Federating Identity Management: Standards, Technologies and Industry Trends
Presentation transcript, November 20, 2003
Daniel Blum, Senior VP, Research Director, Burton Group (www.burtongroup.com)
All Contents © 2003 Burton Group. All rights reserved.
Slide 2: Federated Identity Management
Thesis
• What? Parallel efforts from OASIS, Liberty Alliance, Web access management vendors, and platform vendors are gaining momentum and will ultimately converge
  • Perhaps not without some pain
  • “Identity networks” are needed to scale ubiquitous operation
• Why? By meeting business requirements for loosely coupled security between autonomous domains, federated identity extends identity management
• When? Now. Federated identity has many early adopters across multiple industries; products and tools are available; ROI and competitive advantage are in sight
Slide 3: Identity Management and Federation
Agenda
• Federated Identity Concepts
• Industry Trends
• Recommendations
Slide 5: Federated Identity Concepts
The challenge: Managing many identities
Diagram: internal systems and data at the centre, surrounded by tightly-coupled or loosely-coupled, integrated or federated interior systems, then loosely-coupled, federated exterior systems (extranets, the Internet). Populations shown: employees, customers, less-known partners or xSPs, and unknown users.
Slide 6: Federated Identity Concepts
What is federated identity management?
• Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
  • Authentication assertions (federated sign on)
  • Authorization assertions
  • Attribute assertions
  • Identity linking procedures
  • Trust relationships
  • Business, legal agreements
Slide 7: Federated Identity Concepts
Federated authentication between domains
Diagram: Company A is the Identity Provider (IDP), with an access point and an identity repository; Company B is the Service Provider (SP), with an access point and a protected resource; the user reaches both over the Internet.
1) User authenticates to Company A
2) Company A checks the user’s id/credential against its identity repository
3) User requests the resource at Company B
4) Company B checks policy
5) Co. B requests an identity assertion for the user
6) Co. A sends the identity assertion
7) User gets access!
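The seven-step exchange above, as an added example constructed for this page (it is not Burton Group code or any SAML library): Company A issues an assertion for the user and Company B verifies it before granting access. It assumes a pre-shared HMAC key standing in for the XML Signature a real SAML assertion carries, and made-up domain names, user and password; the assertion subject is an opaque per-pair identifier, which is what keeps the Company A username private under account linking.

```python
import hashlib, hmac, json, secrets

# Constructed demo of the flow above: Company A is the identity provider (IDP),
# Company B the service provider (SP). An HMAC over a JSON body stands in for the
# XML Signature on a real SAML assertion; key, names and users are made up.
SHARED_KEY = b"constructed-demo-key"

def sign(raw):
    return hmac.new(SHARED_KEY, raw, hashlib.sha256).hexdigest()

class IdentityProvider:
    def __init__(self, issuer, users):
        self.issuer, self.users, self.links = issuer, users, {}

    def authenticate(self, user, password):       # steps 1-2: check id/credential
        return self.users.get(user) == password

    def issue_assertion(self, user, sp, now):     # step 6: Co. A sends assertion
        # Subject is an opaque id unique to this user/SP pair (account linking):
        # Co. B never sees the Company A username.
        subject = self.links.setdefault((user, sp), secrets.token_hex(8))
        body = {"id": secrets.token_hex(8), "issuer": self.issuer, "audience": sp,
                "subject": subject, "not_before": now, "not_on_or_after": now + 300}
        raw = json.dumps(body, sort_keys=True).encode()
        return raw, sign(raw)

class ServiceProvider:
    def __init__(self, name, trusted_issuer):
        self.name, self.trusted_issuer = name, trusted_issuer
        self.seen_ids, self.linked = set(), {}    # replay cache; pairwise id -> account

    def accept(self, raw, mac, now):              # step 4: check policy on assertion
        if not hmac.compare_digest(sign(raw), mac):
            return None                           # signature does not verify
        a = json.loads(raw)
        if a["issuer"] != self.trusted_issuer or a["audience"] != self.name:
            return None                           # wrong IDP, or meant for another SP
        if not a["not_before"] <= now < a["not_on_or_after"] or a["id"] in self.seen_ids:
            return None                           # outside validity window, or replayed
        self.seen_ids.add(a["id"])
        return self.linked.get(a["subject"])      # local account, or None if never linked

def demo():
    idp = IdentityProvider("idp.company-a.example", {"alice": "s3cret"})
    sp = ServiceProvider("sp.company-b.example", "idp.company-a.example")
    raw, mac = idp.issue_assertion("alice", sp.name, now=1000)
    sp.linked[json.loads(raw)["subject"]] = "alice@b"   # opt-in account linking
    return {"bad_password": idp.authenticate("alice", "nope"),
            "first_use": sp.accept(raw, mac, 1000),
            "replay": sp.accept(raw, mac, 1001),
            "tampered": sp.accept(raw + b" ", mac, 1000),
            "expired": sp.accept(*idp.issue_assertion("alice", sp.name, 0), 900)}
```

Each rejected case in demo() is one of the checks a relying party must make before trusting an external party’s assertion: signature, issuer, audience, validity window and replay.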
Slide 8: Federated Identity Concepts
Federation concepts
Federated sign on
• Authentication requests, assertions
• Session management
Federated identity mapping
• Account linking
• Privacy protections
• Link account to role (or persistent policy)
Federated identity information
• Attribute requests, assertions
• Privacy protections
Federated authorization
• Authorization requests, assertions
Management
• Business, legal agreements
• Trust relationships
• Audit services
Slide 9: Federated Identity Concepts
Risks
• Federated identity creates new risks
  • Relying on external party for identity assertions
  • Forensics and record retention must span boundaries
  • Slippery slope of transitive trust - trust failures could propagate, cross-over attacks are possible
• …but reduces other risks
  • Pushes IdM and accountability to most responsible party
  • High security domains can be autonomous, but still interoperate
  • Lessens reliance on a large scale, centralized security infrastructure (shifts complexity)
Slide 10: Identity Management and Federation
Agenda
• Federated Identity Concepts
• Industry Trends
• Recommendations
Slide 11: Industry Trends
What infrastructure is needed for federated identity?
Diagram, three layers:
• Identity Networks (public identity services, or other communities): Ping Id, .NET Passport, Verified by Visa, Shibboleth, others
• Federated Identity Standards (used between or within products/domains): SAML, Liberty, WS-Security, WS-Federation, XACML, others
• Base Security Capabilities (mostly used within domains): Kerberos, X.509, LDAP, ID/Password, token, others
Slide 12: Industry Trends
Security Assertion Markup Language (SAML)
• SAML provides authentication, authorization, and attribute assertions between loosely coupled domains
• Meant to be complemented by XACML and other specs
• SAML 2.0 will converge with donated Liberty Alliance Phase I work, add user to role mapping, better session management, perhaps credentials collection
Diagram: SAML components across Domain A and Domain B: Authentication Assertion, Attribute Assertion, and Authorization Decision Assertion, produced by an Authentication Authority, Attribute Authority, and Policy Decision Point, together with a Credentials Collector, System Entity, Application Request, and Policy Enforcement Point.
Slide 13: Industry Trends
Liberty Alliance
• Consortium of over 160 organizations: enterprises, service providers, and vendors
• In 2002, developed Identity Federation Framework (ID-FF) using opt-in account linking on top of SAML
• In 2003, developing Identity Web Services Framework (ID-WSF), permission-based attribute sharing and additional capabilities
Diagram: a user with a linked account at Domain A (IDP) and a linked account at Domain B (SP); a SAML assertion passes from A to B by browser redirect or Web service, within a circle of trust.
Slide 14: Industry Trends
Federated identity products and adoption
• SAML early adoption gaining momentum
  • Multiple Web access management and other security products in various stages of release or development
  • Open source solutions and toolkits available
  • Growing customer adoption across multiple industries
• Liberty entering early adoption
  • Head start by encouraging end user membership, adopting SAML, and putting Liberty Phase I into OASIS
  • Products and early implementations underway
  • But some Web access management vendors are not yet implementing Liberty standards
Slide 15: Industry Trends
Federated identity: A growing stack of converging standards with common foundations
Diagram: a stack of standards built on common foundations. Foundation Web Standards: WSDL, SOAP, XML, HTTP, HTML, with XML Signature, XML Encryption, and XML Key Management Services (XKMS) above them. Standards shown above the foundation: WS-Security, SAML, SPML, XrML, XACML; Liberty ID-FF (federated sign on); Liberty Alliance Phase 2 (ID-WSF, ID-SIS: permission-based attribute sharing); WS-Policy, WS-Trust, WS-SecureConversation, WS-Federation, WS-Authorization, WS-Privacy.
Key: OASIS published; OASIS new work; Liberty Alliance Phase 1 (ID-FF); Microsoft, IBM, etc. published; Microsoft, IBM, etc. unpublished.
Slide 16: Industry Trends
SAML, Liberty Alliance, and WS-*
• Where they agree
  • WS-Security and WS-* carry SAML and Liberty assertions
  • OASIS, Liberty Alliance developing WS-Security bindings
  • Microsoft says it will support SAML in Authorization Manager; IBM supports SAML, says it will support Liberty
  • WAM vendors will support both
• Where they disagree
  • Microsoft, IBM won’t join Liberty Alliance
  • WS-Federation has a different profile for browser-based users than SAML and Liberty
  • Microsoft promoting XrML, not SAML and XACML
Slide 17: Industry Trends
SAML, Liberty Alliance, and WS-*: What to expect
• A standards race of “The Tortoise and the Hare”
  • SAML and/or Liberty “hare” racing ahead with federated identity specific initiatives, well into early adoption
  • WS-* “tortoise” will need a few years to be fully standardized, built, and broadly deployed
  • But Microsoft, IBM and partners can push a lot of software into the channel
  • SAML and Liberty Alliance likely to converge with WS-* over the next 5 years for a relatively comfortable coexistence
Slide 18: Industry Trends
Technology availability and adoption waves
Timeline, 2003 to 2007, showing successive adoption waves for SAML, Liberty ID-FF, WS-Security, and then WS-*, new Liberty specs, and SAML 2.0.
Components, timing variable subject to standardization and convergence
Slide 19: Industry Trends
Identity networks today
• Centralized
  • .NET Passport and AOL Screen Name Service
• Industry-based, proprietary
  • SecuritiesHub, Verified by Visa, others
• SAML-powered
  • Shibboleth, multiple corporate networks
• Liberty-powered
  • Corporate B2E projects underway
  • PingID and Neustar (eRX Land Records Exchange Network)
  • Financial networks (SecuritiesHub, others)
  • Mobile communications networks
Slide 20: Identity Networks
Federation implies a poly-centric environment
• Many islands will emerge
• Industry-specific solutions are likely
• How will they converge?
• Identity networks could emerge to link the islands
• Identity networks may be centralized (like Passport), member-owned (as in the ATM, credit-card worlds), provide common governance and policy frameworks, or other models
Diagram: Identity Network A and Identity Network B, each made up of identity domains, connected by identity peering.
Slide 21: Identity Networks
Federated Identity and Web services network types
Timeline, 2003 to 2007, showing network types appearing in sequence: pair-wise, internal federation; trusted third party enabled federation; communities (hub optional); identity networks.
Slide 22: Identity Management and Federation
Agenda
• Federated Identity Concepts
• Industry Trends
• Recommendations
Slide 23: Recommendations
Early adopter lessons learned
• If you build it, they will come
  • Partner interest cascades…
• Return on investment (ROI) is out there
• Federated identity is flexible, it works, and it’s reliable
• But
  • You have to pay to play
  • SAML protocol has some gaps
  • Browsing issues and performance bottlenecks arise
  • The infrastructure must be secure
  • Users will always surprise you
Slide 24: Recommendations
Lessons learned from early deployments
• Technical issues not so difficult
  • Web developers prefer standards-based SAML or Liberty approach to point integration solutions
  • Some enterprises have written their own XML-based federation layer
  • Others purchasing Web access management (WAM) support for IDP operations, WAM or toolkit to accept assertions as SP
• Business issues more complicated than technical ones
  • Build in time to get business application owners on board, and work through arrangements with partners
  • Some enterprises mandating federated IdM for suppliers
  • Create “workbooks” or other collaterals that help early partners understand federated IdM (trading “hubs” can drive adoption)
  • Leverage existing industry associations, identity networks
Slide 25: Recommendations
Today: Implement SAML, Liberty, and conventional IdM at appropriate architecture tiers
Future: Integrate federated identity with secure Web services
• Enterprise Identity: Use a balance of consolidation, integration and federation approaches internally
• B2B Identity: Use SAML and/or a directory with delegated and self-service administration
• Public Identity: Use identity networks, Liberty Alliance circles of trust, and/or a directory with self-service registration
Slide 26: Recommendations
Deployment considerations
• Use consolidation, integration to build base camp to federate from (continue cleaning the identity house)
• Consider SAML and/or Liberty for current projects, augmenting conventional IdM
• Monitor WS-* for future opportunity to deploy secure, Web services solutions; seek convergent solutions
• Prepare for breaches on either side of your federations by adding business agreements for cooperative risk management and dispute resolution
• Brief the purchasing department, security department, and legal department to get their buyoff
Slide 27: Conclusion
• Federated identity management is a strategic capability that will solve real problems
• SAML and Liberty provide federated identity to the current generation of Web-enabled computing
• Next generation of Web services computing taking shape, will include federated identity
• In the long run, federated identity will converge across both generations of computing
• Identity networks will link partners - internal and external, large and small