Page 12 – Radiant Logic | Unify, Observe, and Act on ALL Identity Data

A large herd of zebras stands closely packed together, displaying their black and white striped patterns. The overlapping stripes create a visually striking, almost camouflaged effect among the animals.

Cloud Directories, IDaaS, and Federation IdPs vs. the Rest of Your IAM Infrastructure

May 30, 2017/in Blog Michel Prompt/by Josue Ochoa

Integrating the New Identity While Evolving Your Existing Identity

Right at the beginning of the year, I introduced you to Radiant’s Great Migration map, our vision for the identity landscape of today and tomorrow. I’d like to follow up that discussion with a series of posts about the importance of integrating IDaaS cloud services and directories with your existing IAM infrastructure and LDAP applications. After all, unless your company is digital native or you’re starting from scratch with a greenfield deployment, you probably have an identity infrastructure that looks a little something like the lower two-thirds of the map—even as you reach for the cloud.

For many major enterprises, the existing identity system is more ocean and less cloud…

In any case, IDaaS or “identity-as-a-service” is a very promising direction for a field that’s been stuck in the datacenter for a very long time. The value proposition is especially exciting for larger enterprises, like most of our customers. For one, federation makes it easier to offer SSO and a more user-friendly portal, which is great news whether you’re extending access to new employees and partners after a merger or enabling customers to manage accounts across a world of different services, each one brought online at a different time. A directory on the cloud also abstracts location dependency for applications, which is key for mobility, as well as for multi-national companies with sites across the globe.

Are You Confident that All Your Apps Speak Federation Standards or IDaaS APIs?

Yet at the level of access/authentication and directory information, these benefits are available only to applications that can leverage federation standards such as SAML and OpenID Connect and/or specific APIs supported by individual IDaaS vendors. Unfortunately, most enterprise LDAP-based applications and traditional WAM portals can’t do either, which means they cannot authenticate through SAML or a cloud directory because that would require calling an API that is not LDAP. While a directory on the cloud is great for new initiatives and applications, to all your WAM and LDAP apps, that cloud directory just looks like another silo. And that means that all these benefits are confined to the new part of the stack—even though they’d be especially helpful for adding agility to the existing stack. So how does a large company with extensive investments in yesterday’s tech take full advantage of tomorrow’s identity and access solutions? (Hint: it involves virtualization and integration with RadiantOne FID…)

Stay tuned for my next post, where we’ll dive a little deeper into the infrastructure—and soar a little higher into the cloud—as we look at how to empower IDaaS with a federated identity service.

A vibrant sunset sky with orange, pink, and purple hues is reflected in calm water, with silhouetted mountains and a flying bird completing the serene landscape.

The Hidden Requirement for Federation: Syncing and Provisioning to the Cloud

November 8, 2013/in Blog Michel Prompt/by Josue Ochoa

Welcome back—let’s continue where we left off in my last post, looking at bringing identity back to IAM. I was comparing notes on use cases and best practices with Nick Nikols of Gartner recently and came to some conclusions that might appear quite paradoxical—heretical, even!

Although federation divides the work between an identity provider (IdP) and a service provider/relying party (SP/RP), this decoupling has not eliminated the need for some form of identity syncing and remapping between the two. While it sounds counter-intuitive, the act of externalizing identity from applications to reduce dependencies still requires some form of coordination and identity management between an identity provider and its relying parties. To really deploy federation, you have to do some identity syncing and provisioning.
Then, because this operation has to happen for each identity source and target, medium-to-large organizations acting as IdPs—or hosting their IdP functions as a service—are rediscovering a practical requirement: you need a complete identity hub to simplify the identity orchestration required by the different cloud services (including authentication and authorization, along with provisioning).

Beyond connectors and syncing capabilities, Nick and I were struck by the idea that this requirement for a common hub, this staging engine for identities, whether hosted on premise or in the cloud, reminded us of something…what could it be? You guessed it—it’s the second coming of the meta-directory, back from the (near) dead, or at least a similarly centralized structure that drives your cloud provisioning and access efforts. Now wait, before my wife, my mom, and my dog stops reading this blog, let me assure you: I have not been visited by the ghost of Elvis, even though Halloween was just last week. Before you call me crazy, take a look at this cloud apps slide from the gurus in Redmond, depicting a required architecture for the deployment of Microsoft Office 365.

See, it’s not just the nuts in Novato who see the need… 🙂

Federation Provisioning: Seed the Infrastructure, Keep it in Sync, and Remap on the Fly

Now, there’s a lot here to discuss, but let’s analyze each paradox in its turn, so these posts don’t become War and Peace (or its even longer sequel). For today’s post, we’ll take a look at the idea that federation doesn’t eliminate the need for identity management on the part of the service provider or relying party.

Basically, the IdP converts an internal identity representation into a token, then the SP converts that token and checks it against the internal identity representation. What we’re seeing in the authentication operation is the creation of a token through a remapping/conversion operation on the sender’s side and the finalizing of the authentication through a remapping /conversion operation on the receiver’s end. So a whole lot of remapping and conversion here, and even at the level of authentication, we start to see that the system only works if enough parts of the infrastructure have been seeded with some form of identity list, along with a way to look up identities and map them to the proper format.

Shadow IDs: Why the SP Needs a Corresponding Image of Identity

Of course, when the IdP is authenticating a user against some internal store, the user must first exist in such a store. This seems like a reasonable requirement for the “identity provider.” Perhaps less obvious is why an SP should also have some form of corresponding image of this identity. What’s the point of dividing the work if the information is replicated? After all, you divide the work between an IdP and SP in order to keep the concerns separated, and avoiding redundancies is just good engineering design. But the truth is, you cannot avoid it! Even if the IdP is the initiator and owner of the identity information, the SP still needs to replicate part of this info for its own internal management. To identify a user of its service, at a minimum the SP needs some kind of identifier or “handle” for a given user that matches or correlates with the name it’s receiving from the IdP. (We don’t have to go back to OOP101 to remember that any object requires at least an identity, and in a distributed system, you need a way to remap between internal and external ”namespaces”—right? 🙂 )

Here’s an example—see if you can guess who I was for Halloween this year:

IdP: internal identifier: JB007 token format: James Bond
SP: token format: James Bond internal identifier: X2011

In this example, the SP has to know that James Bond = X2011, and the IdP has to know that JB007 = James Bond—because that’s what goes through SAML. So we see that in order to deploy these federation roles, you must seed both the IdP (if it’s not already done) and the SP with some form of identity list and a mechanism for mapping/lookup.

In order for the operation to start, you must first provision the SP with the list of the identities that will access the services. One bulk upload of those identifiers for a given service might be fine in rare cases, but we also know that identities are never static—they go through a lifecycle. What happens when a new user is added, deleted, or changes some relevant info? Whoops—your federation began at access management and now it’s forced to rediscover the wonderful world of identity synchronization and provisioning!

Such services are not described within the federation standards, but make no mistake: they’re essential for securing access for all those SaaS apps you use. Some companies in the federation space would argue that it’s enough to do a poor man’s version—what they’d call “just-in-time” provisioning. But the reality and requirements of your system are more complex than any ad-hoc, piecemeal solution can accommodate.

Think About How Well Provisioning Went Within Your Perimeter…

Then imagine repeating this operation for every underlying identity source in your infrastructure and for each of the cloud apps you’re targeting and you can begin to see the challenge. We all know it’s true: provisioning has never been easy—and why should it be easier now, reaching into the cloud? As I mentioned above, Nick and I would argue that such complexity calls for the establishment of some sort of logical center—a hub where identities can be federated, rationalized, and transformed according to the unique requirements of each SP. At Radiant, we call this a “federated identity system” because it’s the next essential step in developing your federation. Once you’ve federated your security layer, it’s time to federate your identities, as well—only then can you orchestrate those identities within your infrastructure, across the cloud, and even onto the many mobile devices of your stakeholders.

We’ll take a closer look at this idea of the hub in my next post, including ways you can get all the benefits of the metadirectory without the huge expense and hassle—so be sure to check back and stay tuned!

A wooden desk with a laptop, smartphone, blank notebook, coffee cup, pens, camera, wallet, earphones, and bowl of popcorn, arranged in a flat lay style.

From Virtual Directory to Federated Identity: Bringing Identity Back to The Center of IAM

October 23, 2013/in Blog Michel Prompt/by Josue Ochoa

That’s right—we’re bringing identity back… 😉

There is no doubt that IT in general and IAM in particular are facing a sea of change. The disruption of the cloud, along with the emergence and explosion of new devices and form factors, is creating the kind of turbulent environment where major opportunities can be exploited—and major blunders can sink the best organizations. So who will get swept away and who will discover new lands? I’d like to take my next few posts to look at what’s happening in IAM these days and why we believe that federating the identity layer—not just the access layer—is essential for empowering today’s fragmented IAM infrastructures and driving business in a cloud and mobile world. And for a look at the choppy waters we’re all sailing in these days, don’t miss our map of Ye Olde Identity Infrastructure—just click to enlarge:

As the Chinese curse says, we are living through interesting times. When we look at current trends in IAM, the strongest wave is coming from the federation corner. Now, we can discuss at length which protocols will win the Federation Cup—will it be SAML 2.0 or Open-ID connect/Oauth 2.0? My guess is both—and, as usual, the answer will depend on the problem at hand. Are you focused on access for employees, contractors, and other “internal” users, or is your course set for customer and prospects? But there is common consensus that organizations will have to access services—likely in the cloud—as well as expose their own services to other organizations.

The Rise of Federation: Putting New Demands on Your IAM Infrastructure

Beyond the specifics details of protocols, the blueprint of federation is spreading across the whole IT landscape, and will become dominant over the next 3 to 5 years. The federation pattern divides the task of authenticating/authorizing between two main roles for the participating organization: a Service Provider (SP) (with the Relying Party (RP) in a supporting role) and an identity Provider or “IdP.” This division of work was originally designed for a traditional federation, a group or consortium of companies pooling together services/resources while delegating onboarding, registration, and single sign-on to selected members.

But thanks to the existence of the standards I mentioned above, this same framework is becoming the de-facto access method for SaaS or “cloud” applications. Acting as a Service Provider, the SaaS vendor can dedicate its best minds to delivering and supporting a high value, specialized service to its tenants. And when those tenants are themselves medium-to large-enterprises with thousands of employees or members, the only practical approach is delegating user management—in particular the authentication function—back to those same organizations. In short, turning them into IdPs.

Federation Only Routes Access to an IdP…

Let’s see what this process implies. From a SAAS application, or any external application that is based on the federation pattern, your organization is in charge of managing and authenticating your users. This is a smart way to do things: instead of having n applications trying to manage n users in n different ways, the protocols “federate” their request for authentication, delegating it to an agreed-upon “identity provider.”

Identity Provider

So if we analyze a protocol like SAML 2.0, we see that it gives all the details about how the authentication request and response will be made, and we also see that in the agreement between the service provider and the identity provider, the content of the token—the set of attributes that establishes the identity of a given user—can vary widely. No problem there, because different applications or services can require different level of identity insurance and so the protocols support that.

But at a minimum, this means that each of these external applications will require a set of specific attributes to be returned by the identity provider as a proof of authentication, along with additional attributes for authorization, personalization, and other initiatives. It’s like having a single user who needs to present a new boarding pass for every flight on their way to a destination. So as an IdP, you must identify and authenticate a user—we’ll take a closer look at that process in my next blogpost—and then remap the identity information you manage, translating it into the different specific token formats required by each application. This diagram shows how the process works:

The Challenge of IdP Implementation: Managing Different Security Domains

But here we are just looking at the external aspect, the contract to be fulfilled by the service provider and the identity provider. According to this contract, the authentication request will be handed off to the IdP, which identifies the user, and then returns the proof of this authentication with the required attributes in the format of SAML2. Repeat for each application that talks to your IdP and you have the complete picture.

It Won’t Unify Your Identity for You…

Now this all sounds good, but what gets left out of the story is how you would implement your role as IdP on the backend:

First, authenticating the user against your own identity store.
Then remapping the information to the format expected by each service provider (they all speak their own local dialect of SAML).

And here, the devil is in the details. What we’ve learned over many years of diving deep into the wilds of the identity stack is that your infrastructure is most likely messy, with users and attributes scattered across a diverse array for identity stores. And all this heterogeneity means that fulfilling the role of the IdP can become a monumental deployment hassle for every application you’re trying to service.

As we’ve seen above, fulfilling the responsibilities an IdP can be complicated—and costly. But there’s a way to cut that complexity, delivering exactly the identity that each service provider requires. You’ve already federated your access layer, now you need to federate your identity layer, for a completely federated solution. You may have guessed by now that I have a way to do just that, and in my next post, we’ll take a close look at how our RadiantOne federated identity service is a complete system for virtualizing, rationalizing, and even storing your identity—no matter how messy.

Our Federated Identity Service in Action

So be sure to check back to learn more about how you can make your identity work for your federation—and your business.

Three people hold white puzzle pieces close together, their hands meeting in the center of the image, symbolizing teamwork and collaboration.

Man and Machine: Speaking the Same Language

June 5, 2013/in Blog Michel Prompt/by Josue Ochoa

In my last post on digital context, we took a trip back to logic class, looking at how we could begin to describe our world using “sentences” based on first order logic. This essential “predicate semantics” is the foundation of all mathematics, and hence, computing. In fact, it’s the basis for our most key data storage mechanisms (think SQL). With so much of structured information already encoded in this predicate representation, this gives us an excellent foundation for more semantically-driven contextual computing.

Let’s Begin at the Beginning: What is Context, Anyway?

According to my Webster’s, the word “context” comes from the Latin ”contextus,” which means a joining or weaving together. There are a couple of different types of context:

There’s context as represented through language, or “the parts of a sentence, paragraph, or discourse immediately next to or surrounding a specified word or passage and determining its exact meaning (e.g., to quote a remark out of context)”.
And there’s the context we glean through perceptions, meaning “the whole situation, background, or environment relevant to a particular event, personality, creation, etc…”

It’s this second aspect, the perceptual side, which most would agree upon as the meaning of context. Using this definition, our animal friends are “context-aware” up to some level, able to “read” a situation and act accordingly. But we also have the first aspect, language, which allows us to describe the world in sentences, sharing contextual information. So context can be represented by a set of related sentences about a given subject—that’s our “parts of a…discourse immediately next to or surrounding a specified word.” And what makes this especially interesting from my perspective, which begins in the narrow field of security, a “security context” is a set of facts about a given “subject” represented by attributes and relations between entities. As such, a security context can be represented as a subset of first order logic—or by sentences in a limited, constrained form of English.

So if you can find a way to extract information for a given subject from a structured system and represent it as sentences then you are, in fact, extracting the underlying “application” context for this subject. And—drumroll, please—that’s just what we’ve done! Basically, we’ve returned to first principles here at Radiant, devising a “contextual and computational language” method to reverse engineer metadata from an application and represent it in a way that’s as easy to interpret at the human level as it is to execute at the machine level.

Now, this wasn’t my idea alone—if you follow the developments around the semantic web, you know that the idea to semantically encode the web (HTML/text) so that our machines can more meaningfully interpret our descriptions and intentions is based on this same foundation. But standards such as RDF and OWL depend on adoption, which cannot be controlled and is currently confined to a minuscule part of the web. On top of that, they have a different purpose. While they are tagging text the same way than we do—object attribute/verb value or other object—their objective is for machine to be able to interpret these tags. Our goal is bigger: we want to create sentences that are readable by both man and machine. So unless you can read the XML that’s behind RDF as if it were your own language, why not speak in plain English instead, rather than working at the interface level and supporting RDF at the generation phase? But we’ll get to that part a little later on…

From Database Standards to Semantics: Making Structured Data Searchable Across Silos

There’s no single data standard representation in our enterprises—you have vital data stored across SQL databases, LDAP directories, XML, web services/REST, and more. While useful on their own, this “Babel tower” of protocols, data representations, and abstractions makes it difficult, if not impossible, to connect the information across different application kingdoms. Why is this so important? Because each silo offers plenty of powerful contextual richness that we can leverage well beyond the scope of that application.

This is essential because even in the very specialized scope of security, you can’t adequately protect a system of applications if you don’t have a clear picture of what’s really enforced at the level of each application, and how all your applications are interrelated. This is why, despite lots of tools for creating roles and policies, progress in authorization has been extremely slow. The challenge is not just in knowing what you want to enforce—that’s the easy part—you must first understand what exists and what is really enforceable, both at the level of a single application and across a complicated process made up of multiple applications. For instance, when I talk to people in the banking sector about their compliance efforts, what I hear is that it’s not only about defining what they want to enforce, it’s about understanding what they have in the first place.

Context is also vital because this structured data is so valuable. It represents perhaps only 10% of the data in the world, but 90% of the value that we derive from automation. Without structured data, automation would be extremely limited, and the productivity that we derive from automation would evaporate. So wouldn’t it be great if we could understand at the layman’s layer what exists in an application (beyond just forms and interface), and link it to the rest of the infrastructure?

Think about what HTML did for text and other unstructured data on the web, making it searchable, discoverable, and so much more useful. Now imagine your structured data, all that incredible process-driven information and context trapped in application silos. What if we could read all that information, link all that data, and free all those contextual relationships that exist between silos? After all, it’s not only the facts, it’s the links between facts that build up a context. Go back to the etymology we discussed above: “context” is from the Latin contextus and it means the joining, the weaving together.

Again, these ideas are not mine alone—there’s a whole discipline within the semantic web dealing with “linked data,” based on how you could link information once it’s tagged under the form of RDF, which means subject-verb-object or subject-attribute-value. (See my last post for an in-depth look at this.)

Using Model-Driven Virtualization to Reveal the Hidden Semantics of Structured Data

Here at Radiant, we’re leveraging the same principles as those behind the semantic web, but applying them to all the structured data you have stored in SQL, LDAP, web services, REST, etc… We re-discovered these ideas because we were facing the challenge of integrating identity and its extended profiles across silos. And in order to do that, you need first to translate—to tag—this information into a common language or annotation. The method we use is called “virtualization by model,” and we’re going to take a look at how that works in the slideshow below. (And yes, my old friend Dave Kearns, the wise man of IdM, always teases me about the fact that I’ve been telling this same story with the same slides for an eternity now. So Dave, please forgive me here. As far as I know, the theorems of Thales or Pythagoras are more than 2000 years old now and are still presented with the same original proofs, too…). 🙂

The common language is first order logic, and the method we propose just automates to a large extent the tagging, the metadata reverse engineering and translation of our structured data from multiple specific protocols to this common representation. With this virtualization approach, we can extract application contexts that can be linked to unify these application silos. And because those predicates, with the right vocabulary defined by the users, can be read as a limited, “constrained” form of English sentences, these contexts are intelligible for the non-IT person. While it isn’t Shakespeare by any means, our system delivers English sentences that we can all understand—even machines.

A Sort-Of Pidgin English, Readable By Both Marketers and Machines

This basic “caveman” English allows a business user—the exact person who knows precisely what he needs to define the security policy—to “read” into the “books” of his automated process made of application silos. This gives business users a way to directly understand what really exists and is enforced currently in their applications, and to interact with this information to define the security policies they want to enforce.

These application contexts, described in English sentences (a subset of first order logic), would allow any business user understand what exactly is occurring within an automated process as it is enforced by an application. But all this sounds very esoteric—let’s take a look at how this might work in real life. We saw above that using virtualization by model lets us deliver different “views” of identity to meet the needs to diverse applications, whether they’re expecting LDAP, SQL, REST and yes, even RDF. But we can take that a step farther and deliver views of data designed for the human user, as well, using these plain English sentences I keep talking about.

Voilà, digital context, delivered through the magic of first order logic and model-driven virtualization! 🙂

A group of five people stand around a whiteboard covered with notes and diagrams, discussing and brainstorming ideas in a modern office setting.

Attributes, Predicates, and Sentences: The Building Blocks of Context

May 21, 2013/in Blog Michel Prompt/by Josue Ochoa

We covered the key role of attributes in my last blog post, moving from the blunter scope of groups and roles to the more fine-grained approach of attributes. Now we’re going to take this progression a step further, as we narrow in on my favorite topic: digital context. (If you haven’t already, check out my first two posts on context, where I laid out the roadmap and looked at groups, roles, and attributes.) Our first order today is to travel back to logic class and think about predicates.* But Michel, you’re thinking, what does all this have to do with digital context? Well, one way to describe a context about something is to express it using sentences related to the question. While we will come back to the definition of context in a following post, for now let’s just say that we need some building blocks to express facts about the world, some form of sentences that can be interpreted by a computer, and logic is one of the tools for that.

Subject-Predicate-Object: First Order Logic 101

In my most recent post, we saw how the notions of groups and roles ended up in the increased use of attributes as a way to categorize or define identities. This should not be surprising. Behind this use of attributes lays a fundamental mechanism—a way to represent a simple fact. And it’s the same mechanism that we use when we reason based on the rules of formal logic, which has been in practice forever, or when we represent a fact on a computer (think SQL). In fact, one of the greatest achievements of the early 20th century has been the formalization of logic (needed for mathematic foundation) and computation. This type of logical representation is core to everything we do, as reasoned thinkers and as computer scientists.

But in case you’re a few years removed from logic class, let’s examine this mechanism at work by looking at some very simple diagrams about what we are doing when we associate some attribute with a person or an object, such as assigning a person to a group:

Or assigning a subgroup to a group:

Each of these constructs can be summarized by the following diagram:

In this diagram, a fact can be asserted by the notation: subject-predicate-object. In predicate logic (AKA first order logic), it’s conventionally written as predicate(X,Y), where the variables X and Y could be themselves objects (references to entities) and/or values (arbitrarily “quoted” labels belonging to the initial vocabulary of our logic system). For instance, in our example above, the fact that “Jane is member of the product marketing group” can be written as memberOf(“Jane”,”Product Marketing”) and subGroupOf(“Product Marketing”,“Marketing”).

These kinds of predicates are called “binary” predicates and they are quite common. So if there are binary predicates, the astute reader (that’s you!) might well wonder if there are also unary predicates and, more generally, n-ary predicates. Indeed, the unary predicate exists and generally it’s used to assign a label to an entity—so if we want to say that Jane is an executive, you would write it as executive(“Jane”). As for the n-ary predicate, well here’s where you will find the usual “n-slots” notation of entities/tables as they’re used in the relational/SQL world. So we’d see something like this: age(“Jane”, “33”) or employee(“Jane”, “33”,”product marketing”).

Now, if you look at all those diagrams above, you’ll notice they have a direction, an orientation that tells us which entity plays the role of subject, since the object for a given predicate cannot generally be substituted. This translates into a given order for the different slots of a predicate; for example, in the notation age(“Jane”, “33”), the first slot—“Jane”—is for the person, and the second—“33”—is for her age. Of course, there are always exceptions where the slots are permutable, such as the “brother binary predicate,” where if x is a brother of y—brother(“x”,”y”)— then y is also a brother of x, which could read: brother(“y”,”x”)= brother(“x”,”y”). But in general order, orientation matters.

The diagrams above form directed graphs and the orientation is essential for preserving the semantics of this representation. After all, saying that x kills y—Kill(“x”,”y”)—is very different from saying that y kills x—Kill(“y”,”x”)!

Essential Semantics: Describing Our World in First Order Sentences

So all this is great, but what does it have to do with context? Stay with me here…we’ve seen that when we reduce everything into attributes, we are reducing the world to first principles. But at the same time, by associating attributes to an entity and recombining them progressively through predicates, we are describing a complete world based on “sentences” of first order logic. If you combine those sentences with the usual Boolean operators (Not, And, Or, and the rest of the derived Boolean Zoo members), you get a world that’s pretty complete—complete enough to act as the foundation of mathematics.

And the good news here is that this world is also pretty close to our own “world of discourse” (albeit a lot like my English: awkward and somewhat robotic). Basically, it’s made of simple sentences in the form of subject-predicate-value (where the predicate is the adjective or qualifier), or subject-attribute-object (where the attribute is the verb). Remember our friend Jane from above? Here are some things we know related to Jane:

Jane is member of marketing group.

AND

Product marketing is subgroup of marketing group.

The beauty of the predicate representation is that a huge part of our digital world is already encoded this way. In fact, all of our so-called “structured information”—databases, transactions, etc—runs according to these principles. But the maze of protocols and security representations we’re all dealing with, from SQL, to LDAP, to APIs, to programming languages, has long masked this reality. We need a way to rise above this modern tower of Babel, a way to translate all that structured, transactional data into something more useful, more contextually-driven. In my next post, I’m excited to show you that we’ve done exactly that: returned to first principles to deliver a “contextual and computational language” that’s as easy to interpret at the human level as it is to execute at the machine level. And this is a huge leap forward. We know we can’t teach our marketing teams to think like machines—and believe me, I’VE TRIED—but imagine a world where a business person and an application can both understand, and act on, the exact same notation. Such a world is possible today…so do not miss my next post!

PS: Some of you have been in on this series from the beginning, but all this blogging began as a response to Ian Glazer’s video on killing IAM in order to save it.

*See what I did there? That was for all the mathematicians…and for Anil John, who’s just as a big a logic geek as I am. 🙂

A diverse group of people stand in a row with arms around each other’s shoulders, smiling and laughing, in a bright indoor setting with a plain white wall background.

From Groups to Roles to Context: The Emergence of Attributes in Authorization

May 7, 2013/in Blog Michel Prompt/by Josue Ochoa

Last week, I introduced my favorite topic—digital context—and laid out a plan for how to consider the case. Today, we’ll dive in with a real-world example, looking at how freeing context from across application silos helps us make more considered, immediate, and relevant access control decisions. For those of you who have been following along (and thanks for sticking with me in my madness), this is blog 8 in response to Ian Glazer’s provocative video on killing IAM in order to save it. And if you haven’t been with me from the beginning: I’m in favor of skipping the murder and going straight to the resurrection.

It All Starts with Groups: The Simple, Not Especially Sophisticated Solution

Let’s start first with the notion of groups and their implementation. On the surface, nothing could be more straightforward: If I have to manage a sizeable set of users and assign them different rights to applications, I need to categorize those users into groups with the same profile, whether that’s by function, role, need to know, hierarchy, or some other factor. This is the simplest approach to any categorization, creating some “relevant” labels, then assigning people that fit within those label to define groups.

So let’s say we’re creating groups based work functions, such as sales, marketing, production, and administration. All we need to do is list all the people under a particular function, create a label, and then assign this label to those people. Couldn’t be easier, right? The simplicity of the process explains the huge success of groups—and although we implementers tend to make fun of groups as crude categorizations, I would guesstimate that at least 90% of our authorization policies are still implemented through groups. (So much for all that talk about advanced fine-grained authorization! But I’m getting ahead of myself here…)

In fact, we’ve become so dependent on groups that in many cases, especially with sizeable organization where the business processes are quite refined and well managed, we’re seeing that there are often more groups than users! At first glance, this seems paradoxical—after all, what’s the point of regrouping people if you have more groups than people? But the joke is on us technical people because we ignored another key reality: the business one. Sure, we could have a lot of people, but generally a well-managed and productive organization can have more activities (or different aspects of a given activity) that require the multiplication of those groups. So we gave our users a simple mechanism to categorize people into groups, and they used it—talk about being a victim of our own success! 🙂

Basically, we played the sorcerer’s apprentice and our simple formula yielded a multiplication of groups, which quickly became un-manageable. So we went back to the formula and started to tweak it, creating groups inside groups, hierarchies of groups, and nested groups; introducing Boolean operations on groups; aggregating them into roles, and so on. So what we were just saying about groups being simple? Simple for whom? Simple for the group implementers—yes, definitely. Simple for a user in charge of the initial creation of the group—sure. But add any complexity into the mix and the chaos begins.

So Much for the Digital Revolution: Every Change, Managed Manually

From a computer’s point of view, the assignment of a user to a group is totally opaque—just an explicit list entered by the person in charge of creating the group. This explicit list contains no information about why or how a user is dispatched into or associated with a group. In short, the definition of membership rests with the group owner, which is fine on the face of it. But that excludes any automated assignment of a new member to the group without manual intervention of the group owner. That means every change must be entered by hand—imagine the complexity as people constantly change roles and shift responsibilities. And imagine how easy it would be for an overworked manager to miss removing the name of the person she just fired from just one of the groups he was part of. Now imagine the security risk if that guy’s still got access to sensitive files.

Without explicitly externalizing those rules, those policies, the administration of the system becomes tied to the group owners/creators. The effort of sub-categorizing with nested groups or introducing more flexible ways to combine groups by using Boolean operators just reveals the root of the problem: When you give users better ways to characterize their groups, you are forcing those users to either make explicit the formation rules of their groups—or continue to make every single change manually, even as those changes become more complex and unmanageable.

And that’s how we (re)discovered the value of attribute-based group definitions.

Machine-Readable Groups: Using Attributes to Simplify Management and Make Policies Explicit

We realized that if we wanted to automate, to simplify the management of all these groups, we needed to describe them at the lowest level as the set of attributes that defined a given group, role, and—yes—context. We discovered that groups and policies can be managed in a more finely-grained manner with increased automation (and greater productivity!) if we characterized them as a set of attributes, combining them with the usual arsenal of Boolean expressions and functions. Basically, we needed an explicit computer representation of this characterization, instead of leaving such definitions in the head of an overtaxed administrator, hoping that auto-magically our human semantic would be interpreted and executable by our machines.

So we looked at how we represented those policies, groups, and roles and saw that an attribute-based system was a necessary condition. But unless we go further with this the analysis, we run the risk of oversimplification, of coming up with a solution that’s simplistic, instead of elegantly simple—and that would only create another set of problems down the road.

So we could keep all the elements—group, subgroup, etc.—as separated “entities” and link them to a person, as in the first example above. Or we could fuse them together with the definition of a user, as we’ve done in second example. After all, both implementations can technically yield the same categorization, meaning you can get to the definition of the groups and subgroups you need with the right members in both solutions.

But semantically, we’re not talking about exactly the same thing. In one case, we have a notion of groups and subgroups separated from the definition of the person. In the other, we’ve bolted those groups and subgroups on as attributes of that person. So which one is the right definition? That all depends on what you need in your representation—by which I mean it’s contextual—but it’s very important for us to fully grasp the difference. The decomposition into attributes is key for fine-grained authorization, but unless we have a clear understanding about what we are doing, we can take the decomposition too far. In such a case, the world becomes a chaotic set of attributes, where we can’t see the forest for all those trees. While we can peer into a universe made up of the most elementary particles, most real-life problems demand that we recompose that world by gluing all those objects back together again.

Breaking It Down and Building It Back Up, Better Than Before

And that is where we begin to see the need to not only decompose the world into attributes, but also to reorganize that world into objects, relationships, and context. What you get through this reorganization of your information representation is a more complete view of your system, where authorization can be enforced in a more granular way. This is the way we really intend to do it in our policies, as we would define them in natural language—and that’s exactly what we’ll be looking at in my next blog post.

So thanks for reading this introduction to my favorite topic, and be sure to check back for a deep dive into objects, relationships, and context. I’ll even show you how a marketing coordinator and a computer can learn to speak the same language!

Aerial view of a busy multi-layered highway interchange at night, with blurred car lights creating colorful streaks and intersecting roads illuminated by streetlights.

In Context: The Next Frontier of Your Digital Identity

April 30, 2013/in Blog Michel Prompt/by Josue Ochoa

I know I’ve been the Old Man of Novato, ranting about context all these years, but the market, the industry, and—most importantly—the technology are finally evolving toward this direction. For the longest time, it was just me and the usual suspects in academia and elsewhere, muttering in our corners about the Semantic Web, but now we’re hearing about context-aware computing from every direction. While I’ve refined a set of slides on context that I’ve delivered to groups large and small over the years, along with a demo of our Context Browser technology, now seems like a great time to put everything I know down in writing.

Although my French heritage and Math background prefer to start from theory and illustrate through examples, my newly American pragmatic tinkerer side is planning to do a quick roadmap here, then look at examples from our existing systems and, through them, make the theoretical case. It’ll take a few posts to get there, but then, I’ve really been enjoying blogging lately, as my manifesto in response to Ian Glazer will testify.

Context Matters: Where We’re At, Where We’re Headed

We’ve already seen the word creeping into marketing materials, but one of these days—okay, maybe months or years—it’s going to be more than a promise: digital context will be everything. As we get closer to digitalizing our entire lives, we’re also moving toward a context-aware computing world. Now, when we’ve talked about context-aware computing so far, it has seemed like one of those woolly concepts straight from a hyper-caffeinated analyst’s brain (or an over-promising marketer’s pen). But the truth is, any sizeable application that’s not somehow context-aware is pretty useless or poorly designed.

Sure, there are pieces of code or programs that exist to provide some transition between observable states and, as such, are “stateless.” And I know that on the geeking edge, it’s trendy to talk about stateless systems, which are an important part of the whole picture. In reality, however, the world needs to record all kinds of states, because a stateless world also means a world without any form of memory—no past, present, or future. So it’s not like most of our programs and applications are not context-aware. They are, and most of the time they’re pretty good at managing their own context.

The problem is that we move from context to context, and in the digital world this means that unless those programs, those agents, those devices share their context, we are facing a stop-and-go experience where the loss of context can be as annoying—or as dangerous—as an interrupted or broken service. The lack of context integration can mean a bad user experience—or a dead patient due to a wrong medication. In a world where actions and automated decisions can be taken in a split-second, this absence of context integration is a huge challenge. Nowhere is the issue is more acute than in security, in authentication and authorization.

The Big Question: What is Context?

This is what we’ll consider over my next few posts—what context is, how we represent it in current programs, and how we could link each island of context for a fuller, more fluid picture of how everything interrelates. We’ll begin by observing how authorization enforcement has evolved from the use of groups to roles to attributes and try to characterize what is context in those specific cases.

Then we’ll see how generalizing those observations and combining them with an intuitive, natural language description of context can guide us toward a solution to represent and link context across data silos.

Of course, since I’m all about evolution and not disruption, we’ll look at how such an implementation can leverage existing databases and directory structures to deliver the same advantages—familiarity, experience, scalability—while cancelling the current limitations, such as both systems’ known inflexibilities and the problems of large-scale distributed deployments.

Finally, I’ll illustrate how this new category of software—what I call context servers—can be leveraged, first in security and later as a way of gluing together our existing application silos.

Be sure to check back to join our discussion of using context to drive policy development and authorization enforcement.

A single tree stands at the center, with its left side bare over snowy ground and its right side full of green leaves over grass, symbolizing the transition between winter and summer under a partly cloudy sky.

Bringing IAM Back to Life with a Federated Identity Service: Leveraging Your Silos for Authentication and SSO

April 15, 2013/in Blog Michel Prompt/by Josue Ochoa

Welcome to the sixth post of my series in response to Ian Glazer’s video on killing IAM in order to save it (AKA my Russian novel on identity, security, and context). We’ve looked at a lot of the issues surrounding identity today, and if you’ve been following along, my perspective on how to solve these issues is probably pretty clear by now. We at Radiant feel strongly that you need to federate your identity layer, just as we’ve all been busy federating access. But what does that look like? Here’s how the VDS, our RadiantOne virtualization engine, implements a federated identity service—we’ll be focusing on the highlighted part of this diagram today:

The common abstraction, data modeling, and mapping serve as the “backplane” for the whole system. As we see in the leftmost section of the diagram above, the system starts with the existing identity sources and transforms this identity data through three higher-level services built on top of the VDS virtualization layer.

First, the “aggregation” service regroups the different identity sources side by side. In directory talk, this is like “mounting” each different identity source into its own separated branch. Here, we don’t try to merge the different identities, we regroup them under a common virtual root, while keeping each namespace separated. Metaphorically, it’s like people putting different objects (identity sources) into a common bag (the “virtual directory”). The main advantage of this structure is that it allows you to send a global search, from the root to the top of the tree, to find an identity that can be defined in one (or more) aggregated identity sources.

Then, the “correlation” service determines if there are any commonalities across those different identity sources. Beyond the local/specific identifier for a given identity, the service discovers any correlation based on attributes and rules that can disambiguate an entity—a person or object—from across the different identity sources and representations. From a logical point of view, the correlation service is used to create a union of the different identity sources. The end result is a new identification scheme, where each entity in the system is uniquely—and uniformly—identified by a “global identifier” from across all identity silos. This global identifier does not exist in isolation; it’s also tethered back to each specific local identifier, so we always know where every piece of information lives. After the correlation stage, the entire set of existing identity sources is regrouped into a global namespace, where each identity is totally disambiguated.

Finally, the “integration” service links identities with their attributes for a complete global profile. For any given entity that exists in more than one data source (which we determined via the union operation described above), we can now take advantage of the common link—or global identifier—to “join” different attributes that are specific to each source. Through this join operation, we obtain a global profile out of each local description.

Virtualization + Transformations: The Foundation of SSO and Your Bridge to the Cloud

Not every situation requires all three of these advanced services, but at least one is usually required to ensure that your federated identity contains all the information you need for your specific use case. Once you’ve gone through some or all of these stages, you end up with a “rational” federated image of your heterogeneous system.

And if your main target is to authenticate users and deliver single sign-on, this is where you can call it a day. Such an image of your system makes it easy to identify and check credentials for any given user. All you do is a simple search, followed by an authentication request against the federated system, and you’ve got everything you need: you know if a user is defined in one or more of your identity sources, how to check his or her credentials, and which protocols to use. Once the user found, the virtual layer automatically conducts whatever specific authentication operation is required.

Beyond Credential Checking: Adding Extra Assurance to Authentication

Using our federated identity hub to solve this authentication challenge is a huge win, in and of itself. But for many industries, today’s world demands new layers of assurance—a form of extended authentication, like that second photo ID you have to produce when extra security is required. As service offerings grow more complex and demand greater security, you need different levels of identity assurance, unless you want to fall victim to what Anil John so brilliantly characterized as a “Maginot line of authentication.” His blogpost on identity assurance explained these issues perfectly and I encourage you to read it. For my purposes here, I’m borrowing one of his diagrams.

Here we have the “state” flow for a banking user, along with the requirements in terms of security. Once the credentials have been verified on the left, the other red diamonds indicate decision points where a user wants to access different levels of regulated service—and best security practices call for escalating identity verification. Those additional security challenges provide the right “level of assurance” needed to grant access to increasingly sophisticated services.

As we progress across this activity flow, each step requires more and more information from a user—and this is information that needs to be collected, either at identification/authentication time or as the user goes. So we can see that the authentication process in itself is beginning to demand a richer profile, a set of information that can be progressively disclosed based on a user’s activity. And here’s where the lines between authentication and authorization begin to blur, and where a federated —and context-aware—identity becomes increasingly imperative.

As the need for enhanced security grows, authentication and authorization will form a continuum where information needs to be disclosed and accessed based on context. And now we’ve come to my very favorite topic. Although RadiantOne does a great many important things, the system is at its best when it’s discovering context from across disparate sources to drive deeper security decisions—and build richer relationships with customers. My next blogpost will dive deep into how context works in a federated identity system, then we’ll finish up the series with a closer look at the other half of the security puzzle: authorization and provisioning.

Thanks again for reading, and stay tuned for Michel’s primer on context.

Close-up of the rear wheel of a bicycle, showing metal spokes, blue frame, chain, and axle nut against a light background.

The Federated Identity Service as a Hub for Authentication, Authorization, and Provisioning

April 1, 2013/in Blog Michel Prompt/by Josue Ochoa

I’ve been blogging in response to Ian Glazer’s video about killing IAM in order to save it (I’m in favor of saving, even if we don’t agree on the killing part).

A Millions Paths to Everywhere: The Internal Authentication Challenge

As we discussed in my most recent post, authenticating users and securely communicating authorization information with a cloud application—or any web-based portal—requires a common endpoint acting as the enterprise IdP. We also know you’ll need to be able to access multiple cloud applications, such as Salesforce, Workday, and Google Apps, as your enterprise moves toward this model. And we’ve seen that you’ll need many token translations on a per-application basis. But this is only one part of the requirement.

Another key function to support is being able to authenticate an incoming user against multiple internal authentication sources. Think about all the legacy applications and identity stores deployed across your infrastructure, with their various authentication methods and protocols—they’re all over the map, right? First, you encounter the AD domains, and get lost in all those forests. The authentication method here could be name/UPN and password or based on Kerberos and Windows integrated authentication. But the user could also be stored in some SQL database with a proprietary hard-coded password encryption. Chasing the user across diverse forests and data stores and knowing which authentication method is appropriate for presenting and checking credentials is a full-time job—one that predates the challenge of cloud applications. In fact, the search for a common identity structure has been a primary headache for IAM for as nearly long as the category has existed. Multiple attempts have been made to solve these issues, from in-house script-and-sync to metadirectories to virtual directories. These new requirements for supporting the cloud have just made it more acute.

No matter what you call it (or how it works)—whether it’s an enterprise directory, metadirectory, or virtual directory—the logical mechanism you need is a federated form of identity. Why federated? Because you don’t want to reinvent this layer, which already exists in a highly distributed, heterogeneous way across your identity silos. Better to tap into what already exists, while giving your underlying data more scope and flexibility by bringing it—or a flexible representation of it—into an identity hub. Now, you could implement this hub in many different ways, but we believe that a virtualization layer, based on a global data model that rationalizes and reconciles the different local views, is the most effective way to do it. And in a world where you will connect to multiple applications using “federation” standards, you need to do more than just federate access via the SaML or OpenID Connect layer—you need to federate your identity layer, as well. And the way to get to a federated identity is through virtualization.

All Roads Lead to the Hub: The Need for a Common Attribute Server and Better Provisioning

But authentication is only the first challenge for bridging your identity infrastructure to the cloud. Beyond providing secure internal authentication, you must also deliver attributes that are required for groups, access rights, and authorization. So as an identity provider, you will need to act as (or be coupled to) an attribute server. And then there is the huge challenge of accounts and attribute provisioning. Despite tons of progress in terms of user interface, connectors, workflow, business logic , transaction support, and standards (anyone remember SPML?), provisioning on the internal, legacy side of applications has only encountered limited success and remains a stop-and-go process. I believe you need all the features I just mentioned, but unless you want to go through endless iterations of manual workflow definition, you need an automated system that can normalize the different versions of the truth for your identity, before pushing it through your provisioning and logic engine.

Fast forward and think about the n different applications in the cloud you need to provision to, and it’s like déjà vu all over again…with even more complications. So again, as both a final authoritative source of your identity and as an attribute server, you will need a rationalized view of your identity, a federated Identity system.

This diagram illustrates how such a federated identity service would enable authorization and provisioning to cloud-based applications, using attributes from across your heterogeneous stores:

Next time we will look at the architecture of this federated identity, or “FID,” and then we’ll end this series with a deep dive into my favorite topic—context—along with graph and protocols support.

A large group of Star Wars Stormtrooper figures arranged in neat rows, all facing forward in identical white armor and helmets.

Token Translation and Internal Authentication: Where Your Federation Needs a Federated Identity

March 26, 2013/in Blog Michel Prompt/by Josue Ochoa

I ran into Ian Glazer at last week’s Gartner IAM conference. It was an excellent event, and the weather was so cold in London (or perhaps that’s just my inner Californian talking) that the crowd was even more attentive than usual. Although he had places to go and people to see, Ian gave me some quick but very valuable feedback about this blog series in response to his video about killing IAM to save it. His big takeaway was that “it’s not about the storage.”

And I’ve had lots of flight time since then to think about what he said. I’m a “coder” at heart (and you know the old adage: “program first, think later”), so I jumped quickly to the hardcore story about SQL, graph, and LDAP, with lots of good justification for that focus—and you can follow along here, here, and here. But I agree that the drivers, the pain points that are forcing us to re-think identity management as we know it, are the fast adoption of the cloud and its multiple SaaS applications on one side and the unstoppable growth and demand for access through all kinds of mobile devices on the other.

And here I believe is where the analysis from Ian is at its best.

Let’s look at the two main players (beyond the dreaded form-based, name/password authentication) when it comes to federated access to an application that’s delivered on the cloud (or even on the internet). Our best candidates here would be SAML 2.0-based federation and Open-ID Connect/Oauth 2.0. You would find SAML 2.0 in use with most SaaS vendors. And more and more, your web applications, Facebook, Google +, Windows Azure, and others can act as a “trusted identity provider” to allow external users to sign to your application.

I will illustrate the issue by looking at SAML 2.0, but the need for mapping “external identity” to your own internal representation will still exist, even when you trust Facebook.

Federating Access and Federating Identity

One of the main values of a “federation” layer is to funnel authentication requests to an “identity provider” or IdP. In the case of SaaS applications, this redirection points to your company—basically, your enterprise is the IdP.

Once the IDP receives the authentication request, it must:

Authenticate the user against some “internal authentication sources,” such as AD, LDAP, or databases.
Map the internal identity representation to the external format the SaaS application requires.
Encode the authentication token based on the mapping result.
Send it back to the SaaS application.

The process is illustrated here:

What Could Go Wrong? The Care and Feeding of Your IdP

This process raises a couple of major challenges. The first challenge is the need for internal authentication and remapping. The first three operations—authentication, mapping, and token creation—need to be done by you, the identity provider. All the SAML layer does is move the token around; all the rest is up to you. So what does this mean for the enterprise-as-identity-provider? In a typical scenario, you would have to map InetOrgperson attributes to a SAML2.0 attribute or a JSON structure. And that can get very complex very quickly.

The second challenge is that there are as many remappings as there are applications. The translation and mapping is based on a given list of token attributes for each application. So the mapping for Google apps has nothing to do with the mapping for SaleForce, etc. Basically, every SaaS application speaks a different “dialect” of SAML—and expects to get that exact language back from the IdP.

The bottom line is that without an authentication hub and application-specific mapping to act as a bridge between your internal and external systems, you still have what I call “Star Wars” syndrome when it comes to authentication—and that’s not the fun part with light sabers or ewoks.

This diagram shows the Star Wars effect happening in today’s identity environments (I sense a disturbance in the infrastructure, Luke):

Now that we’ve established what’s ailing IdM these days, I’ll spend some time on the cure in my next blogpost. Be sure to check back for a look at how a federated identity service solves the “Star Wars” syndrome and lets you leverage your current infrastructure to do some very cool new things (think context-aware applications).