Webinar: Do You Know Who Your Users Are - Radiant Logic


Post on 09-Feb-2022


Page 1: Webinar: Do You Know Who Your Users Are - Radiant Logic

1© Copyright 2012 EMC Corporation. All rights reserved.

Do You Know Who Your Users Are?

Page 2

Agenda

Current challenges with Identity Federation and Web Access Management

Why a federated identity layer is needed

How RSA and Radiant Logic have collaborated to provide a comprehensive solution that simplifies the process of Authentication, Single Sign-On and Authorization in complex environments

Speakers:

– Tim Bedard, RSA Sr. Manager, Product Management IAM

– Dieter Schuller, Radiant Logic VP of Business Development

Page 3

World of Access is Expanding: Identity and Context is the New Perimeter

• Source: March 22, 2012, Forrester report “Navigate The Future Of Identity And Access Management”

[Figure labels]

• App sourcing and hosting: On-premises enterprise apps, Apps in private clouds, Apps in public clouds, SaaS apps, Partner apps

• App access channels: Enterprise computers, Enterprise-issued devices, Personal devices, Public computers

• User populations: Employees, Contractors, Partners, Members, Customers

Page 4

Current State: The User Experience

[Figure: user identifiers [email protected] and tomj; Application 1, Application 2, Application 3]

Page 5

No Single Sign-On

1. Authenticate to App 1 (ID: [email protected] / Pwd: 1234)

2. User granted access

3. User clicks link for App 3 (ID: [email protected]): ?

[Figure: Application 1, Application 2, Application 3]

Page 6

What is Needed? A Single Identity Source

[Figure: one identity (Tom Jones, [email protected], 1470233, tomj) and Application 1, Application 2, Application 3, with the labels Email; Name + Company ID; Email + Company Name]

Page 7

Federation/WAM without Federated Identity

Authentication, web access management, federation and fine-grained entitlements are complex, expensive and less effective

[Figure labels]

• External-based Cloud Apps: Salesforce, Google Apps, WebEx

• Internal-based Enterprise Apps: Sharepoint

• Identity Sources: AD (Forest/Domain A), AD (Forest/Domain B), Databases, Directories

Page 8

Required Capability: Complete List of Users and Unified Profile for Each User

[Figure: data silos: Billing, Product 2 System, Fulfillment, Service Desk, Serviceability DB, Product 1 System, Events, Provisioning, Plant DB]

Page 9

Required Capability: Identity Virtualization

• Abstraction layer between consuming applications and the underlying identity silos

• Virtualization isolates applications from the complexity of back-ends

[Figure labels: Aggregation, Correlation, Integration, Virtualization; Population A, Population B, Population C; Groups, Roles, Contexts, Services; LDAP, SQL, Web Services/SOA; App A, App B, App C, App D, App E, App F]

Page 10

Required Capability: Scaling and Performance

Must scale to millions of users

Must support joining across disparate systems to create a complete profile

Must provide the speed, reliability and functionality of a directory regardless of the limitations of the back-end systems

Requires caching into a materialized view that is updated in near real-time based on changes in the authoritative systems

Page 11

RSA Adaptive Directory Overview

[Figure labels: Applications; RSA Adaptive Directory (Profiles, Context, Identities; Persistent Cache; Memory Cache; Virtualization Layer); Data Sources (Directories, Applications, Databases, Web Services)]

Page 12

RSA Adaptive Directory: Building the Global List

1. Existing local identities (often overlapping): Data Silo A, Data Silo B, Data Silo C

2. Identity Correlation: Second, the intersection must be detected by correlating identities. (Common Identities)

3. Identity Registry: Then a union set can be published, with all users represented once in the set.

Page 13

RSA Adaptive Directory: Building the Unified Profile

LDAP Directory
  userID=jsmith
  cn=john_smith
  givenName=john
  title=manager
  sn=smith

Active Directory
  EmployeeID=12952
  SamAcountName=jsmith
  NTDOMAIN=west
  Email= [email protected]=john smith

Database
  login=jsmith
  LNAME=Smith
  Office=Seattle
  Phone=555-1354

Adaptive Directory, Virtual Identity: Local Identifier → Correlation Key (Global Identifier)
  cn=john_smith,dv=ldap,o=vds → jsmith
  cn=john smith,dv=activedirectory,o=vds → jsmith
  login=jsmith,dv=database,o=vds → jsmith

Virtual Identity (Unified Profile)
  UID=jsmith
  LocalIdentifier=cn=john_smith,dv=ldap,o=vds
  LocalIdentifier=cn=john smith,dv=activedirectory,o=vds
  LocalIdentifier=login=jsmith,dv=database,[email protected]=Seattle
  Objectclass=inetOrgPerson

Page 14

Virtualizing the Data

Schema Translation Example

• Translate Protocol

• Transform Schema

• Restructure DIT

• Normalize data

• Create Dynamic Groups

• Etc.

Page 15

Example 1 Before: Authentication w/o RSA Adaptive Directory

[Figure: WAM/Federation Layer, AD and LDAP; Internal Directory: 10,000 Users; External Directory: 1 Million Users]

• AD: JSmith, BJones, SBrady

• LDAP: RThomas, EParker, JSmith, TEdwards, GThames

Page 16

Example 1 After: Authentication with RSA Adaptive Directory

[Figure: WAM/Federation Layer, Adaptive Directory, AD and LDAP; Internal Directory: 10,000 Users; External Directory: 1 Million Users]

• AD: JSmith, BJones, SBrady

• LDAP: RThomas, EParker, JSmith, TEdwards, GThames

• Adaptive Directory (user and source):
  – JSmith: AD, LDAP
  – BJones: AD
  – SBrady: AD
  – Rthomas: LDAP
  – Eparker: LDAP
  – Jsmith: LDAP
  – Tedwards: LDAP
  – Gthames: LDAP

Page 17

Example 2 Before: SSO without RSA Adaptive Directory

[Figure: WAM/Federation Layer, AD and LDAP]

• AD: TJones 12345

• LDAP: TomJ 12345

Page 18

Example 2 After: SSO with RSA Adaptive Directory

[Figure: WAM/Federation Layer, Adaptive Directory, AD and LDAP]

• AD: TJones 12345

• LDAP: TomJ 12345

• Adaptive Directory: 12345 TJones, TomJ

Page 19

Example 3 Before: Authorization without RSA Adaptive Directory

[Figure: WAM/Federation Layer, AD and LDAP]

• AD: JSmith 12345 CEO

• LDAP: JSmith 99999 Contractor

Page 20

Example 3 After: Authorization with RSA Adaptive Directory

[Figure: WAM/Federation Layer, Adaptive Directory, AD and LDAP]

• AD: JSmith 12345 CEO

• LDAP: JSmith 99999 Contractor

• Adaptive Directory:
  – JSmith 12345 CEO AD
  – JSmith 99999 Contractor LDAP
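The correlation step from "Building the Global List", applied to the rows of Examples 2 and 3, as an added Python example that is not part of the webinar or of RSA Adaptive Directory. It assumes the five-digit number on those slides is a unique person identifier; the field names, function names and constructed records are assumptions, and the local-identifier strings only imitate the dv=...,o=vds pattern shown on page 13.

```python
from collections import defaultdict

# Constructed rows modelled on the slides' Example 2 and Example 3.
# Field names are assumptions; the slides show only the values.
EXAMPLE_2 = [
    {"source": "activedirectory", "login": "TJones", "employee_id": "12345"},
    {"source": "ldap", "login": "TomJ", "employee_id": "12345"},
]
EXAMPLE_3 = [
    {"source": "activedirectory", "login": "JSmith", "employee_id": "12345", "title": "CEO"},
    {"source": "ldap", "login": "JSmith", "employee_id": "99999", "title": "Contractor"},
]


def build_global_list(records, key="employee_id"):
    """Correlate per-silo records on `key` so each person appears once."""
    profiles = {}
    for rec in records:
        if not rec.get(key):
            raise ValueError(f"{rec['source']} record lacks correlation key {key!r}")
        profile = profiles.setdefault(
            rec[key], {"local_identifiers": [], "attributes": defaultdict(set)}
        )
        # Imitates the dv=<silo>,o=vds local identifiers shown on page 13.
        profile["local_identifiers"].append(f"login={rec['login']},dv={rec['source']},o=vds")
        for name, value in rec.items():
            if name not in ("source", key):
                profile["attributes"][name].add(value)
    return profiles


def ambiguous_logins(profiles):
    """Logins claimed by more than one correlated identity (Example 3)."""
    owners = defaultdict(set)
    for global_id, profile in profiles.items():
        for login in profile["attributes"]["login"]:
            owners[login.lower()].add(global_id)
    return {login: sorted(ids) for login, ids in owners.items() if len(ids) > 1}


def titles_for(profiles, global_id):
    """Titles an authorization decision would see for one identity."""
    return sorted(profiles[global_id]["attributes"]["title"])


if __name__ == "__main__":
    print(build_global_list(EXAMPLE_2)["12345"]["local_identifiers"])
    print(ambiguous_logins(build_global_list(EXAMPLE_3)))
    # Correlating on the login name instead merges the CEO and the contractor.
    print(titles_for(build_global_list(EXAMPLE_3, key="login"), "JSmith"))
```

Correlating Example 3 on the login name yields one profile carrying both CEO and Contractor, which is the authorization confusion the slide pair illustrates; correlating on the unique identifier keeps them apart and flags the shared login.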

Page 21

RSA Access Manager + RSA Adaptive Directory Interoperability

[Figure labels: User with authentication; Website with Access Manager Agent; Resources with Access Manager Agent; Access Manager Server; Access Manager Admin Console; Adaptive Directory; LDAP Directory, Active Directory, Database]

Page 22

Positive Business Outcomes

• Access to applications is more secure, reducing risk and cost of potential breach
  – With more information about each user, you are better able to secure your resources and offer better service to your constituents

• Authentication and authorization are easier and cheaper to manage
  – Single source of truth for integrating & managing disparate populations and their entitlements across data silos

• Business cases not previously possible are enabled
  – With a complete list of users and a complete profile for each user you can better serve your constituents and enable cross-sell, up-sell, and improve services.

• Business solutions are delivered faster with less custom hard-coding of applications to identity data stores

• The capacity of the identity management IT team increases

Page 23

Questions?

More info: http://www.emc.com/IAM