
Providing fine grained access to SalesForce and Google Apps

Companies that move to Cloud Providers like Salesforce and Google Apps quickly discover that part of the migration involves revisiting their security model. Authentication, authorization, account management, and federation are on the menu of activities for most organizations as they strive to garner the cost savings and distribution of the Cloud while retaining some level of control over users and assets.

Cloud consumers can insulate their implementations from the vagaries of proprietary identity implementations by using standards. In most cases, SAML represents a logical starting point for conveying identity information from the Cloud Consumer to the Cloud Provider. SAML is a well-adopted industry standard that is available in many commercial and open source implementations, and it is referenced by many industry groups such as the Cloud Security Alliance.

SAML’s architecture lends itself to Cloud scenarios, because the Cloud Consumer (enterprise) and Cloud Provider fit naturally into the core SAML roles. The primary roles in a SAML architecture are the Identity Provider (IdP) who asserts information about a user, and Relying Party (RP), who acts on the information for the service provider, such as the Cloud Provider. Because SAML was designed with this separation of roles in mind, it maps cleanly onto Cloud Deployment models.

Cloud consumers get three main benefits from this architecture:

- Cloud consumers retain management and provisioning of user accounts, providing the Cloud applications with the freshest and most accurate data on users
- Applications are built using peer-reviewed access control protocols instead of home-grown or proprietary access controls
- Cloud consumers implement a standards-based identity interface, which simplifies integration with other vendors

Both Google and Salesforce support SAML to communicate identity information from the Cloud Consumer to the Cloud Provider, so the Cloud Consumer can leverage its existing on-premise enterprise directory and SAML Identity Provider to serve identity information to two different Cloud Providers.

Access Control Model

SAML provides a standards-based means to get identity information to the Cloud Provider in a reliable way, but the Cloud applications' business logic and data will determine what the proper access control and authorization rules should be.

The basic algebra of authorization is pretty straightforward: authorization rules govern the interaction between a subject (such as a user), and an object (such as web service or database), based on the action requested, in a certain context (sometimes called scope). These four primitives – Subject, Object, Action, and Context – are evaluated against conditions and chains of responsibilities.

The difficult decision for the security architect is the level of granularity at which to apply the authorization rules. Simply granting or denying anyone in the enterprise directory access to the Cloud Provider is very likely too coarse-grained; in most cases authorization rules are more context specific. This means that SAML and other identity standards perform the crucial function of moving the identity data to the authorization logic, but the application must still assemble the request and map it against the target's authorization rules. Many applications use Role Based Access Control (RBAC) for this mapping, and SAML and identity providers do not replace this.

Integration Concerns

The two basic roles, Identity Provider and Relying Party, use SAML to communicate, so their conversation is supported by that standard. There are two areas that require additional work for an integrated solution. Note: for an extended demo of these concepts in practice, see the Cloud Access 360 demo.

The Identity Provider issues the SAML assertion based on the session and the user profile in the enterprise directory. The Relying Party validates the SAML assertion and initiates a session on the Cloud Provider application. This means that integration work is required to ensure the Identity Provider is integrated with the enterprise directory, and the Relying Party is integrated with the Cloud Provider. In the latter case, Cloud Providers like Google and Salesforce have done the integration work to ensure that their applications are integrated, but this still leaves Cloud Consumers with an integration effort to ensure that the Identity Provider can communicate with the enterprise directory.

The next integration concern is getting the proper information to the Relying Party so that it can make its authorization decision. This is likely to be application-specific, but one thing is certain: simply being logged on to the Cloud Consumer's enterprise directory is likely to be insufficient to access Cloud Provider applications, so the SAML assertion must be enriched with additional information from the enterprise directory such as Group, Role and other attributes.

To accomplish this, the Identity Provider and Relying Party must agree upon a schema for communicating the attributes needed to make the authorization decision. In some cases, the Cloud Provider can act simply on the Group and Role information; however, authorization is increasingly more subtle and specific, and additional attributes are needed to convey permissions such as allowable Create, Read, Update and Delete operations on objects.

Once the mapping of the Group, Role and/or attributes in the enterprise directory to the Cloud Provider permissions is completed, these must be exchanged and typically issued in a way that supports Single Sign On. One way to accomplish this is to exchange the SAML assertion, using the assertion grant_type, for an access token. The next step is to ensure the mapping extends to the permission grants; in Salesforce these typically include permissions such as Manage Billing, Manage Call Centers, Manage Users, Transfer Record, and Weekly Export Data. What the Cloud Consumer gains in this case is retaining user management on premises via the enterprise directory while gaining the capabilities of the Salesforce Cloud.
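The mapping step just described, together with the Subject/Object/Action evaluation from the access control model above, as an added example that is not part of the original post or of any Salesforce or Google implementation. The assertion fragment is constructed, the PERMISSION_MAP is a hypothetical agreed schema, and the Relying Party is assumed to have already verified the assertion's signature, Audience and Conditions before any attribute in it is trusted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not a real Salesforce or Google message).
# The Relying Party must verify signature, Audience and Conditions before
# trusting any attribute below; this example assumes that already happened.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Support</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>Agent</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical agreed schema: directory Group/Role values -> Cloud Provider
# permission names from the post. Anything not listed grants nothing.
PERMISSION_MAP = {
    ("Group", "Finance"): {"Manage Billing", "Weekly Export Data"},
    ("Group", "Support"): {"Transfer Record"},
    ("Role", "Admin"): {"Manage Users", "Manage Call Centers"},
}

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def permissions_for(attrs):
    """Union of permissions granted by every mapped (name, value) pair."""
    granted = set()
    for name, values in attrs.items():
        for value in values:
            granted |= PERMISSION_MAP.get((name, value), set())
    return granted

def is_authorized(attrs, action, obj):
    """Default-deny check of Subject (attrs) + Action + Object."""
    return f"{action} {obj}" in permissions_for(attrs)
```

Attributes outside the agreed schema (an unmapped Group, or a Role the map does not know) contribute no permissions, so a subject that is merely present in the directory gets nothing until a mapping grants it.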


In the case of Google Apps, a variety of token types are supported; the SAML token is likely to be exchanged for an OAuth token. The OAuth token uses the consumer key to convey the authorized user's information to the Google Cloud Provider. The token maps to the Google permission model, for example to show whether a given user is able to Read a Calendar, Update a Calendar, or Read Calendar details.


The combination of SAML roles such as Identity Provider and Relying Party provides the separation of duties that works well in Cloud environments. Cloud Consumers retain user management and convey this information to the Cloud Provider via interoperable, open standards. The two integration points are the Identity Provider, which must be integrated with the enterprise directory, and the Relying Party, which must be integrated with the Cloud Provider.

Companies must also map the Role, Group and attribute information from their user accounts in the enterprise directory to the Cloud Provider access models. This requires some additional review of business processes and use cases to complete, but the end result gives the Cloud Consumer a level of user control that drives the authorization decisions made in the Cloud.

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission-critical financial, financial exchange, healthcare, manufacturing, and federal/government systems, as well as emerging start-ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at
