
© 2012 SecureAuth. All rights reserved.

SecureAuth is an IDP

14 November 2012

www.GoSecureAuth.com


WHY DOES AN ENTERPRISE NEED TO BECOME AN IDENTITY PROVIDER?

[Slide graphic: 2005 enterprise users vs. 2012 enterprise users]

2005 enterprise users: 1x ID, device, password; few applications

2012 enterprise users: nx IDs, devices, passwords; many applications; BYOD


AN IDENTITY PROVIDER CAN APPLY THE SAME POLICIES, PROFILE & PROCEDURES TO CLOUD, MOBILE & WEB/NETWORK APPLICATIONS


WHAT WILL BE THE BENEFIT OF BECOMING AN IDENTITY PROVIDER?


WHAT IS AN IdP?

Definition:

• A system that creates, maintains, and manages identity information.

• Provides principal authentication to other service providers (applications) within a federation or distributed network.

• The IdP sends an attribute assertion containing trusted information about the user to the Service Provider (SP).

Source: MIT Knowledge Base

An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider, i.e. the applications:

1. User directed to IdP

2. IdP authenticates user

3. User redirected to SP with token

[Slide diagram: the User (1) is directed to the Enterprise Identity Provider (IdP), which (2) authenticates the user and (3) redirects the user to the Service Provider (SP) with a token.]
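The three-step exchange above, as an added example that is not part of the original deck and not SecureAuth's code: the Service Provider redirects the user to the Identity Provider, the IdP checks the credential against a constructed directory, and the SP validates the assertion it gets back. HMAC-SHA256 over a JSON body stands in for SAML's XML signature with an X.509 certificate; the entity IDs, URLs, the `DIRECTORY` sample and the shared key are assumptions made for the example. The SP-side checks (signature, audience, validity window, one-time use of the assertion ID) are what stop a token issued for one application from being accepted by another or replayed.

```python
"""SP-initiated single sign-on between a Service Provider (SP) and an
Identity Provider (IdP), following the three steps on the slide.

Added example, not SecureAuth code. HMAC-SHA256 over a JSON body stands in
for SAML's XML signature with an X.509 certificate; entity IDs, URLs, the
sample directory and the shared key are constructed for the example."""
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed user store; a real IdP queries AD/LDAP here.
DIRECTORY = {
    "alice": {"password": "correct horse", "email": "alice@example.com",
              "groups": ["staff"]},
}


class IdentityProvider:
    def __init__(self, entity_id, key, clock=time.time):
        self.entity_id = entity_id
        self._key = key          # assumed pre-shared with every trusting SP
        self._clock = clock

    def authenticate(self, username, password):
        """Step 2: the IdP, not the application, checks the credential."""
        rec = DIRECTORY.get(username)
        return rec is not None and hmac.compare_digest(rec["password"], password)

    def issue_assertion(self, username, audience, ttl=300):
        """Step 3 payload: attributes bound to one SP and a short lifetime."""
        now = int(self._clock())
        body = {
            "id": secrets.token_hex(16),   # unique per assertion; SP uses it to spot replays
            "issuer": self.entity_id,
            "audience": audience,
            "subject": username,
            "attributes": {"email": DIRECTORY[username]["email"],
                           "groups": DIRECTORY[username]["groups"]},
            "not_before": now,
            "not_on_or_after": now + ttl,
        }
        raw = json.dumps(body, sort_keys=True)
        sig = hmac.new(self._key, raw.encode(), hashlib.sha256).hexdigest()
        return {"body": raw, "sig": sig}


class ServiceProvider:
    def __init__(self, entity_id, idp_url, idp_key, clock=time.time):
        self.entity_id = entity_id
        self.idp_url = idp_url
        self._idp_key = idp_key
        self._clock = clock
        self._seen_ids = set()   # assertion IDs already consumed

    def redirect_to_idp(self, return_to):
        """Step 1: send the unauthenticated user to the IdP, naming ourselves."""
        return self.idp_url + "?" + urlencode({"sp": self.entity_id, "return_to": return_to})

    def consume(self, token):
        """Validate the assertion; return (subject, attributes) or raise ValueError."""
        raw = token["body"].encode()
        expected = hmac.new(self._idp_key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            raise ValueError("bad signature")
        body = json.loads(raw)
        if body["audience"] != self.entity_id:
            raise ValueError("assertion not intended for this SP")
        now = self._clock()
        if not body["not_before"] <= now < body["not_on_or_after"]:
            raise ValueError("assertion outside validity window")
        if body["id"] in self._seen_ids:
            raise ValueError("assertion replayed")
        self._seen_ids.add(body["id"])
        return body["subject"], body["attributes"]


def rejection_reason(sp, token):
    """Why the SP refused a token, or None if it accepted it."""
    try:
        sp.consume(token)
    except ValueError as exc:
        return str(exc)
    return None


def sso_flow(sp, idp, username, password):
    """Run steps 1-3 and return what the SP learned about the user."""
    redirect = sp.redirect_to_idp("/app")                      # 1. user sent to IdP
    audience = parse_qs(urlparse(redirect).query)["sp"][0]
    if not idp.authenticate(username, password):               # 2. IdP authenticates
        raise ValueError("authentication failed")
    token = idp.issue_assertion(username, audience)            # 3. back to SP with token
    return sp.consume(token)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    idp = IdentityProvider("https://idp.example.test", key)
    sp = ServiceProvider("https://app.example.test", "https://idp.example.test/sso", key)
    print(sso_flow(sp, idp, "alice", "correct horse"))
```

The audience check is the one most often skipped in home-grown IdPs: without it, an assertion minted for a low-value application is equally valid at every other SP that trusts the same signing key.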


WHAT CAN YOU DO FOR ME?

Responsibility: IT Security

Issue: 2-Factor, Log-in, User log

Benefits:

• Provides an audit of access

• Reduces workflow burden on staff

• Reduces cost of management

Responsibility: Network Security

Issue: User access provisioning, VPN, Wireless Devices

Benefits:

• Secures access to proliferating apps

• Enables secure access to every application being managed, from mobile devices, desktops, geographically dispersed devices

Responsibility: Application Manager

Issue: SSO on Cloud, SAML

Benefits:

• Streamlines the acceptance and authentication of all identities for application access, whether IDs are social, biometric, mobile, other industry-standard

• Facilitates the assertion of identities to any application and device on the network

• Facilitates Cloud migration by leveraging current investment in infrastructure

SecureAuth IdP – Native Mobile Apps

2F/SSO for mobile provides:

• 2-Factor Auth

• Directory-based Auth

• SSO to other apps

• No thick client

[Slide diagram: identity asserted via 2F/SSO to the four resources: 1. Web, 2. Gateway / VPN, 3. SaaS / Cloud, 4. Mobile Apps]

Secure IdP Value: Build vs. Buy

Item                                                        Home Grown   SecureAuth

Build WebServer (IdP) (Hardened Server, WebServer, Forms)   Manual       Automated

Identity Authentication (AD SSO)                            Manual       Automated

SAML Assertion                                              Manual       Automated

SAML Attributes                                             Manual       Automated

X.509 Storage/Signed with Cert                              Manual       Automated

SSO Portal (SaaS, Web)                                      Manual       Automated

Federate ID Mapping                                         Manual       Automated

2-Factor Integration                                        Manual       Automated

IdM tools (PWD reset, Help Desk, etc.)                      Manual       Automated

Log Authentication                                          Manual       Automated

Mobile SSO/2-Factor                                         Manual       Automated


WHO IS USING SECUREAUTH IdP?

[Slide: customer deployments across seven verticals: Financial, Healthcare, Government, Technology, Retail, Education, Entertainment, each shown as one group of bullets]

• 2-factor
• SaaS Portal
• Password reset

• 2-factor Cisco ASA
• SAML SP Portal
• Password reset

• 2-factor
• IdP Portal for .Net Apps
• User mgmt.

• 2-factor X.509
• IdP – SAML to Juniper
• User mgmt., Help Desk, PW Reset

• 2-factor Cisco
• IdP – Google, Salesforce, Oracle
• User mgmt.

• 2-factor Juniper
• IdP – SaaS/SAML portal
• PW reset

• 2-factor
• IdP – IBM LDAP - SAML
• Google PW sync for Mobile

Western Union

Challenge:

• Needed secure 2-factor for BYOD initiative that is easy to use.

• Tokens were not only lacking in the security needed, but were far too expensive and difficult to manage for a global deployment.

Past Attempts:

• RSA SecurID

• No 2-factor

• Use of own PKI

SecureAuth Solution (10,000 Users):

• 2-Factor
  • External 2-Factor
  • SecureAuth X.509 on Android platforms and iOS

• IdP
  • SAML -> Juniper

Current Project:

• Testing company portal for Single Sign-on to SaaS applications (Accellion, salesforce, workday) using SecureAuth as the Identity Provider


State of New Hampshire

Challenge:

• Business Portal for State Web Applications (.NET and Lawson)

Past Attempts:

• Home grown attempts

• Directory synching (AD, mySQL (1M users), LDAP (Lawson))

SecureAuth Solution (250,000+ Users):

• 2-Factor:
  • ASA (VPN)

• IdP for Employees and Business portal
  • .NET apps
  • Lawson

• IdM
  • User Self-Management (User On-boarding)

Future:

• More web integrations (.NET and other)


https://sson.nh.gov/

Dish Networks

Challenge:

• 2-Factor Remote Access and Identity/Access Portal

Past Attempts:

• Tokens for remote access

• Looked at Ping and ADFS2

SecureAuth Solution (6.5M Users):

• 2-Factor
  • Cisco ASA

• SecureAuth IdP
  • Business Portal for Drivers, Employees, Suppliers
  • Web Headers -> SAML SP (SecureAuth) [SAML Attributes]

• IdM
  • Password Aging/Reset to Siebel partner portal

Future:

• IdP for Google

• IdP for “Dish” Hopper


Demo

SecureAuth IdP

Blue Cross, Blue Shield - MI

Challenge:

• Deploy Apps securely to contractors overseas

• Remote Access

Past Attempts:

• RSA SecurID (coupled with VPN thick client – Cisco ASA)

SecureAuth Solution (40,000 Users):

• 2-Factor
  • External 2-Factor (SecureAuth X.509 w/ SMS, Telephony registration)
  • International

• IdP
  • SaaS / SAML

• IdM
  • 2-Factor Password Reset
  • 2-Factor User Self Management of IDs
  • Help Desk Management of User IDs (2-Factor Revocation)

Future:

• 100+ apps with 2-Factor SecureAuth through F5 APM


http://www.bcbsm.com


Thank you!

Additional Slides

http://www.GoSecureAuth.com

HOW DOES SECUREAUTH IdP WORK?

1. Consume Identity: from varied resources and devices (Desktop, Mobile, Web SSO, AD SSO)

2. Map Identity: from varied resources, map to the relevant data store

3. Authenticate: 2-Factor Authentication (SMS, Tele, X.509, PIN, Yubikey, KBA, E-mail, Help Desk)

4. Assert Identity: X.509, Web Identity (VPN, Web, SaaS, Mobile)

5. Log the event: Text, Syslog
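The five steps above run as one function, added here as an illustration and not SecureAuth's code: identities arriving from different resources (a Kerberos/AD principal from a desktop, an X.509 certificate subject from a mobile device, a username from a web form) are mapped to one record in a constructed data store, a one-time code stands in for whichever second factor is configured, the attribute assertion is built for the requesting resource, and every outcome is written as a syslog-style text line. `DATA_STORE`, `IDENTITY_MAP`, `OtpStore` and the log format are all assumptions for the example; it goes a little beyond the slide by logging the failure paths too (unmapped identity, wrong, expired or exhausted code), which is what makes the audit trail useful.

```python
"""The five pipeline steps (consume, map, authenticate, assert, log) as one
function.  Added example, not SecureAuth code: the data store, the identity
map, the OTP handling and the log line format are constructed for it."""
import hashlib
import hmac
import secrets
import time

# Constructed identity store: one canonical record per person.
DATA_STORE = {
    "alice": {"email": "alice@example.com", "groups": ["staff", "vpn"]},
}

# Step 2 lookup table: (source, identity as presented) -> canonical username.
IDENTITY_MAP = {
    ("ad_sso", "alice@EXAMPLE.LOCAL"): "alice",        # Kerberos/IWA principal from a desktop
    ("x509", "CN=alice,OU=Staff,O=Example"): "alice",  # certificate subject from a mobile device
    ("web", "alice"): "alice",                         # username typed into a web form
}
KNOWN_SOURCES = {"ad_sso", "x509", "web"}


def consume_identity(source, presented):
    """Step 1: accept the identity in whatever form the resource delivers it."""
    if source not in KNOWN_SOURCES:
        raise ValueError(f"unknown identity source {source!r}")
    return {"source": source, "presented": presented}


def map_identity(claim):
    """Step 2: resolve the presented identity to the canonical data-store record."""
    username = IDENTITY_MAP.get((claim["source"], claim["presented"]))
    if username is None:
        raise LookupError("no mapping for presented identity")
    return username, DATA_STORE[username]


class OtpStore:
    """Step 3: short-lived one-time codes (SMS/e-mail OTP) kept only as hashes."""

    def __init__(self, ttl=120, max_attempts=3, clock=time.time):
        self._pending = {}   # username -> (code hash, expiry, attempts left)
        self.ttl, self.max_attempts, self._clock = ttl, max_attempts, clock

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, username):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = (self._digest(code), self._clock() + self.ttl, self.max_attempts)
        return code   # delivered out of band (SMS, phone call, e-mail) in practice

    def verify(self, username, code):
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]          # expired or exhausted: force a fresh code
            return False
        ok = hmac.compare_digest(digest, self._digest(code))
        if ok:
            del self._pending[username]          # one use only
        else:
            self._pending[username] = (digest, expires_at, attempts_left - 1)
        return ok


def assert_identity(username, record, resource):
    """Step 4: the attribute assertion handed to the resource (VPN, web, SaaS, mobile)."""
    return {"subject": username, "resource": resource,
            "email": record["email"], "groups": list(record["groups"])}


def log_event(identity, resource, outcome, sink):
    """Step 5: one syslog-style text line per attempt, success or not."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    line = f"{stamp} idp authn identity={identity} resource={resource} result={outcome}"
    sink.append(line)
    return line


def run_pipeline(source, presented, otp_code, otp_store, resource, log_sink):
    """Run all five steps; return the assertion, or None with the failure logged."""
    claim = consume_identity(source, presented)
    try:
        username, record = map_identity(claim)
    except LookupError:
        log_event(presented, resource, "unmapped", log_sink)
        return None
    if not otp_store.verify(username, otp_code):
        log_event(username, resource, "2fa_failed", log_sink)
        return None
    log_event(username, resource, "success", log_sink)
    return assert_identity(username, record, resource)
```

The OTP store holds only a hash of the code, expires it after `ttl` seconds, and retires it after `max_attempts` wrong guesses or one correct one, so a leaked or intercepted code has a narrow window and cannot be brute-forced at the verifier.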

SecureAuth IdP – 2-Factor Authentication

SecureAuth Authentication Supports:

• X.509 v3 Certificates

• SMS OTP

• Telephony OTP

• E-mail OTP

• Help Desk

• Yubikey USB Keys

• CAC/PIV Cards

• Kerberos / IWA

• Static PIN

• Custom


1. SecureAuth IdP – SSO (Web)

[Slide diagram: identity asserted via 2F/SSO to Enterprise Web Applications; resources shown: 1. Web, 2. Gateway / VPN, 3. SaaS / Cloud, 4. Mobile Apps; authentication labels: K, P, KBA, 2-Factor]


3. SecureAuth IdP – SSO (Cloud/SaaS)

[Slide diagram: identity asserted via 2F/SSO to SaaS Apps; resources shown: 1. Web, 2. Gateway / VPN, 3. SaaS / Cloud, 4. Mobile Apps; authentication labels: K, P, KBA, 2-Factor]


2. SecureAuth IdP – SSO (VPN/Gateway)

[Slide diagram: identity asserted via 2F/SSO to Gateway / VPNs; resources shown: 1. Web, 2. Gateway / VPN, 3. SaaS / Cloud, 4. Mobile Apps; authentication labels: P, KBA, 2-Factor]


SecureAuth IdP – The (4) Resources

4 Key IdP integrations:

1. Web

2. VPN/Gateways

3. SaaS/Cloud

4. Mobile

[Slide diagram: the four resources numbered (1) to (4)]
