Beyond SPML: Access Provisioning in a Services World
1. Beyond SPML: Access Provisioning in a Services World
Nishant Kaushik
Lead Strategist, Identity & Access Management, Oracle
2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
3. The Evolution of Provisioning
Diagram: Native Administration Tools → Automated Account Management → Governance Controls, with the drivers IT Optimization & ROI and Regulatory Compliance.
4. Provisioning at Center of Enterprise IdM
Diagram: the Provisioning System sits at the center, connected through connectors to a Partner Application (via SPML), Major Proprietary Apps, Cloud-based Services (connector APIs, marked "?"), Internal Applications and User Stores (SSO, IdP, Fed); Users, Managers, Administrators and Auditors interact with it.
6. Provisioning.Current
Effective, but Overburdened & Brittle
• Does what it needs to do, but implementation is too difficult
• Scope of identity data has grown
• Connectors are a constant battle
• SPML hasn't delivered
• Consolidating access requests into a single portal increases deployment complexity and decreases usability
• Compliance already extracted into focused GRC tools
Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel
7. So What is Provisioning.Next?
Diagram: the slide 3 timeline (Native Administration Tools → Automated Account Management → Governance Controls, drivers IT Optimization & ROI and Regulatory Compliance) extended with a next stage, Provisioning.Next, marked "?".
9. Evolution of Application Architecture
• User Tables externalized to Identity Store
• Native U/P Authentication externalized to SSO
• Native Authorization Engine externalized to Entitlements Server
10. Evolution of Application Architecture
Same three externalizations as slide 9, with the quote: "The Future of Identity is Pull" - Bob Blakley, Burton Group
11. Service-Oriented Security
• Applications pull identity data from a centralized (if necessary virtualized) identity store
• Authorization based on attributes and roles
• ISP (Identity Services Platform) provides a developer-friendly API layer that plugs into service providers based on standards
Diagram: Identity Services Platform exposing IGF (ArisID) and OpenAZ, built on SAML, LDAP and XACML, fronting an SSO Server, Identity Store and Entitlement Server.
12. Is Provisioning Out On The Street Now?
Diagram: the same Identity Services Platform stack as slide 11 (IGF (ArisID), OpenAZ; SAML, LDAP, XACML; SSO Server, Identity Store, Entitlement Server), with the Provisioning Engine drawn outside it.
13. Or Just Getting More Specialized?
• Provisioning still holds the policy keys for "who should have access to what"
• Responds to identity events and keeps identity store consistent
• More importantly, ensures that identities have necessary attributes/roles to satisfy authorization checks
Diagram: Identity Events and Ad-Hoc Requests feed the Provisioning Engine, which sits beside the Identity Services Platform (IGF (ArisID), OpenAZ; SAML, LDAP, XACML) over the SSO Server, Identity Store and Entitlement Server.
14. Provisioning-as-a-Service
• Any application can be an "identity source" also
• Applications now own their contextual access requests
• Handles both enterprise and application roles
• Collaborative identity management (by apps)
Diagram: HR Activities, User Registration, Access Requests and Profile Updates from Users, Managers, Administrators and Approvers flow into a Provisioning Service (reached via SPML, marked "?") that stands alongside the Identity Services Platform (IGF (ArisID), OpenAZ; SAML, LDAP, XACML) over the SSO Server, Identity Store and Entitlement Server.
15. New Challenges for Applications
Request Handling
• Partial Registration
• Gap Handling, User Notification, Feedback Loops
Identity-Based Access Control
• Support mix of RBAC and ABAC for Provisioning
• Greater degree of automation: Policy-based Auto-Provisioning and Auto-Approval of Requests
Holistic Role Management
• Centralized Management of Enterprise Roles and Application Roles
• Enterprise to Application Role Mappings
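The request-handling, RBAC/ABAC and role-mapping points above can be put together in one small decision engine. The following is an added example in Python, not code from the deck or from any Oracle product; the applications, attribute names, role names and policy rules are constructed for illustration. It evaluates one access request per application: a missing required attribute is reported as a partial-registration gap (feedback to the requester rather than a denial), enterprise roles are mapped to application roles, attribute predicates can grant access without a role, and privileged application roles are routed to an approver instead of being auto-provisioned.

```python
"""Policy-driven provisioning decisions that mix RBAC and ABAC.

Added example; not code from the deck or from any Oracle product. The
applications, attribute names, role names and rules are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Identity:
    uid: str
    attributes: Dict[str, str]      # ABAC inputs (department, region, ...)
    enterprise_roles: Set[str]      # RBAC inputs


@dataclass
class Rule:
    name: str
    app_role: str
    grant: Callable[[Identity], bool]   # attribute predicate that grants app_role


@dataclass
class Decision:
    uid: str
    app: str
    outcome: str                        # auto-provision | needs-approval | denied | gap
    app_roles: Set[str] = field(default_factory=set)
    missing_attributes: Set[str] = field(default_factory=set)
    reason: str = ""


# Enterprise role -> application role mappings (holistic role management)
ROLE_MAP: Dict[str, Dict[str, str]] = {
    "payroll": {"employee": "pay_viewer", "payroll_admin": "pay_admin"},
    "crm": {"sales": "crm_user", "sales_manager": "crm_manager"},
}

# Attributes an application needs before an account can exist at all;
# a request that lacks them is a partial registration, not a denial.
REQUIRED_ATTRS: Dict[str, Set[str]] = {
    "payroll": {"employee_id", "cost_center"},
    "crm": {"email"},
}

# ABAC rules: attribute conditions that grant an application role with no enterprise role
ABAC_RULES: Dict[str, List[Rule]] = {
    "payroll": [Rule("finance-contractor-readonly", "pay_viewer",
                     lambda i: i.attributes.get("employment_type") == "contractor"
                     and i.attributes.get("department") == "finance")],
    "crm": [Rule("eu-sales-region", "crm_user",
                 lambda i: i.attributes.get("region") == "EU")],
}

# Application roles that policy may grant but never auto-approves
APPROVAL_REQUIRED: Set[str] = {"pay_admin", "crm_manager"}


def decide(identity: Identity, app: str) -> Decision:
    """Evaluate one access request against the provisioning policy for `app`."""
    missing = REQUIRED_ATTRS.get(app, set()) - set(identity.attributes)
    if missing:
        # Gap handling: tell the requester (or the source system) what is still needed
        return Decision(identity.uid, app, "gap", missing_attributes=missing,
                        reason="partial registration: required attributes absent")

    granted: Set[str] = set()
    for ent_role, app_role in ROLE_MAP.get(app, {}).items():      # RBAC
        if ent_role in identity.enterprise_roles:
            granted.add(app_role)
    for rule in ABAC_RULES.get(app, []):                          # ABAC
        if rule.grant(identity):
            granted.add(rule.app_role)

    if not granted:
        return Decision(identity.uid, app, "denied", reason="no policy grants access")
    if granted & APPROVAL_REQUIRED:
        return Decision(identity.uid, app, "needs-approval", app_roles=granted,
                        reason="privileged role requires approver sign-off: "
                               + ", ".join(sorted(granted & APPROVAL_REQUIRED)))
    return Decision(identity.uid, app, "auto-provision", app_roles=granted,
                    reason="policy-based auto-approval")


if __name__ == "__main__":
    alice = Identity("alice", {"employee_id": "E100", "cost_center": "CC10",
                               "employment_type": "employee", "department": "eng"},
                     {"employee"})
    print(decide(alice, "payroll"))
```

The gap check runs before any grant so that an incomplete registration never silently turns into a denial; the caller gets the attribute names it still has to collect, which is the feedback loop the slide asks for.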
16. Provisioning.Evolved
Delivering Provisioning-as-a-Service
• Provisioning becoming more about policy, less about data
• Managing identity store
• Supports automated and ad-hoc (manual) decision-making that is compliant, informed
• Returning control over usability back to application
• Support intelligent UI
• Implement feedback loop
Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel
20. Ian Glazer proclaimed…
Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first
22. A lively battle ensued…
Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first
23. And at the end…
Image: Monty Python and the Holy Grail, TM and Copyright Columbia Pictures or the Killer Rabbit, whoever comes after me first
24. My Secret Weapon: JIT Provisioning
Just-In-Time Provisioning
• Not new, but never mainstream
• Real-time provisioning triggered by user arriving at RP needing access
• Light-touch provisioning based on standards, not integrations
• Challenge has always been trust and policy model
25. JIT Provisioning and the Cloud
Just-In-Time Provisioning
• Not new, but never mainstream
• Real-time provisioning triggered by user arriving at RP needing access
• Light-touch provisioning based on standards, not integrations
On-the-fly federations enable & secure short-lived and limited-use cloud services for the enterprise
26. External User Coming In
Federation or Cloud Scenario
Diagram: the IDENTITY PROVIDER (with its Users) sends an AuthN token w/ Claims to the RELYING PARTY/SERVICE PROVIDER, whose Identity Services Platform (IGF (ArisID), OpenAZ; SPML, SAML, LDAP, XACML) fronts a Provisioning Server (marked "?"), SSO / Fed Server, Identity Store and Entitlement Server.
27. External User Coming In
Federation or Cloud Scenario
Diagram: as slide 26, with the SSO / Fed Server passing a Request w/ Claims to the Provisioning Server.
28. Provisioning needs more Identity Data
Diagram: as slide 27, adding an IDENTITY PROVIDER Provisioning Server with AAPML constraints; an OAuth based authorization to access IdP data is established between the two sides, and the RP's Provisioning Server performs IGF based Data Retrieval (CARML joins the platform's standards: CARML, SPML, SAML, LDAP, XACML) from the IdP.
29. OAuth as Trust Framework
Diagram: the RELYING PARTY/SERVICE PROVIDER Provisioning Server Requests Token; the IDENTITY PROVIDER Provisioning Server Issues Request Token; the User sits between the two.
User "approves" introduction of Provisioning Engines
• User must be on list of users authorized to do this
• Acts as basis of (limited) trust
• Initiates a review on IdP side
• IdP Provisioning Engine can validate RP against black list/white list
30. IGF (ArisID) as Data Retrieval API
Diagram: IDENTITY PROVIDER Provisioning Server (AAPML Constraints) to RELYING PARTY/SERVICE PROVIDER Provisioning Server (CARML), linked by IGF based Data Retrieval.
RP policy disclosures include
• How, why it intends to use data
• Certifications (e.g. SAS 70)
• Change notification requirements
IdP policy constraints include
• Expectations around data management
• Change notification details
Provisioning Engine makes decision
• Based on configured policies
• Based on RP policy disclosures
• Based on approvals
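Slides 29 and 30 together describe a two-step trust decision on the IdP side: first the introduction (token issued only to a list-checked RP, approved only by an authorized user), then a per-attribute release decision that weighs the RP's policy disclosures against the IdP's own constraints. The following is an added Python example, not code from the deck or from any Oracle product. It stands in for the OAuth request-token step with an opaque random token, and for the CARML request / AAPML constraint exchange with plain data classes; the attribute names, purposes and the "SAS 70" certification check are constructed to match the slide's wording.

```python
"""IdP-side trust and data-release decisions for a relying party's provisioning engine.

Added example; not code from the deck or from any Oracle product. The disclosure
and constraint structures are constructed stand-ins for the CARML/AAPML exchange."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class RPDisclosure:
    """What the RP declares about its intended use of identity data (CARML-style)."""
    rp_id: str
    attributes: Set[str]                 # attributes the RP asks for
    purposes: Set[str]                   # how and why it intends to use them
    certifications: Set[str]             # e.g. {"SAS 70"}
    accepts_change_notification: bool    # will it honour the IdP's notification terms?


@dataclass
class AttributeConstraint:
    """IdP expectation for releasing one attribute (AAPML-style)."""
    allowed_purposes: Set[str]
    required_certification: Optional[str] = None
    requires_change_notification: bool = False


class IdPProvisioningEngine:
    def __init__(self, allowed_rps: Set[str], blocked_rps: Set[str],
                 introducers: Set[str], constraints: Dict[str, AttributeConstraint]):
        self.allowed_rps, self.blocked_rps = allowed_rps, blocked_rps
        self.introducers = introducers        # users authorized to approve introductions
        self.constraints = constraints
        self.pending: Dict[str, str] = {}     # request token -> rp_id awaiting approval
        self.approved: Dict[str, str] = {}    # rp_id -> approving user

    def issue_request_token(self, rp_id: str) -> Optional[str]:
        """Slide 29: validate the RP against black list / white list before issuing."""
        if rp_id in self.blocked_rps or rp_id not in self.allowed_rps:
            return None
        token = secrets.token_hex(16)         # opaque, single-use
        self.pending[token] = rp_id
        return token

    def approve_introduction(self, token: str, user: str) -> bool:
        """Slide 29: the user "approves" the introduction; must be on the authorized list."""
        rp_id = self.pending.get(token)
        if rp_id is None or user not in self.introducers:
            return False
        del self.pending[token]
        self.approved[rp_id] = user
        return True

    def decide_release(self, d: RPDisclosure) -> Tuple[Dict[str, dict], Dict[str, str]]:
        """Slide 30: per-attribute decision from configured constraints, RP disclosures
        and the recorded approval. Returns (released, refused-with-reason)."""
        if d.rp_id not in self.approved:
            return {}, {a: "no approved introduction" for a in d.attributes}
        released: Dict[str, dict] = {}
        refused: Dict[str, str] = {}
        for attr in sorted(d.attributes):
            c = self.constraints.get(attr)
            if c is None:
                refused[attr] = "attribute not releasable"
            elif not d.purposes <= c.allowed_purposes:
                refused[attr] = "declared purpose not permitted"
            elif c.required_certification and c.required_certification not in d.certifications:
                refused[attr] = "requires " + c.required_certification
            elif c.requires_change_notification and not d.accepts_change_notification:
                refused[attr] = "RP must accept change notification"
            else:
                released[attr] = {"approved_by": self.approved[d.rp_id],
                                  "notify_on_change": c.requires_change_notification}
        return released, refused


# Constructed IdP policy: which attributes may leave, for what, under which terms
POLICY = {
    "email": AttributeConstraint({"account-creation", "notification"}),
    "employee_id": AttributeConstraint({"account-creation"}, required_certification="SAS 70"),
    "manager": AttributeConstraint({"account-creation"}, requires_change_notification=True),
}
```

Refusals are returned per attribute rather than failing the whole request, so the RP learns exactly which disclosure (a missing certification, a notification commitment) it would have to make to get the rest; that is the review the slide says the introduction initiates on the IdP side.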
31. Change Notification
Diagram: IDENTITY PROVIDER Provisioning Server (AAPML Constraints) Notifies About Change to the RELYING PARTY/SERVICE PROVIDER Provisioning Server (CARML), alongside the IGF based Data Retrieval path.
Doesn't send changes (data), just notifies
• Per IGF agreement when data access was granted (previous steps)
• Only for changes RP is interested in
• No standard exists for this, though there is discussion in SSTC (SAML)
RP pulls data if needed
• Doesn't have to be immediate
• Can be ignored in favor of JIT pull when user comes back
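The RP-side behaviour of slides 26 to 28 and 31 (create the user just in time when the token arrives, accept change notifications that carry no data, and pull only the attributes the IGF agreement covers, either immediately or at the user's next login) fits in one small class. The following is an added Python example, not code from the deck or from any Oracle product. The token claims are a constructed dict standing in for the SAML assertion's attribute statement, and the `pull` callable is a constructed stand-in for IGF data retrieval from the IdP; no notification format is assumed beyond "subject plus the names of the changed attributes", since the slide says no standard exists.

```python
"""Just-in-time provisioning at the relying party with notify-then-pull change handling.

Added example; not code from the deck or from any Oracle product. Claims and the
pull callable are constructed stand-ins for the SAML assertion and IGF retrieval."""
from typing import Callable, Dict, Iterable, Set, Tuple

Key = Tuple[str, str]   # (identity provider, subject)


class JITProvisioner:
    def __init__(self, trusted_idps: Iterable[str], interesting_attrs: Iterable[str],
                 pull: Callable[[str, str, Set[str]], Dict[str, str]]):
        self.trusted_idps = set(trusted_idps)
        self.interesting = set(interesting_attrs)  # per the IGF agreement: changes the RP cares about
        self.pull = pull                           # pull(idp, subject, attrs) -> {attr: value}
        self.store: Dict[Key, dict] = {}           # the RP's identity store

    def on_login(self, idp: str, subject: str, claims: Dict[str, str]) -> dict:
        """User arrives with an authN token carrying claims: provision or refresh."""
        if idp not in self.trusted_idps:
            raise PermissionError("untrusted identity provider: " + idp)
        key = (idp, subject)
        rec = self.store.get(key)
        if rec is None:
            # First arrival: create the account from the claims alone (light touch)
            rec = {"attributes": dict(claims), "stale": set(), "event": "jit-created"}
            self.store[key] = rec
            return rec
        rec["attributes"].update(claims)
        rec["event"] = "refreshed"
        if rec["stale"]:
            # Deferred pull: the change notification was ignored until the user came back
            rec["attributes"].update(self.pull(idp, subject, set(rec["stale"])))
            rec["stale"] = set()
            rec["event"] = "refreshed+pulled"
        return rec

    def on_change_notification(self, idp: str, subject: str, changed: Iterable[str]) -> str:
        """Notification carries attribute names only, never values."""
        if idp not in self.trusted_idps:
            return "ignored-untrusted"
        rec = self.store.get((idp, subject))
        if rec is None:
            return "ignored-unknown-subject"      # nothing to keep consistent
        wanted = set(changed) & self.interesting
        if not wanted:
            return "not-interested"
        rec["stale"] |= wanted
        return "marked-stale"

    def pull_now(self, idp: str, subject: str) -> Set[str]:
        """Immediate pull for attributes that cannot wait for the next login."""
        rec = self.store[(idp, subject)]
        if not rec["stale"]:
            return set()
        pulled = set(rec["stale"])
        rec["attributes"].update(self.pull(idp, subject, pulled))
        rec["stale"] = set()
        return pulled


# Constructed IdP-side data and a pull function standing in for IGF retrieval
IDP_DATA: Dict[Key, Dict[str, str]] = {
    ("idp.example", "alice"): {"department": "finance", "manager": "carol", "title": "analyst"},
}


def demo_pull(idp: str, subject: str, attrs: Set[str]) -> Dict[str, str]:
    source = IDP_DATA.get((idp, subject), {})
    return {a: source[a] for a in attrs if a in source}
```

Because a notification never carries values, a spoofed or replayed one can at worst cause an extra pull over the already-authorized IGF channel, not a write of attacker-chosen data into the store; that is the security property behind "doesn't send changes, just notifies".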
32. Provisioning.Next
• Engine for delivering Provisioning-as-a-Service
• Management & Policy Enforcement of Identity Store
• Request Engine for Approval-based Provisioning
• Automation Engine for Role- and Attribute-based Provisioning
• Policy-compliant Identity Data Exchange with IdPs
• For federated & cloud contexts
• SPML-based Batch Provisioning
Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel
33. Learn More
oracle.com/identity
Connect, Discuss
@nishantk
blog.talkingidentity.com