IAM - Authentication vision

1. sign sensitive transactions

1.1. Can be embedded in mobile app

2. Out-of-scope

2.1. Person-centric 2020 vision

2.1.1. Personally oriented cockpit

2.1.2. Personal accounts instead of corporate accounts

2.2. Access entitlement / authorization

2.3. Customer user account provisioning (really out of scope?)

2.3.1. Partners

2.3.1.1. Tools4ever?

2.3.2. Link created identity

2.4. Enable mobile app authentication (really out-of-scope?)

2.4.1. What is the mobile strategy

2.5. White labeled login page

3. Where are we

3.1. Broker is there

3.2. Ping Directory for storage

3.3. Ping Access for authentication

3.4. API for user provisioning from core system / portal to Ping

3.5. 2 customers live (Raet and Boels)

3.6. Conclusion: base infra is there

4. Next

4.1. Replace reverse proxy

4.1.1. authentication

4.1.1.1. Ping Access

4.1.2. redirecting

4.1.2.1. Ping Access

4.1.3. authorization - which pages can a user access (pages can be marked as blocked)

4.1.4. Images, style sheets

4.1.5. Reverse proxy

4.1.5.1. Ping Access

4.1.6. Why: unmaintainable

5. Business goals

5.1. Improve maintainability

5.1.1. Tickets service

5.1.2. Reverse proxy

5.1.3. Simplify logging

5.2. Industry level

5.2.1. Support industry best practices

5.2.1.1. Customer in control of identity

5.2.1.1.1. Compliance of customer

5.2.1.1.2. Support of customer IT department

5.2.1.1.3. (save a lot of roadmap and support for Raet)

5.2.2. Support industry standards

5.2.2.1. SAML, OpenID Connect, federation, OAuth

5.3. Enable disruptive UX

5.3.1. Support for pre-/post-employment authentication

5.3.1.1. Recruitment phase

5.3.1.2. Onboarding

5.3.1.3. After termination

5.3.2. Support for role independent UI (UX)

5.3.2.1. No more L2/L3 portal, but a dynamic UI based on authorization instead of authentication

5.3.2.2. Step-up authentication

5.3.3. Enable deeplinking from customer environment (ABN)

5.3.4. Enable new portal/navigation experience

5.4. Enable single sign-on experience for partners

5.4.1. Become IDP for partner

5.4.2. Out of scope: Support provisioning of partners

5.4.2.1. Just-in-time provisioning

5.4.2.2. Employee data from HR core

5.4.2.3. Authorization data from ??

6. Domains

6.1. Administration office

6.2. User (L1-L3)

6.3. System to system (application authentication)

6.4. File exchange (=application authentication?)

7. Small companies?

7.1. Raet identity as a service (e.g. using Ping or Azure AD)

7.2. Partner

7.3. Rely on their Office 365 / Google environment?

8. Multi-factor authentication

8.1. L1-L3 access

8.2. What responsibility do we take?

8.2.1. Raet or IDP

8.3. What technologies

8.3.1. SMS

8.3.2. Authenticator

8.4. How to deal with the transition?

8.5. Provide 'strength' info for authorization purposes

8.5.1. Step-up authentication

8.6. Certificates are a 2nd factor, but are given away for free. How to migrate and monetize this?

8.6.1. SMS is not secure enough anymore

8.6.2. Certificates are not industry practice anymore

8.6.3. Token generators are the most likely candidate

8.6.3.1. Requires self-service token infrastructure

8.6.3.2. New support process

8.6.3.3. What can we move to partners/identity providers? What should we do ourselves?

9. Compliance challenges

9.1. (Single) logout is not and will not be supported

9.2. Session management

10. Use cases

10.1. Set up / update SSO without cloud solutions

10.1.1. Self-service SSO configuration

10.1.2. How to authenticate the first user?

10.1.3. What is the procedure?

10.1.3.1. IDP assurance level NIST

10.1.3.2. Create vs Update

10.1.3.3. Onboarding

11. Multiple accounts?

12. Roadmap priority

12.1. Reverse proxy (risk reduction and crucial for IAM; cost: takes a lot of VMs, blocks new technology use)

12.1.1. 4+ sprints

12.2. API access through Ping

12.2.1. Gateway

12.2.2. Hidden cost in CS on pingwin and gateway team

12.2.3. WSJF

12.2.4. 1-4 sprints?

12.3. Migrate existing L1 customers

12.3.1. Customers on SAML

12.3.1.1. Uses reverse proxy, which needs to be replaced

12.3.2. Customers on SAML via SURFconext

12.3.3. XSSO customers

12.3.3.1. ??

12.3.4. Customers with username/password

12.3.5. Support other services

12.3.5.1. Mobile app

12.3.5.2. Community support

12.3.6. 2-factor support?

12.3.7. Estimate: Rest of the year

12.3.7.1. Needs more scoping

12.4. Go-to-market

12.5. Migrate Level 2 & Level 3