[CLIENT] - Identity Federation Workshop 4-25-07

Date post: 06-Apr-2018
Upload: prakash-venkata

Transcript
  • 8/3/2019 [CLIENT] - Identity Federation Workshop 4-25-07

    PwC Confidential 19-Feb-12

    Agenda (60 min)

    Preface (5 minutes)
    Workshop Objectives
    Our Understanding of [CLIENT]'s Online Initiatives
    Our Understanding of the Business Drivers/Value Proposition of Identity Federation at [CLIENT]

    Section 1 (5 minutes): Introduction to Identity Federation
    Identity Federation Roles
    Identity Federation: The Solution

    Section 2 (25 minutes): Identity Federation Business Scenarios
    [CLIENT] Identity Federation Business Scenarios

    Section 3 (25 minutes): Preparing for Identity Federation
    [CLIENT] Identity Federation Strategy
    [CLIENT] Legal/Regulatory Compliance Requirements
    [CLIENT] Agreements: Business Level, Service Level
    [CLIENT] Technical Requirements


    Workshop Objectives

    Our objectives for this workshop are listed below:

    - Facilitate discussion of the business, privacy and technical issues around Federation for [CLIENT].
    - Discuss privacy considerations, both general and specific to the issues stated above.
    - Discuss the extension of [CLIENT]'s current identity management infrastructure with Federation.
    - Start to identify next steps.


    Our Understanding of [CLIENT]'s Online Initiatives

    [CLIENT] has launched a collaborative portal for volunteers and state sites. The collaborative environment may expand to include other external parties.

    [CLIENT] is deploying several new online services for members this year, including [CLIENT PROGRAM] and [CLIENT PROGRAM].

    [CLIENT] is launching a new social networking site for visitors interested in a relationship with [CLIENT] (members and non-members). The site will enable registered users to set up personalized websites, share photos, and upload video content.

    [CLIENT] is expanding internationally through the launch of the [CLIENT PROGRAM]. The first member of the network is [CLIENT PARTNER]. [CLIENT] intends to offer reciprocity of benefits to individual members of [CLIENT PARTNER] beginning in January 2008.


    Our Understanding of [CLIENT]'s Online Initiatives (Contd.)

    Are there other online initiatives at [CLIENT] that we have not discussed?


    Our Understanding of the Business Drivers/Value Proposition of Identity Federation at [CLIENT]

    Improved Member Online Experience
    Federation can be deployed to enable [CLIENT] members to experience SSO when linking to partner websites. For example, a [CLIENT] member can experience single sign-on from [CLIENT WEBSITE] to the website of a trusted partner, e.g. [CLIENT PARTNER].

    Information Security
    In a federated environment, the personally identifiable information of [CLIENT] members can be kept private: the IdP keeps the member record and exchanges only the limited set of member data the partners have agreed on.

    Cost Savings
    [CLIENT] can potentially reduce the costs associated with building and maintaining custom interfaces with 3rd parties who need access to member data.


    Our Understanding of the Business Drivers/Value Proposition of Identity Federation at [CLIENT] (Contd.)

    Are there other business drivers for Identity Federation at [CLIENT] that we have not discussed?


    Identity Federation Workshop

    Section 1:

    Introduction to Identity Federation


    Introduction to Identity Federation (Contd.)

    Federation Roles

    When discussing Federation, it is important to understand the terms and concepts commonly used when describing Federation transactions. These include:

    Person/User/Principal: an entity that can be authenticated, make use of services, and obtain a federated identity.

    Identity Provider (IdP, or source domain): the organization that authenticates Principals and asserts their identities within an established trust relationship.

    Service Provider (SP, relying party, or destination domain): the SP relies on an IdP to authenticate and assert the identity of Principals who wish to access web-based services or goods provided by the SP. The SP does not see the Principal's credentials; it accepts (or rejects) the IdP's assertion.

    Note: An organization can be an IdP, an SP, or both, depending on the business scenario.

    Circle of Trust: a trust relationship established by a group of IdPs and SPs. There can be multiple IdPs and SPs in a circle of trust, and an SP should accept assertions only from IdPs that are members of its circle.


    Introduction to Identity Federation (Contd.)

    Federation: The Solution

    [Diagram: Identity Federation Solution]


    Identity Federation Workshop

    Section 2:

    [CLIENT] Identity Federation Business Scenarios


    [CLIENT] - Identity Federation Business Scenarios

    1. Access to Externally Hosted [CLIENT] Systems or Trusted Partner Websites

    A. [CLIENT] Members

    [CLIENT] members access 3rd-party hosted sites, e.g. [CLIENT PROGRAM] and [CLIENT PROGRAM], and trusted partner websites, e.g. Travelocity, The Hartford and United Healthcare.

    Most of these systems require a separate username/password for [CLIENT] members to log in.


    [CLIENT] - Identity Federation Business Scenarios (Contd.)

    1. Access to Externally Hosted [CLIENT] Systems or Trusted Partner Websites (Contd.)

    A. [CLIENT] Members (Contd.)

    Benefits of Federation

    - Can enable single sign-on from [CLIENT].org to the trusted partner site.
    - Can reduce or eliminate the need to enter the same information (addresses, phone numbers, etc.) at multiple service provider (SP) web sites.
    - Third-party partners do not have to revalidate that the customer is a [CLIENT] member.
    - Simplifies password management for [CLIENT] members while they access externally hosted applications related to member services.
    - Enables a richer online experience for [CLIENT] members (while accessing externally hosted or trusted partner applications) and increases the value of the [CLIENT] relationship for trusted partners.
    - Simplified interaction between [CLIENT] members and trusted partners could lead to increased awareness of member benefits and increased online enrollment in trusted partner offerings by members.


    [CLIENT] - Identity Federation Business Scenarios (Contd.)

    1. Access to Externally Hosted [CLIENT] Systems or Trusted Partner Websites (Contd.)

    B. Employees

    [CLIENT] hosts several business, finance and HR systems with 3rd-party companies. Most of these systems require a separate username/password for [CLIENT] employees to log in. Federation can enable web SSO from [CLIENT] to the external system.

    Potential federation integration candidates include [CLIENT PARTNER], [CLIENT PARTNER], [CLIENT PARTNER], [CLIENT PARTNER], and [CLIENT PARTNER].

    Benefits of Federation

    - Simplifies password management for [CLIENT] employees while they access several business, finance and HR applications.
    - Enables [CLIENT] employees to have a rich online experience while accessing applications hosted with 3rd-party companies.


    [CLIENT] - Identity Federation Business Scenarios (Contd.)

    2. Trusted Partner's Customer to [CLIENT] Website

    Federation can enable [CLIENT] to act as a service provider and accept federated users from trusted partners.

    - The trusted partner is responsible for authenticating the end user.
    - [CLIENT] can accept the trusted assertion and allow the person access to [CLIENT]-hosted web content and services.

    Benefits of Federation

    - Provide new avenues for [CLIENT] to recruit members or drive traffic to [CLIENT]'s website.
    - Enable the trusted partner's customer to be identified by [CLIENT], thereby delivering a personalized experience.


    [CLIENT] - Identity Federation Business Scenarios (Contd.)

    3. [CLIENT] Global Network Support

    Federation can enable [CLIENT] members to obtain personalized services from international organizations participating in the [CLIENT] Global Network (or vice versa).

    Ensure that only validated users obtain access to online Global Network benefits.

    Benefits of Federation

    - Potentially help to address the legal and regulatory obligations [CLIENT] may encounter when engaging in the sharing or transfer of personal or private data about members or Global Network participating users.
    - Federation can enable the experience of engaging with a Global Network partner to be simpler and more personal.

    Note: It is recommended that [CLIENT] conduct a detailed analysis of US, EU, and other international privacy and compliance laws prior to engaging in shared services with Global Network members and organizations.


    [CLIENT] - Identity Federation Business Scenarios (Contd.)

    4. Business Unit Federation

    Certain [CLIENT] business units may be required to operate independently. Federation can be used internally to enable users from one business unit to access web applications hosted by another business unit.

    An example of this scenario could be employees of [CLIENT] Financial Inc. accessing web-based applications and systems hosted by [CLIENT], or vice versa.

    Benefits of Federation

    - Federation enables the systems to remain separate while still providing users with a single sign-on experience.


    Identity Federation Workshop

    Section 3:

    Preparing for Identity Federation


    Preparing for Identity Federation

    Identity Federation will enable [CLIENT] to extend the capabilities of its Identity Management infrastructure to provide integration with trusted third parties such as service providers. However, there are business issues inherent in Identity Federation. Business issues in the following areas should be discussed before implementing Identity Federation:

    - [CLIENT] Identity Federation Strategy
    - Legal/Regulatory Compliance Requirements
    - Business-Level Agreements
    - Service-Level Agreements
    - Technical Requirements


    Preparing for Identity Federation (Contd.)

    [CLIENT] Identity Federation Strategy

    - Gather information about any existing Federation frameworks that [CLIENT]'s priority third parties may already have in place.
    - Determine the identity data elements to be transmitted amongst Federation partners. This will help to determine which regulatory requirements need to be addressed.
    - Pilot one of the business scenarios (mentioned earlier) involving a priority third party (e.g. [CLIENT PARTNER] or [CLIENT PARTNER]) as a Federation partner.


    Preparing for Identity Federation (Contd.)

    Legal/Regulatory Compliance Requirements

    [CLIENT] should analyze applicable local, state, national, and international privacy and data protection regulations, directives, and laws, and develop appropriate strategies and operational plans to address compliance responsibilities.

    Privacy & Data Protection
    - Review local and international laws and requirements, e.g. the EU Data Protection Directive.
    - International laws differ from U.S. laws and may be a barrier to overcome, requiring added technical and operational components.
    - Restrictions and operational requirements around trans-border flows of personal information; the scope of information in question goes beyond just customers.
    - In-country representation, filing requirements, and potential approval processes.
    - Ability to demonstrate adequate technical, physical, and administrative safeguards.

    Review, enhance, and implement appropriate policies, processes, and technical safeguards.

    Compliance
    - Policies and procedures: customer and employee policies, and internal policies and procedures.
    - Governance and accountability: local and international roles and responsibilities.
    - Due diligence: contract amendments and security assessments with trusted partners (Circle of Trust).
    - Communication, training, and awareness.
    - Ongoing monitoring, auditing, and reporting: internal and trusted partner (Circle of Trust) reviews.
    - Discipline and incentives.
    - Incident response and crisis management: breach notification requirements.


    Preparing for Identity Federation (Contd.)

    Business-Level Agreements

    Inherent in the Federation model is the concept of a Circle of Trust. This is both a business and a technical requirement.

    Business Relationships & Terms of Engagement
    - Examine contractual agreements with business partners to determine if they contain the necessary terms, conditions, etc. to allow for such a business relationship.
    - Review membership agreements to ensure Federation of member data is adequately addressed.
    - Create contractual agreements addressing the technical requirements of Federation, e.g. the authentication process of a user by the IdP (since every SP in the circle will rely on it).

    Financial Commitments
    - Establish contractual agreements defining the financial responsibilities of Federation partners.

    Risk Management
    - Refresh the Third-party Security Program (TSP) to ensure it addresses Identity Federation security models and relevant security controls.
    - Examine how [CLIENT] can limit the risk incurred by its trusted partners in the event of a security breach, identity theft, error, etc. originating from [CLIENT].
    - Establish contractual agreements between [CLIENT] and its partners that determine to whom liability is assigned in the event of a security breach, identity theft, error, etc.


    Preparing for Identity Federation (Contd.)

    Service-Level Agreements

    Customer Service
    - Review contractual agreements with trusted partners on the service level.
    - Clearly define terms regarding who is responsible for managing customer/user issues.

    Business Continuity Planning
    - Establish processes to deal with disaster recovery for both [CLIENT] and its trusted partners.

    Incident Management
    - Establish contractual agreements with business partners regarding how events/incidents are managed when a security breach, identity theft or error, etc. occurs.
    - Establish a process for communicating and responding to incidents during Federation between [CLIENT] and its partners.


    Preparing for Identity Federation (Contd.)

    Technical Requirements

    [CLIENT] and its trusted partners should agree on the technical specifications to be used for their federation.

    Federation Standards, Models and Protocols
    - [CLIENT] must determine which standard it will support (SAML 2.0, WS-Federation, Liberty Alliance).
    - [CLIENT] should decide the Federation model(s) it wishes to operate under. [CLIENT] must decide if it will be an Identity Provider, a Service Provider, or both.
    - [CLIENT] should work with its trusted partners to determine the Federation models, protocols and standards the Circle of Trust will operate within.
    - Develop a Federation integration guide for new partners that will ease the process of onboarding and explain how Federation will technically work within the Circle of Trust.
    - [CLIENT] and its trusted partners should establish a steering committee to oversee adoption and roll-out of Federation.

    Federation Product/Vendor
    - Integrate the Federation product with the existing Web Access Management (WAM) infrastructure to leverage its Identity Management capabilities.


    Preparing for Identity Federation (Contd.)

    Technical Requirements (Contd.)

    User Administration
    - [CLIENT] and its trusted partners should agree on how user data is administered.
    - A process that supports the lifecycle of the user's identity credentials, from creation and modification to deletion, should be discussed.
    - Will need to adopt a common user enrollment and entitlement process.

    Access Policy
    - [CLIENT] and its trusted partners should establish policies governing service access within their Circle of Trust.
    - Circle of Trust members other than the IdP give up control of authentication but retain control of authorization: the SP decides what an asserted user may do on its own systems.

    Session Policy
    - [CLIENT] and its trusted partners should determine the rules governing a user's browser sessions while accessing services provided by them (e.g. session lifetime, assertion validity window, and logout behaviour across partners).


    Preparing for Identity Federation (Contd.)

    Technical Requirements (Contd.)

    Data Attributes
    - [CLIENT] and its trusted partners should determine the specific data attributes that will be shared to enable Federation within their Circle of Trust.
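    The following Python is an added illustration of the exchange described under Federation Roles and under the Access Policy and Data Attributes points above; it is not part of the PwC deck and not any vendor's product code. The IdP authenticates a member (assumed already done) and issues a signed assertion carrying only the attributes the Circle of Trust agreed to release; the SP checks the issuer against the IdPs it trusts, the signature, the intended audience and the validity window, and then applies its own authorization policy. The partner names, keys, attribute names and member record are hypothetical, and a per-partner HMAC key stands in for the XML-Signature that real SAML 2.0 or WS-Federation assertions use, so the example runs offline.

```python
"""Minimal identity-federation exchange: IdP issues, SP validates and authorizes.

Added example, not from the workshop deck. Simplification (assumption): an HMAC
shared per partner replaces the XML-Signature/X.509 signing of real SAML or
WS-Federation assertions; everything else mirrors the checks an SP must make.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: the Circle of Trust as seen from one SP.
# Per-partner secrets would be exchanged under the business-level agreement.
TRUSTED_IDPS = {
    "https://idp.example-member-org.org": b"hypothetical-shared-secret-idp-1",
}
SP_ENTITY_ID = "https://sp.example-partner.com"
ASSERTION_TTL = 300          # seconds; the agreed assertion validity window
PAIRWISE_SALT = "hypothetical-idp-salt"

# Data attributes the partners agreed to exchange: membership facts only.
# The member's name, address etc. stay with the IdP.
RELEASED_ATTRIBUTES = ("member_status", "membership_tier")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_id(idp: str, sp: str, internal_id: str) -> str:
    """Opaque per-SP subject identifier, so two SPs cannot correlate a member."""
    digest = hashlib.sha256(f"{idp}|{sp}|{internal_id}|{PAIRWISE_SALT}".encode())
    return digest.hexdigest()[:32]


def idp_issue_assertion(idp_id, key, member_record, audience, now=None):
    """IdP side: after authenticating the member, assert a minimal identity."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "iss": idp_id,
        "aud": audience,                       # which SP may consume this
        "sub": pairwise_id(idp_id, audience, member_record["internal_id"]),
        "iat": now,
        "exp": now + ASSERTION_TTL,
        "attrs": {k: member_record[k] for k in RELEASED_ATTRIBUTES if k in member_record},
    }
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class AssertionRejected(Exception):
    pass


def sp_validate_assertion(token, now=None):
    """SP side: the trust decision. Each check here is one an SP must not skip."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, sig = token.split(".")
        claims = json.loads(unb64url(body))
    except ValueError:
        raise AssertionRejected("malformed assertion")
    issuer = claims.get("iss")
    key = TRUSTED_IDPS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise AssertionRejected("issuer not in Circle of Trust")
    expected = b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise AssertionRejected("signature invalid")
    if claims.get("aud") != SP_ENTITY_ID:
        raise AssertionRejected("assertion issued for a different SP")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        raise AssertionRejected("assertion outside validity window")
    return claims


def sp_authorize(claims, service):
    """Authorization stays with the SP: the IdP only vouches for who the user is."""
    status = claims.get("attrs", {}).get("member_status")
    if service == "public_content":
        return True
    if service == "member_discounts":
        return status == "active"
    return False


def sp_decision(token, service, now=None):
    """Convenience wrapper returning ("allow" | "deny", reason) for logging."""
    try:
        claims = sp_validate_assertion(token, now)
    except AssertionRejected as exc:
        return ("deny", str(exc))
    if sp_authorize(claims, service):
        return ("allow", claims["sub"])
    return ("deny", "SP authorization policy")


if __name__ == "__main__":
    # Constructed member record held by the IdP; note the PII it contains.
    member = {"internal_id": "M-1001", "name": "Pat Example",
              "address": "1 Main St", "member_status": "active", "membership_tier": "gold"}
    idp = "https://idp.example-member-org.org"
    token = idp_issue_assertion(idp, TRUSTED_IDPS[idp], member, SP_ENTITY_ID)
    print(sp_decision(token, "member_discounts"))
    print(sp_decision(token[:-1] + ("A" if token[-1] != "A" else "B"), "member_discounts"))
```

    The three failure branches worth reading closely are the issuer check (an assertion from an IdP outside the Circle of Trust is rejected before its signature is even examined), the audience check (an assertion minted for one partner cannot be replayed at another) and the validity window, which is where the session policy agreed with partners is enforced. Note also that the SP never learns the member's name or address: the released attribute set is decided once, at the IdP, and the subject identifier is pairwise so that partners cannot correlate members with each other.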

    Technology Skills of [CLIENT]'s (and 3rd-Party) IT Organization
    - Review the skill sets of the IT employees of [CLIENT] and its trusted partners to determine if they complement the processes and technologies required for Identity Federation.
    - Provide training and documentation for future application development so that [CLIENT] and 3rd parties can incorporate federated identities.


    Preparing for Identity Federation (Contd.)

    Recap:

    Processes surrounding the management of user information (Strategy, Business-Level, Service-Level, Legal/Regulatory Compliance, Technical Requirements etc.) must be defined prior to implementing an Identity Federation solution.

    Having the proper People and Technology in place allows the Processes surrounding user data to be properly handled.


    Identity Federation Workshop

    Next Steps


    Next Steps

    Phase I
    Create a detailed Identity Federation Strategy and address the following:
    - Identity Federation Strategy
    - Legal/Regulatory Compliance Requirements
    - Agreements: Business Level, Service Level
    - Technical Requirements

    Phase II
    - Design and implement a technical pilot based on the Identity Federation Strategy that is created.
    - Develop a Federation integration guide for potential partners.

    Phase III
    - Update/finalize business and service level agreements and other requirements with Federation partners.
    - Start to implement and deploy Federation to selected partners.


    Identity Federation Workshop

    Legal Disclaimer

    The information contained in this presentation is for general guidance only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of the technology landscape, there may be omissions or inaccuracies in information contained in this presentation. Accordingly, the information in this presentation is provided with the understanding that PricewaterhouseCoopers LLP is not engaged in rendering professional advice and services. As such, it should not be used as a substitute for consultation with professional, legal or other competent advisers.

    While every effort has been made to ensure the accuracy of the contents of this presentation, PricewaterhouseCoopers LLP will accept no responsibility for any errors or omissions, or for any loss or damage, consequential or otherwise, suffered as a result of any material published here. All information in this presentation is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to, warranties of performance, merchantability and fitness for a particular purpose. In no event will PricewaterhouseCoopers, its related partnerships or corporations, or the partners, agents or employees thereof be liable to you or anyone else for any decision made or action taken in reliance on the information in this presentation or for any consequential, special or similar damages, even if advised of the possibility of such damages.

