IAM/IRM considerations for SaaS provider selection
David Taylor (Smart421), Cliff Dobbs (ARM)

Upload: forgerock

Post on 20-Jun-2015


DESCRIPTION

DAVID TAYLOR, IAM Consultant, Smart421 and CLIFF DOBBS, IAM Architect, ARM, at the European IRM Summit 2014.

TRANSCRIPT

Page 1: IAM/IRM CONSIDERATIONS FOR SAAS PROVIDER SELECTION

IAM/IRM considerations for SaaS provider selection

David Taylor (Smart421), Cliff Dobbs (ARM)

Page 2

What & Why

Who for:
- Project managers & Business Analysts
- Architects
- Mainly companies using SaaS providers

What: Connecting your company’s IAM infrastructure to that of a SaaS provider

Why:

Page 3

Questions for “them – the SaaS provider”:
1. Does their service support an open SSO federation protocol?
2. How easy is it to automate the provisioning and de-provisioning of users?
3. Does their technical environment fit with your constraints?
4. Can the integration be tested before go-live?
5. What about mobile access?

And for “us”:
6. Do you understand your own requirements?
7. What can we do to make federation easier?
8. Can IDaaS vendors help with this?

Page 4

Questions for the SaaS providers

Page 5

Does their service support an open federation protocol?

Page 6

Does their service support an open federation protocol?

Sequence diagram between two parties: You (AP / IdP) and SaaS Vendor (RP / SP)
1: Visit Resource (no session)
2: Authenticate user
3: Generate Fed. Assertion
4: Validate Assertion
5: Create Session & allow access

Page 7

Does their service support an open federation protocol?

Sequence diagram between two parties: You (AP / IdP) and SaaS Vendor (RP / SP)
3: Generate Fed. Assertion
4: Validate Assertion
5: Create Session & allow access

Three things to agree on for these steps: Protocol, Profile, Assurance
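Steps 3 to 5 above in working form, as an added example that is not part of the slides: the IdP issues an assertion and the SP checks signature, issuer, audience, binding to its own request, validity window, replay and assurance level before creating a session. The entity IDs and the HMAC signing key are constructed stand-ins (a real SAML 2.0 assertion carries an XML signature verified against the IdP certificate).

```python
import hashlib, hmac, json, time, uuid

# Constructed shared secret standing in for the IdP's signing key; real SAML 2.0
# uses XML-DSig under the IdP certificate. Entity IDs are assumed values.
IDP_KEY = b"constructed-demo-key"
IDP_ENTITY_ID = "https://idp.my.example/saml"    # "You: AP / IdP"
SP_ENTITY_ID = "https://mycloudcrm.example/sp"   # "SaaS Vendor: RP / SP"

def sign(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()

def generate_assertion(subject, assurance, in_response_to, now=None):
    """Step 3: the IdP issues a short-lived, audience-bound assertion tied to the SP's request."""
    now = time.time() if now is None else now
    payload = {
        "id": uuid.uuid4().hex, "issuer": IDP_ENTITY_ID, "audience": SP_ENTITY_ID,
        "subject": subject, "assurance": assurance, "in_response_to": in_response_to,
        "issue_instant": now, "not_on_or_after": now + 300,
    }
    return {"payload": payload, "signature": sign(payload)}

class ServiceProvider:
    """Step 4: validate the assertion; only a passing assertion reaches step 5 (create session)."""
    def __init__(self, trusted_issuers, min_assurance):
        self.trusted_issuers = trusted_issuers
        self.min_assurance = min_assurance   # the "Assurance" label: the level the SP requires
        self.seen_ids = set()                # replay cache; use a shared store in production

    def validate(self, assertion, expected_request_id, now=None):
        now = time.time() if now is None else now
        p = assertion["payload"]
        if not hmac.compare_digest(sign(p), assertion["signature"]):
            return False, "bad signature"
        if p["issuer"] not in self.trusted_issuers:
            return False, "untrusted issuer"
        if p["audience"] != SP_ENTITY_ID:
            return False, "audience mismatch"
        if p["in_response_to"] != expected_request_id:
            return False, "not a response to our request"
        if not (p["issue_instant"] - 60 <= now < p["not_on_or_after"]):  # 60 s clock skew
            return False, "outside validity window"
        if p["id"] in self.seen_ids:
            return False, "replayed assertion"
        if p["assurance"] < self.min_assurance:
            return False, "assurance too low"
        self.seen_ids.add(p["id"])
        return True, "session created for " + p["subject"]
```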

Page 8

Does their service support an open federation protocol? Which Federation Protocols?

‘Proper’ Identity Federation protocols:
- Shibboleth
- SAML 1.x
- WS-Fed
- SAML 2.0
- OpenID
- OpenID Connect

Pseudo Identity Federation Protocols:
- OAuth
- OAuth 2.0
- OATH

Page 9

Does their service support an open federation protocol? Which Federation Protocols?

‘Proper’ Identity Federation protocols:
- Shibboleth
- SAML 1.x
- WS-Fed
- SAML 2.0
- OpenID
- OpenID Connect

Pseudo Identity Federation Protocols:
- OAuth
- OAuth 2.0 (but OK for authorization scenarios)
- OATH

Page 10

Does their service support an open federation protocol? Which Federation Protocols?

SAML 2.0 Protocols

Page 11

Do you understand your own requirements?

- What technical constraints do you have?
- What user journey requirements do you have?
- What security policy requirements do you have?
- What audit requirements do you have around provisioning?

Page 12

Does their technical environment fit with your constraints?

[Diagram labels: IdP / SP; SSO / ACS; My.Com / MyCloudCRM; Ms Mobile; Artefact]

Page 13

Does their technical environment fit with your constraints?

[Diagram labels: IdP / SP; SSO / ACS; My.Com / MyCloudCRM; Ms Mobile; IdP SSO 2FA; Artefact]

Page 14

Does their technical environment fit with your constraints?

[Diagram labels: IdP / SP; Customer / Partner IdP; SSO / ACS; My.Com / MyCloudCRM; IdP SSO; 2FA?]

Page 15

Does their technical environment fit with your constraints?

[Diagram labels: IdP / SP; IdP Proxy; Customer / Partner IdP; SSO / ACS; My.Com / MyCloudCRM; Ms Mobile; IdP / SP; 2FA; 2FA?]

Page 16

Does their technical environment fit with your constraints?

[Diagram labels: IdP / SP; IdP Proxy; SSO / ACS; My.Com / MyCloudCRM; IdP; IdP / SP; 2FA X]

Page 17

How easy is it to automate the provisioning and de-provisioning of users?

Identity Lifecycle Management options:
- None / Implicit / Dynamic
- Flat file exchange (usually proprietary)
- LDIF exchange -> Directory Synchronisation
- SAML 2.0 explicit support
- SCIM

Frequency, Latency… how fast does the SaaS provider need to react to changes?

Transactional integrity / Audit… “I thought we turned off Johnny’s access”

SCIM Resource Model, with thanks to http://www.simplecloud.info
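The audit question on this slide, as an added example that is not from the presentation: a reconciliation that compares an authoritative HR/directory view with a SaaS provider's SCIM user export and flags leavers still active, deprovisioning slower than an agreed latency, and accounts unknown to HR. The records are constructed; the PatchOp shape follows SCIM 2.0 (RFC 7644), which post-dates the talk.

```python
from datetime import datetime, timedelta

# Constructed authoritative (HR / directory) view: leavers are inactive with a termination time.
HR_RECORDS = [
    {"userName": "alice",  "active": True,  "terminated": None},
    {"userName": "johnny", "active": False, "terminated": "2014-11-03T09:00:00"},
    {"userName": "bob",    "active": False, "terminated": "2014-11-04T17:30:00"},
]
# Constructed export from the SaaS provider's SCIM /Users endpoint (core attributes only).
SAAS_USERS = [
    {"userName": "alice",  "active": True,  "meta": {"lastModified": "2014-10-01T08:00:00"}},
    {"userName": "johnny", "active": True,  "meta": {"lastModified": "2014-09-20T08:00:00"}},
    {"userName": "bob",    "active": False, "meta": {"lastModified": "2014-11-05T02:00:00"}},
    {"userName": "carol",  "active": True,  "meta": {"lastModified": "2014-10-15T08:00:00"}},
]

def reconcile(hr, saas, max_latency=timedelta(hours=4)):
    """Return (kind, userName, detail) audit findings where the SaaS view disagrees with HR."""
    hr_by_name = {r["userName"]: r for r in hr}
    findings = []
    for u in saas:
        rec = hr_by_name.get(u["userName"])
        if rec is None:                              # account HR never heard of
            if u["active"]:
                findings.append(("orphan", u["userName"], "active at SaaS, unknown to HR"))
        elif not rec["active"] and u["active"]:      # "I thought we turned off Johnny's access"
            findings.append(("still_active", u["userName"], "terminated but still active"))
        elif not rec["active"]:                      # deactivated, but how long did it take?
            latency = (datetime.fromisoformat(u["meta"]["lastModified"])
                       - datetime.fromisoformat(rec["terminated"]))
            if latency > max_latency:
                hours = latency.total_seconds() / 3600
                findings.append(("slow_deprovision", u["userName"],
                                 "deactivated %.1f h after termination" % hours))
    return findings

def scim_deactivate_patch():
    """The SCIM 2.0 PatchOp (RFC 7644) a connector would send to deactivate a leaver."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
```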

Page 18

Can the integration be tested before go-live?

Page 19

Questions for the IAM experts

Page 20

What should we be asking the SaaS providers to do? Play nicely together …

… like the ARM Connected Community does

Page 21

Can IDaaS vendors help with this?

Page 22

What can we do to make federation easier?

Page 23

Summary – What does good look like?

- SaaS vendor supports a good ID Federation protocol – fit to constraints
- Solution can be tried out in a non-live situation
- Provisioning and de-provisioning is painless – audit / assurance of events
- Mobile application security mechanisms are appropriate