technology
- Applications agnostic to the origin of the user's access (internal or external)
- Single sign-on across the Boeing business domain, including partners, suppliers, customers...

5 WSSO Key Solution Differentiators
- Web Single Sign-on (WSSO) across Boeing and external web sites
- Common infrastructure supporting internal and external access, for internal and external users
- No control over desktop configuration and no ability to deploy components to the desktop
- Leverage existing Boeing infrastructure

6 The Deployment
- Oblix NetPoint infrastructure with 12 Access Servers deployed across 3 geographic regions (plus sandbox, development, test, and integration environments; about 50 machines total)
- Primarily authentication today, limited authorization
- No Identity Management or delegated administration
- Custom integration with 5 authentication mechanisms
  - MS Active Directory
  - RACF
  - X.509 personal certificates
  - Proximity badge
  - Customer/supplier reverse web proxy user ID and password

7 Major WSSO Components
[Component diagram; only its labels survive extraction: Identity And Policy Stores (Corporate Sun ONE Directory with All People, Groups and Oblix Policy; AD; RACF; X.509), Access Server, Customer Authenticator Service, PIN Authentication, Login Hub (Logon: W2K, RACF, Certificate, PIN), Boeing Plugin, Web Browser, DMZ components (Boeing Reverse Proxy, SAML Services, WSSO Proxy Services, Remote Access Service), Web Server Content and 3rd Party Web Server Content each fronted by a WebGate, and external Customers, Suppliers.]

8 WSSO Authentication Sources
[Same component diagram, highlighting the authentication sources: W2K, RACF, X.509 Personal Certificates, External PIN, and Customers/Suppliers via the Customer Authenticator Service.]

9 WSSO Authorization Sources
[Same component diagram, highlighting the authorization sources: LDAP Group Authorization, LDAP People Branch, and Customer/Supplier Authorization.]

10 WSSO Perimeter Access Components
[Same component diagram, highlighting the DMZ perimeter components: Boeing Reverse Proxy, WSSO Proxy Services, SAML Services and Remote Access Service. User populations labelled on the slide: typical customers and suppliers; employees (VPN, dial); federated customers and suppliers; external employees and retirees.]

11 WSSO-protected Components
[Same component diagram, highlighting the protected web server content fronted by WebGates, both internal Boeing and external third-party suppliers.]

12 WSSO Users
[Same component diagram, highlighting the user populations: internal employees; external employees, retirees, customers and suppliers.]

13 Milestones
  Started RFP                                 3/2001
  Vendor selection                            8/2001
  Production                                 12/2001
  100,000 logins per day                      2/2003
  100+ applications in production             4/2003
  3rd party web site integration              5/2003
  External user integration                   5/2003
  SAML production                             6/2003
  Role-based access control                  Q3/2003
  Complete deployment (1000+ applications)    End 2004-2005
(The slide marks the current position on this timeline with "We Are Here".)

14 SAML Participants
The Boeing Company: a leading manufacturer of commercial airplanes, space technology, defense aircraft and systems, and communication systems.
Southwest Airlines: a major domestic airline that provides primarily short-haul, high-frequency, point-to-point, low-fare service. Southwest operates over 350 Boeing 737 aircraft in 58 cities.
Oblix Inc.: a leading developer of identity-based security solutions for e-Business networks. The company's flagship product, Oblix NetPoint, is an enterprise identity management and Web access solution that provides an identity infrastructure for dynamic e-Business environments.

15 SAML Deployment Objectives
- Significantly increase the user base of MyBoeingFleet, the secure web portal that gives Boeing customers access to all of the information required to operate and maintain their fleets
- Embed MyBoeingFleet more deeply in the airline's business process; facilitate the deployment of MyBoeingFleet content directly to the customer maintenance hangar
- Users authenticate to their local intranet, click on a link to MyBoeingFleet, and seamlessly access the data and services without a secondary Boeing authentication request
- Role-based access control targeted for next year

16 The SAML Flow
[Flow diagram; only its labels survive extraction. DOMAIN A: swacorp.com (SWA User, SWA Portal, SAML Server). DOMAIN B: Boeing.com, with SAML Services and a Reverse Proxy in the DMZ, and the Access Server and Target Resource (MyBoeingFleet.com) internal. The arrows are numbered 1, 2.0 through 2.5, 3 and 4, but the step descriptions are not recoverable from the transcript.]

17 Web Access Management General Challenges
- Managing
  - Executive expectation
  - User experience
  - Hundreds of applications with even more policies
- Complexity and reliability
  - Browsers, web servers, networks, directories, libraries, versions, custom code
- Session management
  - Existing applications typically have embedded session management
  - Anomalies arise from inconsistent session state
  - Global "logout" is problematic (hurray for SAML 2.0!)
- Security
  - Vulnerability assessment and risk mitigation where possible is appropriate

18 SAML Deployment Considerations
- Assertions may need to be constrained to a domain
  - Boeing defined the authentication mechanism to include both the user identity and the SAML issuer ID
- Support for direct bookmarks
  - Within a web session, before a SAML transfer has taken place, bookmarks and URL references may not work
  - The Oblix-provided solution creates a persistent "SAML Provider" cookie and redirects unauthenticated users through the SAML services; this is not part of the SAML standard
- SAML only provides the "introduction"
  - Boeing content resides inside the Boeing security perimeter; ObssoCookie handling had to be integrated into the perimeter before users could actually reach content
  - The security considerations of interactions across the Internet AFTER the SAML exchange were significant
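The first consideration above, keying identity on both the user and the SAML issuer, is easy to get wrong at the relying party if the subject NameID alone is used to look up a local account. The following is an added example, not Boeing's or Oblix's code: a relying-party acceptance routine over an already-parsed assertion that checks trusted issuer, audience restriction, validity window and one-time assertion ID, and derives the local identity from the (issuer, subject) pair. XML parsing and signature verification are assumed to have been done upstream, and the hostnames, names and the sample assertions are constructed placeholders.

```python
"""Relying-party acceptance checks for an inbound SAML assertion.

Added example, not Boeing's or Oblix's code. The assertion is modelled as a
dict of already-parsed fields; XML parsing and signature verification are
assumed to have been done upstream (assumption). The local identity is keyed
on (issuer, subject), as slide 18 describes, so the same NameID arriving from
a different issuer can never map onto the same local account.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple


@dataclass
class RelyingPartyPolicy:
    entity_id: str                     # our own audience value (constructed)
    trusted_issuers: Set[str]          # issuers we hold metadata/keys for
    clock_skew: timedelta = timedelta(minutes=2)
    # Replay cache of assertion IDs; in-memory here, shared storage in practice.
    seen_assertion_ids: Set[str] = field(default_factory=set)


def local_identity(issuer: str, subject: str) -> str:
    """Federated identity is the pair (issuer, subject), never subject alone."""
    return f"{issuer}|{subject}"


def evaluate_assertion(assertion: Dict, policy: RelyingPartyPolicy,
                       now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (True, local identity) on acceptance or (False, reason) on rejection."""
    now = now or datetime.now(timezone.utc)
    issuer = assertion.get("issuer")
    if issuer not in policy.trusted_issuers:
        return False, "untrusted issuer"
    # AudienceRestriction: an assertion minted for another SP is not for us.
    if policy.entity_id not in assertion.get("audiences", ()):
        return False, "audience mismatch"
    not_before = assertion.get("not_before")
    not_on_or_after = assertion.get("not_on_or_after")
    if not_before is None or not_on_or_after is None:
        return False, "missing validity window"
    if now < not_before - policy.clock_skew:
        return False, "assertion not yet valid"
    if now >= not_on_or_after + policy.clock_skew:
        return False, "assertion expired"
    assertion_id = assertion.get("id")
    if not assertion_id:
        return False, "missing assertion id"
    if assertion_id in policy.seen_assertion_ids:
        return False, "replayed assertion"
    subject = assertion.get("subject")
    if not subject:
        return False, "missing subject"
    policy.seen_assertion_ids.add(assertion_id)   # remember only on success
    return True, local_identity(issuer, subject)


# Constructed sample data; the hostnames are placeholders, not real endpoints.
SP = "https://portal.sp.example"
IDP_A = "https://idp.partner-a.example"
IDP_B = "https://idp.partner-b.example"
NOW = datetime(2003, 6, 1, 12, 0, tzinfo=timezone.utc)


def make_assertion(aid: str, issuer: str, subject: str, audiences,
                   lifetime: timedelta = timedelta(minutes=5)) -> Dict:
    """Build a constructed, already-parsed assertion valid from NOW-1min for `lifetime`."""
    return {"id": aid, "issuer": issuer, "subject": subject, "audiences": list(audiences),
            "not_before": NOW - timedelta(minutes=1), "not_on_or_after": NOW + lifetime}


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Evaluate a set of constructed assertions against one relying-party policy."""
    policy = RelyingPartyPolicy(entity_id=SP, trusted_issuers={IDP_A, IDP_B})
    good = make_assertion("_a1", IDP_A, "jdoe", [SP])
    return {
        "good": evaluate_assertion(good, policy, NOW),
        "replay": evaluate_assertion(good, policy, NOW),          # same ID presented twice
        "wrong_issuer": evaluate_assertion(
            make_assertion("_a2", "https://idp.unknown.example", "jdoe", [SP]), policy, NOW),
        "wrong_audience": evaluate_assertion(
            make_assertion("_a3", IDP_A, "jdoe", ["https://other-sp.example"]), policy, NOW),
        "expired": evaluate_assertion(
            make_assertion("_a4", IDP_A, "jdoe", [SP], lifetime=timedelta(minutes=-10)), policy, NOW),
        # Same NameID from a different trusted issuer: accepted, but as a distinct identity.
        "other_issuer_same_subject": evaluate_assertion(
            make_assertion("_a5", IDP_B, "jdoe", [SP]), policy, NOW),
    }


if __name__ == "__main__":
    for name, (accepted, detail) in run_demo().items():
        print(f"{name:28s} {'ACCEPT' if accepted else 'REJECT':6s} {detail}")
```

The last case is the one the slide is about: "jdoe" from partner B is accepted, but as `https://idp.partner-b.example|jdoe`, a different local identity from partner A's "jdoe". Recording the assertion ID only after every other check passes keeps a rejected assertion from poisoning the replay cache.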

19 Recommendations
- Focus on communication and marketing
  - Manage expectations
  - Educate users
  - Thoroughly understand and plan the user experience (within product capabilities)
- Consider limiting scope
  - Integration of legacy technologies can be costly
  - Each component integrated adds complexity and impacts overall reliability
- Consider adjusting infrastructure to support IAM
  - Integration with existing infrastructure required significant custom code
  - A virtual directory could simplify deployment, but probably with an impact on performance

20 Standards Wish List
- Support for direct bookmarks: bookmarks and URL references ("deep links") should work, even prior to the initial SAML transfer.
- Global logout: provide the user with an intuitive logout facility that ensures complete termination of all application sessions and authentication credentials.
- Domains of federated security: users need multiple, disconnected federated security domains, for example to separate business and personal. (Selective logout?)
- Security strength of public Internet technologies: industry needs to deliver technology that prevents cookie vulnerabilities (hijack and replay).
- Support for individual application session timeout settings: several of our application environments consider a session timeout setting (idle time) mandatory.
- Authentication state visibility: it is important for the user to always be aware of their authentication state. Are they authenticated, and to what?

