Federation, Entitlement Management, and the Cloud

| | Comments (0) | TrackBacks (0)
Now that I'm w/ Ping Identity in Sweden, it was only a matter of time before I bumped into the guys at Axiomatics. When I was in Stockholm the other day, we had fika and talked about federation, entitlement management, financial services, and the upcoming EIC conference. While we sipped our coffee, we discussed what it would look like to put our products, PingFederate and Axiomatics Policy Server (APS), together to form a best-of-breed solution that provides organizations like financial institutions with the ability to easily get prospects into the customer corridor by leveraging identities that they already have while simultaneously removing authentication and authorization from their line of business (LOB) applications.

Before our bullar were done, we had come up w/ an architecture that used PingFederate's Cloud Identity Connectors to reduce the number of steps prospective retail banking customers have to perform when deciding whether or not to do business with a particular financial institution. Using these, prospects can connect with Facebook, Google, Twitter, or other social networks to easily provide basic information about themselves (e.g., the country they live in). With this, a bank can show the prospect personalized and targeted information such as local contact phone numbers, state- or country-specific terms of service, local market news (e.g., exchange rates for the Krona if in Sweden or USD if in the States), and locations of nearby branches and ATMs. Using existing identities, organizations can provide Web surfers with more relevant information, helping them find what they need to decide to begin doing business with the provider.

In the banking scenario that we were chatting about as well as in many others, security in critical. In such cases, social sign-on, though helpful in reducing friction and increasing conversion rates, cannot provide a high enough level of assurance (LoA) that a person really is who they say they are. To overcome this, after someone signs up for an account, a bank would verify their physical identity and then provide them w/ a new digital identity. Using the new one and not a social network identity, the customer could gain access to higher value assets like online banking. This account would be stored in a directory maintained by the financial institution. Even with this and the support for all the different protocols used by the various social networks, our architecture was simple because PingFederate supports so many types of identity providers. The overall scheme we cooked up is shown in the following sketch:

When a prospect or customer accesses the banking Web site, they are given the opportunity to use a social login or an identity provided by the bank. Regardless, information about the requested page and how the user authenticated is sent to APS in a XACML message which renders a decision about whether or not access should be granted or denied. As a result, if a prospect has authenticated using a social networking account, APS will not allow them to access sensitive area of the Web site; instead it will redirect them back to the login page where they can login using a more trustworthy identity. If APS decides that access should be allowed to the page, which buttons, tabs, bank accounts, and other elements should be render will also be determined using claims asserted by PingFederate.

With an architecture like this, the application doesn't have to understand the numerous federation protocols and security tokens used by the various social networks. It also doesn't have to interface directly with the identity store where customers are kept which could be an LDAP directory, a RDBMS, a mainframe, and/or something else. The LOB application handles identities as claims asserted by PingFederate, giving it one normalized representation of the customer or prospect. Authorization rules that governs access to resources are also maintained outside of the application. Policies can be stored centrally and updated without recompiling or redeploying the application.

After finishing our coffee, we couldn't help ourselves; it seemed so simple, we had to try to implement it. Before I had to catch my train home, we had the basics working. It didn't require any custom coding whatsoever. (The only coding needed was for the online banking application because neither of us had one of those.)

Given that we are both going to be at EIC, we thought we might show it off there. Stay tuned on that. In the meantime, if you have questions or thoughts about this, please drop me a line.