
Access management for SAML enabled vendor applications - June 27 | Identiverse 2019

admin
03 Dec 2019

Presenters:
Namitha Krishna

User authentication and access management are always expected to go hand in hand. In an ideal case, the identity provider performs the user authentication and an authorization framework provides the entitlement information for the authenticated user, based on which an application can decide to allow or deny access. However, this might not be feasible for federated third-party vendor applications, which cannot leverage the enterprise's authorization framework.

At Morgan Stanley, we extensively use SAML for federation with third-party vendor applications. SCIM has not yet been adopted by the majority of these vendor applications and hence is not used in the firm. Instead, access management is handled based on a set of user IDs or ACL groups exchanged periodically between vendors and business units through batch syncs. The vendor makes authorization decisions based on the user ID or ACL group memberships included in the SAML assertion of the authenticated user. Some vendors even manage fine-grained access control using the same approach. However, this approach has many drawbacks:

• Even an unauthorized user, after successful authentication, can end up at the vendor application, resulting in unnecessary disclosure of user data to third parties.
• Business units bear the burden of monitoring the batch syncs necessary to provide the information required for access management on the vendor applications.
• The firm's complex entitlement models include the possibility of granting temporary access to a user. Such models demand a real-time lookup of the user's entitlement information. Batch syncs can result in stale entitlement data on the vendor side, thus creating a potential risk.
• It is not a scalable approach to maintaining fine-grained user entitlements.

To solve this problem, our team created a centralized system to manage user entitlement information.
We also developed a plugin that enables the identity provider to query the centralized entitlements system for the entitlements of an authenticated user. Based on the query results, the identity provider can either allow an authorized user to access a vendor application or abort the operation for an unauthorized user with a suitable error message. This eliminated the risks inherent in the older approach and made it easier to maintain users' entitlements across all the vendor applications.
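The following is an added example, not code from the talk or from Morgan Stanley, that simulates the two models the abstract contrasts: the legacy flow, where the identity provider always issues an assertion and the vendor decides from batch-synced ACL group memberships, and the entitlement-gated flow, where an IdP plugin performs a real-time lookup against a central entitlement store (here a constructed in-memory list, with hypothetical users and a hypothetical "vendor-crm" application) and refuses to issue an assertion for an unauthorized user. It also models the temporary-access case: an expired grant that a nightly batch sync still reports as active.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference time and sample data; none of it comes from the talk.
NOW = datetime(2019, 6, 27, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Grant:
    """One entitlement in the central store. expires_at=None means permanent."""
    user_id: str
    app: str
    expires_at: Optional[datetime] = None


# Central entitlement system (hypothetical): the source of truth, queried in real time.
ENTITLEMENTS = [
    Grant("alice", "vendor-crm"),                                        # permanent
    Grant("bob", "vendor-crm", expires_at=NOW - timedelta(days=1)),      # temporary, expired yesterday
    Grant("carol", "vendor-crm", expires_at=NOW + timedelta(hours=2)),   # temporary, still valid
]

# Legacy model: ACL snapshot pushed to the vendor by a batch sync that ran two days ago,
# when bob's grant was still valid and before carol's grant existed.
BATCH_SYNC_ACL = {"vendor-crm": {"alice", "bob"}}


def lookup_entitlement(user_id: str, app: str, now: datetime = NOW) -> bool:
    """Real-time query: True only if an unexpired grant exists for (user, app)."""
    return any(
        g.user_id == user_id and g.app == app and (g.expires_at is None or g.expires_at > now)
        for g in ENTITLEMENTS
    )


def legacy_issue_assertion(user_id: str, app: str) -> dict:
    """Legacy flow: after authentication the IdP always issues an assertion.
    The group attribute carries whatever the last batch sync said; the vendor decides."""
    groups = [f"{app}-users"] if user_id in BATCH_SYNC_ACL.get(app, set()) else []
    return {"subject": user_id, "audience": app, "attributes": {"groups": groups}}


def legacy_vendor_decision(assertion: dict) -> bool:
    """Vendor-side check on the (possibly stale) group membership in the assertion."""
    return f"{assertion['audience']}-users" in assertion["attributes"]["groups"]


def gated_issue_assertion(user_id: str, app: str, now: datetime = NOW):
    """Entitlement-gated flow: the IdP plugin queries the central store after
    authentication and aborts with an error instead of issuing an assertion when
    the user has no active entitlement. Returns (assertion, error)."""
    if not lookup_entitlement(user_id, app, now):
        return None, f"access denied: no active entitlement for {user_id} on {app}"
    return {"subject": user_id, "audience": app, "attributes": {"groups": [f"{app}-users"]}}, None


def compare(user_id: str, app: str = "vendor-crm") -> dict:
    """Side-by-side outcome for one user: did the vendor see them, and were they admitted?"""
    legacy = legacy_issue_assertion(user_id, app)
    gated, _ = gated_issue_assertion(user_id, app)
    return {
        "legacy_reached_vendor": True,                       # identity always disclosed
        "legacy_admitted": legacy_vendor_decision(legacy),
        "gated_reached_vendor": gated is not None,
        "gated_admitted": gated is not None,
    }


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, compare(user))
```

Running the script shows the two risks from the abstract in one table: bob, whose temporary grant has lapsed, is still admitted under the legacy model because the vendor trusts the stale batch-synced group, and dave, who has no entitlement at all, still reaches the vendor with his user ID in the assertion. Under the gated model the IdP denies both before any assertion is built, while carol's fresh temporary grant works immediately without waiting for the next sync.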
