All Contents © 2007 Burton Group. All rights reserved.
Addressing Interoperability Challenges
June 12 & 13, 2007
Gerry Gebel
VP & Service Director
ggebel@burtongroup.com
Agenda
• Introduction
• User-centric identity
• XACML policy
• Q&A
Introduction
Why host interoperability demonstrations?
• Catalyst is a neutral forum for vendors and other technology providers to collaborate on interoperability
• It’s great to see competitors working toward common goals
• Interoperability demonstrations provide an indication of technology maturity
  • Not as robust as formal interoperability and testing programs
  • Expose differences in interpretation of specifications
  • Challenge providers to address requirements of realistic scenarios
Introduction
Interop demonstrations for Catalyst 2007
• User-centric identity - June 27, 6-9:30pm
  • Information cards, OpenID, etc.
  • Johannes Ernst, NetMesh
  • Mike Jones, Microsoft
  • Paul Trevithick, Social Physics
• XACML - June 28, 6-9:30pm
  • Extensible Access Control Markup Language
  • Managed by OASIS
  • Hal Lockhart, BEA
  • Rich Levinson, Oracle
• WS-I - June 28, 6-9:30pm
  • Web services security profiles
  • Not discussed on the call today
User-Centric Identity
Addressing some key questions
• Why is user-centric identity important?
• Why is interoperability important for user-centric identity?
• What impact does the Catalyst interoperability event have on the industry?
User-Centric Identity
The Big Idea:
• Identity “Self-Service” by the User
• Good for businesses:
  • Reduced cost
  • More business through reduced friction with customer
  • Single view of the customer
• Good for the individual:
  • Perception of increased control (e.g. privacy)
  • Less hassle (one root credential for many sites)
  • Higher-value products / services
User-Centric Identity
Identifiers / URLs
• Example: http://netmesh.info/jernst
Key standards:
How it works
• Users sign up with an OpenID provider
• Issued URL becomes universal account name
• Diffie-Hellman-based
Information Cards
• Example:
Key standards: WS-Trust
How it works
• User obtains card from business or provider
• “Identity Agent” installed on PC (e.g. Vista CardSpace) or hosted (e.g. Higgins H1)
User-Centric Identity
Participants and process
• A combination of vendors, open source projects, and individual contributors
  • Microsoft, IBM, CA, BMC Software, Oracle, VeriSign, Ping Identity, Higgins, Bandit, NetMesh, WSO2, PamelaWare, XMLDAP.org, Internet2 Shibboleth Project, and Ian Brown
• OSIS Project (“Open-Source Identity System”)
• Process
  • Weekly conference calls
  • Face-to-face testing at recent IIW conference
  • Wiki used to collaborate and host documentation
  • http://osis.netmesh.org/
User-Centric Identity
Expected Interop Outcomes
• Many vendors participating in interop
• Demonstrated multi-vendor interoperability
  • Multiple protocols
  • Interop scenarios
Why it matters
• User-Centric Identity is here to stay
• User-centric identity can be expected to work
• No more protocol fights
• Glimpse of disruptive business potential
XACML Policy
XACML 2.0 overview
• XML language for fine-grained access control
• Extremely powerful evaluation logic
• Ability to use any available information
• Superset of permissions, ACLs, RBAC
• Scales from Internet to PDA
• Federated policy administration
• OASIS and ITU-T Standard
XACML Policy
Burton Catalyst Conference
• San Francisco, June 28, 2007, 6-9:30 pm
Tentative participants
• BEA, CA, IBM, Jericho Systems, Oracle, Redhat, Securent, and Symlabs
Approach under discussion
• Two use cases (Policy Exchange, Decision)
• Four stock trading scenarios
Weekly concalls
XACML Policy
Policy exchange scenario
[Diagram: policies flowing between a PAP, a policy repository, and a PDP]
XACML Policy
Decision request scenario
[Diagram: PEP sending a decision request to a PDP]
XACML Policy
Interop challenges
• Minimize extraneous components
• Agree on items unspecified by XACML
• Motivating business cases
• Present understandable demo
• Repeatable scenarios
• Human error
• Opportunity for ad hoc variants
XACML Policy
Use cases overview
• Use cases spec available through OASIS XACML TC Public Home Page
  • http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#announcements
• Authorization logic externalized from applications
  • Enables centralization of critical business rules in XACML Policy Decision Point (PDP)
• Vendor interoperability achieved through:
  • Common policy specification language
  • Use of common application-specific vocabulary
  • Common request and response for policy execution
XACML Policy
Use cases interop document
• Describes planning process for the Interop demo application and test framework
• Describes architectural approach and implementation options for building demo infrastructure
• Contains detailed description of use cases and scenarios at data element and processing level
• Shows XACML usage models at a depth that goes beyond the XACML core specs and in total application context
• Can be used as a sample for doing analysis for new applications
XACML Policy
Use case 1: Authorization Request - overview
• Hypothetical customer high-value stock account application
  • Account is “managed” by professional investment advisor
  • Customer can make trades within portfolio guidelines
  • If customer attempts trade outside programmed guidelines of trade size and credit limits, automatic request for approval is generated for the account manager to review and approve
• Shows how XACML can be used to extract authorization logic from application using a custom vocabulary
• Shows how fine-grained authorization can be centrally managed for uniform control of enterprise business policies
XACML Policy
Use case 1: Authorization Request - technical
• Shows how one vendor’s Policy Enforcement Point (PEP) can use another vendor’s PDP
• Demo has application acting as PEP that sends a XACMLAuthzDecisionQuery request to PDP
  • XACML SAML 2.0 profile for PEP/PDP request/response
• Shows variety of policy execution paths in PDP within policy hierarchy
• Shows how Obligations can be used to direct subsequent steps taken by PEP and application to initiate approval processes
XACML Policy
Use case 2: Policy Exchange
• Department administrators at vendor-specific Policy Administration Point (PAP) create or modify policies using custom tools
• Policy can then be published into a centralized PDP and enforced by PEPs throughout the enterprise
• Shows how policy from one vendor PAP(/PDP) can be used by other vendor PDP(/PAP)
  • Create policy at one vendor’s PAP and add to another vendor’s repository (or export policy from PDP and add to repository)
  • Import other vendor’s policy from repository to PDP for execution (or to PAP for editing)
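To make the two use cases concrete, the following is an added example, written for this page and not part of the interop's own demo application, policy set or any vendor's PDP. It holds a constructed XACML 2.0 policy for the stock-trading scenario of use case 1 (trades within the programmed trade-size and credit limits are permitted; anything else is denied, and an Obligation on Deny tells the PEP to start the account manager's approval workflow) and a toy PDP that evaluates it. Because the policy is plain XACML 2.0 XML, the same document is what a PAP would publish to the repository in use case 2 and what another vendor's PDP would import and execute. Everything vendor-specific is left out: the attribute ids under `urn:example:`, the obligation id, the limits and the `trade_request` helper (a dict standing in for the attributes carried in the XACMLAuthzDecisionQuery) are all assumptions made for this example. The PDP implements only the functions and the first-applicable combining algorithm the constructed policy uses.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FN_PREFIX = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed policy for the stock-trading use case (attribute and obligation ids are
# assumptions for this example, not the interop's vocabulary).  first-applicable is used
# deliberately: the unconditional Deny rule must come second and only catch what the
# Permit rule did not, which deny-overrides could not express.
POLICY_XML = """
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:stock-trading:policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="permit-within-guidelines" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <ResourceAttributeDesignator AttributeId="urn:example:trade-amount"
                DataType="http://www.w3.org/2001/XMLSchema#integer"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <SubjectAttributeDesignator AttributeId="urn:example:trade-size-limit"
                DataType="http://www.w3.org/2001/XMLSchema#integer"/>
          </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <ResourceAttributeDesignator AttributeId="urn:example:trade-amount"
                DataType="http://www.w3.org/2001/XMLSchema#integer"/>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <SubjectAttributeDesignator AttributeId="urn:example:credit-limit"
                DataType="http://www.w3.org/2001/XMLSchema#integer"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-outside-guidelines" Effect="Deny"/>
  <Obligations>
    <Obligation ObligationId="urn:example:obligation:request-manager-approval" FulfillOn="Deny"/>
  </Obligations>
</Policy>
"""


class Indeterminate(Exception):
    """An expression could not be evaluated, e.g. a required attribute is missing."""


def _eval(node, request):
    """Evaluate one XACML expression element against the request attributes."""
    tag = node.tag.split("}", 1)[1]                      # strip the XACML namespace
    if tag.endswith("AttributeDesignator"):
        category = tag[: -len("AttributeDesignator")].lower()   # subject / resource / ...
        conv = int if node.get("DataType", "").endswith("#integer") else str
        # Designators return a bag (list); the PDP never fabricates a missing value.
        return [conv(v) for v in request.get((category, node.get("AttributeId")), [])]
    if tag != "Apply":
        raise ValueError(f"unsupported element {tag}")
    fn = node.get("FunctionId")[len(FN_PREFIX):]
    args = [_eval(child, request) for child in node]      # arguments evaluated eagerly
    if fn == "and":
        return all(args)
    if fn == "integer-less-than-or-equal":
        return args[0] <= args[1]
    if fn == "integer-one-and-only":
        if len(args[0]) != 1:                            # empty or multi-valued bag
            raise Indeterminate(f"expected exactly one value, got {args[0]}")
        return args[0][0]
    raise ValueError(f"unsupported function {fn}")


def evaluate(policy_xml, request):
    """Return (decision, [obligation ids]) as a first-applicable PDP would."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId").endswith(":first-applicable"):
        raise ValueError("this toy PDP implements only first-applicable")
    decision = "NotApplicable"
    for rule in policy.iterfind(f"{{{XACML_NS}}}Rule"):
        condition = rule.find(f"{{{XACML_NS}}}Condition")
        try:
            applies = condition is None or bool(_eval(condition[0], request))
        except Indeterminate:
            decision = "Indeterminate"    # fail closed: no Permit on missing data
            break
        if applies:
            decision = rule.get("Effect")
            break
    obligations = [o.get("ObligationId")
                   for o in policy.iterfind(f"{{{XACML_NS}}}Obligations/{{{XACML_NS}}}Obligation")
                   if o.get("FulfillOn") == decision]
    return decision, obligations


def trade_request(amount, size_limit, credit_limit=None):
    """Constructed stand-in for the attributes a PEP would put in an XACMLAuthzDecisionQuery."""
    request = {("resource", "urn:example:trade-amount"): [str(amount)],
               ("subject", "urn:example:trade-size-limit"): [str(size_limit)]}
    if credit_limit is not None:
        request[("subject", "urn:example:credit-limit")] = [str(credit_limit)]
    return request


if __name__ == "__main__":
    for req in (trade_request(5000, 10000, 8000),    # within both limits
                trade_request(15000, 10000, 8000),   # outside guidelines -> approval obligation
                trade_request(5000, 10000)):         # credit limit missing -> Indeterminate
        print(evaluate(POLICY_XML, req))
```

The Deny response carries the obligation id, which is how the PEP learns it must start the approval workflow rather than simply refuse the trade; the application logic for that workflow stays outside the policy. The third request shows why a PEP must treat Indeterminate and NotApplicable as "not permitted": when a limit attribute is absent, the Permit rule cannot evaluate and the PDP does not guess.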