
Liberty Alliance Approach to IDM

Brett McDowell, Liberty Alliance
Modinis Workshop #2, Brussels, 2005-11-15

Agenda

1. Liberty Alliance overview
2. Recent Activities
3. Liberty Federation
4. Liberty Authentication
5. Liberty Web Services
6. State of Adoption
7. The Future

The Liberty Alliance is the only global body working to define and drive open technology standards, privacy and business guidelines for digital identity management.

What is the Liberty Alliance?

Vision: A networked world in which individuals and businesses can more easily interact with one another while respecting the privacy and security of shared identity information.

Mission: To serve as the premier open Alliance for federated network identity management & services by ensuring interoperability, supporting privacy and promoting adoption of its specifications, guidelines and best practices.

NOT just about technology: addressing the “whole issue” of identity with policy, business, & technology frameworks and certified implementations. Strong “demand side” membership driving Use Cases.

Purpose: Solve Members’ Identity Problems

The slide stacks four layers, with Security Management and Identity Management running alongside them:

1. Identity: user, customer, device “facts”, e.g., name, address, ID, DNA, keys; credentials and certificates that were issued, e.g., by a Certification Authority.
2. Authentication: log on with a UID/PW, token, certificate, biometrics etc. A process that demands proof that the person presenting the credentials is indeed the person to whom they were originally issued; accept or reject.
3. Authorization: determination of access rights to systems, applications and information: match credentials against profiles, ACLs, policy.
4. Policy: business practices to manage risk, enforce security/privacy, provide auditability. User, customer preferences, history, personalized services.

The Problem is Trust in the digital world

Liberty Alliance delivers real world solutions to solve real world identity problems.

Liberty helps organizations build a foundation for trust -- critical for the overall success of identity-based services and efficiencies.

Liberty Alliance in a Nutshell

Trust, built on three pillars:
• Technology Standards and Guidelines
• Business and Privacy Guidelines
• An Ecosystem of Interoperable Products & Services

Who Believes in Federation Trust Model…

“Federation is the lynchpin of digital convergence and probably one of the most important technologies of the modern era. Soon, we will begin to swim in digital television, multifunctional phones, devices of all kinds, and at the core of making all these things work together with our computer networks and the Internet lies identity management. At the core of identity management lies federation.”

Tom Adelstein, Linux Journal, July 5, 2005


… Full Participant Members (Sponsors)

… Liberty Associates (9/2005)

• ActivCard
• Adobe Systems
• Al-Elm Information Security
• BEA Systems, Inc.
• Bell Canada
• Bluewin AG
• CDC Mercure
• ChoicePoint
• Citigroup
• Convergys
• Courion Corporation
• Deloitte & Touche LLP
• Deny All
• EarthLink Inc.
• Entr'ouvert
• Evidian
• Fidelity National Financial
• Fischer International
• Fujitsu Invia
• Gamefederation
• Giesecke & Devrient GMBH
• Hewitt Associates LLC
• Imprivata, Inc.
• KDDI Corporation
• Lockheed Martin Corp.
• M-Tech Information Technology
• Merck & Co., Inc.
• Methics Oy
• Minnesota Mutual Companies
• Nationwide
• News Interactive Pty Ltd.
• Nextel Communications
• NRI Pacific, Inc.
• Oberthur Card Systems
• OmniBranch, Inc.
• Openwave Systems, Inc.
• Passlogix, Inc.
• Phoenix Technologies, Ltd.
• Ping Identity Corporation
• Siemens AG
• Software AG
• Sony Corporation
• Sprint PCS
• Studio Notarile Genghini-SNG
• Swedbank
• Systex Corporation
• T-Online International AG
• Telewest Broadband
• TeliaSonera AB
• The Boeing Company
• Wave Systems
• Workscape, Inc.

… Liberty Affiliates (9/2005)

• Adetti
• BUPA
• Canada Post Corporation
• Center for Democracy and Technology
• Chief Information Office Austria
• China Internet Network Information Center (CNNIC)
• Computer & Communications Industry Association
• Electronics and Telecommunications Research Institute
• Engineering Partnership in Lancashire
• Enterprise Java Victoria Inc.
• Financial Services Technology Consortium
• Fraunhofer Institute for Integrated Circuits IIS
• Fraunhofer-Gesellschaft
• Healthcare Financial Management Association (HFMA)
• Helsinki Institute of Physics
• Hong Kong Post
• Institut Experimentelles Software Engineering (IESE)
• Universitat St.Gallen
• Internet2
• Interoperability Clearinghouse (ICH)
• Java Wireless Competency Centre (JWCC)
• Kuratorium OFFIS e.V.
• National Institute for Urban Search & Rescue Inc
• Network Applications Consortium (NAC)
• Newspaper Association of America
• Organization Internationale Pour La Securite des Transactions Electronique
• PAM Forum
• Radicchio Ltd.
• Singapore Institute of Manufacturing Technology
• Software & Information Industry Association
• Technische Universitat Berlin
• TeleTrusT
• The Financial Services Roundtable/BITS
• The Open Group
• The University of Chicago as Operator of Argonne National Laboratory
• TRUSTe
• U.S. Department of Defense
• Universidad Politecnica de Madrid
• University of Birmingham
• University of North Carolina at Charlotte
• Web Services Competence Center (WSCC)

Balanced Representation

• Large Data Custodians / Users of Federation
• Large Technology Vendors
• Government Agencies
• Universities and Non-Profit Organizations
• Small Businesses

Over 50% of Liberty Membership is either Non-Profit or a company with less than 100 employees.

2. What have we done… recently?

Technology: Liberty’s Architecture

• Liberty Identity Services Interface Specifications (ID-SIS): enables interoperable identity services such as personal identity profile service, contact book service, geo-location service, presence service and so on.
• Liberty Federation Framework (ID-FF and SAML 2.0): enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management.
• Liberty Web Services Framework (ID-WSF): provides the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery, and the associated security profiles.

Liberty specifications build on existing standards (SAML, SOAP, WS-Addressing, WS-Security, XML, etc.)

2005 – Liberty Alliance

Technology Standards and Guidelines
• February: Second Version of Web Services Framework Specifications
• April: Interface Specifications for Identity-based Web Services
• June: Formation of Messaging Service Interface Specifications Group

Business and Privacy Guidelines
• February: New Mobile Business Guidelines
• April: Legal Framework for Circles of Trust to Comply with European Union Data Protection and Privacy Laws
• October: Deployment Guidelines for planning Circles of Trust

An Ecosystem of Interoperable Products & Services
• April: Liberty Extends Interoperable Testing Program to Include SAML 2.0
• May: Interoperable Certification Awarded to Eight Companies
• August: First Companies Pass SAML 2.0 Interoperability Testing

Identity Theft Prevention -- Strong Authentication -- e-Health -- Japanese SIG

2005 - Expand Scope Vertically

Identity Theft Prevention
• Leverages Liberty’s diverse membership, structure and technical specifications to help address identity theft challenges and speed development of solutions
• Group formed in June 2005
• Chaired by AMEX and Fidelity Investments
• 87 members participating

eHealthcare
• Concentrates on interoperability and authentication in the healthcare industry including information sharing and authentication for patients, providers and payers
• Group formed in June 2005
• Chaired by VeriSign
• 125 Liberty members participating

Japan
• Focuses on identity issues at a geographic level to drive understanding of Japanese issues into broader Liberty membership, and organizes activities to localize Liberty documents for Japanese audience
• Group formed in June 2005
• 20 companies participating

3. Liberty Federation

A Grand Convergence

[Figure: timeline of federation standards from Jul 2002 to Apr 2005, with three tracks. OASIS SSTC: SAML V1.0, SAML V1.1, SAML V2.0. Liberty Alliance: Phase 1, ID-FF V1.1, ID-FF V1.2, then SAML V2.0 adoption/testing, with Liberty’s OASIS contribution and OASIS participation marked. Internet2 Shibboleth: Shib V1.x, Shib V1.2 (Apr 2004). Dates on the axis: Jul 2002, Nov 2002, Jan 2003, Jul/Aug 2003, Sep 2003, Nov 2003, Apr 2004, Mar 2005, Apr 2005.]

Liberty ID-FF / SAML 2

[Figure: Jane, using a browser, at the SP; the IdP answers “It’s Jane” over ID-FF/SAML2.]

ID-FF: The SP interacts with the IdP through Jane’s browser to obtain the identity credential for Jane.

SAML Components

• Assertions: authentication, attribute, and entitlement information
• Protocols: request/response message pairs for obtaining assertions and doing identity management
• Bindings: mappings of SAML protocols onto standard messaging and communication protocols
• Profiles: combinations of assertions, protocols, and bindings to support interoperability for particular use cases
• Authentication context: detailed data on types and strengths of authentication
• Metadata: configuration data for assertion-exchanging parties
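The following is an added example, not code from the Liberty Alliance or from this presentation, showing how the SAML components listed above meet at the relying party: the SP receives an assertion over the HTTP-POST binding, verifies it against the IdP's metadata, checks the conditions (validity window, audience), rejects replays, and refuses an authentication context weaker than the one it requires. Assumptions are labelled in the code: the entity IDs and key are constructed, an HMAC over the assertion bytes stands in for the IdP's XML Signature, a shared secret stands in for the signing certificate the SP would take from the IdP's metadata, and times are epoch seconds rather than xsd:dateTime. The two authentication context class URIs are real SAML 2.0 identifiers.

```python
"""SP-side checks on a SAML 2.0 assertion received over HTTP-POST (added example)."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Real SAML 2.0 authentication context classes: password vs. time-synchronised token.
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
TOKEN_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

SP_ENTITY_ID = "https://sp.example.test"                          # constructed
# Constructed: the IdP's entityID and a shared secret standing in for the signing
# certificate the SP would take from the IdP's metadata.
IDP_METADATA = {"https://idp.example.test": b"constructed-idp-key"}


def _q(name):
    """Namespace-qualify a SAML element name for ElementTree."""
    return f"{{{NS}}}{name}"


def _tag(key, data):
    """HMAC stand-in for the XML Signature over the assertion."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_assertion(idp_id, name_id, ctx_class, attrs, now, lifetime=300,
                    audience=SP_ENTITY_ID):
    """IdP side: build a minimal assertion, 'sign' it and encode it for HTTP-POST."""
    a = ET.Element(_q("Assertion"), ID="_" + os.urandom(8).hex(), Version="2.0",
                   IssueInstant=str(now))
    ET.SubElement(a, _q("Issuer")).text = idp_id
    ET.SubElement(ET.SubElement(a, _q("Subject")), _q("NameID")).text = name_id
    cond = ET.SubElement(a, _q("Conditions"), NotBefore=str(now),
                         NotOnOrAfter=str(now + lifetime))
    ET.SubElement(ET.SubElement(cond, _q("AudienceRestriction")), _q("Audience")).text = audience
    stmt = ET.SubElement(a, _q("AuthnStatement"), AuthnInstant=str(now))
    ET.SubElement(ET.SubElement(stmt, _q("AuthnContext")), _q("AuthnContextClassRef")).text = ctx_class
    attr_stmt = ET.SubElement(a, _q("AttributeStatement"))
    for name, value in attrs.items():
        ET.SubElement(ET.SubElement(attr_stmt, _q("Attribute"), Name=name), _q("AttributeValue")).text = value
    xml = ET.tostring(a)
    tag = _tag(IDP_METADATA[idp_id], xml)
    # HTTP-POST binding: the signed assertion travels base64-encoded in a form field.
    return base64.b64encode(tag.encode() + b"." + xml).decode()


def validate_assertion(form_value, now, accepted_ctx, seen_ids):
    """SP side. Returns (result, None) on success or (None, reason) on rejection."""
    tag, _, xml = base64.b64decode(form_value).partition(b".")
    root = ET.fromstring(xml)
    key = IDP_METADATA.get(root.findtext(_q("Issuer")))
    if key is None:
        return None, "unknown issuer"                  # issuer not in our metadata
    if not hmac.compare_digest(tag.decode(), _tag(key, xml)):
        return None, "bad signature"                   # tampered or forged
    cond = root.find(_q("Conditions"))
    if not int(cond.get("NotBefore")) <= now < int(cond.get("NotOnOrAfter")):
        return None, "outside validity window"
    if cond.findtext(f"{_q('AudienceRestriction')}/{_q('Audience')}") != SP_ENTITY_ID:
        return None, "wrong audience"                  # issued for another SP
    if root.get("ID") in seen_ids:
        return None, "replayed assertion"
    ctx = root.findtext(f"{_q('AuthnStatement')}/{_q('AuthnContext')}/{_q('AuthnContextClassRef')}")
    if ctx not in accepted_ctx:
        return None, f"authentication context too weak: {ctx}"
    seen_ids.add(root.get("ID"))                       # remember the ID until it expires
    attrs = {el.get("Name"): el.findtext(_q("AttributeValue")) for el in root.iter(_q("Attribute"))}
    return {"name_id": root.findtext(f"{_q('Subject')}/{_q('NameID')}"),
            "authn_context": ctx, "attributes": attrs}, None


if __name__ == "__main__":
    seen = set()
    posted = issue_assertion("https://idp.example.test", "jane@idp", TOKEN_CTX,
                             {"mail": "jane@example.test"}, now=1_700_000_000)
    print(validate_assertion(posted, 1_700_000_010, {TOKEN_CTX}, seen))
    print(validate_assertion(posted, 1_700_000_010, {TOKEN_CTX}, seen))   # replay
```

The order of the checks matters: the signature is verified before any content is trusted, and the assertion ID is only recorded once every other check has passed, so a rejected message cannot be used to fill the replay cache.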

Liberty Federation (ID-FF and SAML 2.0)

• Well defined
• Tested interoperable
• Certified GA products
• Cross-domain Simplified Sign-on
• Global Log-out
• Foundation for “Circles of Trust”

Technology frameworks: federation technology in place!

Federation - Interoperability Program

• Key Liberty Alliance differentiator for advancing federation deployments
• Designed to validate core Liberty Alliance functionality
• Over 60 product tests since Liberty launched the program in 2003
• Eight vendors passed Liberty’s first SAML 2.0 interoperability testing event held in July 2005
• Next SAML 2.0 testing event November in Tokyo

(An Ecosystem of Interoperable Products & Services)

Federation – Deployment Guidelines

NEWS! In October Liberty Alliance released business guidelines for organizations looking to develop Circles of Trust as they deploy federated solutions.

Developed for policy-decision makers, Liberty’s guidelines will help organizations manage the business, legal and privacy issues associated with developing and deploying Circles of Trust. Developed based on the experience of Liberty members working on deploying CoTs.

Q) What are each of the members' data practices, including collection, use, transfer and retention?

Q) Have the members and the CoT taken all reasonable steps to avoid wholesale data theft or individual identity theft?

Q) What data consent, collection, use, retention and storage activities are necessary to meet the CoT's goals?

(Business and Privacy Guidelines)

Federation – Deployment Workshops

• Educational workshops staffed by Liberty members who have developed and deployed federated solutions based on Liberty specifications
• Held quarterly around the globe with the last event held in Chicago, with attendees from more than 50 non-member organizations
• Demonstrations, Q & A’s and review of case studies --- what was hard, what was easy, benefits, ROI and roadmaps for next steps
• NEXT EVENT: 7 December, Paris

Logos represent member organizations taking part in deployment workshops worldwide. We federated… you can too!

4. Liberty Authentication

Need for Stronger Authentication

Drivers: Password Sniffers; Phishing; Identity Theft; Remote Workers; On-line Commerce.

• ID Theft costs users $500 and 30 hours per incident (US FTC, 2003)
• Wireless LANs and VPNs eliminate the security perimeter
• Crack once, spoof everywhere (my bank password is also my Yahoo! Mail password)
• Phishing successful 5-10% of the time
• $3B in remote payment fraud
• Demonize-T Trojan Horse forwards password keystrokes to hacker websites
• In 2005, liability can be shifted to issuing banks… how will they pass on the losses?
• 70% of users would trade their password for chocolate
• On-line Commerce fastest growing method and twice the cost of in-person payment

As we begin to rely on shared credentials, the need for strong authentication will become even more important.

Liberty Federation and Strong Authentication

“Strong auth won't be successful unless it's made easy and user friendly. Federation is that solution, making it applicable to the larger market.” – Alex Popowycz, Vice President, Fidelity Investments, August 2005

NEWS! Q4 ’05 - Liberty forms Strong Authentication Expert Group to define ID-SAFe (IdM Strong Authentication Framework) - moving from requirements stage to development

[Figure: a hardware token (displaying 274728428) used to log on at Company A’s IDP and Secure Authentication Server, which is federated with several Service Providers.]

… the Crossroads of Identity: Mobile / Telephony; Financial; Government & Consumer; Access Control / Corporate

5. Liberty Web Services

Liberty Web Services

• Liberty Identity Services Interface Specifications (ID-SIS): enables interoperable identity services such as personal identity profile service, contact book service, geo-location service, presence service and so on.
• Liberty Identity Web Services Framework (ID-WSF): provides the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery, and the associated security profiles.

Liberty specifications build on existing standards (SAML, SOAP, WS-Addressing, WS-Security, XML, etc.)

• Identity-based Web services: are associated with a Principal's identity (e.g. My Calendar Service); can be invoked using a Principal’s identity
• Permissions-based Attribute Sharing: invoking services under control of user; Service Requestor doing so on behalf (either directly or indirectly) of user
• Discovery: credentials to use when accessing information; appropriately mapped identifiers for any principals involved (so that their pseudonyms can be protected)

Liberty Web Services - SOA Ready

• SOAs must incorporate identity
• ID-WSF components ready to deploy in SOA environment
• Cross-industry applications for jump-starting SOA implementations
• Available to any organization looking to implement responsive, flexible and secure SOAs
• Provide security and trust at the application level
• SOA security, identity and privacy enabled “out of the box”

ID-WSF components: Discovery service, Interaction service, Authentication service, Security Mechanisms, SOAP Binding

Driving high functionality into Web services standards

Liberty Web Services

"Sun is heavily invested in the ID-WSF 2.0 specification because it hits a sweet spot for defining highly-secure, identity-based Web services." - Joe Keller, Vice President of Marketing, Advanced Development Platforms, Sun Microsystems Inc.

"HP has long been committed to supporting and driving open standards including the recent work with the Liberty Alliance for ID-WSF version 2.0." - Todd DeLaughter, Vice President and General Manager, Management Software Business, Hewlett-Packard

"By adding the ability to leverage the SAML 2.0 protocol for single sign-on, ID-WSF version 2.0 has emerged as the leading standard for adding identity federation to Web services that span multiple domains." - Greg Whitehead, CTO, Trustgenix

Logos represent member organizations passing ID-WSF interoperability testing.

(An Ecosystem of Interoperable Products & Services)

WS-* and Liberty Web Services

Profiling. WS-*: need for profiles complicates deployment process; requires significant profiling. Liberty Web Services: tight profiles help simplify deployment; complete profiles.
Privacy. WS-*: unknown. Liberty Web Services: privacy features built-in and based on a combination of technology and guidelines.
Interoperability. WS-*: unknown. Liberty Web Services: tested interoperable.
Deployment. WS-*: some components are deployed; status of others is unknown. Liberty Web Services: deployed.
Participation. WS-*: by invitation. Liberty Web Services: completely open.

Convergence vs Interoperability… there are current realities that need to be addressed.

Liberty ID-FF & ID-WSF

[Figure: Jane, using a browser, at the SP/WSC; the IdP answers “It’s Jane” over ID-FF/SAML2; the SP/WSC then speaks ID-WSF to the DS and to Jane’s WSPs.]

ID-FF: The SP interacts with the IdP through Jane’s browser to obtain the identity credential for Jane.

ID-WSF: The SP (acting as a WSC) interacts with the DS and Jane’s WSPs in order to invoke services at the WSPs on Jane’s behalf.
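The ID-WSF leg of this flow, and the Discovery and Permissions-based Attribute Sharing points from the Liberty Web Services slide above, as an added example that is not Liberty Alliance code: the SP, acting as WSC, asks the Discovery Service where Jane's services live; the DS hands back, per WSP, a pseudonym for Jane and a token bound to that WSC and WSP and to the attributes Jane permitted; the WSP verifies the token and releases only those attributes. Everything here is constructed and labelled as such: the endpoints, the registry entry for Jane, the per-WSP keys shared with the DS (standing in for the ID-WSF security mechanisms), and a signed JSON token in place of the endpoint reference and security token the DS would return.

```python
"""ID-WSF discovery, per-WSP pseudonyms and permission-based release (added example)."""
import hashlib
import hmac
import json

SP = "https://sp.example.test"                    # the WSC; constructed
PROFILE_WSP = "https://profile.example.test"      # constructed
CALENDAR_WSP = "https://calendar.example.test"    # constructed
# Constructed: one key per WSP, shared with the DS, standing in for ID-WSF security mechanisms.
DS_WSP_KEYS = {PROFILE_WSP: b"constructed-key-profile",
               CALENDAR_WSP: b"constructed-key-calendar"}
DS_PSEUDONYM_SECRET = b"constructed-ds-pseudonym-secret"


def pseudonym(fed_id, wsp):
    """Per-WSP pseudonym: two WSPs get different identifiers for Jane, and neither
    sees the federated identifier the SP knows her by."""
    mac = hmac.new(DS_PSEUDONYM_SECRET, f"{fed_id}|{wsp}".encode(), hashlib.sha256)
    return "pn-" + mac.hexdigest()[:16]


# What the DS holds for Jane (constructed federated id "fed-id-7f3a"): where her
# services are, and which attributes each requester may read (her permissions).
REGISTRY = {"fed-id-7f3a": {
    "services": {"profile": PROFILE_WSP, "calendar": CALENDAR_WSP},
    "permissions": {SP: {"profile": {"displayName", "country"}, "calendar": {"freeBusy"}}},
}}
# Each WSP stores Jane's data under her pseudonym only (constructed sample data).
WSP_DATA = {
    PROFILE_WSP: {pseudonym("fed-id-7f3a", PROFILE_WSP):
                  {"displayName": "Jane", "country": "BE", "dateOfBirth": "1970-01-01"}},
    CALENDAR_WSP: {pseudonym("fed-id-7f3a", CALENDAR_WSP):
                   {"freeBusy": "busy 09:00-10:00", "events": "dentist"}},
}


def _sign(key, claims):
    """Signed JSON token: stand-in for the DS-issued security token."""
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def discover(fed_id, requester, service_type):
    """DS: resolve the WSP for a service type and issue a token bound to this WSC,
    this WSP, Jane's pseudonym at that WSP and the attributes Jane allowed."""
    entry = REGISTRY.get(fed_id)
    if entry is None or service_type not in entry["services"]:
        return None
    allowed = entry["permissions"].get(requester, {}).get(service_type)
    if not allowed:
        return None                           # Jane granted this requester nothing here
    wsp = entry["services"][service_type]
    claims = {"aud": wsp, "wsc": requester, "subject": pseudonym(fed_id, wsp),
              "allowed": sorted(allowed)}
    return {"endpoint": wsp, "token": _sign(DS_WSP_KEYS[wsp], claims)}


def wsp_query(wsp, requester, token, wanted):
    """WSP: verify the DS token, then release only the permitted attributes.
    Returns (released, denied) or (None, reason)."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(DS_WSP_KEYS[wsp], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad token signature"    # not from the DS, or meant for another WSP
    claims = json.loads(body)
    if claims["aud"] != wsp or claims["wsc"] != requester:
        return None, "token not issued for this WSP/WSC pair"
    record = WSP_DATA[wsp].get(claims["subject"], {})
    released = {k: record[k] for k in wanted if k in claims["allowed"] and k in record}
    return released, sorted(set(wanted) - set(released))


def invoke_on_behalf(fed_id, service_type, wanted):
    """WSC flow: discover, then call the WSP with the token the DS issued."""
    found = discover(fed_id, SP, service_type)
    if found is None:
        return None, "discovery refused"
    return wsp_query(found["endpoint"], SP, found["token"], wanted)


if __name__ == "__main__":
    print(invoke_on_behalf("fed-id-7f3a", "profile", ["displayName", "country", "dateOfBirth"]))
    print(pseudonym("fed-id-7f3a", PROFILE_WSP), pseudonym("fed-id-7f3a", CALENDAR_WSP))
```

Two properties of the slide's design show up directly: the WSPs never learn the SP's federated identifier for Jane, and a token the DS issued for one WSP fails verification at another because the keys differ, so a WSC cannot reuse one grant across services.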

6. Marketplace Traction

Liberty – Adoption – 2004

• 400M Liberty-enabled identities and devices in 2004
• Well-publicized federated Liberty deployments at GM, Orange, France Telecom, Fidelity, AOL and Nokia
• Early adopters set an excellent pace, uncovering new business opportunities as well as challenges to solve

Federation technology in place and adoption growing

Adoption – Growing Momentum

• Accelerated adoption in multiple verticals (mobile, eGovernment, financial services, transportation) and in application areas (HR/benefits and supply chain)
• Virtually 100 percent of off-the-shelf SSO vendors using or planning support for Liberty specs by 2006
• Standards organizations are adopting Liberty within their specs
• Emergence of a true digital ecosystem:
  • Mobile: well established and growing
  • Finance: greater traction and growing rollouts
  • Transportation: greater traction and major rollouts
  • Government: growing interest at all levels
  • Healthcare: emerging; watch in ’06/’07

Adoption Snapshots

American Express
• Intranet and Internet enabled for SSO
• Production federations with AEFA
• Partner federations with Intel and AON in the works
• Hundreds of implementations planned for corporate travel partners

Elios
• Mobile tech provider
• Mobile deployment could impact 196M customers

Edumart
• Japanese educational project using Liberty specs at 40,000 schools
[Image: press materials (報道資料)]

Adoption Snapshots (cont)

BIPAC
• Lobbying organization
• 10 additional Liberty deployments reaching 500,000 individuals by end of 2006

French Government
• eGov initiative recommends that all French agencies use LAP specs
• French tech providers (Entrouvert, Elios, France Telecom, Orange and others) are rolling out projects today
• Potential to serve millions of French citizens

Adoption Snapshots (cont)

JAL ONLINE
• B2B services solution for JAL, Japan's premier airline
• Provides ticketing, scheduling and other services to more than 12,500 companies
• LAP spec adopted as standard technology

Star Alliance
• A group of 17 airlines including Air Canada, Lufthansa and United, serving 382 million customers in 139 countries
• When a user becomes SA member he is federated, gaining SSO with any airline
• Additionally, through LAP specs, each airline can access a common set of passenger info, such as seat preference, etc.

Adoption Snapshots (cont)

• Hundreds of enterprise customers deploying Liberty-enabled devices
• Single deployments are reaching thousands to millions of individuals (HR projects, supply chain, mobile, government, financial services, healthcare)
• Vertical leaders are setting the pace for others to follow or be left behind

Liberty Adoption

More than one billion Liberty-enabled identities and devices by the end of 2006… and that’s just what we know about.

7. What’s Next?

Enhanced functionality and new capabilities in open identity management, extending complete framework to the client.

Liberty Alliance Web Services – What’s Next

Robust Client
• Serves as powerful and trusted client, providing exceptional user and consumer functionality

Strong Authentication
• Interoperability priority one, with overall goal of driving worldwide mass adoption of strong authentication technologies

Provisioning
• Designed to expedite bulk federation/de-federation and define how to provision into Liberty clients (esp. in support of Strong Auth, Robust, etc.)

Liberty on the Client Side

iClient
• New capabilities at the client level with Trusted Modules (TM) for managing client-resident identity information and allowing the client to move easily on- and off-line
• Sharing an Intelligent Client’s TM’s to advance vertical market interoperability and reduce deployment costs

Liberty Federation and Liberty Web Services.... A Continuing Supporting Infrastructure

[Figure: Liberty Federation and Liberty Web Services as the supporting layer beneath Authentication, Provisioning, Robust Client and iClient; the client-side labels read Authentication, Local Attribute and Connectivity Variances.]

The Liberty Client

Use cases:
• Sharing contact information (dating & business)
• Patient-doctor medical records
• Family credit card
• Family browsing
• Corporate mobility
• Rights management
• Sharing a pre-pay account
• Exchanging game characters

Robust Client
• Completes Liberty’s framework extension to the client by building on the requirements for, and the architectures of, iClient
• Serves as a powerful and trusted client, supporting advanced functionality for users and consumers
• The industry’s only fully capable and active client that provides, delegates and introduces identity information

[Figure: Robust Client and iClient stacked on Liberty Federation and Liberty Web Services.]

ID-SAFE

Strong Authentication Expert Group (SAEG) will be responsible for defining a standard industry framework that enables interoperability of multiple authentication mechanisms in Federated and/or Web services and/or stand-alone digital identity architectures/environments. A working title for this deliverable is ID-SAFE (Identity Strong Authentication FramEwork).

What you’ll see in 2006

Technology Standards and Guidelines
• Completion of ID-WSF 2.0 and continuing work on new specifications and services (Mobile Payment, Breach Notification, Directory Access Protocol, others discussed)
• Further demonstration of Liberty’s commitment to convergence through profiling of WS-Trust & WS-Policy, etc.
• ID-SAFe 1.0 to enable strong authentication interoperability

Business and Privacy Guidelines
• New business, legal and policy guidelines and deployment workshops to help speed deployments
• ID-SAFe business and privacy guidelines
• Programs and services focused on the enterprise
• Release of identity theft prevention collateral and portal

An Ecosystem of Interoperable Products & Services
• Web services deployments increasing and enhancements released
• Further enhancement of the certification program
• Focus on driving Liberty to the client – Liberty everywhere
• Continued traction in interoperable strong authentication
• Vertical focus to capture experience & new requirements

Liberty - Solving Members’ Problem

• Liberty is all things identity
• Committed to facilitating solutions of all needs: technical, business and policy
• Long-term stewardship for all activities related to success of our members
• Many new initiatives and programs being proposed regularly to address further aspects of identity
• Members see Liberty as a natural place to centralize and maximize their standards investments
• Take advantage of the open membership structure to maximize your investments in “identity” management

Next Steps… Work Together?

Modinis side: Modinis Good Practices; Modinis Workshops; guIDe architecture; Fidelity CoT; OpenSC/e-Forum WG; OpenSC; Digital Austria; guIDe offline use cases; guIDe Biz Data

Liberty side: Liberty Case Studies; Deployment Workshops; Liberty Architecture; New Requirements; ID-SAFe interoperability; Active Client & Privacy; Trust interoperability; Liberty Client; ID-SIS-Business Profile

Liberty European eGov IDM Special Interest Group?

Thank You… Any Questions?