Cookie Settings

We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Other cookies are those that are being identified and have not been classified into any category as yet.

No cookies to display.

federated-users

Your Users, Your Way

Federated Identity

Overview

You have in place an existing Identity Provider. It may be based on Microsoft’s Active Directory, Google’s G Suite, LDAP, or other providers. But you may also have some applications that have a unique username & pasword. This is both a risk and an irritation. You may have data that you collaborate with different organisations. You may have loosely affiliated workers, contractors, temps. You may have people signing up for jobs that have not yet started. All of these are symptoms of needing to federate and simplify this identity. Allow users to login the way that is most natural. Enrich that with Authorisation.

a7afee77 identity flow

Backstory

New standards have emerged over the years to simplify the problem of ‘who’. OAUTH2, OpenID Connect, SAML They each solve more or less the same problem: are you who you say you are (and a little bit of information about you such as email address). Some are tempted to add more fields (e.g. groups, and then treat groups as authorisation in the applications). This is a mistake: it breaks your ability to use more than one identity provider. By allowing identity providers to do what they are best, asserting identity, we can federate them on this lowest common denominator. This allows using ‘User@company1″ and “User@company2” together, so we can collaborate.

Authorisation

Now, Authorisation. Many will try to build this in to each application. But that in turn creates the problems of:

  • Audit: Who has what permission
  • Group/Role based authorisation becomes impossible
  • Have to rework all applications
  • Applications all need to have their code audited
  • No single point of audit and reporting and logging

Solution

So, we introduce Authorisation as a discipline, distinct from the Identity Provider, and, distinct from the Application. An Identity-Aware Web Application Firewall implements, via the cryptographic strength of Zero Trust Networking, JWT, SPIFFE, a set of assertions, per flow, and, enforces it enroute.

By decoupling Authentication(Identity) from Authorisation, we can allow multiple parallel, peer identity providers. This in turn allows people to sign in with their own company’s Single Sign On, rather than creating shared accounts, or downwards-federating the identity providers. This allows for e.g. Joint Ventures, Contractors, etc.