Identity management as a platform is an emerging branch of Information security. Top vendors such as Microsoft, IBM, and Oracle have taken serious plunges into the Identity management arena. In this article, we shall see what it takes to implement an Identity management solution. Information security comprises various individual components that need to go hand in hand. One of the most important components is Identity management. Be it an intrusion prevention system, site advisors, or anti-malware solutions, each has one common requirement, the identity of the user. Identity management comprises various smaller components, such as LDAP authentication, active directory authentication, authentication chain mechanisms, one-time password transactions, Kerberos authentication, and integrated Windows authentication. A successful Identity management solution uses all these flavors seamlessly.

Let’s start with understanding the basic concept of single sign-on (SSO). Suppose a user wishes to manage various online accounts; then entering the credentials for each of the service providers is a redundant task. Identity solutions aim to cater to such users by providing a single sign-on functionality, where the user enters the credentials the first time he/she wishes to access a particular service. From the second time onwards, the service provider queries the identity provider about the authenticity of the user. The user is no longer expected to provide the credentials. These credentials are stored in a credential store. The credential store can be a database (MySql or HyperSql) or a file system.

Next we come across one-time password providers (OTP servers). There are various modes of OTP transactions available, including SMS verification, e-mail verification, and IVR calls, to name a few. These are unique patterns of alphanumeric characters which are sent to the user to authorize him/her to use a particular service. The most common example is a bank transaction, where the user who wishes to perform a transaction is asked to enter the one-time password sent to him/her in that instant of time. This is more secure and authentic than the traditional username-password authorization, because the service provider is using multifactor authentication.

Every Identity management solution has two major components: an identity provider and a service provider. The identity provider provides the Identity of the user to the service provider. A classic example is your Google account. A Gmail account can be used for various online services, such as BlogSpot, YouTube, Facebook, etc. The service provider, such as YouTube, queries the identity provider (Google in this example) for the authenticity of the user, and then grants access to the services. Other forms of Identity provisioning include LDAP authentication and active directory authentication. LDAP authentication is basically a user who is present in your LDAP database. LDAP service by default runs on port 389 of you system. The query is done on the basis of uid. Generally a LDAP tree looks like this:

There is top level group called as system (generally represented as ou=system)

There is a mid-level group called as users (generally represented as ou=users)

Finally, the usernames (represented as uid=username or cn=username)

A classic LDAP search would look like:

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

Search on server <IP-address: Port number> for “uid = admin”

In “ou=system, ou=users” where password = “password”

The above illustration is just an English translation of what happens when you search an LDAP server for the identity of a particular user.

The other component that I mentioned is active directory services by Windows. Use the dcpromo command in the Windows server to enable the active directory services. Once enabled, the system configures a DNS server at the same time. The service provider queries the active directory for the list of users to authenticate the current user whose name is present in the directory.

Identity management on the cloud!

Cloud computing has emerged as a very effective medium for starting a business with optimum resources. With various vendors coming up with software-as-a-service (SaaS), many SMBs depend hugely on these SaaS providers. On the other hand, large-scale organizations have their own cloud deployments. Identity management on the cloud is in its nascent stages and various implementations of this flavor of identity are emerging. Most of the organizations use active directory implementation to authenticate their employees for using the network. Using the active directory as an Identity provider saves an organization from having to maintain a separate Identity provider. Most companies are unwilling to expose their active directory to the Internet because the slightest mistake can lead to a huge financial loss and data theft. Using a VPN connection to do the same is not a very cost-effective method. This challenge led to an emerging exchange format called as SAML (secure assertion markup language). SAML is based on XML, which is generally used for authentication and authorization data exchange. SAML, as the name implies, works on assertions. Each SAML specification consists of three major parts – the user, the identity provider, and the service provider. As mentioned above, when a user requests a service from service provider, the service provider queries the identity provider. The only difference here is that, the service provider looks for an identity assertion, and based on this assertion grants service to the user. A service provider and Identity provider is a one to many mapping.

So, as in the above case, SAML can provide Identity assertions in the case of active directory, which can be used by the SaaS provider to authorize and authenticate a user. Service providers are implemented in the form of connectors within an Identity application. SaaS-based service providers are called cloud connectors. As an Identity provider, the Identity connectors are implemented. While composing a cloud connector, we also map it to a corresponding Identity connector, thus the identity of the user is provided to the service provider. A cloud connectors can be an HTTP-post-based connector or an SAML-based connector. Each SAML-based connector has its own SSO URLS used for SAML assertions.

Authentication Chains

Authentication chains are generally multi-step authentication which is dependent on the result of the previous authentication. These include OpenID, LDAP, Active Directory, OTP, etc. In the following section we will see some of the popular products in the market with their features.

Here are a few popular products offering identity solutions:

Ping Federate

Ping Federate is one of the largest players in the identity domain. They provide cloud-based single sign-on services through federated Identity management services. This in turn helps maintain scalability and robustness in maintaining the single sign-on feature within an enterprise. The major advantage of this product is that it provides a wrapper over SAML 2.0 implementations, making it very user-friendly. This also has dynamic token handling when authenticating users through cloud connectors.

Oracle Identity management Solutions

This is a complete next-generation product, aimed at scalability and compliance management with added security for enterprise-related information. This solution is available for all the devices across firewall to work with the single sign-on functionality.

IBM Identity and Access management

The principle aim of this IBM product is to aid in enhancing business productivity by providing secure access to all enterprise services through its wide range of integration capabilities. It contains provisioning modules as well as single sign-on modules. The brand name under which IBM releases Identity solutions is Tivoli.

These are just the top few products on the market. Identity management is a wide spectrum of various topics under one roof. There is no single product that can offer everything, but as an enterprise you can always weigh various products and choose the right one for your needs.