From the Blogosphere
Solving Substantiation with SAML
In the digital world, identity verification is not as easy as showing the computer monitor a driver’s license
By: Peter Silva
Feb. 1, 2013 09:00 AM
Organizations are deploying distributed, hybrid architectures that can span multiple security domains. At any moment, a user could be accessing the corporate data center, the organization’s cloud infrastructure, or even a third party, #SaaS web application. #SAML can provide the identity information necessary to implement an enterprise-wide single sign-on solution.
Proving or asserting one’s identity in the physical world is often as simple as showing a driver’s license or state ID card. As long as the photo matches the face, that’s typically all that is needed to verify identity. This substantiation of identity is a physical form of authentication, and depending on the situation, the individual is then authorized either to receive something or to do something, for instance, enter a bar, complete a purchase, etc.
In the digital world, identity verification is not as easy as showing the computer monitor a driver’s license. To gain entry, you must provide information like a name, password, randomly generated token number—something you have, something you know, or something you are—to prove you are who you say you are.
Gaining access to corporate assets is no different. Many organizations have multiple different resource portals, however, each requiring digital proof of identity. Their users may also need to access partner portals, cloud based Software as a Service (SaaS) applications, or distributed, hybrid infrastructures that span multiple data centers, each requiring a unique user name and password. In addition, the average employee must maintain about 15 different passwords for both her private and corporate identities, with many of those passwords also being used for social media and other risky entities. Statistics show that 35 to 50 percent of help desk calls are related to password problems, with each call costing a company between $25 and $50 per request.
Security Assertion Markup Language (SAML) is an XML-based standard that allows secure web domains to exchange user authentication and authorization data. It directly addresses the problem of how to provide the users of web browsers with single sign-on (SSO) convenience. With SAML, an online service provider can contact a separate online identity provider to authenticate users who are attempting to access secure content. For example, a user might need to log in to Salesforce.com, but Salesforce (the service provider) has no mechanism to validate the user. Salesforce would then send a request to an identity provider, such as F5 BIG-IP Access Policy Manager (APM), to validate the requesting user’s identity. BIG-IP APM version 11.3 supports SAML federation, acting as either a service provider or an identity provider, enhancing the employee’s online experience and potentially reducing password-related tickets at the help desk.
BIG-IP APM version 11.3 can act as either a SAML service provider or a SAML identity provider, enabling both federation and SSO within an enterprise.
BIG-IP APM as a Service Provider
When a user initiates a request from a SAML IdP and the resources, such as an internal SharePoint site, are protected by BIG-IP APM, BIG-IP APM consumes that SAML assertion (claim) and validates its trustworthiness. This ultimately allows the user access to the resource. If the user goes directly to BIG-IP APM (as an SP) to access a resource (like SharePoint), then the user will be directed to the IdP to authenticate and get an assertion. Once a user is authenticated with a SAML IdP and accesses a resource behind BIG-IP APM, he or she will not need to authenticate again.
BIG-IP APM as an Identity Provider
Provided there is an SP that accepts assertions, a user can authenticate with BIG-IP APM to create an assertion. BIG-IP APM authenticates the user and displays resources. When the user clicks on an application, BIG-IP APM generates an assertion. That assertion can be passed on to the SP, which allows access to the resource without further authentication. When the user visits the SP first, the process is SP initiated; when the user goes directly to the IdP (in this case, BIG-IP APM) first to authenticate, the process is IdP initiated.
BIG-IP APM in a SAML Federation
SAML can be used to federate autonomous BIG-IP APM systems. This allows a user to connect to one BIG-IP device, authenticate, and transparently move to other participating BIG-IPs devices. Session replication is not part of SAML, but administrators can populate session information on participating systems. This means that BIG-IP device federation does not enable the use of a single session within the federation; it only enables information exchange among multiple members of the federation. Each participating BIG-IP device maintains its own independent session with the client, and each has its own access policy that executes separately and independently.
The benefits of deploying BIG-IP APM as a SAML solution certainly include better password management, fewer help desk calls, and an improved user experience, but BIG-IP APM can also add additional context to requests. For instance, it can include endpoint inspection results as attributes to inform the application of the client’s security posture. In addition, IT administrators do not need to retrofit applications (e.g., .NET apps do not need a Kerberos claims plug-in). Another advantage is extensive session variable support, which allows organizations to
IT infrastructure has changed dramatically over the past few years, with many applications moving to cloud-based services. Corporate employees have also morphed into a mobile workforce that requires secure access to that infrastructure any time, from anywhere, and with any device. Bridging the identity gap between physically and logically separated services allows organizations to stay agile in this ever-changing environment and gives users the secure access they need around the clock.
BIG-IP APM version 11.3, in addition to delivering high availability and protecting organizations’ critical assets, provides a SAML 2.0 solution that offers the identity bridge needed to manage access across systems.
Technorati Tags: saml,big-ip,f5,access,security,apm,v11.3,silva,authentication,cloud computing,federation
Top Stories for Cloud Expo 2012 East
In this Big Data Power Panel at the 10th International Cloud Expo, moderated by Cloud Expo Conference Chair Jeremy Geelan, Govind Rangasamy, Director of Product Management at Eucalyptus Systems; Kevin Brown; CEO of Coraid, Inc.; Christos Tryfonas, CTO and Co-Founder of Cetas; and Max Riggsbee, CMO and VP of Products for WhipTail, discussed such topics as: Big Data has existed since the early days of computing; why, then, do you think there is such an industry buzz around it right now? How is Big Data impacting storage and networking architecture in data centers? How about the intersection of Big Data Analytics and Cloud Computing - how big a sector is that and why? What's the difference between Big Data and Fast Data? ... (more)
Best Recent Articles on Cloud Computing & Big Data Topics
As we enter a new year, it is time to look back over the past year and resolve to improve upon it. In 2014, we will see more service providers resolve to add more personalization in enterprise technology. Below are seven predictions about what will drive this trend toward personalization.
IT organizations face a growing demand for faster innovation and new applications to support emerging opportunities in social, mobile, growth markets, Big Data analytics, mergers and acquisitions, strategic partnerships, and more. This is great news because it shows that IT continues to be a key stakeholder in delivering business service innovation. However, it also means that IT must deliver new innovation despite flat budgets, while maintaining existing services that grow more complex every day.
Cloud computing is transforming the way businesses think about and leverage technology. As a result, the general understanding of cloud computing has come a long way in a short time. However, there are still many misconceptions about what cloud computing is and what it can do for businesses that adopt this game-changing computing model. In this exclusive Q&A with Cloud Expo Conference Chair Jeremy Geelan, Rex Wang, Vice President of Product Marketing at Oracle, discusses and dispels some of the common myths about cloud computing that still exist today.
Despite the economy, cloud computing is doing well. Gartner estimates the cloud market will double by 2016 to $206 billion. The time for dabbling in the cloud is over! The 14th International Cloud Expo, co-located with 5th International Big Data Expo and 3rd International SDN Expo, to be held June 10-12, 2014, at the Javits Center in New York City, N.Y. announces that its Call for Papers is now open. Topics include all aspects of providing or using massively scalable IT-related capabilities as a service using Internet technologies (see suggested topics below). Cloud computing helps IT cut infrastructure costs while adding new features and services to grow core businesses. Clouds can help grow margins as costs are cut back but service offerings are expanded. Help plant your flag in the fast-expanding business opportunity that is The Cloud, Big Data and Software-Defined Networking: submit your speaking proposal today!
What do you get when you combine Big Data technologies….like Pig and Hive? A flying pig? No, you get a “Logical Data Warehouse.” In 2012, Infochimps (now CSC) leveraged its early use of stream processing, NoSQLs, and Hadoop to create a design pattern which combined real-time, ad-hoc, and batch analytics. This concept of combining the best-in-breed Big Data technologies will continue to advance across the industry until the entire legacy (and proprietary) data infrastructure stack will be replaced with a new (and open) one.
While unprecedented technological advances have been made in healthcare in areas such as genomics, digital imaging and Health Information Systems, access to this information has been not been easy for both the healthcare provider and the patient themselves. Regulatory compliance and controls, information lock-in in proprietary Electronic Health Record systems and security concerns have made it difficult to share data across health care providers.
Cloud Expo, Inc. has announced today that Vanessa Alvarez has been named conference chair of Cloud Expo® 2014. 14th International Cloud Expo will take place on June 10-12, 2014, at the Javits Center in New York City, New York, and 15th International Cloud Expo® will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
12th International Cloud Expo, held on June 10–13, 2013 at the Javits Center in New York City, featured four content-packed days with a rich array of sessions about the business and technical value of cloud computing led by exceptional speakers from every sector of the cloud computing ecosystem. The Cloud Expo series is the fastest-growing Enterprise IT event in the past 10 years, devoted to every aspect of delivering massively scalable enterprise IT as a service.
Ulitzer.com announced "the World's 30 most influential Cloud bloggers," who collectively generated more than 24 million Ulitzer page views. Ulitzer's annual "most influential Cloud bloggers" list was announced at Cloud Expo, which drew more delegates than all other Cloud-related events put together worldwide. "The world's 50 most influential Cloud bloggers 2010" list will be announced at the Cloud Expo 2010 East, which will take place April 19-21, 2010, at the Jacob Javitz Convention Center, in New York City, with more than 5,000 expected to attend.
It's a simple fact that the better sales reps understand their prospects' intentions, preferences and pain points during calls, the more business they'll close. Each day, as your prospects interact with websites and social media platforms, their behavioral data profile is expanding. It's now possible to gain unprecedented insight into prospects' content preferences, product needs and budget. We hear a lot about how valuable Big Data is to sales and marketing teams. But data itself is only valuable when it's part of a bigger story, made visible in the right context.
Cloud Expo, Inc. has announced today that Larry Carvalho has been named Tech Chair of Cloud Expo® 2014. 14th International Cloud Expo will take place on June 10-12, 2014, at the Javits Center in New York City, New York, and 15th International Cloud Expo® will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Everyone talks about a cloud-first or mobile-first strategy. It's the trend du jour, and for good reason as these innovative technologies have revolutionized an industry and made savvy companies a lot of money. But consider for a minute what's emerging with the Age of Context and the Internet of Things. Devices, interfaces, everyday objects are becoming endowed with computing smarts. This is creating an unprecedented focus on the Application Programming Interface (API) as developers seek to connect these devices and interfaces to create new supporting services and hybrids. I call this trend the move toward an API-first business model and strategy.
We live in a world that requires us to compete on our differential use of time and information, yet only a fraction of information workers today have access to the analytical capabilities they need to make better decisions. Now, with the advent of a new generation of embedded business intelligence (BI) platforms, cloud developers are disrupting the world of analytics. They are using these new BI platforms to inject more intelligence into the applications business people use every day. As a result, data-driven decision-making is finally on track to become the rule, not the exception.
Digital Transformation Blogs