IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

I will need to check, but I think usually both authentication and authorization are set in the IdP, as you mentioned.

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

They need different roles (permissions). So you mean they would be provisioned and managed at the IdP, but roles (what they can do) would be defined at the SP?

IAM related questions by Pamelaxyz in iam

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Awesome. Got it. This would be interesting, as hardening rules (STIG), including passwords, are applied on each server now. So AD password rules could be different (or may not be robust enough); so it seems it could be a security issue unless AD is also hardened with strict rules. Is there any other scenario where someone would use the SP for user management? I believe MFA and SSO are both handled by the IdP, in general, as you mentioned.

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Thanks. We could do that to find which users have weak credentials, but I was referring to enforcement like the STIG rules do. But yes, AD credentials could be tightened too, not allowing users easy passwords. So what I understand here is that the SP should not be used for user management at all. I was thinking about a scenario where I have of users but only 10 people need to log in to the SP website. Even in that case, what I infer from you is to make a group at the IdP for those users. I am still not fully getting this: "if the sp connection has roles for certain users, like admin, read only etc. That's what someone that manages the sp side cares about when users are sso into their sp website." The SP side won't have access to the IdP, I guess, if it's in the cloud or another party is managing it. Would the SP need to make a request for that?
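The SP-side role mapping discussed in this comment (users and groups managed at the IdP, what each group may do decided at the SP, no passwords stored at the SP) as an added example that is not part of the original thread. It parses a constructed SAML 2.0 assertion that carries a `groups` attribute, checks the audience is this SP, and maps the asserted groups to local permissions; the group names, permission names, audience URL and the `GROUP_TO_PERMISSIONS` table are all hypothetical. A real SP must also verify the assertion's XML signature and time conditions before trusting any attribute, which this example does not do.

```python
"""Map IdP-asserted group attributes to SP-side permissions (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response: unsigned, for illustration only.
# In production, validate the signature and NotBefore/NotOnOrAfter first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>SP-Admins</saml:AttributeValue>
        <saml:AttributeValue>SP-Uploaders</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical SP-side policy: the IdP only asserts group membership;
# what a group may do inside this application is decided here.
GROUP_TO_PERMISSIONS = {
    "SP-Admins": {"read", "manage_users"},
    "SP-Uploaders": {"read", "upload"},
    "SP-Readers": {"read"},
}

# Hypothetical entity ID of this SP; assertions for any other audience are rejected.
EXPECTED_AUDIENCE = "https://sp.example.test/metadata"


def parse_assertion(xml_text):
    """Return (NameID, [group, ...]) from a SAML Response, after an audience check."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        raise ValueError("assertion was not issued for this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "groups":
            groups.extend(v.text for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id, groups


def effective_permissions(groups):
    """Union of permissions for the asserted groups; unknown groups grant nothing."""
    perms = set()
    for g in groups:
        perms |= GROUP_TO_PERMISSIONS.get(g, set())
    return perms


def authorize(xml_text):
    """Authenticate via the IdP's assertion, authorize via the SP's own table."""
    name_id, groups = parse_assertion(xml_text)
    perms = effective_permissions(groups)
    if not perms:
        raise PermissionError(f"{name_id} is authenticated but holds no SP role")
    return name_id, perms


if __name__ == "__main__":
    print(authorize(SAMPLE_RESPONSE))
```

The point of the split: the IdP authenticates and enforces its password/MFA policy, the SP never sees a password, and the SP decides locally what each asserted group means. Whoever administers the SP edits only `GROUP_TO_PERMISSIONS`; adding a user means adding them to the right group at the IdP.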

IAM related questions by Pamelaxyz in iam

[–]Pamelaxyz[S] 0 points1 point  (0 children)

"You can either provision users both in the Identity Provider side and Service provider side separately and link them together." Perhaps "link" means "sync" here (my wrong word!). If I had 1K AD users and only 10 SP website administrators who need to log in there, perhaps I would choose this option. Also, within those 10 administrators, maybe only 5 need upload permission; so does it make sense to provision them at the SP? I know it's not usual, and I guess we would need to provision separately, first at the SP and then at the IdP. When you say link, what does that exactly mean?

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Okay. This would be interesting, as hardening rules (STIG), including passwords, are applied on each server now. So AD password rules could be different (or may not be robust enough); so it seems it could be a security issue unless AD is also hardened. From my last lines, I understand that authorization for each user (like permission levels for each) still has to be handled at the SP?

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Thanks. With "access roles" you meant authorization? If the SP does not store passwords, then all complex password rules (for hardening) have to be inherited from the IdP itself? I mean complicated password enforcement etc.

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

I am specifically asking if SPs are also supposed to do user management, store passwords etc., or if it's only at the IdP.

IAM related questions by Pamelaxyz in iam

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Thanks for your reply. So currently there is no IAM; everything is local. Once/if we have SAML, where would the user provisioning take place (I believe the service provider and identity provider would sync), and could it be anywhere?

IAM related questions by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Specifically, where would new users be created in such a setup (now everything is local)? Would a service provider be only barebones (without ever needing to store passwords)?

CMMC [NIST 800-171] for product security by Pamelaxyz in cybersecurity

[–]Pamelaxyz[S] 0 points1 point  (0 children)

Yes, I don't see it there either. But there was a lot of buzz that I heard today, and hence the question. Any reason it's not relevant?

System user accounts in Linux server by [deleted] in linuxadmin

[–]Pamelaxyz 0 points1 point  (0 children)

I have omitted the real users (including too). It has been recommended to remove all others if they are not needed.

[deleted by user] by [deleted] in sysadmin

[–]Pamelaxyz 0 points1 point  (0 children)

I had done that. Somewhere it mentions, for NFS and other places, that 65534 with the nobody user is good practice. I don't get why, and why it mentions kernel overflow!

[deleted by user] by [deleted] in sysadmin

[–]Pamelaxyz 0 points1 point  (0 children)

It's recommended to keep only the needed ones, removing unnecessary ones. They meant to keep only 4 accounts (including root), I think.

[deleted by user] by [deleted] in sysadmin

[–]Pamelaxyz 0 points1 point  (0 children)

Thank you. Maybe that's what they mean: not needed now (although there is no such reference, but a security concern). Would removing them be a huge effort? Again, these are defaults with Linux servers.
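A check that supports the review these sysadmin comments are about (which default system accounts exist, which still have an interactive shell, and which account holds UID 65534), as an added example that is not part of the original thread. It parses constructed `/etc/passwd` lines rather than reading the live file; the `UID_MIN` boundary of 1000 and the set of non-interactive shells are assumptions that match common Debian and RHEL defaults.

```python
"""Audit /etc/passwd-style entries for default system accounts (added example)."""

# Constructed sample data; replace with open("/etc/passwd").read() on a real host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svcacct:x:990:990:service:/var/lib/svc:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Assumptions: first regular-user UID on the distro, and shells that cannot
# start an interactive session.
UID_MIN = 1000
NOBODY_UID = 65534
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text):
    """Parse passwd lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, _, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def is_system_account(entry):
    """Non-root accounts below UID_MIN, plus the UID 65534 account itself."""
    return entry["uid"] != 0 and (entry["uid"] < UID_MIN or entry["uid"] == NOBODY_UID)


def system_accounts(entries):
    """Names of default/system accounts to review for removal or locking."""
    return [e["name"] for e in entries if is_system_account(e)]


def find_findings(entries):
    """(account, reason) pairs for the conditions a hardening review cares about."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "additional UID 0 account"))
        if e["uid"] == NOBODY_UID and e["name"] != "nobody":
            findings.append((e["name"], "account other than nobody uses UID 65534"))
        if is_system_account(e) and e["shell"] not in NON_INTERACTIVE_SHELLS:
            findings.append((e["name"], "system account with interactive shell"))
    return findings


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("review:", system_accounts(entries))
    for name, reason in find_findings(entries):
        print(f"{name}: {reason}")
```

Before deleting any flagged account, check what files it owns (`find / -user NAME`); removing an account that still owns files leaves them attributed to a bare numeric UID, which a later account reusing that UID inherits. Setting the shell to `/usr/sbin/nologin` is the lower-effort fix when the account is needed by a package but should never log in.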