CCSK

  • 1.  IAM: Identity provider vs authoritative source?

    Posted Jun 15, 2021 11:49:00 AM
    Hi,

    In Module 5 Unit 6 of the CCSK training, they talk about IAM. I was wondering, what is the difference between the identity provider and the authoritative source?
    Would someone be able to help clarify this for me and perhaps give a real world example?

    Thanks :)


    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: IAM: Identity provider vs authoritative source?

    Posted Jun 16, 2021 07:13:00 AM
    This is how I keep it in my head: Your authoritative source is something like AD, while your IDP is interfacing between AD and the service it's authenticating to.

    ------------------------------
    Lee Neely CISSP, CISA,CRISC, CISM, GMOB, GPEN, GPYC, GAWN, G
    CSA BOI
    Boise ID
    ------------------------------



  • 3.  RE: IAM: Identity provider vs authoritative source?

    Posted Jun 16, 2021 07:30:00 AM
    Think of an identity provider as someone who has done some checking and provides an assertion that this person is over 21.
    Whereas the ONLY authoritative source in my case is the UK government who issued my birth certificate.
    Every other source of my age is secondary, or worse.

    So an IDP who uses my Driving Licence as its source is already two levels removed from authoritative. Same for passports.
    Use a source for identity with a less than stellar reputation for identity verification (say a Ugandan* passport) and then how much do you trust that assertion??

    The problems comes when an IDP checks my DoB using a dodgy foreign driving licence and yours via a (new strong) US driving licence.
    I then use that IDP to verify RUover21 and you get back a binary YES. I'd argue that it's of little use to you and you cant differentiate the quality of the original checking.

    This is the reason that most banks want to do KYC themselves, so they know the level of trust they can place in the "evidence" presented.

    It's also the reason that we as global citizens actually need to be able to assert "I am over 21" signed by the AUTHORITATIVE source.

    *used as example as both US & UK governments require a visa so they can do independent validation on the person applying.

    ------------------------------
    Paul Simmonds
    CSA UK Chapter & Global Editor for Guidance Section 12 (at version 3)
    ------------------------------



  • 4.  RE: IAM: Identity provider vs authoritative source?

    Posted Jun 16, 2021 09:47:00 AM
    Ah, I see. Thank you, this helps!

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------



  • 5.  RE: IAM: Identity provider vs authoritative source?

    Posted Jun 18, 2021 05:13:00 AM
    I don't remember the exact module and the context, but most commonly idp refers to a service which provides runtime identity assertion to integrated systems upon user login (ie provides sso to service providers via saml,oidc...). It can also map user profiles to the same integrated systems (user provisioning).
    It relies on authoritative source where the identity & entitlement data is maintained. Idp can integrate to it, but most identity services (idaas) would provide both functionalities.

    ------------------------------
    Ivan Djordjevic
    security & identity architect
    salesforce
    ------------------------------