Friday, November 27, 2015

SaaS Identity and Directory Services

For SaaS providers, what are the available mechanisms for integrating with a directory service?

  1. The LDAP can be fronted by an IdP hosted in the DMZ that provides authentication and authorisation mechanisms to Cloud services. The authentication/authorisation mechanisms can be web federation protocols such as SAML/OIDC. This is shown in the above figure.

  2. The LDAP (rather, a replica of it) can be exposed via "ldaps" (SSL-protected LDAP) to the external Cloud services.

  3. The LDAP itself can be synced to the Cloud services. Technologies like Azure AD Connect can be used to implement this methodology.

Going from the 1st to the 3rd mechanism, the security/privacy responsibility that lies with the SaaS provider increases.

For the 3rd mechanism, the users must trust the SaaS provider to store their directory data and passwords. I believe any organization will think twice before syncing its LDAP with external parties.

So one might ask: hold on, what about online enterprise identity providers? Online identity providers such as OneLogin have obtained certifications to prove that data is private and well protected. Obtaining such certifications is very expensive, and they need to be maintained (audits must be done periodically).

The first mechanism can be illustrated as follows.

Wednesday, November 25, 2015

Federation Patterns - Why/How federated authentication only?

Federated authentication (SSO) and Service Provider-maintained sign-in can co-exist in the system, but this has account management problems. Consider that your HR system has the following.

For example, when an employee leaves the organization, they must be deleted from both places manually. This is error-prone.

In order to overcome this problem, it is better if the system gives an option to disable maintaining passwords at its end when there is an external IdP.
When an organization decides that it wants federated authentication only, the system must provide a way to disable local authentication mechanisms. This means:
  • Show only the Identity Provider Sign In option on the login screen
  • The Forgot Password link is not present on the system login screen
  • Existing passwords get scrambled
  • Users cannot reset passwords from their profile
Now comes the interesting question: how is my mobile app going to work? It can be done in one of two ways.
  • Users can go to their profile and generate a PIN for the mobile app
  • Implement SSO for the mobile app. Here SAML-based SSO is challenging because it is based on browser redirects, but native SSO support is available based on OIDC (OpenID Connect) and OAuth
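As an added illustration (not code from this post or any product), here is a small Python model of the "federated authentication only" rules above together with the mobile PIN option: the class, method and store names are assumptions. The point it makes is that the server must refuse local credentials and scramble stored passwords, not merely hide the sign-in form and reset link from the screen.

```python
import hashlib
import hmac
import secrets


class TenantAuth:
    """Per-tenant sign-in state for a SaaS app (illustrative model, not a real product)."""
    def __init__(self):
        self.federated_only = False   # set once the tenant opts for IdP-only sign-in
        self.password_store = {}      # username -> (salt, PBKDF2 digest); constructed in-memory store
        self.mobile_pin_store = {}    # username -> (salt, PBKDF2 digest) for the mobile-app PIN

    @staticmethod
    def _digest(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def _store(self, table, user, secret):
        salt = secrets.token_bytes(16)
        table[user] = (salt, self._digest(secret, salt))

    def _verify(self, table, user, secret):
        rec = table.get(user)
        return rec is not None and hmac.compare_digest(rec[1], self._digest(secret, rec[0]))

    def set_password(self, user, password):
        self._store(self.password_store, user, password)

    def enable_federation_only(self):
        """Switch to IdP-only sign-in and scramble every stored password so none stays usable."""
        self.federated_only = True
        for user in list(self.password_store):
            self._store(self.password_store, user, secrets.token_urlsafe(32))  # random, never shown

    def login_options(self):
        """Login-screen controls: no local sign-in or forgot-password link in federation-only mode."""
        return ["idp_sso"] if self.federated_only else ["local_password", "forgot_password", "idp_sso"]

    def local_login(self, user, password):
        """Server-side gate: refuse local passwords in federation-only mode even if a client sends one.
        The same gate belongs on the profile-page password reset path."""
        return not self.federated_only and self._verify(self.password_store, user, password)

    def issue_mobile_pin(self, user):
        """Mobile option 1 from the post: a PIN generated from the profile, usable in either mode."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._store(self.mobile_pin_store, user, pin)
        return pin   # shown once to the user; only its salted digest is kept

    def mobile_login(self, user, pin):
        return self._verify(self.mobile_pin_store, user, pin)
```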