How to future proof a national eID scheme where 13 registered commercial IdPs, 1 government IdP and several brokers operate?
This is a tale of taking the national eID from legacy frameworks to open standards and paper based OTPs to secure mobile apps. It's a complete mesh, but we made it work - come hear the lessons learned and how to use the tools we created.
I considered myself quite an experienced programmer with some expertise in identity management when I was hired by Swedbank to work as a full-time identity engineer. Besides projects, I had an assignment from my manager to describe an architecture for IAM as a service. Honestly, I had no clue how to envision it. I tried to assemble standards and squeeze something out of practices and papers. But these were not really all my ideas and I did not feel very confident. But something started to happen in the last few years when we had a very hard time implementing our IAM project (believe it or not, it was successful). We had to answer the questions "why", "what" and "how" a hundred times. And finally the blueprint of the architecture of IAM as a service appeared from the mist. It is not the one and only, because the same size does not fit all. Still, I do not agree that there is an indefinite number of possible solutions. I think similar enterprises and engineers may find this presentation useful for drawing their own blueprints.
IAM projects usually start by implementing the baseline IAM processes: joiners, leavers, movers, because this is what is usually most needed. But then you will be asked for more: identity data, events, other services. This is what makes up IAM as a service.
You've spent years working to deliver true SSO and now your users have a single, simple authentication service to access any of their resources. That impressive UX curtain, however, hides behind it a multitude of distributed systems and platforms that each hold their own rules for providing access to their services. These systems are deployed both on-premises and in multiple cloud providers. They manage both coarse- and fine-grained authorization rules. They include modern tools, but you're still managing legacy systems as well. The situation is daunting. Your leadership wants metrics on system usage, HR needs reports to show that terminated users are removed everywhere, developers want to know how they should validate access, your auditors are asking how you are enforcing separation of duties, and the regulators are demanding that you provide proof that you are enforcing their framework policies. This session will provide you with practical solutions and implementation models to allow you to undo this Gordian knot of access points and centralize your policy management to provide standardization, visibility, security, and easier management of your access rules. You will come away with proven architectures and strategies that you can begin to implement within your own organization.
How to determine source systems for user and account profile data and configure them for real-time monitoring of lifecycle events
Configuring target systems and platforms for automated provisioning activities and identity relationship management within the ecosystem
Determining the proper decomposition of policy to govern lifecycle activities, automate access control functions, and ensure compliance with audit and regulatory requirements