Use Case C: Collaboration: Federated-ID Access

Note: This page is supplementary material for the NIST SP 1800-35 publication.

Scenario C-1: Full resource access using an enterprise endpoint

This scenario deals with a request by a successfully authenticated Federated-ID to access an enterprise-controlled resource. In this scenario, the requester's maximum access configuration for the enterprise-managed resource is set to full access.

Pre-Condition: The requestor is identified and authenticated. Per configuration, the requestor is authorized with full access to the resource.

Demonstration: The requestor, using a Federated-ID, will attempt to access an enterprise resource from an enterprise-owned endpoint.

Purpose and Outcome: This demonstration focuses on the endpoint location together with endpoint and resource compliance (Compl).

Table 1 - Scenario C-1 Demonstrations

| Demo ID | Req EP Compl | Req Loc | RSS EP Compl | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| C-1.1a | Y | On-Prem | Y | On-Prem | Access Successful |
| C-1.1b | N | On-Prem | Y | On-Prem | Access Not Successful |
| C-1.1c | Y | On-Prem | N | On-Prem | Access Limited |
| C-1.1d | N | On-Prem | N | On-Prem | Access Not Successful |
| C-1.2a | Y | Branch | Y | On-Prem | Access Successful |
| C-1.2b | N | Branch | Y | On-Prem | Access Not Successful |
| C-1.3a | Y | Remote | Y | On-Prem | Access Successful |
| C-1.3b | N | Remote | Y | On-Prem | Access Not Successful |
| C-1.4a | Y | On-Prem | Y | Cloud | Access Successful |
| C-1.4b | N | On-Prem | Y | Cloud | Access Not Successful |
| C-1.4c | Y | On-Prem | N | Cloud | Access Limited |
| C-1.4d | N | On-Prem | N | Cloud | Access Not Successful |
| C-1.5a | Y | Branch | Y | Cloud | Access Successful |
| C-1.5b | N | Branch | Y | Cloud | Access Not Successful |
| C-1.6a | Y | Remote | Y | Cloud | Access Successful |
| C-1.6b | N | Remote | Y | Cloud | Access Not Successful |

Comment: In this set of demonstrations, the desired outcome will be to deny access to the resource in case the endpoint is not compliant. If the endpoint is compliant but the resource is not compliant, the access is restricted.

Scenario C-2: Limited resource access using an enterprise endpoint

This scenario deals with a request by a successfully authenticated Federated-ID to access an enterprise-controlled resource. In this scenario, the requester's maximum access configuration for the enterprise-managed resource is set to limited access.

Pre-Condition: The requestor is identified and authenticated. Per configuration, the requestor is authorized with limited access to the resource.

Demonstration: The requestor, using a Federated-ID, will attempt to access an enterprise resource from an enterprise-owned endpoint.

Purpose and Outcome: This demonstration focuses on the endpoint location together with endpoint and resource compliance (Compl).

Table 2 - Scenario C-2 Demonstrations

| Demo ID | Req EP Compl | Req Loc | RSS EP Compl | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| C-2.1a | Y | On-Prem | Y | On-Prem | Access Limited |
| C-2.1b | N | On-Prem | Y | On-Prem | Access Not Successful |
| C-2.1c | Y | On-Prem | N | On-Prem | Access Limited |
| C-2.1d | N | On-Prem | N | On-Prem | Access Not Successful |
| C-2.2a | Y | Branch | Y | On-Prem | Access Limited |
| C-2.2b | N | Branch | Y | On-Prem | Access Not Successful |
| C-2.3a | Y | Remote | Y | On-Prem | Access Limited |
| C-2.3b | N | Remote | Y | On-Prem | Access Not Successful |
| C-2.4a | Y | On-Prem | Y | Cloud | Access Limited |
| C-2.4b | N | On-Prem | Y | Cloud | Access Not Successful |
| C-2.4c | Y | On-Prem | N | Cloud | Access Limited |
| C-2.4d | N | On-Prem | N | Cloud | Access Not Successful |
| C-2.5a | Y | Branch | Y | Cloud | Access Limited |
| C-2.5b | N | Branch | Y | Cloud | Access Not Successful |
| C-2.6a | Y | Remote | Y | Cloud | Access Limited |
| C-2.6b | N | Remote | Y | Cloud | Access Not Successful |

Comment: In this set of demonstrations, the desired outcome will be to deny access to the resource in case the endpoint is not compliant. If the endpoint is compliant but the resource is not compliant, the access is restricted.

Scenario C-3: Limited internet access using an enterprise endpoint

This scenario deals with a request by a successfully authenticated Federated-ID to access a non-enterprise-controlled resource on the public internet from an enterprise-owned endpoint device that has limited internet access.

Pre-Condition: The requestor is identified and authenticated. Per configuration, the requestor is authorized with limited access to the Internet.

Demonstration: The requestor, using a Federated-ID, will attempt to access two resources located on the public Internet. The resources are not controlled by the enterprise. One resource is allowed, the other is blocked.

Purpose and Outcome: This demonstration focuses on endpoint compliance when a requester with limited internet access uses an enterprise-controlled endpoint to reach non-enterprise-controlled resources on the internet.

Table 3 - Scenario C-3 Demonstrations

| Demo ID | Req EP Compl | Req Loc | RSS Access Policy | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| C-3.1a | Y | On-Prem | Allowed RSS 1 | Internet | Access Successful |
| C-3.1b | N | On-Prem | Allowed RSS 1 | Internet | Access Not Successful |
| C-3.1c | Y | On-Prem | Blocked RSS 2 | Internet | Access Not Successful |
| C-3.1d | N | On-Prem | Blocked RSS 2 | Internet | Access Not Successful |
| C-3.2a | Y | Branch | Allowed RSS 1 | Internet | Access Successful |
| C-3.2b | N | Branch | Allowed RSS 1 | Internet | Access Not Successful |
| C-3.2c | Y | Branch | Blocked RSS 2 | Internet | Access Not Successful |
| C-3.2d | N | Branch | Blocked RSS 2 | Internet | Access Not Successful |
| C-3.3a | Y | Remote | Allowed RSS 1 | Internet | Access Successful |
| C-3.3b | N | Remote | Allowed RSS 1 | Internet | Access Not Successful |
| C-3.3c | Y | Remote | Blocked RSS 2 | Internet | Access Not Successful |
| C-3.3d | N | Remote | Blocked RSS 2 | Internet | Access Not Successful |

Scenario C-4: No internet access using an enterprise-owned endpoint

This scenario deals with a request by a successfully authenticated Federated-ID to access a non-enterprise-controlled resource on the public internet from an enterprise-owned endpoint device with internet access disabled. In this scenario, the Enterprise-ID may be allowed to access certain public internet resources, but there is a separate policy for the endpoint, which is not allowed any public internet access. The endpoint policy overrides the user identity policy, and no requests for internet-based resources are allowed.

Pre-Condition: The requestor is identified and authenticated. Per configuration, the requestor ID is authorized with limited access to the public Internet, but not when coming from a particular enterprise-owned endpoint that is not allowed to access the public internet.

Demonstration: The requestor, using a Federated-ID, will attempt to access two resources, both located on the public Internet. The resources are not controlled by the enterprise. When using an endpoint that is denied all internet access, the endpoint policy overrides the identity policy and all internet access requests are denied.

Purpose and Outcome: This demonstration focuses on the endpoint access policies for non-enterprise-controlled resources on the internet when the endpoint is not permitted internet access.

Table 4 - Scenario C-4 Demonstrations

| Demo ID | Req EP Compl | Req Loc | RSS Access Policy | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| C-4.1a | Y | On-Prem | Allowed RSS 1 | Internet | Access Not Successful |
| C-4.1b | N | On-Prem | Allowed RSS 1 | Internet | Access Not Successful |
| C-4.1c | Y | On-Prem | Blocked RSS 2 | Internet | Access Not Successful |
| C-4.1d | N | On-Prem | Blocked RSS 2 | Internet | Access Not Successful |
| C-4.2a | Y | Branch | Allowed RSS 1 | Internet | Access Not Successful |
| C-4.2b | N | Branch | Allowed RSS 1 | Internet | Access Not Successful |
| C-4.2c | Y | Branch | Blocked RSS 2 | Internet | Access Not Successful |
| C-4.2d | N | Branch | Blocked RSS 2 | Internet | Access Not Successful |
| C-4.3a | Y | Remote | Allowed RSS 1 | Internet | Access Not Successful |
| C-4.3b | N | Remote | Allowed RSS 1 | Internet | Access Not Successful |
| C-4.3c | Y | Remote | Blocked RSS 2 | Internet | Access Not Successful |
| C-4.3d | N | Remote | Blocked RSS 2 | Internet | Access Not Successful |

Scenario C-5: Internet access using BYOD

This scenario deals with a request by a successfully authenticated Federated-ID to access a resource on the Internet from a privately owned device. For this scenario, additional testing of the endpoint is unnecessary because access is restricted by policy due to the device being BYOD.

Pre-Condition: The requestor is identified and authenticated. Per configuration, the requestor is authorized with limited access to the Internet. Neither RSS1 nor RSS2 is managed by the enterprise. For example, RSS1 could be a gambling site and RSS2 could be a search engine. Endpoint compliance may not be fully determined in these scenarios.

Demonstration: The requestor, using a Federated-ID, will attempt to access two resources, both located on the public Internet. The resources are not controlled by the enterprise. One resource is allowed, the other is blocked. The endpoint itself is of type BYOD.

Purpose and Outcome: This demonstration focuses on BYOD endpoint compliance when a requester with limited internet access reaches non-enterprise-controlled resources on the internet.

Table 5 - Scenario C-5 Demonstrations

| Demo ID | Req EP Compl | Req Loc | RSS Access Policy | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| C-5.1a | Y | On-Prem | Allowed RSS 1 | Internet | Access Successful |
| C-5.1b | N | On-Prem | Allowed RSS 1 | Internet | Access Not Successful/Limited |
| C-5.1c | Y | On-Prem | Blocked RSS 2 | Internet | Access Not Successful |
| C-5.1d | N | On-Prem | Blocked RSS 2 | Internet | Access Not Successful |
| C-5.2a | Y | Branch | Allowed RSS 1 | Internet | Access Successful |
| C-5.2b | N | Branch | Allowed RSS 1 | Internet | Access Not Successful/Limited |
| C-5.2c | Y | Branch | Blocked RSS 2 | Internet | Access Not Successful |
| C-5.2d | N | Branch | Blocked RSS 2 | Internet | Access Not Successful |
| C-5.3a | Y | Remote | Allowed RSS 1 | Internet | Access Successful |
| C-5.3b | N | Remote | Allowed RSS 1 | Internet | Access Not Successful/Limited |
| C-5.3c | Y | Remote | Blocked RSS 2 | Internet | Access Not Successful |
| C-5.3d | N | Remote | Blocked RSS 2 | Internet | Access Not Successful |

Scenario C-6: Access resources using BYOD

This scenario deals with a request by a successfully authenticated federated ID to access an enterprise-controlled resource from a privately owned device. For this scenario, additional testing of the endpoint is not necessary because access is restricted by policy due to the device being BYOD.

Pre-Condition: The requestor is identified and authenticated. Per configuration, the requestor is authorized with full access to the resource. The system setup must lower the access level to the resource to a restricted access mode because a BYOD device is used.

Demonstration: The requestor, using a federated ID, will attempt to access an enterprise resource from a privately owned device.

Purpose and Outcome: This demonstration focuses on the endpoint device (BYOD), the lowering of access rights, and endpoint compliance and location.

Table 6 - Scenario C-6 Demonstrations

| Demo ID | Req. EP Compl | Req. Loc | RSS EP Compl | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| C-6.1a | Y | On-Prem | Y | On-Prem | Access Limited |
| C-6.1b | N | On-Prem | Y | On-Prem | Access Not Successful |
| C-6.1c | Y | On-Prem | N | On-Prem | Access Limited/Restricted |
| C-6.1d | N | On-Prem | N | On-Prem | Access Not Successful |
| C-6.2a | Y | Branch | Y | On-Prem | Access Limited |
| C-6.2b | N | Branch | Y | On-Prem | Access Not Successful |
| C-6.3a | Y | Remote | Y | On-Prem | Access Limited |
| C-6.3b | N | Remote | Y | On-Prem | Access Not Successful |
| C-6.4a | Y | On-Prem | Y | Cloud | Access Limited |
| C-6.4b | N | On-Prem | Y | Cloud | Access Not Successful |
| C-6.4c | Y | On-Prem | N | Cloud | Access Limited/Restricted |
| C-6.4d | N | On-Prem | N | Cloud | Access Not Successful |
| C-6.5a | Y | Branch | Y | Cloud | Access Limited |
| C-6.5b | N | Branch | Y | Cloud | Access Not Successful |
| C-6.6a | Y | Remote | Y | Cloud | Access Limited |
| C-6.6b | N | Remote | Y | Cloud | Access Not Successful |

Comment: In this set of demonstrations, the desired outcome will be to deny access to the resource in case the endpoint is not compliant. If the endpoint is compliant, but the resource is not compliant, access is restricted.

Scenario C-7: Stolen credential using an enterprise endpoint

This scenario deals with a request using a stolen credential on an enterprise endpoint.

Pre-Condition: The requestor's credential is stolen and is used to attempt access to an enterprise resource from an enterprise endpoint that may or may not also be stolen (e.g., a laptop that still has a smart token/smart card inserted). When the requester's credential is marked "Flagged Stolen", MFA should fail.

Demonstration: The requestor, using a stolen federated ID, will attempt to access an enterprise resource from an enterprise endpoint; the enterprise endpoint may be stolen as well.

Purpose and Outcome: This demonstration focuses on the requester's federated ID as well as the status of the user's credentials (e.g., smartcard, hardware token, or endpoint device) as either reported stolen or not reported stolen.

Table 7 - Scenario C-7 Demonstrations

| Demo ID | Req Credential | Req Loc | Req EP | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| C-7.1a | Active | On-Prem | Active | On-Prem | Access Successful |
| C-7.1b | Active | On-Prem | Flagged Stolen | On-Prem | Access Not Successful |
| C-7.1c | Flagged Stolen | On-Prem | Active | On-Prem | Access Not Successful |
| C-7.1d | Flagged Stolen | On-Prem | Flagged Stolen | On-Prem | Access Not Successful |
| C-7.2a | Active | Branch | Active | On-Prem | Access Successful |
| C-7.2b | Active | Branch | Flagged Stolen | On-Prem | Access Not Successful |
| C-7.2c | Flagged Stolen | Branch | Active | On-Prem | Access Not Successful |
| C-7.2d | Flagged Stolen | Branch | Flagged Stolen | On-Prem | Access Not Successful |
| C-7.3a | Active | Remote | Active | On-Prem | Access Successful |
| C-7.3b | Active | Remote | Flagged Stolen | On-Prem | Access Not Successful |
| C-7.3c | Flagged Stolen | Remote | Active | On-Prem | Access Not Successful |
| C-7.3d | Flagged Stolen | Remote | Flagged Stolen | On-Prem | Access Not Successful |
| C-7.4a | Active | On-Prem | Active | Cloud | Access Successful |
| C-7.4b | Active | On-Prem | Flagged Stolen | Cloud | Access Not Successful |
| C-7.4c | Flagged Stolen | On-Prem | Active | Cloud | Access Not Successful |
| C-7.4d | Flagged Stolen | On-Prem | Flagged Stolen | Cloud | Access Not Successful |
| C-7.5a | Active | Branch | Active | Cloud | Access Successful |
| C-7.5b | Active | Branch | Flagged Stolen | Cloud | Access Not Successful |
| C-7.5c | Flagged Stolen | Branch | Active | Cloud | Access Not Successful |
| C-7.5d | Flagged Stolen | Branch | Flagged Stolen | Cloud | Access Not Successful |
| C-7.6a | Active | Remote | Active | Cloud | Access Successful |
| C-7.6b | Active | Remote | Flagged Stolen | Cloud | Access Not Successful |
| C-7.6c | Flagged Stolen | Remote | Active | Cloud | Access Not Successful |
| C-7.6d | Flagged Stolen | Remote | Flagged Stolen | Cloud | Access Not Successful |

Scenario C-8: Stolen credential using BYOD

This scenario deals with a request using a stolen credential on a BYOD endpoint.

Pre-Condition: The requestor's credential is stolen and is used to attempt access to an enterprise resource from a privately owned device (BYOD). For scenarios where the requester's credential is marked "Flagged Stolen", MFA should fail. BYOD devices determined to be out of compliance with the enterprise security policy are not granted access regardless of subject authentication results (see C-5/6).

Demonstration: The requestor, using a stolen federated ID, will attempt to access an enterprise resource from a BYOD endpoint.

Purpose and Outcome: This demonstration focuses on the requester's ID credentials (e.g., smartcard, hardware token, or endpoint device) as either reported stolen or not reported stolen.

Table 8 - Scenario C-8 Demonstrations

| Demo ID | Req Credential | Req Loc | Req EP Compliance | RSS Loc | Desired Outcome |
|---|---|---|---|---|---|
| C-8.1a | Active | On-Prem | Y | On-Prem | Access Successful |
| C-8.1b | Flagged Stolen | On-Prem | Y | On-Prem | Access Not Successful |
| C-8.2a | Active | Branch | Y | On-Prem | Access Successful |
| C-8.2b | Flagged Stolen | Branch | Y | On-Prem | Access Not Successful |
| C-8.3a | Active | Remote | Y | On-Prem | Access Successful |
| C-8.3b | Flagged Stolen | Remote | Y | On-Prem | Access Not Successful |
| C-8.4a | Active | On-Prem | Y | Cloud | Access Successful |
| C-8.4b | Flagged Stolen | On-Prem | Y | Cloud | Access Not Successful |
| C-8.5a | Active | Branch | Y | Cloud | Access Successful |
| C-8.5b | Flagged Stolen | Branch | Y | Cloud | Access Not Successful |
| C-8.6a | Active | Remote | Y | Cloud | Access Successful |
| C-8.6b | Flagged Stolen | Remote | Y | Cloud | Access Not Successful |
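As an added illustration (this code is not part of NIST SP 1800-35 or its supplementary material), the following Python models a small policy decision point that encodes the rules stated across Scenarios C-1 through C-8: a credential or enterprise endpoint flagged stolen makes MFA fail (C-7, C-8); an endpoint policy that forbids internet access overrides the identity policy (C-4); a blocked internet resource is denied (C-3, C-5); a non-compliant endpoint is denied and a non-compliant resource restricts access (the table comments); and a BYOD endpoint lowers full access to limited (C-6). The `Request` fields and the `decide`, `is_granted` and `mismatches` names are this example's own assumptions, and the expected rows are a constructed selection from the tables above. Where Table 5 lists "Access Not Successful/Limited", the model returns Limited. Table 8 records "Access Successful" for a valid credential on a compliant BYOD endpoint while C-6 lowers BYOD access to limited; the model follows C-6, so for the C-8 "successful" rows only `is_granted` (not denied) is meaningful.

```python
# Added example, not code from NIST SP 1800-35: a toy policy decision point (PDP)
# that encodes the decision rules stated in the Use Case C scenarios, then replays
# a constructed selection of the demonstration rows against it.
from dataclasses import dataclass, replace
from enum import Enum


class Outcome(str, Enum):
    SUCCESS = "Access Successful"
    LIMITED = "Access Limited"
    DENIED = "Access Not Successful"


@dataclass(frozen=True)
class Request:
    """One access request as the PDP sees it (field names are this example's own)."""
    credential_status: str = "Active"       # "Active" or "Flagged Stolen" (C-7, C-8)
    endpoint_status: str = "Active"         # "Active" or "Flagged Stolen" (C-7 Req EP column)
    endpoint_type: str = "Enterprise"       # "Enterprise" or "BYOD"
    endpoint_compliant: bool = True         # Req EP Compl column
    endpoint_internet_allowed: bool = True  # False models the C-4 endpoint policy
    requester_location: str = "On-Prem"     # On-Prem / Branch / Remote (recorded, not decisive)
    resource_location: str = "On-Prem"      # On-Prem / Cloud / Internet
    resource_compliant: bool = True         # RSS EP Compl column (enterprise resources only)
    resource_allowed: bool = True           # identity policy on the Internet: Allowed RSS 1 / Blocked RSS 2
    max_access: Outcome = Outcome.SUCCESS   # configured maximum: SUCCESS (full) or LIMITED


def decide(req: Request) -> Outcome:
    """Rules in the order the scenario text implies: revocation, endpoint policy,
    identity policy, then compliance-based lowering."""
    # C-7/C-8: a credential or enterprise endpoint flagged stolen makes MFA fail,
    # so nothing else is consulted.
    if req.credential_status != "Active" or req.endpoint_status != "Active":
        return Outcome.DENIED

    if req.resource_location == "Internet":
        # C-4: an endpoint policy that forbids internet access overrides the
        # identity policy, even for a destination the identity could reach.
        if not req.endpoint_internet_allowed:
            return Outcome.DENIED
        # C-3/C-5: the identity policy blocks RSS 2 outright.
        if not req.resource_allowed:
            return Outcome.DENIED
        # C-3: a non-compliant enterprise endpoint is denied. C-5 lists
        # "Not Successful/Limited" for non-compliant BYOD; this model picks Limited.
        if not req.endpoint_compliant:
            return Outcome.DENIED if req.endpoint_type == "Enterprise" else Outcome.LIMITED
        return Outcome.SUCCESS

    # Enterprise-controlled resource (On-Prem or Cloud).
    # Table comment: deny whenever the requesting endpoint is not compliant.
    if not req.endpoint_compliant:
        return Outcome.DENIED
    level = req.max_access
    # C-6: a BYOD endpoint lowers a full-access grant to limited.
    if req.endpoint_type == "BYOD":
        level = Outcome.LIMITED
    # Table comment: compliant endpoint but non-compliant resource -> restricted.
    if not req.resource_compliant:
        level = Outcome.LIMITED
    return level


def is_granted(outcome: Outcome) -> bool:
    """True when the requester gets at least limited access."""
    return outcome is not Outcome.DENIED


# Constructed replay of representative table rows; labels follow the page's Demo IDs.
ENT = Request()
BYOD = Request(endpoint_type="BYOD")
EXPECTED = [
    ("C-1.1a", ENT, Outcome.SUCCESS),
    ("C-1.1b", replace(ENT, endpoint_compliant=False), Outcome.DENIED),
    ("C-1.1c", replace(ENT, resource_compliant=False), Outcome.LIMITED),
    ("C-1.4c", replace(ENT, resource_location="Cloud", resource_compliant=False), Outcome.LIMITED),
    ("C-2.1a", replace(ENT, max_access=Outcome.LIMITED), Outcome.LIMITED),
    ("C-3.1a", replace(ENT, resource_location="Internet"), Outcome.SUCCESS),
    ("C-3.1b", replace(ENT, resource_location="Internet", endpoint_compliant=False), Outcome.DENIED),
    ("C-3.3c", replace(ENT, resource_location="Internet", requester_location="Remote",
                       resource_allowed=False), Outcome.DENIED),
    ("C-4.1a", replace(ENT, resource_location="Internet", endpoint_internet_allowed=False), Outcome.DENIED),
    ("C-5.1a", replace(BYOD, resource_location="Internet"), Outcome.SUCCESS),
    ("C-5.1b", replace(BYOD, resource_location="Internet", endpoint_compliant=False), Outcome.LIMITED),
    ("C-6.1a", BYOD, Outcome.LIMITED),
    ("C-6.4d", replace(BYOD, resource_location="Cloud", endpoint_compliant=False,
                       resource_compliant=False), Outcome.DENIED),
    ("C-7.1b", replace(ENT, endpoint_status="Flagged Stolen"), Outcome.DENIED),
    ("C-7.6c", replace(ENT, credential_status="Flagged Stolen", requester_location="Remote",
                       resource_location="Cloud"), Outcome.DENIED),
    ("C-8.1b", replace(BYOD, credential_status="Flagged Stolen"), Outcome.DENIED),
]


def mismatches() -> list:
    """Rows where the model disagrees with the page's desired outcome (empty if consistent)."""
    return [(label, decide(req).value, want.value)
            for label, req, want in EXPECTED if decide(req) is not want]
```

Calling `mismatches()` returns an empty list when the encoded rules reproduce every replayed row; adding a row from the tables that comes back non-empty is the quickest way to spot where a real PDP's ordering of checks differs from the one assumed here (revocation before endpoint policy, endpoint policy before identity policy).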