
My company has applications on the cloud and on the intranet. Also, we have various roles such as employee, customer, partner, etc. We would like ID federation between services hosted on the public cloud and internal applications. The following scenarios are possible:

  1. Employee accessing cloud services from intranet
  2. Employee, customers, partners accessing cloud services from internet
  3. Cloud hosted services accessing data services hosted internally on corporate network
  4. Employee, customers, partners accessing web applications/services hosted internally on corporate network from internet.
  5. Employee, customers, partners accessing web applications/services hosted internally on corporate network from intranet.

Whenever access is from the internet to either internally hosted applications or cloud-based applications, SSO should be created via multi-factor authentication, but if the same applications are accessed from the intranet, either a user ID and password is enough or, if the user is an employee, the company SSO should be federated to the cloud-based services/applications.

We are debating whether there are any pros or cons to having two identity providers, one deployed in the DMZ and the other in the internal network. The one in the DMZ will enforce access going from the intranet to cloud-based services, and users accessing cloud-based services from the internet will get federated to this IDP. Also, users from the internet trying to access internal applications will get multi-factor authenticated by this IDP in the DMZ. The IDP inside the internal network is used only for employees accessing intranet applications.

My question is: is the above kind of dual IDP a standard way to allow access? What is the harm of having only one IDP?

techraf
Jimm

1 Answer

The easiest way, I think, is to identify a single identity provider (authentication/authorization) as the "Authoritative Source". This will store all of your identity information across all of your applications and services.

This will provide the master record by which you would be able to provide authentication and authorization for any and all users. This single authoritative source should then be able to feed data into the DMZ zone to provide the information to the other applications that are out on the cloud. This ensures that accounts cannot be reanimated due to someone enabling an account within the DMZ.

This also helps a lot when you are provisioning and deprovisioning identities, as you will only have to remove the user from one record rather than disabling them across two or three different sources. (That creates disparate processes and causes weaknesses in your IdM process.)

|   Cloud Infrastructure  |
---------------------------
|          Internet    ^  |
|                      |  |
---------------------------
|    DMZ               |  | <= External copy of authoritative source (read only from external)
|                      |  |
---------------------------
| Internal - Authoritative| <= Authoritative Source (HR records/etc) reside here.
m3r1n
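The single-authoritative-source design from this answer as an added Python model (not the asker's or answerer's code): the internal source is the only writable store and pushes copies outward, the DMZ replica is read-only and refuses to re-enable accounts, and the asker's access policy (MFA from the internet, federated SSO or password from the intranet) is evaluated against the replica. All class and function names are assumptions.

```python
class AuthoritativeSource:
    """Internal master record (HR-fed): the only store that accepts writes."""

    def __init__(self):
        self.records = {}      # user_id -> {"role": ..., "enabled": ...}
        self.replicas = []

    def provision(self, user_id, role):
        self.records[user_id] = {"role": role, "enabled": True}
        self._replicate()

    def deprovision(self, user_id):
        self.records[user_id]["enabled"] = False   # one place to disable
        self._replicate()

    def _replicate(self):
        # Push a copy of every record outward; replicas never write back.
        snapshot = {u: dict(rec) for u, rec in self.records.items()}
        for replica in self.replicas:
            replica.receive(snapshot)


class DmzReplica:
    """Externally reachable copy of the source; read-only from the DMZ side."""

    def __init__(self, source):
        self.records = {}
        source.replicas.append(self)

    def receive(self, snapshot):
        self.records = snapshot

    def lookup(self, user_id):
        return self.records.get(user_id)

    def enable(self, user_id):
        # A disabled account cannot be "reanimated" from the DMZ.
        raise PermissionError("DMZ copy is read-only; change the account at the source")


def required_factor(record, origin):
    """Asker's policy: internet access needs MFA; from the intranet an
    employee gets federated company SSO and other roles a user ID/password."""
    if record is None or not record["enabled"]:
        return "deny"
    if origin == "internet":
        return "mfa"
    return "federated_sso" if record["role"] == "employee" else "password"
```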