Beyond SPML: Access Provisioning in a Services World
Nishant Kaushik
Lead Strategist, Identity & Access Management, Oracle
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
The Evolution of Provisioning
[Diagram: Native Administration Tools → Automated Account Management → Governance Controls, driven first by IT Optimization & ROI and then by Regulatory Compliance]
Provisioning at Center of Enterprise IdM
[Diagram: the Provisioning System sits between the people who drive it (Users, Managers, Administrators, Auditors) and the targets it reaches through a Connector each: a Partner Application over SPML, Major Cloud-based Apps over proprietary APIs, Cloud-based Services with no agreed interface ("?"), Internal Applications, and User Stores (SSO, IdP, Fed)]
Provisioning Got Complicated
[Diagram: the same picture, but the Provisioning System has grown internal components of its own (a Request Portal, a Provisioning Engine, a Policy Engine and an Audit Module) while still feeding the same connectors to the Partner Application (SPML), Major Cloud-based Apps (proprietary APIs), Cloud-based Services ("?"), Internal Applications and User Stores (SSO, IdP, Fed)]
Provisioning.Current
Effective, but Overburdened & Brittle
• Does what it needs to do, but implementation is too difficult
• Scope of identity data has grown
• Connectors are a constant battle
   • SPML hasn’t delivered
• Consolidating access requests into a single portal increases deployment complexity and decreases usability
• Compliance has already been extracted into focused GRC tools
Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel
So What is Provisioning.Next?
[Diagram: the evolution chart again (Native Administration Tools → Automated Account Management → Governance Controls, driven by IT Optimization & ROI and Regulatory Compliance) with a fourth stage, Provisioning.Next, whose driver is still marked "?"]
Identity Externalization
Evolution of Application Architecture
• User Tables externalized to an Identity Store
• Native username/password authentication externalized to SSO
• Native authorization engine externalized to an Entitlements Server
“The Future of Identity is Pull” - Bob Blakley, Burton Group
Service-Oriented Security
• Applications pull identity data from a centralized (if necessary virtualized) identity store
• Authorization is based on attributes and roles
• The ISP (Identity Services Platform) provides a developer-friendly API layer that plugs into Service Providers based on standards
[Diagram: the Identity Services Platform exposes IGF (ArisID) and OpenAZ to applications, and talks SAML to an SSO Server, LDAP to an Identity Store and XACML to an Entitlement Server]
Is Provisioning Out On The Street Now?
[Diagram: the same Identity Services Platform stack (IGF (ArisID) and OpenAZ above; SAML, LDAP and XACML to the SSO Server, Identity Store and Entitlement Server below), with the Provisioning Engine drawn off to the side, connected to nothing]
Or Just Getting More Specialized?
• Provisioning still holds the policy keys for “who should have access to what”
• Responds to identity events and keeps the identity store consistent
• More importantly, ensures that identities have the necessary attributes/roles to satisfy authorization checks
[Diagram: the Provisioning Engine now sits alongside the SSO Server, Identity Store and Entitlement Server beneath the Identity Services Platform, fed by Identity Events and Ad-Hoc Requests]
Provisioning-as-a-Service
• Any application can be an “identity source” also
• Applications now own their contextual access requests
• Handles both enterprise and application roles
• Collaborative identity management (by apps)
[Diagram: HR activities, user registration, access requests and profile updates flow from Users and Managers into a Provisioning Service (reached over SPML, or over an interface still marked "?") that sits with the SSO Server, Identity Store and Entitlement Server beneath the Identity Services Platform; Administrators and Approvers act on it from below]
New Challenges for Applications

Request Handling
• Partial Registration
• Gap Handling, User Notification, Feedback Loops

Identity-Based Access Control
• Support a mix of RBAC and ABAC for Provisioning
• Greater degree of automation: Policy-based Auto-Provisioning and Auto-Approval of Requests

Holistic Role Management
• Centralized Management of Enterprise Roles and Application Roles
• Enterprise to Application Role Mappings
Provisioning.Evolved
Delivering Provisioning-as-a-Service
• Provisioning becoming more about policy, less about data
   • Managing the identity store
• Supports automated and ad-hoc (manual) decision-making that is compliant and informed
• Returning control over usability back to the application
   • Support intelligent UI
   • Implement feedback loop
Identity Federations & the Cloud
It’s All About The Cloud Now
Some Legends Are Meant To Be Retold
Ian Glazer proclaimed…




Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first
I Couldn’t Not Respond…
A lively battle ensued…




And at the end…




My Secret Weapon: JIT Provisioning

Just-In-Time Provisioning
• Not new, but never mainstream
• Real-time provisioning triggered by the user arriving at the RP needing access
• Light-touch provisioning based on standards, not integrations
• The challenge has always been the trust and policy model
JIT Provisioning and the Cloud
• On-the-fly federations enable and secure short-lived and limited-use cloud services for the enterprise
External User Coming In
Federation or Cloud Scenario
[Diagram: Users at the IDENTITY PROVIDER present an AuthN token with Claims to the SSO / Fed Server at the RELYING PARTY/SERVICE PROVIDER, which sits with the Identity Store and Entitlement Server beneath the Identity Services Platform (IGF (ArisID), OpenAZ; SAML, LDAP, XACML); the Provisioning Server is reachable over SPML, but its place in this flow is still marked "?"]
External User Coming In
Federation or Cloud Scenario (next build)
[Diagram: the same picture, with the SSO / Fed Server now also handing a Request with Claims to the Provisioning Server]
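What the Provisioning Server can do with that “Request w/ Claims”, with the trust and policy model the JIT slides call out and the items from “New Challenges for Applications” (a mix of RBAC and ABAC, enterprise-to-application role mapping, policy-based auto-approval versus pending ad-hoc requests, partial registration with a gap list): an added example in Python, not code from the slides or from any Oracle product. The issuer names, claim names, role names and policy values are assumptions chosen for illustration.

```python
"""Just-in-time provisioning at a relying party from the claims in an
authentication token.  Added example, not code from the slides: issuer
names, claim names, role names and policy values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Trust model: issuers we federate with and the enterprise roles each may
# assert.  A role asserted outside this set is dropped, not trusted.
TRUSTED_ISSUERS: Dict[str, Set[str]] = {
    "https://idp.corp.example": {"employee", "manager"},
    "https://idp.partner.example": {"employee", "contractor"},
}
# Policy model: enterprise role -> application roles (role mapping) ...
ROLE_MAP: Dict[str, Set[str]] = {
    "employee": {"viewer"},
    "manager": {"viewer", "approver"},
    "contractor": {"viewer"},
}
# ... roles policy may grant with no human; anything else stays pending ...
AUTO_GRANT: Set[str] = {"viewer", "approver"}
# ... and claims needed for a complete registration (else: partial + gaps).
REQUIRED_ATTRS = ("email", "display_name")


def abac_allows(app_role: str, claims: Dict) -> bool:
    """Attribute rule on top of RBAC: approvers need a cost_center claim so
    their approvals can be scoped to it."""
    return bool(claims.get("cost_center")) if app_role == "approver" else True


@dataclass
class Account:
    issuer: str
    subject: str                     # only meaningful together with issuer
    attributes: Dict[str, str] = field(default_factory=dict)
    app_roles: Set[str] = field(default_factory=set)


@dataclass
class Result:
    status: str                      # rejected | provisioned | partial
    account: Optional[Account] = None
    gaps: List[str] = field(default_factory=list)   # attributes user must supply
    pending: Set[str] = field(default_factory=set)  # roles awaiting approval
    reason: str = ""


def validate_token(token: Dict, now: int, audience: str) -> Optional[str]:
    """None if the claims may be acted on, else the rejection reason.  The
    signature is assumed verified by the SSO/Fed server that passed them on."""
    checks = [(token.get("iss") not in TRUSTED_ISSUERS, "untrusted issuer"),
              (token.get("aud") != audience, "wrong audience"),
              (int(token.get("exp", 0)) <= now, "expired"),
              (not token.get("sub"), "no subject")]
    return next((why for bad, why in checks if bad), None)


def derive_app_roles(token: Dict) -> Set[str]:
    """Asserted enterprise roles -> application roles, limited to what this
    issuer may assert and filtered through the ABAC rule."""
    permitted = set(token.get("roles", [])) & TRUSTED_ISSUERS[token["iss"]]
    app_roles: Set[str] = set()
    for enterprise_role in permitted:
        app_roles |= ROLE_MAP.get(enterprise_role, set())
    return {r for r in app_roles if abac_allows(r, token)}


def jit_provision(store: Dict[str, Account], token: Dict, now: int,
                  audience: str = "https://rp.example",
                  requested_roles: Set[str] = frozenset()) -> Result:
    """Create or refresh the local account for the user the token describes."""
    err = validate_token(token, now, audience)
    if err:
        return Result("rejected", reason=err)
    key = f"{token['iss']}|{token['sub']}"          # never key on bare 'sub'
    acct = store.get(key) or Account(token["iss"], token["sub"])
    for attr in REQUIRED_ATTRS + ("cost_center",):
        if token.get(attr):                          # IdP is authoritative
            acct.attributes[attr] = str(token[attr])
    # Recomputed on every visit, so a user whose IdP stops asserting
    # "manager" also loses "approver" here.
    acct.app_roles = derive_app_roles(token) & AUTO_GRANT
    store[key] = acct
    gaps = [a for a in REQUIRED_ATTRS if a not in acct.attributes]
    return Result("partial" if gaps else "provisioned", acct, gaps,
                  set(requested_roles) - acct.app_roles)


def demo() -> Dict[str, Result]:
    """Four constructed tokens exercising the trust and policy model."""
    store, now = {}, 1_700_000_000
    def tok(iss, sub, **claims):
        return {"iss": iss, "sub": sub, "aud": "https://rp.example", "exp": now + 300, **claims}
    corp, partner = "https://idp.corp.example", "https://idp.partner.example"
    return {
        "manager": jit_provision(store, tok(corp, "u1", email="a@corp.example", display_name="A",
                                            roles=["manager"], cost_center="CC42"), now),
        "contractor": jit_provision(store, tok(partner, "u2", email="b@partner.example", display_name="B",
                                               roles=["contractor", "manager"]), now, requested_roles={"admin"}),
        "no_email": jit_provision(store, tok(corp, "u3", display_name="C", roles=["employee"]), now),
        "stranger": jit_provision(store, tok("https://idp.evil.example", "u4", roles=["manager"]), now),
    }
```

Two choices carry the security weight: the account is keyed on issuer plus subject, so two IdPs asserting the same `sub` can never collide into one local account, and roles are recomputed from the current assertion on every arrival rather than accumulated, so JIT provisioning also de-provisions. The partner IdP in `demo()` asserts “manager” for its contractor and is simply ignored for that role; the token is still accepted, because the user is legitimate even though one claim is not.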
Provisioning needs more Identity Data
[Diagram: the same IDENTITY PROVIDER / RELYING PARTY picture, with the AuthN token with Claims and the Request with Claims as before, plus a Provisioning-based IdP on the identity provider side; the RP's Provisioning Server obtains OAuth-based authorization to access IdP data and then performs IGF-based data retrieval, with CARML describing the RP side and AAPML constraints on the IdP side]
OAuth as Trust Framework
[Diagram: the Provisioning Server at the RELYING PARTY/SERVICE PROVIDER requests a token from the Provisioning Server at the IDENTITY PROVIDER, which issues a Request Token that the User then approves]
User “approves” introduction of Provisioning Engines
• User must be on the list of users authorized to do this
• Acts as the basis of (limited) trust
• Initiates a review on the IdP side
• IdP Provisioning Engine can validate the RP against a black list/white list
IGF (ArisID) as Data Retrieval API
[Diagram: between the Provisioning Servers at the IDENTITY PROVIDER and the RELYING PARTY/SERVICE PROVIDER, IGF-based data retrieval carries the RP's CARML declaration one way and the IdP's AAPML constraints the other]
RP policy disclosures include
• How and why it intends to use the data
• Certifications (e.g. SAS 70)
• Change notification requirements
IdP policy constraints include
• Expectations around data management
• Change notification details
Provisioning Engine makes the decision
• Based on configured policies
• Based on RP policy disclosures
• Based on approvals
Change Notification
[Diagram: the IDENTITY PROVIDER's Provisioning Server notifies the RELYING PARTY/SERVICE PROVIDER's Provisioning Server about a change, over the IGF-based data retrieval relationship (CARML declaration, AAPML constraints) set up earlier]
Doesn’t send changes (data), just notifies
• Per the IGF agreement made when data access was granted (previous steps)
• Only for changes the RP is interested in
• No standard exists for this, though there is discussion in the SSTC (SAML)
RP pulls data if needed
• Doesn’t have to be immediate
• Can be ignored in favor of a JIT pull when the user comes back
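The three slides above (OAuth as the trust framework, IGF-style data retrieval under declared policy, and notify-only change propagation) describe one exchange between two provisioning engines. The following is an added example of that exchange with both sides modelled in Python; it is not code from the slides, from Oracle, or from the IGF/ArisID project. The token flow is a simplified OAuth 1.0-style request-token/approval/access-token sequence, and the `Disclosure` and `Constraints` records are assumed stand-ins for what a CARML declaration and AAPML constraints would carry, not their real syntax. All names, users and directory data are constructed.

```python
"""OAuth-style introduction of two provisioning engines, a policy-constrained
data pull and notify-only change propagation.  Added example, not the slides'
code; names, message shapes and policy fields are assumptions (not CARML/AAPML)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Disclosure:              # RP's declaration (CARML-like; assumed fields)
    attributes: Set[str]       # data it wants
    purpose: str               # how and why it will use the data
    certifications: Set[str]   # e.g. "SAS70"
    notify_on: Set[str]        # changes it wants to hear about


@dataclass
class Constraints:             # IdP's policy (AAPML-like; assumed fields)
    releasable: Set[str]
    allowed_purposes: Set[str]
    required_certs: Set[str]


class IdPProvisioningServer:
    def __init__(self, c: Constraints, introducers: Set[str], allow: Set[str], deny: Set[str]):
        self.c, self.introducers, self.allow, self.deny = c, introducers, allow, deny
        self.directory: Dict[str, Dict[str, str]] = {}
        self.request_tokens: Dict[str, dict] = {}
        self.grants: Dict[str, dict] = {}        # access token -> what was released

    def issue_request_token(self, rp: str) -> str:
        """Step 1: RP asks to be introduced; black/white list checked first."""
        if rp in self.deny or (self.allow and rp not in self.allow):
            raise PermissionError(f"{rp} not acceptable")
        tok = secrets.token_urlsafe(16)
        self.request_tokens[tok] = {"rp": rp, "approved_by": None}
        return tok

    def approve(self, tok: str, user: str) -> None:
        """Step 2: a user on the authorised list vouches for the RP."""
        if user not in self.introducers:
            raise PermissionError(f"{user} may not introduce engines")
        self.request_tokens[tok]["approved_by"] = user   # also what the IdP-side review looks at

    def grant_access(self, tok: str, d: Disclosure) -> str:
        """Step 3: RP's disclosure is checked against the IdP's constraints."""
        rec = self.request_tokens.pop(tok)       # request token is one-shot
        if rec["approved_by"] is None:
            raise PermissionError("introduction not approved")
        if d.purpose not in self.c.allowed_purposes or not self.c.required_certs <= d.certifications:
            raise PermissionError("disclosure does not satisfy IdP constraints")
        released = d.attributes & self.c.releasable   # never more than asked for or allowed
        access = secrets.token_urlsafe(16)
        self.grants[access] = {"rp": rec["rp"], "attrs": released, "notify": d.notify_on & released}
        return access

    def retrieve(self, access: str, user: str) -> Dict[str, str]:
        attrs = self.grants[access]["attrs"]     # step 4: pull, filtered to the grant
        return {k: v for k, v in self.directory[user].items() if k in attrs}

    def update(self, user: str, attr: str, value: str) -> List[dict]:
        """Step 5: a change yields notifications naming the attribute but not
        its value, and only for RPs that asked to hear about that attribute."""
        self.directory.setdefault(user, {})[attr] = value
        return [{"rp": g["rp"], "user": user, "changed": attr}
                for g in self.grants.values() if attr in g["notify"]]


class RPProvisioningServer:
    def __init__(self, rp_id: str, disclosure: Disclosure):
        self.rp_id, self.disclosure, self.access = rp_id, disclosure, None
        self.stale: Set[str] = set()             # users whose IdP data changed

    def introduce(self, idp: IdPProvisioningServer, approver: str) -> None:
        tok = idp.issue_request_token(self.rp_id)
        idp.approve(tok, approver)               # consent is given on the IdP side
        self.access = idp.grant_access(tok, self.disclosure)

    def pull(self, idp: IdPProvisioningServer, user: str) -> Dict[str, str]:
        self.stale.discard(user)
        return idp.retrieve(self.access, user)

    def on_change(self, note: dict) -> None:
        """Only mark stale; re-pull later, or JIT when the user next arrives."""
        if note["rp"] == self.rp_id:
            self.stale.add(note["user"])


def demo():
    idp = IdPProvisioningServer(Constraints({"email", "department"}, {"account-provisioning"},
                                            {"SAS70"}), {"alice"}, {"rp.example"}, {"evil.example"})
    idp.directory["u1"] = {"email": "u1@idp.example", "department": "sales", "ssn": "000-00-0000"}
    rp = RPProvisioningServer("rp.example", Disclosure({"email", "department", "ssn"},
                              "account-provisioning", {"SAS70"}, {"department"}))
    rp.introduce(idp, "alice")
    first = rp.pull(idp, "u1")                   # ssn was asked for but is never released
    notes = idp.update("u1", "department", "marketing")
    for n in notes:
        rp.on_change(n)
    return idp, rp, first, notes
```

The points a practitioner should take from the flow: the request token is consumed on exchange so an approval cannot be replayed; the attribute set actually released is the intersection of what the RP declared it needs and what the IdP policy allows, so the RP's over-broad request for `ssn` silently yields nothing; and a change notification carries only the name of the changed attribute, never its value, so the RP must come back through the same filtered pull (or wait for the user's next JIT arrival) to learn what changed.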
Provisioning.Next
• Engine for delivering Provisioning-as-a-Service
   • Management & Policy Enforcement of the Identity Store
   • Request Engine for Approval-based Provisioning
   • Automation Engine for Role- and Attribute-based Provisioning
• Policy-compliant Identity Data Exchange with IdPs
   • For federated & cloud contexts
• SPML-based Batch Provisioning
Learn More
    oracle.com/identity
Connect, Discuss
    @nishantk

    blog.talkingidentity.com

Compliance and Governance Through Complex Entitlement ManagementCompliance and Governance Through Complex Entitlement Management
Compliance and Governance Through Complex Entitlement Management
 
API Management for Enterprise Mobile Access a How-to Guide
API Management for Enterprise Mobile Access  a How-to GuideAPI Management for Enterprise Mobile Access  a How-to Guide
API Management for Enterprise Mobile Access a How-to Guide
 
Implementing Applications with SOA and Application Integration Architecture
Implementing Applications with SOA and Application Integration ArchitectureImplementing Applications with SOA and Application Integration Architecture
Implementing Applications with SOA and Application Integration Architecture
 
IBM Pulse 2013 session - DevOps for Mobile Apps
IBM Pulse 2013 session - DevOps for Mobile AppsIBM Pulse 2013 session - DevOps for Mobile Apps
IBM Pulse 2013 session - DevOps for Mobile Apps
 
2010 Software Licensing and Pricing Survey Results and 2011 Predictions
2010 Software Licensing and Pricing Survey Results and 2011 Predictions2010 Software Licensing and Pricing Survey Results and 2011 Predictions
2010 Software Licensing and Pricing Survey Results and 2011 Predictions
 
Tracking SLAs In Cloud
Tracking SLAs In CloudTracking SLAs In Cloud
Tracking SLAs In Cloud
 
Mobile Performance Testing - Best Practices
Mobile Performance Testing - Best PracticesMobile Performance Testing - Best Practices
Mobile Performance Testing - Best Practices
 
The Cloud Concierge
The Cloud ConciergeThe Cloud Concierge
The Cloud Concierge
 
Viestinnän seminaari 8.11.2012 / Exchange
Viestinnän seminaari 8.11.2012 / ExchangeViestinnän seminaari 8.11.2012 / Exchange
Viestinnän seminaari 8.11.2012 / Exchange
 
Datacenter
DatacenterDatacenter
Datacenter
 
Building and Managing Cloud Applications and Infrastructure
Building and Managing Cloud Applications and InfrastructureBuilding and Managing Cloud Applications and Infrastructure
Building and Managing Cloud Applications and Infrastructure
 
Vincent Desveronnieres, Oracle
Vincent Desveronnieres,  OracleVincent Desveronnieres,  Oracle
Vincent Desveronnieres, Oracle
 
F5 Application Delivery Optimization
F5 Application Delivery OptimizationF5 Application Delivery Optimization
F5 Application Delivery Optimization
 
Jazz for Service Management - OMNIbus
Jazz for Service Management - OMNIbusJazz for Service Management - OMNIbus
Jazz for Service Management - OMNIbus
 
21st Century Service Oriented Architecture
21st Century Service Oriented Architecture21st Century Service Oriented Architecture
21st Century Service Oriented Architecture
 
EclipseCon 2013 Learn and share about integrations using Eclipse Lyo, OSLC an...
EclipseCon 2013 Learn and share about integrations using Eclipse Lyo, OSLC an...EclipseCon 2013 Learn and share about integrations using Eclipse Lyo, OSLC an...
EclipseCon 2013 Learn and share about integrations using Eclipse Lyo, OSLC an...
 
Test Centre case studies - Brendan Kearns (Eircom)
Test Centre case studies - Brendan Kearns (Eircom)Test Centre case studies - Brendan Kearns (Eircom)
Test Centre case studies - Brendan Kearns (Eircom)
 
Oracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureOracle Cloud Reference Architecture
Oracle Cloud Reference Architecture
 
Cloudcamp Barcelona 2009 Lightning Talk - 3scale
Cloudcamp Barcelona 2009 Lightning Talk - 3scaleCloudcamp Barcelona 2009 Lightning Talk - 3scale
Cloudcamp Barcelona 2009 Lightning Talk - 3scale
 
OpenStack Quantum Network Service
OpenStack Quantum Network ServiceOpenStack Quantum Network Service
OpenStack Quantum Network Service
 

Beyond SPML: Access Provisioning in a Services World

  • 1. Beyond SPML: Access Provisioning in a Services World
      Nishant Kaushik, Lead Strategist, Identity & Access Management, Oracle
  • 2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 3. The Evolution of Provisioning
      Diagram labels: Native Administration Tools, Automated Account Management, Governance Controls; drivers: IT Optimization & ROI, Regulatory Compliance
  • 4. Provisioning at Center of Enterprise IdM
      Diagram: Users, Managers, Administrators and Auditors interact with the Provisioning System; Connectors reach a Partner Application (SPML), Major Cloud-based Apps (Proprietary APIs), Cloud-based Services (?), Internal Applications, and User Stores (SSO, IdP, Fed)
  • 5. Provisioning Got Complicated
      Diagram: as on slide 4, with the Provisioning System now made up of a Request Portal, Provisioning Engine, Policy Engine and Audit Module
  • 6. Provisioning.Current: Effective, but Overburdened & Brittle
      • Does what it needs to do, but implementation too difficult
      • Scope of Identity Data has grown
      • Connectors are a constant battle
      • SPML hasn’t delivered
      • Consolidating access requests into single portal increases deployment complexity, decreases usability
      • Compliance already extracted into focused GRC tools
      Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel
  • 7. So What is Provisioning.Next?
      Diagram labels: Native Administration Tools, Automated Account Management, Governance Controls, Provisioning.Next (?); drivers: IT Optimization & ROI, Regulatory Compliance
  • 9. Evolution of Application Architecture
      • User Tables externalized to Identity Store
      • Native U/P Authentication externalized to SSO
      • Native Authorization Engine externalized to Entitlements Server
  • 10. Evolution of Application Architecture
      • User Tables externalized to Identity Store
      • Native U/P Authentication externalized to SSO
      • Native Authorization Engine externalized to Entitlements Server
      “The Future of Identity is Pull” - Bob Blakley, Burton Group
  • 11. Service-Oriented Security
      • Applications pull identity data from a centralized (if necessary virtualized) identity store
      • Authorization based on attributes and roles
      • ISP provides developer friendly API layer that plugs into Service Providers based on standards
      Diagram: Identity Services Platform (IGF (ArisID), OpenAZ) connecting via SAML, LDAP and XACML to SSO Server, Identity Store and Entitlement Server
  • 12. Is Provisioning Out On The Street Now?
      Diagram: Identity Services Platform (IGF (ArisID), OpenAZ) connecting via SAML, LDAP and XACML to SSO Server, Identity Store and Entitlement Server; Provisioning Engine shown alongside
  • 13. Or Just Getting More Specialized?
      • Provisioning still holds the policy keys for “who should have access to what”
      • Responds to identity events and keeps identity store consistent
      • More importantly, ensures that identities have necessary attributes/roles to satisfy authorization checks
      Diagram: Identity Events and Ad-Hoc Requests feed the Provisioning Engine; Identity Services Platform (IGF (ArisID), OpenAZ) connecting via SAML, LDAP and XACML to SSO Server, Identity Store and Entitlement Server
  • 14. Provisioning-as-a-Service
      • Any application can be an “identity source” also
      • Applications now own their contextual access requests
      • Handles both enterprise and application roles
      • Collaborative identity management (by apps)
      Diagram: HR Activities, User Registration, Access Requests and Profile Updates from Users, Managers, Administrators and Approvers reach the Provisioning Service (SPML, ?); Identity Services Platform (IGF (ArisID), OpenAZ) connecting via SAML, LDAP and XACML to SSO Server, Identity Store and Entitlement Server
  • 15. New Challenges for Applications
      Request Handling
      • Partial Registration
      • Gap Handling, User Notification, Feedback Loops
      Identity-Based Access Control
      • Support mix of RBAC and ABAC for Provisioning
      • Greater degree of automation: Policy-based Auto-Provisioning and Auto-Approval of Requests
      Holistic Role Management
      • Centralized Management of Enterprise Roles and Application Roles
      • Enterprise to Application Role Mappings
  • 16. Provisioning.Evolved: Delivering Provisioning-as-a-Service
      • Provisioning becoming more about policy, less about data
      • Managing identity store
      • Supports automated and ad-hoc (manual) decision-making that is compliant, informed
      • Returning control over usability back to application
      • Support intelligent UI
      • Implement feedback loop
      Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel
  • 18. It’s All About The Cloud Now
  • 19. Some Legends Are Meant To Be Retold
  • 20. Ian Glazer proclaimed…
      Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first
  • 21. I Couldn’t Not Respond…
  • 22. A lively battle ensued…
      Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first
  • 23. And at the end…
      Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first
  • 24. My Secret Weapon: JIT Provisioning
      Just-In-Time Provisioning
      • Not new, but never mainstream
      • Real-time provisioning triggered by User arriving at RP needing access
      • Light-touch provisioning based on standards, not integrations
      • Challenge has always been trust and policy model
  • 25. JIT Provisioning and the Cloud
      Just-In-Time Provisioning
      • Not new, but never mainstream
      • Real-time provisioning triggered by User arriving at RP needing access
      • Light-touch provisioning based on standards, not integrations
      On-the-fly federations enable and secure short-lived and limited-use cloud services for the enterprise
  • 26. External User Coming In: Federation or Cloud Scenario
      Diagram: Users at the IDENTITY PROVIDER present an AuthN token w/ Claims to the RELYING PARTY/SERVICE PROVIDER (?); RP side shows Identity Services Platform (IGF (ArisID), OpenAZ), SPML, SAML, LDAP, XACML, Provisioning Server, SSO / Fed Server, Identity Store, Entitlement Server
  • 27. External User Coming In: Federation or Cloud Scenario
      Diagram: as on slide 26, with a Request w/ Claims passed to the Provisioning Server
  • 28. Provisioning needs more Identity Data
      Diagram: as on slide 27, adding OAuth based authorization to access IdP data, IGF based Data Retrieval (CARML, AAPML), Provisioning Server on the IDENTITY PROVIDER side, and constraints-based Provisioning
  • 29. OAuth as Trust Framework
      Diagram: IDENTITY PROVIDER Provisioning Server and RELYING PARTY/SERVICE PROVIDER Provisioning Server; RP Requests Token, IdP Issues Request Token, User in between
      User “approves” introduction of Provisioning Engines
      • User must be on list of users authorized to do this
      • Acts as basis of (limited) trust
      • Initiates a review on IdP side
      • IdP Provisioning Engine can validate RP against black list/white list
  • 30. IGF (ArisID) as Data Retrieval API
      Diagram: IDENTITY PROVIDER Provisioning Server and RELYING PARTY/SERVICE PROVIDER Provisioning Server exchange CARML and AAPML Constraints; IGF based Data Retrieval
      RP policy disclosures include
      • How, why it intends to use data
      • Certifications (e.g. SAS 70)
      • Change notification requirements
      IdP policy constraints include
      • Expectations around data management
      • Change notification details
      Provisioning Engine makes decision
      • Based on configured policies
      • Based on RP policy disclosures
      • Based on approvals
  • 31. Change Notification
      Diagram: IDENTITY PROVIDER Provisioning Server Notifies About Change to the RELYING PARTY/SERVICE PROVIDER Provisioning Server; CARML, AAPML Constraints, IGF based Data Retrieval
      Doesn’t send changes (data), just notifies
      RP pulls data if needed
      • Per IGF agreement when data access was granted (previous steps)
      • Doesn’t have to be immediate
      • Only for changes RP is interested in
      • Can be ignored in favor of JIT pull when user comes back
      • No standard exists for this, though there is discussion in SSTC (SAML)
  • 32. Provisioning.Next
      • Engine for delivering Provisioning-as-a-Service
      • Management & Policy Enforcement of Identity Store
      • Request Engine for Approval-based Provisioning
      • Automation Engine for Role- and Attribute-based Provisioning
      • Policy-compliant Identity Data Exchange with IdPs
      • For federated & cloud contexts
      • SPML-based Batch Provisioning
      Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel
  • 33. Learn More
      oracle.com/identity
      Connect, Discuss: @nishantk, blog.talkingidentity.com
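The external-user flow on slides 24 to 31 (JIT provisioning on arrival, gap handling from slide 15, consent-gated pull of extra attributes from the IdP, and a change notification that carries names rather than data) modelled as a small Python program. This is an added illustration, not code from the deck or from any Oracle product: the directory, the "releasable" and "notify_on_change" constraint sets standing in for AAPML, the requirements dict standing in for a CARML disclosure, the approved-subjects list standing in for the OAuth introduction step, and the `idp_release` call standing in for IGF retrieval are all constructed assumptions.

```python
"""Toy just-in-time (JIT) provisioning at a relying party (RP).

Added illustration; not the deck's or any product's code. Models: a user arrives
with a token carrying claims, the RP provisions an account on the fly from an
allow-listed issuer, fills attribute gaps by pulling only what it declared it
needs, the IdP releases only what its constraints allow and only for users who
approved the introduction, and a later change notification names attributes
without carrying their values.
"""
from dataclasses import dataclass, field

# Constructed IdP directory (sample data, not real people).
IDP_DIRECTORY = {
    "alice@idp.example": {
        "email": "alice@idp.example",
        "displayName": "Alice Example",
        "department": "finance",
        "manager": "bob@idp.example",
        "nationalId": "000-00-0000",  # constructed; never releasable to the RP
    },
}

# Constructed stand-in for the IdP's AAPML-style constraints (assumed format).
IDP_CONSTRAINTS = {
    "releasable": {"email", "displayName", "department", "manager"},
    "notify_on_change": {"department", "manager"},
}

# Constructed stand-in for the RP's CARML-style disclosure (assumed format):
# the attributes it needs and the purpose it declares for each.
RP_REQUIREMENTS = {"email": "login", "displayName": "ui", "department": "authorization"}

# Subjects who approved the introduction of the two provisioning engines
# (the deck's OAuth step); the IdP releases data only for these (assumption).
APPROVED_SUBJECTS = {"alice@idp.example"}


@dataclass
class Account:
    subject: str
    issuer: str
    attributes: dict = field(default_factory=dict)

    def is_complete(self) -> bool:
        """True once every attribute the RP requires is present (no gap left)."""
        return all(a in self.attributes for a in RP_REQUIREMENTS)


def idp_release(subject: str, requested: list) -> dict:
    """IdP side of the retrieval: enforce consent and the release constraints."""
    if subject not in APPROVED_SUBJECTS:
        raise PermissionError("subject has not approved data access for this RP")
    record = IDP_DIRECTORY.get(subject, {})
    return {a: record[a] for a in requested
            if a in IDP_CONSTRAINTS["releasable"] and a in record}


class RelyingPartyProvisioner:
    def __init__(self, trusted_issuers: set, fetch=idp_release):
        self.trusted_issuers = trusted_issuers  # allow list checked before provisioning
        self.fetch = fetch                      # stands in for IGF-based retrieval
        self.store: dict = {}                   # the RP's local identity store

    def jit_provision(self, token: dict) -> Account:
        """Create or update the local account from an already-validated token."""
        if token["issuer"] not in self.trusted_issuers:
            raise PermissionError(f"untrusted issuer {token['issuer']}")
        subject = token["subject"]
        acct = self.store.setdefault(subject, Account(subject, token["issuer"]))
        # Keep only the claims the RP disclosed a need for.
        acct.attributes.update({k: v for k, v in token["claims"].items()
                                if k in RP_REQUIREMENTS})
        # Gap handling: pull just the missing required attributes from the IdP.
        missing = [a for a in RP_REQUIREMENTS if a not in acct.attributes]
        if missing:
            acct.attributes.update(self.fetch(subject, missing))
        return acct

    def on_change_notification(self, subject: str, changed: list) -> set:
        """Notification carries attribute names only; pull just what the RP uses."""
        acct = self.store.get(subject)
        if acct is None:
            return set()  # unknown here: defer to a JIT pull if the user returns
        wanted = set(changed) & set(RP_REQUIREMENTS)
        if wanted:
            acct.attributes.update(self.fetch(subject, sorted(wanted)))
        return wanted


if __name__ == "__main__":
    rp = RelyingPartyProvisioner(trusted_issuers={"idp.example"})
    token = {"issuer": "idp.example", "subject": "alice@idp.example",
             "claims": {"email": "alice@idp.example", "displayName": "Alice Example"}}
    acct = rp.jit_provision(token)
    print(acct.attributes, acct.is_complete())
    print(rp.on_change_notification("alice@idp.example", ["department", "nationalId"]))
```

Two design points mirror the deck: the RP only ever asks for attributes it has disclosed a purpose for, so the IdP can apply its constraints against a known request set, and a change notification never transports data, which means a compromised or misconfigured RP receives nothing it was not already entitled to pull.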