
Federating Identities for a Successful Enterprise IdP Deployment

October 15, 2014 No Comments

Featured Article by Lisa Grady, Senior Solution Architect, Radiant Logic

Don’t stop at federating with SAML or OpenID Connect: that’s only half the battle

When customers, employees, or partners log in from any device, they expect a seamless experience and secure access to your resources. Organizations are trying to meet a number of benchmarks, not just for security but also for user productivity and simplicity. So it is no surprise that delivering single sign-on (SSO) that covers portal, legacy applications, and now cloud/SaaS applications is a top priority. But it is also, very likely, a struggle. And the challenges keep compounding as the world of access keeps expanding.

[Image 1]

The demands for sophisticated authentication and SSO are building, with new cloud applications to enable, new partners to integrate with, and new BYOD policies to support. In today’s infrastructure environment, accessing the cloud and providing SSO to all web applications using federation standards (SAML, OpenID Connect/OAuth 2.0) means that the enterprise identity infrastructure must act as a global Identity Provider (IdP). This is precisely where the deployment challenges begin.

[Image 2]

The hidden IdP hurdle: identity fragmentation inside the enterprise

The dark secret of the industry is that federation standards address only the externally-facing security layer, leaving enterprises with the task of building an IdP (see picture 2). Current identity systems are often the result of years of technological evolution, and feature a conglomeration of disparate silos, instead of a homogenous environment for identity and attributes. Finding, identifying, authenticating users, and gathering their attributes across multiple different repositories (Active Directory, LDAP, SQL to name a few) to enable security policies and smart authorization constitutes a major integration task. What is lacking is a layer that turns your enterprise into a common identity provider—a layer that integrates and funnels identity information across various silos to external applications in the format needed. If the security system isn’t supported by a unified, logically organized identity infrastructure, it lacks the base needed to open the enterprise to multiple web and cloud-based applications.

Without such a service, searching, authenticating, and authorizing users across a wide range of repositories means dealing with different identity representations, authentication methods, protocols and storage systems. In many organizations those constraints are solved in an ad hoc manner, resulting in the multiplication of hard-coded links and script logic between applications, identity sources, and security protocols. The end result is a system that is brittle and expensive and, at the same time, difficult to manage, maintain and evolve. The lack of tools, methods, and processes to develop and manage internal identity as a common service is hampering enterprise SSO and authorization initiatives.

Federating identity to deliver a complete enterprise IdP

A well-established solution to the problem of “link multiplication” is a hub structure. In the same way that SAML federates access by redirecting authentication requests from multiple service providers to a common IdP, an identity hub reduces the complexity and the number of interactions between your applications and identity sources (see picture 3). An identity hub has the ability to extend federation first inward, rationalizing and integrating identity data to support SSO and fine-grained authorization.

[Image 3: federation diagram]

A complete federation solution should be purpose-built to tackle all of the challenges outlined above, and ready to handle more as the organization’s needs grow. To combine the strengths of technologies such as synchronization (“meta-directories”), virtualization, routing, and data modeling, the enterprise needs to adopt a federated identity service that delivers a modern solution that’s fast, flexible, and cloud-friendly.

Such a service acts as a “logically” central identity hub between the applications and the organization’s backend identity stores, hiding the heterogeneity of existing identity sources and exposing a logical, coherent, and secure view of users to both internal and external applications. By shielding applications from the diversity of backend data stores, with their alphabet soup of security means and protocols, enterprises radically streamline the authentication and authorization process, while slashing the number of links to manage and subsequently decreasing IT costs.

An identity hub acts as one central junction, allowing organizations to regroup, reformat, and deploy a number of critical functions to rationalize the identity infrastructure. Ideally, the hub must be able to route and delegate credential checking, automatically synchronize attributes across heterogeneous sources, aggregate and disambiguate identities, and provide advanced caching and storage to boost performance. By virtually creating one logical, central, plug-and-play view of identity as expected by the enterprise applications, an identity hub delivers a solution today and clears a path for all your future initiatives as they come up.
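To make the hub pattern concrete, the following is an added example written for this article; it is not RadiantOne or Radiant Logic code. Three constructed silos stand in for Active Directory, an LDAP directory and a SQL HR table, each with its own attribute names. The hub correlates the same person across them on the e-mail address (the assumed join key), exposes one fixed schema to applications so that no silo-specific field or password hash leaks through, and routes the credential check to the single silo that owns that user's credential. All user names, records, salts and passwords are constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# --- Constructed backend silos (stand-ins for AD, LDAP and a SQL HR table) ---
# Attribute names deliberately differ per silo, as they do in real estates.
AD_USERS: Dict[str, Dict] = {
    "jdoe": {"sAMAccountName": "jdoe", "mail": "jdoe@example.com",
             "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com",
                          "CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
}
LDAP_USERS: Dict[str, Dict] = {
    "jane.doe": {"uid": "jane.doe", "cn": "Jane Doe", "mail": "jdoe@example.com", "ou": "Finance"},
    "pbrown": {"uid": "pbrown", "cn": "Pat Brown", "mail": "pbrown@partner.example", "ou": "External"},
}

def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash for the SQL silo (the only silo storing a credential locally)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"  # constructed; a real table stores a random salt per row
SQL_ROWS: List[Dict] = [
    {"employee_id": 1042, "email": "jdoe@example.com", "dept_code": "FIN"},
    {"employee_id": 7001, "email": "pbrown@partner.example", "dept_code": "EXT",
     "pw_salt": _SALT, "pw_hash": _pbkdf2("partner-pass", _SALT)},
]

# --- One credential checker per silo; the hub delegates to exactly one of them ---
def ad_bind(username: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against AD (constructed fixed secret)."""
    return username in AD_USERS and hmac.compare_digest(password, "ad-pass")

def sql_verify(row: Dict, password: str) -> bool:
    """Verify a password against the salted hash stored in the SQL row, in constant time."""
    if "pw_hash" not in row:
        return False
    return hmac.compare_digest(_pbkdf2(password, row["pw_salt"]), row["pw_hash"])

# --- The hub: one logical view, one place to route authentication ---
class IdentityHub:
    """Correlates silos on the e-mail join key, merges attributes into a single
    schema, and routes credential checking to the silo of authority."""

    def __init__(self, ad: Dict, ldap: Dict, sql: List[Dict]) -> None:
        self.ad, self.ldap, self.sql = ad, ldap, sql

    def _lookup(self, email: str) -> Tuple[Optional[Dict], Optional[Dict], Optional[Dict]]:
        key = email.lower()
        ad = next((u for u in self.ad.values() if u["mail"].lower() == key), None)
        ldap = next((u for u in self.ldap.values() if u["mail"].lower() == key), None)
        sql = next((r for r in self.sql if r["email"].lower() == key), None)
        return ad, ldap, sql

    def correlate(self, email: str) -> Optional[Dict]:
        """Return the unified view applications consume, or None if unknown everywhere.
        Only the fields listed here are exposed; hashes and raw DNs never leave the hub."""
        ad, ldap, sql = self._lookup(email)
        if not any((ad, ldap, sql)):
            return None
        return {
            "id": f"emp:{sql['employee_id']}" if sql else f"ext:{email.lower()}",
            "email": email.lower(),
            "displayName": ldap["cn"] if ldap else (ad["sAMAccountName"] if ad else email),
            "department": ldap["ou"] if ldap else (sql["dept_code"] if sql else None),
            # Reduce AD group DNs to their common names; no groups without an AD record.
            "groups": [dn.split(",")[0][3:] for dn in ad.get("memberOf", [])] if ad else [],
            # AD owns the credential for anyone it knows; otherwise the SQL row does.
            "sourceOfAuthority": "ad" if ad else "sql",
        }

    def authenticate(self, email: str, password: str) -> Optional[Dict]:
        """Route the credential check to the silo of authority; return the view on success."""
        ad, _, sql = self._lookup(email)
        view = self.correlate(email)
        if view is None:
            return None
        if view["sourceOfAuthority"] == "ad":
            ok = ad_bind(ad["sAMAccountName"], password)
        else:
            ok = sql is not None and sql_verify(sql, password)
        return view if ok else None

def demo() -> Dict[str, Optional[Dict]]:
    hub = IdentityHub(AD_USERS, LDAP_USERS, SQL_ROWS)
    return {
        "employee": hub.authenticate("JDoe@example.com", "ad-pass"),
        "employee_bad_pw": hub.authenticate("jdoe@example.com", "wrong"),
        "partner": hub.authenticate("pbrown@partner.example", "partner-pass"),
        "unknown": hub.authenticate("nobody@example.com", "x"),
    }

if __name__ == "__main__":
    for name, view in demo().items():
        print(name, "->", view)
```

Applications talk only to `correlate` and `authenticate`; adding a fourth silo or changing a silo's attribute names touches the hub's `_lookup` and `correlate`, not every application. The join key is the weak point of any correlation: if two different people share an address in different silos, the hub will merge them, which is exactly the disambiguation work the article assigns to the hub.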

Are you using a Complete Federated Identity Service?

When it comes to a federated identity service, RadiantOne covers all your bases. The RadiantOne federated identity service includes an advanced virtual directory, along with a secure cloud connector to build tokens for cloud-based applications—all fine-tuned to give your enterprise both a global and contextual view of all your users. To learn more about Radiant Logic and RadiantOne, please visit www.radiantlogic.com.


About the Author: Lisa Grady has been with Radiant Logic for over 14 years, and has extensive experience with Identity and Access Management for enterprise security. As a Senior Solution Architect, she has been helping Radiant Logic’s customers solve some of their toughest identity and group integration challenges.
