The Thing about Federated Provisioning

Ian Glazer recently blogged about federated provisioning, saying "Federated provisioning should not exist; there is only provisioning.". Well, I think he's both right and wrong about this. Let me explain.

Suppose two companies, Acme and Omega enter into a federation agreement, whereby employees of Acme will be able to access a service at Omega using their Acme credentials. There are two scenarios here for federated provisioning.

Scenario 1: Advance Provisioning

Acme decides that they will decide beforehand which employees are allowed to access Omegas service (based on business rules or approved requests). They will therefore do some advance work sending provisioning requests to Omega for those employees that are to have access, allowing Omega to set up federated accounts (with the appropriate mappings) for those employees. A lot of times today, this is done in the form of a batch file/spreadsheet/LDIF file containing all the users that should have access going from Acme to Omega. In an ideal situation, this would be handled by Acme's provisioning engine sending SPML-based provisioning requests to Omegas provisioning engine.

This is the scenario that Ian is referring to when he says that federated provisioning is no different than regular provisioning, and he's right. As a provisioning target, Omegas service is no different from a sensitive target within Acmes own boundary (the logistics of setting up the trust may be a little harder). And whether or not the service is SPML-enabled or not really doesn't change the problem statement.

However, there is another scenario that changes the discussion a bit.

Scenario 2: Just-In-Time Provisioning

Acme decides that they are not going to decide beforehand which employees are allowed to access Omegas service. Instead, a link to the service is available on Acmes intranet, and whenever a user decides to go to the service, they should be given an account. In this case, no pre-provisioning is taking place. Instead, the provisioning has to occur in real-time, when the user accesses the service via the intranet link for the very first time.

The idea here is that when Omegas federation server encounters the incoming SAML token for a new user, it would recognize that the user does not have a federated account, and send the SAML token to Omegas provisioning server. The provisioning server would create the account right then and there, and return the necessary result back to the federation server so that the federation server can proceed to grant the user access.

This scenario is much more complicated than scenario 1 because of multiple dimensions. First off, the interaction between the federation server and the provisioning server has to be responsive and well-defined (and to prevent vendor lock-in, standards-based). An added wrinkle may be that the federation server may need to collect additional user information not available from the SAML token, in order to provide the complete set of information necessary to provision an account to the provisioning server (an alternative could involve a handoff to the provisioning servers self-registration screens to do the same). And the provisioning server needs to be able to understand the needs of the federation server with respect to provisioning and responses. I won't even go into the need for cache invalidation, etc.

This is where federated provisioning is not like regular provisioning (as we know it today). There are a number of things needed here that regular provisioning isn't set up for. The standards-based interaction between the federation server and the provisioning server isn't defined today, and SPML is not set up to accept SAML tokens as data inputs, or handle the just-in-time nature of this scenario. This is where a lot of work still needs to be done.

I would be interested in hearing if anyone has done anything to do with scenario 2. And, of course, any dissenting opinions on the matter (Ian?).


Seems to me that your "Scenario 2: Just-In-Time Provisioning" is the default OpenID scenario? Given that this works on the open internet today, is it really so complicated? Does it have to be?

Posted by Johannes Ernst on February 03, 2009 at 07:23 AM EST #

Nishant, as SAML and SPML do not integrate today in the standards and the integration could be "complex" and not standard, why can't we simplify the scenario 2. The idean would be that the federation service creates automatically the non-existing user at the SP side using standards like LDAP or JDBC depending what is the user repository? After all, the SAML profile would have all the necessary attributes info about the user ID. Would that break the SAML or Liberty standard ?

Posted by Chris Winteregg on February 03, 2009 at 08:29 AM EST #

SAML-based federated SSO exists as an authentication token, not authorization, and not as a global record transmission and relay technology. The entire concept of federation is to pass enough information to create the new session in the service provider's environment. That may mean a 1:1 mapping or an N:1 mapping. If the mapping does not exist, this is where people have decided "well, if it doesn't exist, create it!" And this has some risks associated with it that should be carefully considered. If we want to engage in "Federated Provisioning", it becomes necessary to modify the basic exchanges of the SAML messages to trap a "user not found / failed user mapping" event to initiate some provisioning event. In environments that want to look at Federated Provisioning, I frequently hear "just pull the information you need to create the user from the SAML assertion and create them." Here's where we start to see the bad idea. The SAML assertion should contain the MINIMUM information for moving the session from the IdP to the SP. If we instead send a full payload of data needed by the SP, we're likely transmitting FAR more information that would be advisable (recall that the first steps taken by Liberty and embraced in SAML 2.0 are opaque identifiers to further remove personal information from the exchange in order to provide better security because of the risks of misuse and replay.) Also, this means that the SP would have to expose sufficient information about what their business requires to the IdP, or build the business logic and dependencies into the federation processing. Neither is a very good idea. Next, if we have opted to transmit the entire record payload from the IdP to the SP (and violated some very good security practices), modified the SAML exchange to add our provisioning process as an in-sequence requirement to federation, and created a new record with all the required data, we must now re-use the original assertion to create the user federation record. At worst, this means we're reusing what should be a short-lifetime SAML assertion to create a session. At best, we've degraded the performance of the federation exchange and mapping to add all the overhead for the provisioning process (including performance of all back-end servers in the provisioning process), and removed the value of any caching the provisioning server was using against the user repository (since we first looked and the record did not exist, so we created one, looked again and found the new record, we've got either a small or no cache.) If we instead extend the SAML exchange for federation as a standard to allow a hook for provisioning as an option, with methods to notify the providers, then it may make sense to create 'Federated Provisioning'. Without that type of alteration, injecting the provisioning process should be an option that is implemented cautiously on a case-by-case basis at deployments. If the organizations involved in a federated exchange have no prior negotiation for the user mappings, they probably should reconsider their federation agreement and examine their security practice for exchanging security for adminsitrative ease.

Posted by Karl Miller on February 04, 2009 at 03:31 AM EST #

Johannes, You are right in that scenario 2 is sort-of like the OpenID/CardSpace interactions. But my context is enterprise federations, where there are far more complicated datasets and business policies (like approvals) involved. The OpenID interaction is much simpler due to the nature of internet transactions.

Posted by Nishant Kaushik on February 04, 2009 at 04:30 AM EST #

Karl, Excellent dissection of scenario 2. Really expands on what I meant when I stated "the interaction between the federation server and the provisioning server has to be ... well-defined". It is because of all the reasons you have stated that I say scenario 2 is not like regular provisioning, in that it requires we enhance the SAML/SPML standards to accommodate the special needs you have defined, and also enhance the interaction between the federation servers and the provisioning engines.

Posted by Nishant Kaushik on February 04, 2009 at 04:36 AM EST #

Nishant, I know of multiple instances similar to what you have described in scenario #1, and at least one where SPML is used to seed the identity information to the federated partner. (I'm sure there are more) I agree with some of the comments that the JIT scenario can be accomplished (and is on the Internet) with OpenID, but in most cases where I personally have used OpenID, the SP, directs me through a create process and gathers more information about me prior to final "provisioning." For the enterprise space, it is likely that the data and process for creating accounts at Omega will reside within the walls of Acme, and possibly additional processes (like approvals) reside within Omega. For these situations, I see two options: 1. As you presented, creating a "... standards-based interaction between the federation server and the provisioning server", thereby allowing Omega to initiate their provisioning process upon federation request. (assuming completed or non-existent provisioning processes at Acme) 2. Recognition of attempted access to Omega by Acme services followed by provisioning to Omega via the Acme provisioning server. This could be all programmatic, or manual where the user is redirected to the Acme provisioning server interface to complete the Acme to Omega provisioning process. ...and it could all be synchronous with final redirects to Omega, or asynchronous with a notification to the user when access is available.

Posted by Mat Hamlin on February 04, 2009 at 05:49 AM EST #

Hi Nishant - here's one approach to scenario #2.

Posted by Pat Patterson on February 14, 2009 at 03:20 AM EST #

Post a Comment:
  • HTML Syntax: NOT allowed



« April 2014