Identity Federation: From Theoretical Concepts to Case Studies of Concrete Implementations
Seminar "Fédération d’identité : des concepts théoriques aux études de cas d’implémentations concrètes". Nagib Aouini, Head of IAM Division
Geneva, 27.11.2014
AGENDA
Context / Needs / Customer challenges – 5 min
Federation vision (concepts, benefits, needs) – 15 min
ELCA security architecture – 15 min
Project strategy – 5 min
Lessons learned / ELCA security services / Questions & answers – 15 min
CURRENT CUSTOMER NEEDS
■ Allow secure access to B2B applications based on SharePoint 2013 for all employees, business partners and contractors (maximum 100’000 users).
■ Simplify the registration and on-boarding process for business partners and employees without adding huge administration tasks for business and IT admins (access rights management).
■ Provide the best user experience for end users in terms of access, registration and collaboration.
■ Identify users and audit all access to sensitive documents using a unique identifier (which is strongly linked to the physical person).
■ Deliver the best performance for the B2B application and support peak demand during specific events.
BUSINESS DRIVERS
■ Business facilitation
- Improve user experience (with SSO and federated SSO)
- Integrate partners (top sponsors)
- Integrate new business applications in time-to-market (SaaS apps, on-premises using SAML SSO)
■ Improve security & risk management
- Strong authentication to protect sensitive assets
- Enforce the access control policy
- Timely revocation of inactive accounts
- Impose policies and improve audit capability
■ Regulatory compliance
- Loi fédérale du 19 juin 1992 (LPD) (the Swiss Federal Act on Data Protection)
- Company audit policy and compliance report
■ Reduce operational costs
- Align technology in both data centres (use of F5)
- Reduce management and security costs
- Cut development costs by using standard protocols (SAML2, OAuth, WS-Fed …)
BUSINESS CHALLENGES
Project business team: "How do we manage this mass of users in terms of registration and access rights? We are only 5 people!"
IT security officer: "I will not let 100’000 users access my network without identifying them in a secure way! Today our LAN is not open to the Internet worldwide."
IT system administrator: "How many system administrators do we need to manage that many servers (required for SharePoint 2013)? Do we need to manage a lot of firewall rules for SAML?"
Help desk and support: "I don’t want to receive calls or tickets for people working outside our company. I’m supposed to handle requests only for employees!"
Head of IT: "Are you sure that SAML is the right choice? Will it make application integration faster in the future? Does it enable SSO to SaaS platforms? It costs a lot, no?"
HOW CAN FEDERATED IDENTITY AND SSO SOLVE THOSE CHALLENGES?
Federated Identity & SSO: benefits
- User experience: simplify the user's navigation
- Simplify access: a single authentication service
- Secure access: no more passwords, tokens are exchanged instead
- Facilitate integration: use of the SAML standard, which crosses network boundaries
![Page 8: Fédération d’identité : des concepts Théoriques aux études de cas d’implémentations concrètes](https://reader030.vdocuments.pub/reader030/viewer/2022032616/55a695201a28ab6d148b4631/html5/thumbnails/8.jpg)
Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be.
Determining which actions an authenticated entity is authorized to perform on the network
WHAT IS FEDERATED IDENTITY MANAGEMENT?
Identity Provider (IdP) – Entity performing authentication
Service Provider (SP) – Entity allowing authorized resource access
Service Provider (SP) – Entity allowing authorized resource access
IDPIDP Service ProviderService Provider
Identity management deals with identifying individuals in a system and controlling access to the resources in that system
IDENTIFICATION AND AUTHENTICATION: CLASSIC VS SAML-BASED
(diagram: in the classic model each application (App 1, App 2) performs its own authentication against Active Directory and its own authorisation over functionalities and data; in the SAML-based model the IdP authenticates against Active Directory and sends SAMLv2 claims to the SP, so each application keeps only the authorisation over its functionalities and data)
![Page 10: Fédération d’identité : des concepts Théoriques aux études de cas d’implémentations concrètes](https://reader030.vdocuments.pub/reader030/viewer/2022032616/55a695201a28ab6d148b4631/html5/thumbnails/10.jpg)
© ELCA - dd.mm.yyyy VISA
Annuaire
SSO
Ressourcesnumériques
SP
IdP
Fournisseur de service (SP)
Fournisseur d’identité (IdP)
Service de découverte des IdP
IDENTITY FEDERATION OVERVIEW
TRUST BETWEEN IDP AND SP
■ Asymmetric cryptography (key pair)
- The receiver's public key (known to the sender) is used for encryption
− The sender must be able to verify the authenticity of the public key!
- The receiver's private key (the receiver's secret) is used for decryption
- The key pair (private and public) is generated at the same time
- Also known as "public-key cryptography"
The message exchange between an IdP and an SP that trust each other works the same way (diagram: the IdP signs and encrypts with the SP public key, the SP decrypts with the SP private key and extracts the message).
SAML TOKEN
SAML tokens carry pieces of information about the user (they can contain more information than a Windows Kerberos token), for example name, age and location.
FEDERATED SSO FLOW
(diagram: the client obtains a token from the Identity Provider (ADFS) in step 1 and presents it to Application A and to External Application B in step 2)
The token is a signed SAML assertion carrying the user's attributes:

```xml
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="loginID" AttributeNamespace="http://...">
      <saml:AttributeValue>A3478372</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://...">
      <saml:AttributeValue>Bob</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="employeeType" AttributeNamespace="http://...">
      <saml:AttributeValue>internal</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
</saml:Assertion>
```
SSO WITH OPENID PROVIDER AND SOCIAL NETWORK
(sequence diagram in seven steps between the client, the Service Provider (SP), the IdP and the social identity provider: GET /app1; Redirect 302 – GET /saml2/SAMLRequest; GET /openid/auth; OpenID token; POST /saml/ (step 6); GET /default.aspx)
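The exchange on the "SSO with OpenID provider" slide, simulated end to end in one process as an added example (not code from the slides or from ELCA). Entity IDs, URLs and the key are constructed; the IdP "signature" is an HMAC over the assertion with a key shared by IdP and SP, standing in for the XML-DSig signature and asymmetric key pair of the "trust between IdP and SP" slide; the attribute values are those of the assertion on the "federated SSO flow" slide.

```python
# Added example, not from the slides: SP-initiated SAML web SSO in one process.
# URLs, entity IDs and the key are constructed; the IdP "signature" is an HMAC with
# a key shared by IdP and SP, standing in for a real deployment's XML-DSig signature.
import base64
import hashlib
import hmac
import json
import secrets
import zlib
from urllib.parse import parse_qs, urlencode

SP_ENTITY_ID = "https://b2b.example.test/sp"              # constructed
IDP_SSO_URL = "https://idp.example.test/saml2/sso"        # constructed
SHARED_KEY = b"constructed-demo-key-not-for-production"  # constructed


def sp_build_redirect(relay_state: str) -> tuple:
    """Step 2: the SP answers GET /app1 with a 302 to the IdP (HTTP-Redirect binding).
    Returns the request ID the SP must remember and the Location header value."""
    request_id = "_" + secrets.token_hex(16)
    authn_request = (
        f'<samlp:AuthnRequest ID="{request_id}" Version="2.0" '
        f'AssertionConsumerServiceURL="{SP_ENTITY_ID}/saml"/>'
    )
    # Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encoded
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"


def idp_decode_request(location: str) -> dict:
    """Step 3: the IdP reverses the encoding and recovers request ID and RelayState."""
    params = parse_qs(location.split("?", 1)[1])
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode()
    request_id = xml.split('ID="', 1)[1].split('"', 1)[0]
    return {"request_id": request_id, "relay_state": params["RelayState"][0]}


def idp_issue_response(request_id: str, attributes: dict, now: int) -> dict:
    """Steps 4-6: after the social OpenID login succeeds, the IdP issues an assertion
    bound to the request and to this SP, valid five minutes, signs it and returns the
    form fields the browser auto-POSTs to the SP's /saml endpoint."""
    assertion = {
        "id": "_" + secrets.token_hex(16),
        "in_response_to": request_id,
        "audience": SP_ENTITY_ID,
        "not_on_or_after": now + 300,
        "attributes": attributes,
    }
    payload = base64.b64encode(json.dumps(assertion, sort_keys=True).encode()).decode()
    signature = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"SAMLResponse": payload, "Signature": signature}


def sp_consume(form: dict, pending: set, seen: set, now: int) -> dict:
    """Step 7: the SP checks the POSTed assertion before opening a session.
    Any failed check refuses the login; a fully valid assertion yields the attributes."""
    expected = hmac.new(SHARED_KEY, form.get("SAMLResponse", "").encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, form.get("Signature", "")):
        return {"ok": False, "reason": "signature does not verify"}
    a = json.loads(base64.b64decode(form["SAMLResponse"]))
    if a["audience"] != SP_ENTITY_ID:
        return {"ok": False, "reason": "assertion issued for another SP"}
    if now >= a["not_on_or_after"]:
        return {"ok": False, "reason": "assertion expired"}
    if a["id"] in seen:
        return {"ok": False, "reason": "assertion replayed"}
    if a["in_response_to"] not in pending:
        return {"ok": False, "reason": "unsolicited or unknown request ID"}
    pending.discard(a["in_response_to"])   # one response per request
    seen.add(a["id"])                      # one use per assertion
    return {"ok": True, "attributes": a["attributes"]}


def run_flow(now: int = 1_000_000) -> dict:
    """Drives the exchange and returns the SP's verdict on the first POST, on an
    identical second POST (a replay) and the RelayState that came back."""
    pending, seen = set(), set()
    request_id, location = sp_build_redirect("/default.aspx")
    pending.add(request_id)
    req = idp_decode_request(location)
    # Attribute values taken from the assertion on the "federated SSO flow" slide
    form = idp_issue_response(req["request_id"], {"loginID": "A3478372", "name": "Bob",
                                                  "employeeType": "internal"}, now)
    first = sp_consume(form, pending, seen, now)
    replay = sp_consume(form, pending, seen, now)
    return {"first": first, "replay": replay, "relay_state": req["relay_state"]}
```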
FEDERATION MODELS – PEER-TO-PEER
(diagram: the company LAN hosts its own IdP and SP; external IdP 1, IdP 2 and IdP 3 and external SP x and SP y are each connected by a separate trust link)
IDENTITY FEDERATION WITH A “HUB” SAML ARCHITECTURE
(diagram: a central HUB in the data centre mediates trust between the IdPs (HQ, W, X, Y, Z) and the SPs (SP 1, SP 2, SP 3) fronting apps A, B, C, X, Y and Z)
Other applications: SaaS (cloud), partners …
PARTNER CATEGORIZATION
- Not mandatory; makes business easier; «low» level of trust
- Essential for business; several services used; «medium» level of trust
- Essential for strategy; advanced SLA; sensitive applications; «high» level of trust
ACCOUNT AND ACCESS MANAGEMENT
■ Account provisioning
- Transient (no need to map the account to an existing one)
- Just-in-time (JIT) provisioning (needs a mapping ID)
- Directory synchronization (via CRM or regular export / import)
■ Access management
- Generic partner account (e.g. partner-gen-user)
- Establish roles among the partner’s users (e.g. part-t1-user, part-t2-user, part-t3-user, part-t4-user)
- Each partner’s user has their own account
WHY DO WE NEED A UNIQUE ID
■ Ability to uniquely identify a user (or application, machine, service, …) in the IT environment, e.g. for audit purposes
■ No need to manage matching tables per application between the ID and the physical user
■ It is a mandatory prerequisite for internal SSO and external identity federation
■ The ID needs to be kept and archived even if the employee has left the company. It must never be re-assigned to any other employee, to avoid the risk of access rights being recovered.
FEDERATED IDENTITY CHECKLIST
- Partners identified: categorization, reliability, auditability, confidentiality
- Federation technology
- Unique identifier
- User data reliability
- Rules and regulations documented
- Audit
- Service providers: federation token consumer, SLA – availability
- Identity providers: federation token issuer, strong authentication
- IAM processes
LEGAL AND CONTRACTUAL CONSTRAINTS
■ Identity authenticity
- Depends on the partner trust level
- Defines constraints on which service is accessed
■ Confidentiality vs. auditability (need vs. constraints)
- Audit: track user activity
- Confidentiality: hide user identity
FEDERATED SSO EXAMPLE
- Multi-organization collaboration is common
- Accounts are generally maintained by one organization
- Grant access to externally authenticated users
(diagram: a business agreement links the Customer and the Business Partner; the partner authenticates the user, who then accesses the customer's resources)
“We don’t need to maintain or create external accounts for those users, as the Customer trusts the partner!”
FEDERATED IDENTITY MANAGEMENT: EXAMPLE
(diagram: the user authenticates through authentication services that issue SAML tokens and open a session to access the applications (Exchange, HR database, SAP, databases); a central directory feeds the applications by synchronization; the federated IAM trusts the federated partners, whose identities come from the CRM or contacts)
ELCA APPROACH: DEFENSE IN DEPTH APPROACH
(diagram: Internet → Secure CDN → F5 Big-IP in front of the data centres DC 1 & 2, DC3 and DC4 (test and prod), each hosting the B2B app and an IAM & security zone with ADFS as SAML IdP and an external AD with 2FA; an internal AD with 2FA serves the LAN. Use cases: 1 employee from LAN; 2 employee from Internet; 3 federated partner from LAN; 4 not-federated partner from Internet; 5 federated partner from Internet)
DEFENSE IN DEPTH APPROACH
Security mechanisms per layer:
- HTML/HTTP inspection; input validation checks; secured custom code; sanitization
- OS hardening with BPA / security templates; IIS hardening; HIDS
- Strong authentication; RBAC model; security policy; encryption at rest/in transit; audit; access control
- Secured equipment rack; physically controlled access; secure facilities; RFI/EMI shielding; geographical site location
- Network device access control lists; IPsec encryption; NIDS; firewall
Products and controls deployed: Secure CDN; F5-ASM; 2FA; web password; F5-APM; SIEM (Splunk); CheckPoint; IPS (ISS); VPN IPsec; Best Practice Analyzer; WSUS; Symantec / McAfee; DataCenter1 – ISO 27002; DataCenter2 – ISO 20000/ITIL
Source: Microsoft defense in depth approach
NETWORK DEFENSE: NETWORK SEGMENTATION
(diagram: front end, middle end and back end zones, with App 1 prod, App 2 test and App 2 prod kept in separate segments)
TRACK USER ACTIVITY: UNIQUE ID
(diagram: employees, contacts, Active Directory and other sources feed the unique ID)
- The unique ID will be independent of the first name and last name of the user
- The unique ID will be generated according to a specific algorithm
- Internal and external users will use their email address to log in to the B2B applications, but the logs will track them using their unique ID
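One way to put the rules of the "why do we need a unique ID" and "track user activity: unique ID" slides together with the just-in-time provisioning of the "account and access management" slide into code, as an added example (not ELCA's implementation). The ID format, the secret salt, the e-mail addresses and the document name are constructed for the demo.

```python
# Added example, not from the slides: a registry applying the unique-ID rules of the
# "why do we need a unique ID" and "track user activity: unique ID" slides, with the
# just-in-time provisioning of the "account and access management" slide. The ID
# format, the salt and the sample logins are constructed for the demo.
import hashlib
import json
from typing import Optional

SALT = b"constructed-per-deployment-secret-salt"   # secret, so IDs cannot be predicted


class IdentityRegistry:
    """One record per physical person. Records are archived, never deleted, so an ID
    can never be handed to a second person; users log in with their e-mail address,
    the audit log names them by unique ID only."""

    def __init__(self):
        self._records = {}     # unique ID -> record, kept for archived people too
        self._by_email = {}    # normalised e-mail -> unique ID (the JIT mapping ID)
        self._counter = 0      # monotonic, so the generator never produces a repeat
        self.audit_log = []

    @staticmethod
    def normalise_email(email: str) -> str:
        return email.strip().lower()

    def _new_unique_id(self) -> str:
        """Opaque ID derived from a counter and the secret salt, not from the name, so
        it survives renames and reveals nothing about the person."""
        while True:
            self._counter += 1
            digest = hashlib.sha256(SALT + self._counter.to_bytes(8, "big")).hexdigest()
            uid = "U" + digest[:10].upper()
            if uid not in self._records:   # never reuse, not even an archived one
                return uid

    def jit_provision(self, claims: dict) -> Optional[dict]:
        """First federated login creates the account; later logins reuse the mapping.
        An archived person is refused rather than silently given a fresh ID."""
        email = self.normalise_email(claims["email"])
        uid = self._by_email.get(email)
        if uid is None:
            uid = self._new_unique_id()
            self._records[uid] = {"uid": uid, "email": email,
                                  "org": claims.get("org"), "status": "active"}
            self._by_email[email] = uid
        record = self._records[uid]
        if record["status"] != "active":
            self._log(uid, "login", "refused: archived")
            return None
        self._log(uid, "login", "ok")
        return record

    def deprovision(self, uid: str) -> None:
        """Leaver: disable the account but keep record and mapping; the ID stays taken."""
        self._records[uid]["status"] = "archived"

    def record_access(self, email: str, document: str) -> str:
        """Access to a sensitive document is logged under the unique ID, not the e-mail."""
        uid = self._by_email[self.normalise_email(email)]
        self._log(uid, "read", document)
        return uid

    def lookup(self, uid: str) -> Optional[dict]:
        return self._records.get(uid)

    def _log(self, uid: str, action: str, detail: str) -> None:
        self.audit_log.append(json.dumps({"uid": uid, "action": action, "detail": detail}))


def demo() -> dict:
    """Constructed sequence: a partner user logs in twice (different e-mail casing),
    reads a document, leaves, tries to log in again, then a second user is provisioned."""
    reg = IdentityRegistry()
    mary = reg.jit_provision({"email": "Mary.C@org-x.example", "org": "X"})
    again = reg.jit_provision({"email": "mary.c@ORG-X.example", "org": "X"})
    reg.record_access("mary.c@org-x.example", "board-minutes.pdf")
    reg.deprovision(mary["uid"])
    after_leaving = reg.jit_provision({"email": "mary.c@org-x.example", "org": "X"})
    paul = reg.jit_provision({"email": "paul.b@org-y.example", "org": "Y"})
    return {"mary": mary["uid"], "again": again["uid"], "after_leaving": after_leaving,
            "paul": paul["uid"], "mary_status": reg.lookup(mary["uid"])["status"],
            "log": reg.audit_log}
```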
SIMPLIFY ACCESS RIGHT MGT: ATTRIBUTE BASED ACCESS CONTROL
(diagram: three external users reach the B2B application over the Internet carrying their attributes, and each site exposes a different set of rights)
Users and their attributes:
- Name: Mary C, Org: X, Fct: Audit, Loc: CH
- Name: Paul B, Org: Y, Fct: Marketing, Loc: BR
- Name: Marc A, Org: Z, Fct: Accommodation, Loc: UK
Rights per site:
- Site A: Read, Write, Download, Create users
- Site B: Read, Write, Approve, Create users
- Site C: Read, Update, Delete
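An attribute-based policy over the three sites and three users of this slide, evaluated against the users' claims, as an added example (not the customer's or ELCA's policy). The slide gives only the users, their attributes and each site's rights; which attribute values earn which rights is constructed here, and the evaluator denies by default, denies when a claim is missing, and never grants a right a site does not expose.

```python
# Added example, not from the slides: ABAC over the sites and users of the slide.
# The rules (which attribute values earn which rights) are constructed for the demo.
from dataclasses import dataclass

SITE_RIGHTS = {   # the rights each site exposes, as listed on the slide
    "A": {"Read", "Write", "Download", "Create users"},
    "B": {"Read", "Write", "Approve", "Create users"},
    "C": {"Read", "Update", "Delete"},
}


@dataclass(frozen=True)
class Rule:
    site: str
    match: dict      # every listed attribute must equal the claim value exactly
    grants: frozenset


POLICY = [   # constructed rules; a real policy would be maintained per partner tier
    Rule("A", {"fct": "Audit"}, frozenset({"Read", "Download", "Delete"})),  # Delete not exposed on A
    Rule("B", {"fct": "Audit"}, frozenset({"Read"})),
    Rule("C", {"fct": "Audit"}, frozenset({"Read"})),
    Rule("A", {"fct": "Marketing", "loc": "BR"}, frozenset({"Read", "Write"})),
    Rule("B", {"org": "Y"}, frozenset({"Read", "Write", "Approve"})),
    Rule("C", {"fct": "Accommodation"}, frozenset({"Read", "Update"})),
    Rule("A", {"org": "Z", "loc": "UK"}, frozenset({"Read", "Write", "Create users"})),
]

USERS = {   # attributes as shown on the slide
    "Mary C": {"org": "X", "fct": "Audit", "loc": "CH"},
    "Paul B": {"org": "Y", "fct": "Marketing", "loc": "BR"},
    "Marc A": {"org": "Z", "fct": "Accommodation", "loc": "UK"},
}


def permitted(claims: dict, site: str) -> set:
    """Union of the grants of every rule whose conditions all hold for the claims,
    intersected with what the site exposes. No matching rule, or a missing claim
    that a rule needs, means no rights at all (deny by default)."""
    rights = set()
    for rule in POLICY:
        if rule.site != site:
            continue
        if all(claims.get(key) == value for key, value in rule.match.items()):
            rights |= rule.grants
    return rights & SITE_RIGHTS.get(site, set())


def is_allowed(claims: dict, site: str, action: str) -> bool:
    """The decision the B2B application asks for on each request."""
    return action in permitted(claims, site)


def access_matrix() -> dict:
    """Rights of every user on every site, for review by the business owner."""
    return {name: {site: sorted(permitted(claims, site)) for site in SITE_RIGHTS}
            for name, claims in USERS.items()}
```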
OUR IAM METHODOLOGY
ORGANISATION CHART
- Steering committee: sponsor, head of technology, security officer. Responsibilities: decide on major options; ensure alignment with corporate and business strategies; communicate.
- Project sponsor board: B2B project representatives, IT representatives, security representatives. Responsibilities: provide information; challenge deliverables and proposed solutions; validate deliverables and proposed solutions.
- Project team (N. Aouini): ELCA consultants and technical experts, ELCA project manager, E-Xpert Solutions F5 experts, other providers. Responsibilities: gather and analyse information; propose solutions, evaluate options; produce deliverables; manage the mission.
PROJECT PLAN
(Gantt chart over months M1 to M12: Phase 0 Analyze, Phase 1 Implement, Phase 2 Deploy & Run, Phase 3 Roll-out; legend: kick-off meeting, steering committees S1 to S4, weekly status, workshops WS#1 Identity federation, WS#2 Strong authentication, WS#3 IAM processes, WS#4 AuthZ models; deliverables: security architecture concept, F5-APM setup finished)
BENEFITS OF FEDERATED SSO
- Access to the platform available worldwide with the best technology, providing high performance, strong security and a high-quality user experience.
- Support for standard authentication methods (SAML2) and simplification of the on-boarding process for trusted partners.
- Reduced overall management cost of registration and troubleshooting of user access, since it is a completely automated process (based on CRM synchronization).
- Ability to control access to sensitive assets using 2FA coupled with SAML2 SSO (step-up authentication possible).
- Track and audit user activity using a secure unique identifier linked to a single person while respecting privacy.
RECOMMENDATIONS #1
■ Document the identity and access management (IAM) plan. Understand what the business wants in terms of requirements, how it will be operated (insourced or outsourced?), who is responsible for which pieces and how they function.
■ Produce fast results – achieve some quick, low-cost results
■ Address high-risk areas early – security issues are often the primary business concern (start with SSO and strong authentication); allow easier security auditing
■ Increase integration between directory, security and application services with a SAML Identity Provider.
■ Improve capabilities that promote the ease and efficiency of finding organisational data
■ Precise management of identity entitlements and modification or termination of system access rights through provisioning and de-provisioning mechanisms
RECOMMENDATIONS #2
■ Assess existing systems for accreditation and adherence to industry standards to smooth the SAML migration
■ Use a standard set of security protocols (SAML, OAuth)
■ Rationalise, synchronise and, where appropriate, reduce the number of directory services and identity information repositories
■ Reduce identity duplication and combine capabilities
- to simplify the overall infrastructure
- choice of a unique identifier for internal and external users
- reduce management/administration efforts
- enable a greater degree of single sign-on capabilities across the business systems
- allow easier security auditing
■ Manage identity entitlements of system access rights through provisioning and de-provisioning mechanisms
WHY CHOOSE OUR SOLUTION
ELCA has proven expertise to be your IAM partner
■ Proven IAM expertise
■ Ability to deliver on time
■ Quality of deliverables
■ Business focus first
■ Knowledge of customer needs
■ Team working with customer representatives
■ Innovation and cutting-edge solutions
■ Security focus in mind
■ Efficiency
■ Neutral integrator
■ Customization
■ Your local IAM partner
ELCA ARCHITECTURE
(diagram: authoritative sources (HR, external) feed a metadirectory; approver, user, ID admin and auditor roles; access management, dashboard and reports, self-service; synchronisation with AD + Exchange, the enterprise platform and other apps through IAM connectors; employees, contractors and stakeholders of federating partners arrive with SAML claims; log collection for access intelligence; application auditor)
ELCA IAM SUCCESS STORY
For a large humanitarian worldwide organization (9’000 users, 20’000 partners)
ELCA IAM SUCCESS STORY
For an insurance company (2’000 users, 20’000 brokers)
ELCA IAM SUCCESS STORY
For an international sports organization (500 users, 100’000 partners worldwide)
Thank you for your attention
For further information please contact:
Nagib Aouini, Head of Division, Identity & [email protected]
Lausanne I Zürich I Bern I Genf I London I Paris I Ho Chi Minh City