1. Cloud Identity Crisis and the Identity Broker
Vlad Mihnea, R&D Manager
3. Identity: Definition
Set of information (attributes) by which an individual is definitively distinguished within a context, such as an application
• Identity Attributes:
  - Physiological attributes
  - Biographical information
  - Issued credentials
  - “Secret” information (e.g. history)
4.
• Height: 192cm
• Weight: 106kg
• Skin Color: White
• Eye Color: Blue
• Hair Color: Black
• Place of Birth: Krypton
• Identity: Secret
• Citizenship: Kryptonian, American
• Base: Metropolis, Fortress of Solitude
• Occupation: Journalist, Super Hero
• Employer: Daily Planet, Self-employed
10. Superman: One User – Many Identities
Login          Email                          Credentials
superman       superman@superman.superman     **********
kel            kal.el@krypton.gov.ws          **********
clark.kent     clark.kent@dailyplanet.com     **********
superboy1977   superboy1977@gmail.com         **********
11. Cloud Identity Crisis: Complex & Fragmented
[Diagram: create, delete and attribute-sync flows between Active Directory, HR systems (PeopleSoft, SAP), cloud services (Office365, Workday, Salesforce, etc.) and on-premises applications (Financials, SharePoint, Sales), involving the application owner, business manager, users, IT helpdesk, administrators, and partners/customers]
12. Cloud Identity Crisis: Complex & Hybrid
• Complexity: One user, many identities
  - If a user has more than one identity, they will cope with that complexity by choosing easy-to-remember credentials, which makes them a weak link for hackers
• Fragmentation: Many apps, many systems
  - If applications have separate identity systems, it becomes a manual job to maintain the integrity of the identities on each system for events such as staff changes
• Complexity & Fragmentation => Entropy
  - A fragmented identity system leads to fragmented accountability, allowing suspect users to identify themselves through unapproved applications
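As an added example (not from the slides), this is the reconciliation an identity hub performs to derive the create / delete / attribute-sync flows of slide 11 from an HR source of record for each application's own identity store, and to flag orphaned accounts that no HR record explains, which is the fragmented-accountability problem above. HR, APPS and the synced attribute set are constructed sample data.

```python
# Constructed sample: the HR system of record, keyed by employee id.
HR = {
    "e100": {"email": "clark.kent@dailyplanet.com", "title": "Journalist", "active": True},
    "e101": {"email": "lois.lane@dailyplanet.com", "title": "Reporter", "active": True},
    "e102": {"email": "jimmy.olsen@dailyplanet.com", "title": "Photographer", "active": False},
}

# Constructed sample: what each application's own identity store currently holds.
APPS = {
    "salesforce": {
        "e100": {"email": "clark.kent@dailyplanet.com", "title": "Reporter"},
        "e102": {"email": "jimmy.olsen@dailyplanet.com", "title": "Photographer"},
        "x999": {"email": "superboy1977@gmail.com", "title": "Admin"},  # no HR record
    },
    "sharepoint": {
        "e100": {"email": "clark.kent@dailyplanet.com", "title": "Journalist"},
        "e101": {"email": "lois.lane@dailyplanet.com", "title": "Reporter"},
    },
}

SYNCED = ("email", "title")  # attributes the hub is authoritative for (assumed)


def reconcile(hr, app_users):
    """Return (operations, orphans) for one application.

    operations: list of (op, employee_id, attributes) with op in
    "create" / "delete" / "sync", the three flows a hub pushes out.
    orphans: account ids present in the app but absent from HR, i.e. the
    unaccountable identities a fragmented setup lets accumulate.
    """
    ops = []
    for emp, rec in hr.items():
        current = app_users.get(emp)
        wanted = {k: rec[k] for k in SYNCED}
        if rec["active"] and current is None:
            ops.append(("create", emp, wanted))  # joiner: provision
        elif not rec["active"] and current is not None:
            ops.append(("delete", emp, {}))  # leaver: deprovision everywhere
        elif rec["active"]:
            drift = {k: v for k, v in wanted.items() if current.get(k) != v}
            if drift:
                ops.append(("sync", emp, drift))  # mover: push changed attributes
    orphans = sorted(set(app_users) - set(hr))
    return ops, orphans


def reconcile_all(hr, apps):
    """Run the reconciliation against every connected application."""
    return {app: reconcile(hr, users) for app, users in apps.items()}


if __name__ == "__main__":
    for app, (ops, orphans) in reconcile_all(HR, APPS).items():
        print(app, ops, "orphans:", orphans)
```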
14.
• Service Brokers - The Cloud Marketplace
  - Cloud Exchange for the enterprise and cloud services: a broker service that integrates, manages and bills cloud services
  - Essential to the transformation of traditional IT into IT as a Service
• Identity Brokers - The Cloud Identity Hub
  - IDaaS: enables the provisioning and life-cycle management of users across external cloud services
  - Virtual Directory in the cloud that brokers identity from the enterprise to external cloud providers
Cloud Service Broker ⊆ Cloud Identity Broker
16. ID Protocols: Emerging Standards have an Edge
Key Features:
• Governance
• Hubris

Key Features:
• “Solving the right problem”
• Enterprise-only scope

Key Features:
• Agility
• Cloud friendliness
• Robustness

Source: TechRadar For Security Pros: Zero Trust Identity Standards, Q3 2012
17. ID Protocols: Relevant Jargon
OAuth 2.0
  - Auth Server
  - Resource Server
OpenID Connect 1.0
  - OpenID Provider
  - Relying Party
  - User Claims
  - Client Claims
SAML 2.0
  - Identity Provider
  - Service Provider
  - Attributes
  - SP Metadata
SCIM
  - Service Provider: a web application that provides identity information via the SCIM protocol
  - Consumer: an application that uses the SCIM protocol to manage identity data maintained by the Service Provider
  - Resource: the Service Provider managed artifact containing one or more attributes, e.g. User or Group
18. ID Protocols: Comparison
• Login session: OAuth 2.0 is not responsible for session initiation; OpenID Connect 1.0 and SAML 2.0 both initiate the user’s login session
• User consent: OAuth 2.0 and OpenID Connect 1.0 collect the user’s consent to share attributes; SAML 2.0 is not responsible for collecting user consent
• Identity tokens: OAuth 2.0 has no actual identity tokens; OpenID Connect 1.0 and SAML 2.0 issue high-security identity tokens
• Claims: OAuth 2.0 carries no actual claims (it protects APIs); OpenID Connect 1.0 and SAML 2.0 support distributed and aggregated claims
• Client onboarding: static in OAuth 2.0 and SAML 2.0; dynamic in OpenID Connect 1.0
• Session: OAuth 2.0 has no session; OpenID Connect 1.0 and SAML 2.0 have a session timeout
19. ID Protocols: Standards & Gaps
Identified Standards:
• SAML
• OpenID
• OpenID Connect
• OAuth
• SPML
• SCIM
• WS-Federation
• XACML
Identified Gaps:
• Configuration and association with an IdP is not standardized
• No standards or rules for mapping or transforming attributes between different domains
• No profiles or standard roles and related attributes
• No standards for attributes
• No audit standards for IDM systems