I have two affiliations, Manis with Evolvium, which is company behind open source IGA system
midpoint and also I'm active in academia helping scientists across the world get together
and solve their identity problems and in this talk I will kind of combine all of my experience
with this rather complicated topic. So let's see with some introduction. If we're talking
about multilateral identities we are meaning basically the whole scale of identities that
are available to the users because the users today have a lot of identities that they just
own and they can use to access systems. So it can be like identities from one's institution
but it can also be social identity, identity on for example GitHub or even though states
especially here in Europe are pushing some European IDs, digital wallets, some academic
identities, banks and so on and so on. There's a little lot of them and all of these identities
can be used somehow. Then the next item in the name of the talk was access management.
So it's a component basically responsible for really giving access to people and do
everything related to access. So one thing you can do is of course just type your username
and password in but in principle you can use all these identities as well and that we have
IGA which is identity governance administration for those who don't know this term is basically
an extension of identity management and its main purpose is get the identity management
rather technical stuff for administrator to people who are actually making decisions.
So some managers or even support just get them in, let them manage what they supposed
to manage, not have everything done by technical people when the others call them. And in this
talk the identity governance system will be represented by midpoint and I will try to
show you how all these pieces fit together and what can you do with the combinations.
So let me introduce midpoint as well. As Zawar said it's identity governance and identity
management system and because I'm here of course it's fully open source and usually
suppose it's not important to say it but when you are dealing with identity management and
access management areas a lot of the products there are claiming to be open source but in
reality they are just open core or something even else but with midpoint we are really doing our
best to make it fully open source including all the documentation guidelines for the developers
whatever is needed everything is open and available to use. And the product itself is
maintained by Evolveum and we have few external contributors. We would happy to have more of
them but it's kind of hard. The identity management, identity governance is very complex tool contains
a lot of code so it's very tough to get contributors. But luckily we have some contribution at least
to some integration part something that is easier to get to. So about midpoint it's very
feature rich and I would say it's really comparable to any commercial alternative. So I consider it
a big success and even we are recognized by some analytics company which is really nice
and what we can expect from open open source system it's really customizable is using as much
standard as possible if you want to get more there is a link that you can find all the information.
So let's get to access management integration because this is quite a common but I think there is
a lot of potential if you are integrated IGA system of access management. So from the IGA to access
management this is the more common path so the IGA because from the identity management part
most less information about users and their accesses naturally IGA can provision all this
profile information about users to access management and also provide data for authorization.
It might be attributes, might be roles, even some combination. So this is quite natural.
The other way around it's something not that heavily used and then I think there is a lot of
potential in that because the access management especially when we when using some external
identities have a lot of information to pass back to the IGA because and if we are talking about
single organization, if you're using a password and you have no new information, if we are using
these external identities usually with the identity we are getting some attributes that can be used.
So if it's a state identity we at least know this person was verified by state and we have
some identifier from the state that can be laid to use. For example if we are dealing with some
big security incidents, if we have academic identities we can get information whenever
this person is an academic employee or student and again use it for access control later.
If we have social identities at least we have some social identifiers of the person
that we can use for some integrations for example or we might have also other attributes like names,
emails, whatever that can be used such as to make life of the person easier just to
request them just use the information that we already have. Second thing that we can get from
access management is access timestamp because the access management of course know when the user
was accessing the system so we can get these timestamps and work with them later and I will get
to this. What are the typical interfaces for the integration? There is no standard unfortunately
but we have some standard common option so from the identity management part integrated
anything is usually through some kind of connector basically writing custom connector to
to get whatever API is that for the access management or there can be some middle layer like
some let's say LDAP or Active Directory some standard database that access management can use.
And to get some information back I do if there's this direct synchronization of connector
identity management can read it back or if you want some like just like runtime integration
you can always call some API and do some something that. Let's move to identity governance benefit.
Basically if you are familiar with identity governance it probably won't be anything new
but I will just repeat it. The very important one is overall visibility. If identity governance
deployed because you usually deploy it within a single organization you want to be in control
and have some visibility of it's happening in your organization mostly to tight your security
be able to go through audits and so on. So the main feature is some kind of reporting or web pages
dashboards who has access to what and why so you can visualize for example if you are using
role based access control who has which role what the role is entitled to to which applications
and why every person has this role. In midpoint we are using something that we call they are calling
policy driven RBEC because the RBEC is very good tool it's very easy to visualize it to explain
to people but you need something more in order to work with some attributes with some automated
rules so we have kind of extension of RBEC and if we are thinking about this talk how we can get
this multilateral identities and this data we can get through the access management to AGA I have
to use it. So first one is use these attributes for example if I know the person was wedded by state
come with state identity I may note this as a level of assurance attribute I have big
restaurants in this identity and based on it I can give some access through RBEC classically
and then I can visualize it in the standard way using dashboards and really know what the
person has access to. Also when I have time stamp when the user is accessing each system
for the last time again through the access management I can use it to build some policies
either to remove unused accounts and to tighten security or I can naturally work with some kind
of expiration renewables of account whatever I need for my particle workflow and of course
AGA wants to automate all of this so using airbag automated rules some provisioning through
connectors and integration in the system make sure that everything that I just said is completely
automated and you don't have to worry about it. If the full automation is not enough you want some
human element some kind of interaction you can have some approval processes, expirations, renewables
and so on. So let's get to some interesting feature about integration all of this together
and I will start with integration of basically access management to given surveys using just
in time provisioning now without identity governance. What you can do and this is very nice trick
you can basically create accounts on the fly because when we are using these multilateral
identities which are coming already with attributes we can just pass this identity to target system
and by passing it we basically authorizing the identity to access the system and the system
if the system supports it can create the identity and accounts for it on the fly,
use the attributes and give proper permissions within the system.
What this basically here is how to how to deprovision such accounts because this
creating of accounts is ideal it's very simple you can use it really on the fly but you have no
way how to disable these accounts the only way how to do it is again by the end system itself to
have some kind of expiration because what is important here if the person accessing losing the
access they are not going to the system anymore and the system doesn't know never gets the information
there's no way how to get the information and also with this we have no central visibility
who has account where and why which might be tough for doing some audits or resolving security
incidents you have to manually go through all the systems and get through it. So with midpoint
if identity governance component in place we can basically extend this using some extra tricks
so the basic premise is in midpoint we are managing entitled users so I'm not saying the user
should have active account on the target service at the moment we're just saying
he or she is entitled to have it and whenever the user decides to access the system again using
just in time provisioning we can create the account on the fly using this entitlement at
midpoint midpoint managers. Also what is nice about midpoint midpoint supports provisioning and
it's really quick it can be done in real time so even though if the target system doesn't support
just in time provisioning can create in accounts immediately basically access management can
ping midpoint and say now it's time to provision this account midpoint checks if the user is
entitled and if so triggers the provisioning so we can have just in time support even for system
doesn't support it not that able. Also midpoint and is this provisioning connector can read some
data back so regardless if the account was created on the service or through midpoint
midpoint will get the information the account is there is active and also we can read any additional
information and basically then we have full scale information for the IGA we have who has the
account active who is entitled but doesn't activate the account and we can build all the policies on
top of that including some expiration renewals work with last access timestamp and combine this
all together so for example if the user doesn't use the system for a long time it's kind of a
security risk we can deprovision but we still know the user is still entitled so for the next
next usage we can we can still work with that.
And now gets to this part with multi lateral identities because that's brings just another
level of complexity because with multi lateral identities we are expecting that a single user
can have multiple identities and we can even combine them because we can say okay one identity
for example the state identity brings your account to the higher level of assurance we
are know this account was vetted then you can have some social accounts saying okay this is your
social ID and we can connect with some with some system with some social systems and we can
integration because we know this ID because we know this ID if we have some academic scenario
we know the person is a student or employee of given university or even more universities
you can combine it all together. Tough part is how to correlate these identities because
there is no common identifier nothing that we can automate it. In midpoint we support
two way we call it smart correlation and it enables you to configure how the individual
accounts could be correlated and you can you can base it on the source so if in the source you know
this is the email which was verified and I'm happy to correlate with existing accounts based on
this email you can set up this rule you can set up some fuzzy rule like matching on name or even
even have fuzzy matching counting with typos and some something like that but this probably you
want to fully automate because there is some risk if it's really the real person so you can also
define what match should be like processed in an automatic way and just connect these identities
together and what rules need some human interactions and there are two ways how to do it. If you want
strict control it can be done by some administrator or some other delegated responsible person
basically manually whatever process you need you will just see okay this is attributes you have
this is the new identity you have to decide here are some potential matches decide if one of the
matches is real or if you want to create a new account for this user. Second option might be to
again use the access management part because basically the user in principle own all these
identities and can use any of them to sign in so let's just the user sign in with first one then
the second one in the same session and then we know for sure that the user's own both identities
and can be connected together. Also what is nice here you can combine all these external identities
like state, social, academic with local one if I have deployed IGN and usually I have within a
single institution I have some local accounts managed by HR department so even combination of
these local accounts and this like remote identities is possible using the same principle
there's nothing really different there and what I can do with that is build some kind of unified
profile so take all these attributes that I'm getting from different sources and then usually
I want to build a single user profile I don't want to work with users who has six names from
six sources and most of them are exactly the same the value is the same maybe sometimes if you have
like your name from the social network maybe you have different biospelling because you like it or
something like that so we can just gather this data and then put a formula how to build single user
profile how to select which name is the one how to select which email is the one that should be used
or if we need it we can just build this like one profile which is always handy to have if you
don't have any special requirements but then we can also have some extension of this profile for
example we can have like official email within the institution and then like a personalized
preferred email and then we can decide based on the target application which one of the emails
should be used which one should be provisioned and this is basically or possible with midpoint
just put all the rules in how it should be processed of course the most difficult part is how to
decide it because we want to have it simple so people can understand and also give an option to
select for example they prefer the email or preferant address at least for the system when this
this is not that important and what we can also do it thinking about these rules and how to
combine all this data together how to put some organization policies in because it's really
nice to have if you use this freedom to select their mail or they prefer preferred name or
preferred email but sometimes we have some systems that we really want to enforce strict rules
because this is something that I don't know is sent to send to authorities for for some validation
or I don't know it's it's might be tied to to your payroll and you want to have real data there
but then you can have like a company social network and let user give them the freedom
so when constructing these rules we can combine like organization policy with some user preferences
and even based on the target system decide it what results should be used and where
sounds complicated it is but it's all about programming and how to put it together for your
organization and again with the end goal to have fully automated processing at the end with some
middle user inputs user preferences and so on it's not complete there are still some missing pieces
we were we were experimenting with running some demos improving midpoint as a product to support
this better but for sure it's not fully complex the biggest issue is user experience because yeah
a lot of these options especially dealing with external identities when users needs to sign
sign in actively work with them it's hard and this will be hard for a while but it's getting better
how how how people are getting more and more used to work with work with their identities and use
the identity to sign with completely other system now we've pushed for european evils and so on
again people will be getting more getting used to this principle and it will get easier
also the interface between access management and aga is not well defined now we are just writing
custom integrations on both sides dependent on the on the needs for sure it will be better to have
some like prepared interface that we can use and we can connect our product midpoint to
existing access management systems that would be really really handy also life cycles of the
individual identities because we are combining different identities to a single profile and also
we should think about life cycle of the individual identities some of them are pretty
persistent like the state ones but other like if i if i know that someone is a student probably i
should verify this this this statement once in a while and i can put some policies or condition
it would be nice if the protocols where we're going to support this so we can for example query
each day but with other protocols like samble basically until the user didn't sign in you
don't know the current state of the information so have some maybe some explorations some renewables
here as well would be really nice also the whole assurance and trust model in this might be very
complex again working with different sources of information which are trustworthy which are not
how we can process them how we can use it what's our assurance on this information
it's difficult to even decide what we want to do and we are and when we are when we are have this
decision is an essential thing is how to process it we experiment with some kind of small project
which we called mid privacy and it was about putting metadata to each value that we are storing at
the metadata source of the identity the assurance level and also for example how we can be used
within the gdpr framework so having this all tied up and again automated so we can use it for
automated processing and provisioning rules would be really nice we started as an experiment just to
get some feeling for it it's fully available to people but as far as i know nobody tried to put
it in practice yet which is which is a bit pity and again there is a link if you want to read more
about it so just to conclude and hope to leave some time for the questions it is it is really
possible to combine these worlds and really tightly connect identity governance system
with access management and basically unlocks new potential for new features
and nowadays there is a lot of identities that people can use to sign in to our systems
state banks and i'm expecting there will be more and more of them and people will get
think more and more custom to use them especially with these eids on the european level so this
is something that we should be prepared for and i ga even though and i think about i ga is mostly
within a single institution to make sure everything is tied everything is well well ordered everything
is automated it can be audited it can work very nice in this world of multilateral identities and
bring these same conditions and the same the same benefits from the i ga to this world as well
but having a full implementation covering order english is complex and it will take probably
some time when we all get it there midpoint is kind of halfway through and that doesn't mean halfway
exactly we have something now that can be used it can be experimented with but if you want to
reach maximum potential it will need to improve the product as well and because everything is open
source and available all the contributions are always welcome so thank you for your attention
and we have a few minutes to get some questions
yes
the question was if we have some machine learning on our roadmap
we have we are already experimenting with that not for this particular problem we decided to
first start with role mining so if you are importing roles usually within the existing
role that you already have how to mine some business roles out of it because if you have if you are
migrating towards i ga you have a lot of roles manually manage and it's good to build some business
roles that can be easily managed and we are using machine learning principles for that
it could be good to use it for example for this identity matching but so far we were happy with
some customers yes so this identity of management is only one side of the picture because if i have
a user he might be a suicide man or whatever he's leaving traces in the application you grant access
to okay so if this is now leaving the company the institute the university how do you deal with the
traces do you have a mechanism like maybe scramble the username and change the username in the
application so if it's reused that yeah re-usage of usernames in the target application might
be a big problem yes so so the question was we have all this in place and what we what we can do
when user is leaving the organization with his or her data scramble them remove them somehow
something with that and this is a tough question because one part is the application itself and
when you have this automated identity management identity governance system in place usually you
can deprovision the data completely out of the application but then you have this central point
of the identity governance and the question here how long you want to keep the data for
security incidents for example and that's valid and probably you want to have them unscramble
for year two depending on your policy and then you should again automate the process how to
either scramble the data or just completely get rid of it i would say accept identifiers because
especially if you are talking about usernames you probably don't want to reuse that or at least
not within a central period of time so i would recommend to keep that yeah but it's a bit more
than that like in the talk before we had the wasuo what we have some web application and
some person is creating a dashboard so within the application it belongs to that person and
everyone else is using it so i kind of delete it but the the creator is done so it's more complex
than this yes yes so the so the comment was if the user is creating something like a dashboard in
web application that others are using if the original owner leaves can we delete it or not
and if you are within an organization when you have complete control over your users
you need some process to pass this work to someone else and i would say you have to i
process for levers in the same way you are returning your keys to your office you should
also return all your digital systems or transfer this to someone else but what you can at least
automate in this case if you have this like a dashboard something have a process that
before the deletion will send the notification or let someone approve it and that could help to
automate it okay time is up thank you and we can continue this question later