SESSION ID: IDY1-R07
Build Your Own IDaaS: Lessons From Year One
Sean Farrell, Lead Identity Engineer, Thomson Reuters
Jon Lehtinen, Director Identity Engineering, Thomson Reuters (@jonlehtinen)
#RSAC

The views and opinions expressed here are those of the presenters and do not necessarily represent those of Thomson Reuters, its subsidiaries, or any of its affiliates.

Build Your Own IDaaS – Why?

Three Pillars of Perfect IDaaS
- Strong federation support
  - OAuth2, OpenID Connect, SAML2
  - SCIM/SCIM2
- Automation, low-effort ops
  - Patching, scaling, fail-over, DR
- Developer support for the last mile
  - Integration kits, shims, dev guides

(The next slide strikes "Three" and retitles this "Four Pillars of Perfect IDaaS", repeating the same three bullets; the fourth pillar appears only as a photo, by Fabian Blank on Unsplash, and is not named in the slide text.)

BYOIDaaS: Improve UX for Users & Devs
- Multiple usernames for the same person:
  - t212360886
  - \domain\t212360886
  - jon.lehtinen
  - 212360886
  - jon.lehtinen@tr.com
- Multiple logon experiences
- Proprietary authentication protocols

BYOIDaaS: Global Availability
(Photos by Aaron Burson, Ed Robertson and Ashish Allam on Unsplash.)

BYOIDaaS: Retain Customizability
- IDaaS heavily assumes a SaaS footprint
- The business does not bring in Security until late in the process
  - Misalignment of Security strategy to Business fire drills
- Spin novel solutions to complex business challenges

BYOIDaaS: Touchless/Automated
(Photo by Billy Pasco on Unsplash.)

BYOIDaaS: Compared to Other Options
Comparison matrix with columns IDaaS and BYOIDaaS and these criteria as rows:
- On-prem
- Cloud-hosted
- Customizable
- Strategic
- Globally available
- Operational effort
- Cost
The per-cell ratings are graphical on the slide and are not captured in the extracted text. The matrix is shown on two consecutive slides (the second is an animation build of the first).

Architecture

COTS in Containers + Cloud
A stable public name is layered over an internal name that in turn resolves to one regional endpoint per region:

    sso.tr.com        CNAME -> sso.int.tr.com
    sso.int.tr.com    CNAME -> sso.amers.tr.com   (AMERS)
    sso.int.tr.com    CNAME -> sso.emea.tr.com    (EMEA)
    sso.int.tr.com    CNAME -> sso.aspac.tr.com   (ASPAC)

Containerization of COTS Apps
The COTS IdP is packaged with a Dockerfile of this shape (the slide's annotations are kept as comments; image:version, "some commands" and "things" are the slide's own placeholders):

    # Base image
    FROM image:version
    # OS prep
    RUN some commands && install -y things
    # Work directory
    WORKDIR /opt
    # Binaries
    COPY java.tar.gz /opt
    ADD cots_idp_binary.zip /opt
    # Commands
    RUN unzip cots_idp_binary.zip
    RUN tar -xf java.tar.gz
    # User & group
    USER idpuser:idpuser
    # Process to launch
    ENTRYPOINT ["/usr/bin/startup.sh"]

docker build and docker push publish the result to an image registry; the slide shows the tags adminidp:latest, engineidp:latest and engine:qa.

Multi-region Availability
Autoscaling
Georouting
Failover, High-availability, & Disaster Recovery
Each of these four slides reuses the DNS diagram above (sso.tr.com -> sso.int.tr.com -> sso.amers.tr.com / sso.emea.tr.com / sso.aspac.tr.com for AMERS, EMEA and ASPAC) to illustrate the property named in its title: the regional names scale independently, the internal name routes clients by geography, and a failed region is taken out of the internal name's answers.

Technical Challenges & Solutions
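The Dockerfile skeleton on the "Containerization of COTS Apps" slide is the point at which a few image-hygiene checks pay off: a base image pinned to a tag or digest, a non-root USER in effect at the end of the file, COPY rather than ADD for local files, and no download piped into a shell. The checker below is an added example, not code from the deck or from Thomson Reuters; SAMPLE_DOCKERFILE is a constructed stand-in that mirrors the slide's skeleton, placeholders included, and the rule set is the author's own choice of checks.

```python
"""Static checks for a COTS-in-a-container Dockerfile.

Added example (not from the RSAC deck or Thomson Reuters). Flags an
unpinned base image, a missing or root final USER, ADD where COPY would
do, and RUN lines that pipe a download into a shell.
"""
import re

# Constructed sample shaped like the slide's Dockerfile, placeholders kept.
SAMPLE_DOCKERFILE = """\
FROM image:version
RUN some commands && install -y things
WORKDIR /opt
COPY java.tar.gz /opt
ADD cots_idp_binary.zip /opt
RUN unzip cots_idp_binary.zip
RUN tar -xf java.tar.gz
USER idpuser:idpuser
ENTRYPOINT ["/usr/bin/startup.sh"]
"""

PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba)?sh\b")


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations
    and skips blank lines and comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        head, _, rest = pending.partition(" ")
        yield head.upper(), rest.strip()
        pending = ""


def base_image_pinned(ref):
    """True if a FROM reference carries a digest, or a tag other than latest."""
    ref = ref.split()[0]                  # drop "AS <stage>"
    if "@sha256:" in ref:
        return True
    last = ref.rsplit("/", 1)[-1]         # a registry:port prefix is not a tag
    if ":" not in last:
        return False
    return last.rsplit(":", 1)[1] != "latest"


def check_dockerfile(text):
    """Return a list of finding strings; an empty list means all checks passed."""
    findings = []
    instrs = list(parse_instructions(text))

    froms = [arg for ins, arg in instrs if ins == "FROM"]
    if not froms:
        findings.append("no FROM instruction")
    for ref in froms:
        if not base_image_pinned(ref):
            findings.append(f"base image {ref!r} is not pinned to a tag or digest")

    # The last USER is the one the ENTRYPOINT process runs as.
    users = [arg for ins, arg in instrs if ins == "USER"]
    if not users:
        findings.append("no USER instruction; container runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append("final USER is root")

    for ins, arg in instrs:
        if ins == "ADD":
            src = arg.split()[0]
            if src.startswith(("http://", "https://")):
                findings.append(f"ADD fetches remote content: {src}")
            else:
                # ADD also auto-extracts tar archives; COPY is explicit.
                findings.append(f"ADD used for local file {src!r}; prefer COPY")
        elif ins == "RUN" and PIPE_TO_SHELL.search(arg) and ("curl" in arg or "wget" in arg):
            findings.append("RUN pipes downloaded content into a shell")
    return findings


if __name__ == "__main__":
    for finding in check_dockerfile(SAMPLE_DOCKERFILE):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the ADD of cots_idp_binary.zip, which COPY would serve equally well since the zip is unpacked by an explicit RUN anyway. The same tag rule applies on the publishing side: mutable tags such as the slide's engineidp:latest are convenient for a registry, but a deployment that must be reproducible should reference the image by digest.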
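The multi-region, georouting and failover slides all rest on the same DNS layering: the public name never changes, the internal name is where routing and failover decisions are made, and the regional names are the targets. The model below is an added example of that decision logic, not the presenters' DNS provider configuration; the per-region preference order, the health-check results and the 203.0.113.x addresses behind the regional names are constructed, since the slides show none of them.

```python
"""Model of the deck's DNS layering: sso.tr.com -> sso.int.tr.com -> one
regional endpoint, chosen by client region (geo-routing) and skipped when
its health check fails (failover).

Added example; the routing policy, health inputs and terminal addresses
(RFC 5737 documentation range) are constructed.
"""

RECORDS = {
    "sso.tr.com": ("CNAME", "sso.int.tr.com"),
    # Geo-routed record: answer depends on the client's region and on health.
    "sso.int.tr.com": ("GEO", {
        "AMERS": "sso.amers.tr.com",
        "EMEA": "sso.emea.tr.com",
        "ASPAC": "sso.aspac.tr.com",
    }),
    "sso.amers.tr.com": ("A", "203.0.113.10"),
    "sso.emea.tr.com": ("A", "203.0.113.20"),
    "sso.aspac.tr.com": ("A", "203.0.113.30"),
}

# Constructed nearest-first order used when the client's own region is down.
PREFERENCE = {
    "AMERS": ["AMERS", "EMEA", "ASPAC"],
    "EMEA": ["EMEA", "AMERS", "ASPAC"],
    "ASPAC": ["ASPAC", "AMERS", "EMEA"],
}

MAX_HOPS = 8  # bound the CNAME chain the way real resolvers do


def pick_region(client_region, healthy):
    """Geo-routing with failover: nearest region whose health check passes."""
    for region in PREFERENCE[client_region]:
        if healthy.get(region, False):
            return region
    raise LookupError("no healthy region for client in " + client_region)


def resolve(name, client_region, healthy, records=RECORDS):
    """Follow CNAME/GEO records from name to an address.

    Returns (chain, address), where chain lists every name visited in order.
    Raises LookupError on an unknown name, a CNAME loop, an over-long chain,
    or when no region is healthy.
    """
    chain = []
    while name not in chain and len(chain) < MAX_HOPS:
        chain.append(name)
        if name not in records:
            raise LookupError("NXDOMAIN: " + name)
        rtype, data = records[name]
        if rtype == "A":
            return chain, data
        if rtype == "CNAME":
            name = data
        elif rtype == "GEO":
            name = data[pick_region(client_region, healthy)]
        else:
            raise LookupError("unsupported record type " + rtype)
    raise LookupError("CNAME loop or chain longer than %d: %s" % (MAX_HOPS, chain))


if __name__ == "__main__":
    all_up = {"AMERS": True, "EMEA": True, "ASPAC": True}
    emea_down = {"AMERS": True, "EMEA": False, "ASPAC": True}
    print("EMEA client, all regions up:", resolve("sso.tr.com", "EMEA", all_up))
    print("EMEA client, EMEA down:    ", resolve("sso.tr.com", "EMEA", emea_down))
```

The practical consequence of the layering is where the TTLs go: sso.tr.com can carry a long TTL because its answer (sso.int.tr.com) never changes, while sso.int.tr.com needs a short TTL, since that record's answer is what moves when a region fails or is drained for maintenance.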
2020_USA20_IDY1-R07_01_Build-Your-Own-IDaaS-Lessons-from-Year-One