Liberty Alliance Approach to IDM - cosic · 2005-11-16
TRANSCRIPT
Liberty Alliance Approach to IDM
Brett McDowell, Liberty Alliance
Modinis Workshop #2, Brussels
2005-11-15
Agenda
1. Liberty Alliance overview
2. Recent Activities
3. Liberty Federation
4. Liberty Authentication
5. Liberty Web Services
6. State of Adoption
7. The Future
The Liberty Alliance is the only global body working to define and drive open technology standards, privacy and business guidelines for digital identity management
What is the Liberty Alliance?
Vision: A networked world in which individuals and businesses can more easily interact with one another while respecting the privacy and security of shared identity information.
Mission: To serve as the premier open Alliance for federated network identity management & services by ensuring interoperability, supporting privacy and promoting adoption of its specifications, guidelines and best practices.
NOT just about technology: Addressing the “whole issue” of identity with policy, business, & technology frameworks and certified implementations
Strong “demand side” membership driving Use Cases
Purpose: Solve Members’ Identity Problems
1. Identity: User, customer, device “facts”, e.g., name, address, ID, DNA, keys; credentials, certificates that were issued e.g. by a Certification Authority
2. Authentication: Log on with a UID/PW, token, certificate, biometrics etc. A process that demands proof that the person presenting them is indeed the person to whom the credentials were originally issued: accept or reject
3. Authorization: Determination of access rights to systems, applications and information: match credentials against profiles, ACLs, policy
4. Policy: Business practices to manage risk, enforce security/privacy, provide auditability. User, customer preferences, history, personalized services
(Diagram labels: Security Management; Identity Management)
The Problem is Trust in the digital world
Liberty Alliance delivers real world solutions to solve real world identity problems
Liberty helps organizations build a foundation for trust -- critical for the overall success of identity-based services and efficiencies
Liberty Alliance in a Nutshell
An Ecosystem of Interoperable Products & Services
Business and Privacy Guidelines
Technology Standards and Guidelines
Trust
Who Believes in Federation Trust Model…
“Federation is the lynchpin of digital convergence and probably one of the most important technologies of the modern era. Soon, we will begin to swim in digital television, multifunctional phones, devices of all kinds, and at the core of making all these things work together with our computer networks and the Internet lies identity management. At the core of identity management lies federation.”
Tom Adelstein, Linux Journal, July 5, 2005
CELL
… Liberty Associates (9/2005)
ActivCard; Adobe Systems; Al-Elm Information Security; BEA Systems, Inc.; Bell Canada; Bluewin AG; CDC Mercure; ChoicePoint; Citigroup; Convergys; Courion Corporation; Deloitte & Touche LLP; Deny All; EarthLink Inc.; Entr'ouvert; Evidian; Fidelity National Financial; Fischer International; Fujitsu Invia; Gamefederation; Giesecke & Devrient GMBH; Hewitt Associates LLC; Imprivata, Inc.; KDDI Corporation; Lockheed Martin Corp.; M-Tech Information Technology; Merck & Co., Inc.; Methics Oy; Minnesota Mutual Companies; Nationwide; News Interactive Pty Ltd.; Nextel Communications; NRI Pacific, Inc.; Oberthur Card Systems; OmniBranch, Inc.; Openwave Systems, Inc.; Passlogix, Inc.; Phoenix Technologies, Ltd.; Ping Identity Corporation; Siemens AG; Software AG; Sony Corporation; Sprint PCS; Studio Notarile Genghini-SNG; Swedbank; Systex Corporation; T-Online International AG; Telewest Broadband; TeliaSonera AB; The Boeing Company; Wave Systems; Workscape, Inc.
… Liberty Affiliates (9/2005)
Adetti; BUPA; Canada Post Corporation; Center for Democracy and Technology; Chief Information Office Austria; China Internet Network Information Center (CNNIC); Computer & Communications Industry Association; Electronics and Telecommunications Research Institute; Engineering Partnership in Lancashire; Enterprise Java Victoria Inc.; Financial Services Technology Consortium; Fraunhofer Institute for Integrated Circuits IIS; Fraunhofer-Gesellschaft; Healthcare Financial Management Association (HFMA); Helsinki Institute of Physics; Hong Kong Post; Institut Experimentelles Software Engineering (IESE); Universitat St.Gallen; Internet2; Interoperability Clearinghouse (ICH); Java Wireless Competency Centre (JWCC); Kuratorium OFFIS e.V.; National Institute for Urban Search & Rescue Inc; Network Applications Consortium (NAC); Newspaper Association of America; Organization Internationale Pour La Securite des Transactions Electronique; PAM Forum; Radicchio Ltd.; Singapore Institute of Manufacturing Technology; Software&Information Industry Association; Technische Universitat Berlin; TeleTrusT; The Financial Services Roundtable/BITS; The Open Group; The University of Chicago as Operator of Argonne National Laboratory; TRUSTe; U.S. Department of Defense; Universidad Politecnica de Madrid; University of Birmingham; University of North Carolina at Charlotte; Web Services Competence Center (WSCC)
Balanced Representation
Large Data Custodians / Users of Federation
Large Technology Vendors
Government Agencies
Universities and Non-Profit Organizations
Small Businesses
Over 50% of Liberty Membership is either Non-Profit or a company with less than 100 employees
Technology: Liberty’s Architecture
Liberty Identity Services Interface Specifications (ID-SIS): Enables interoperable identity services such as personal identity profile service, contact book service, geo-location service, presence service and so on.
Liberty Web Services Framework (ID-WSF): Provides the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery, and the associated security profiles.
Liberty Federation Framework (ID-FF and SAML 2.0): Enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management.
Liberty specifications build on existing standards (SAML, SOAP, WS-Addressing, WS-Security, XML, etc.)
2005 – Liberty Alliance
Technology Standards and Guidelines:
February: Second Version of Web Services Framework Specifications
April: Interface Specifications for Identity-based Web Services
June: Formation of Messaging Service Interface Specifications Group
Business and Privacy Guidelines:
February: New Mobile Business Guidelines
April: Legal Framework for Circles of Trust to Comply with European Union Data Protection and Privacy Laws
October: Deployment Guidelines for planning Circles of Trust
An Ecosystem of Interoperable Products & Services:
April: Liberty Extends Interoperable Testing Program to Include SAML 2.0
May: Interoperable Certification Awarded to Eight Companies
August: First Companies Pass SAML 2.0 Interoperability Testing
Identity Theft Prevention -- Strong Authentication -- e-Health -- Japanese SIG
2005 - Expand Scope Vertically
Identity Theft Prevention
• Leverages Liberty’s diverse membership, structure and technical specifications to help address identity theft challenges and speed development of solutions
• Group formed in June 2005
• Chaired by AMEX and Fidelity Investments
• 87 members participating
eHealthcare
• Concentrates on interoperability and authentication in the healthcare industry including information sharing and authentication for patients, providers and payers
• Group formed in June 2005
• Chaired by VeriSign
• 125 Liberty members participating
Japan
• Focuses on identity issues at a geographic level to drive understanding of Japanese issues into broader Liberty membership, and organizes activities to localize Liberty documents for Japanese audience
• Group formed in June 2005
• 20 companies participating
A Grand Convergence
OASIS SSTC: SAML V1.0 (Nov 2002) → SAML V1.1 (Sep 2003) → SAML V2.0 (Mar 2005)
Liberty Alliance: Phase 1 (Jul 2002) → ID-FF V1.1 (Jan 2003) → ID-FF V1.2 (Nov 2003), OASIS Contribution → SAML V2.0 adoption/testing (Apr 2005)
Internet2 Shibboleth: Shib V1.x (Jul/Aug 2003) → Shib V1.2 (Apr 2004), OASIS Participation
Liberty ID-FF / SAML 2
(Diagram: Jane using a browser; SP; IdP; “It’s Jane”; ID-FF/SAML2)
ID-FF: The SP interacts with the IdP through Jane’s browser to obtain the identity credential for Jane.
SAML Components
Assertions: Authentication, attribute, and entitlement information
Protocols: Request/response message pairs for obtaining assertions and doing identity management
Bindings: Mappings of SAML protocols onto standard messaging and communication protocols
Profiles: Combinations of assertions, protocols, and bindings to support interoperability for particular use cases
Authentication context: Detailed data on types and strengths of authentication
Metadata: Configuration data for assertion-exchanging parties
Liberty Federation (ID-FF and SAML 2.0)
• Well defined
• Tested interoperable
• Certified GA products
• Cross-domain Simplified Sign-on
• Global Log-out
• Foundation for “Circles of Trust”
Technology frameworks
Federation technology in place!
Federation - Interoperability Program
Key Liberty Alliance differentiator for advancing federation deployments
Designed to validate core Liberty Alliance functionality
Over 60 product tests since Liberty launched the program in 2003
Next SAML 2.0 testing event November in Tokyo
Eight vendors passed Liberty’s first SAML 2.0 interoperability testing event held in July 2005
An Ecosystem of Interoperable Products & Services
NEWS! In October Liberty Alliance released business guidelines for organizations looking to develop Circles of Trust as they deploy federated solutions
Developed for policy-decision makers, Liberty’s guidelines will help organizations manage the business, legal and privacy issues associated with developing and deploying Circles of Trust
Q) What are each of the members' data practices, including collection, use, transfer and retention?
Q) Have the members and the CoT taken all reasonable steps to avoid wholesale data theft or individual identity theft?
Q) What data consent, collection, use, retention and storage activities are necessary to meet the CoT's goals?
Developed based on the experience of Liberty members working on deploying CoTs
Business and Privacy Guidelines
Federation – Deployment Guidelines
• Educational workshops staffed by Liberty members who have developed and deployed federated solutions based on Liberty specifications
• Held quarterly around the globe with the last event held in Chicago, with attendees from more than 50 non-member organizations
• Demonstrations, Q & A’s and review of case studies --- what was hard, what was easy, benefits, ROI and roadmaps for next steps
• NEXT EVENT: 7 December, Paris
Federation – Deployment Workshops
Logos represent member organizations taking part in deployment workshops worldwide
We federated…
you can too!
Need for Stronger Authentication
Password Sniffers; Phishing; Identity Theft; Remote Workers; On-line Commerce
ID Theft costs users $500 and 30 hours per incident (US FTC, 2003)
Wireless LAN’s and VPN’s eliminate the security perimeter
Crack once, spoof everywhere (my bank password is also my Yahoo! Mail password)
Phishing successful 5-10% of the time
$3B in remote payment fraud
Demonize-T Trojan Horse forwards password keystrokes to hacker websites
In 2005, liability can be shifted to issuing banks… how will they pass on the losses?
70% of users would trade their password for chocolate
On-line Commerce fastest growing method and twice the cost of in-person payment
As we begin to rely on shared credentials, the need for strong authentication will become even more important
Liberty Federation and Strong Authentication
“Strong auth won't be successful unless it's made easy and user friendly. Federation is that solution, making it applicable to the larger market.” – Alex Popowycz, Vice President, Fidelity Investments, August 2005
NEWS! Q4 ’05 - Liberty forms Strong Authentication Expert Group to define ID-SAFe (IdM Strong Authentication Framework) - moving from requirements stage to development
(Diagram: a hardware token; Company A IdP with Secure Authentication Server; Service Providers)
… the Crossroads of Identity
Mobile / Telephony; Financial; Government & Consumer; Access Control / Corporate
Liberty Web Services
Liberty Identity Services Interface Specifications (ID-SIS): Enables interoperable identity services such as personal identity profile service, contact book service, geo-location service, presence service and so on.
Liberty Identity Web Services Framework (ID-WSF): Provides the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery, and the associated security profiles
Liberty specifications build on existing standards (SAML, SOAP, WS-Addressing, WS-Security, XML, etc.)
Identity-based Web services:
• Are associated with a Principal's Identity (e.g. My Calendar Service)
• Can be invoked using a Principal’s identity
Permissions-based Attribute Sharing:
• Invoking Services under control of user
• Service Requestor doing so on behalf (either directly or indirectly) of user
Discovery:
• Credentials to use when accessing information
• Appropriately mapped identifiers for any principals involved (so that their pseudonyms can be protected)
Liberty Web Services - SOA Ready
• SOAs must incorporate identity
• ID-WSF components ready to deploy in SOA environment
• Cross-industry applications for jump-starting SOA implementations
• Available to any organization looking to implement responsive, flexible and secure SOAs
• Provide security and trust at the application level
• SOA security, identity and privacy enabled “out of the box”
Discovery service; Interaction service; Authentication service; Security Mechanisms; SOAP Binding
Driving high functionality into Web services standards
Liberty Web Services
"Sun is heavily invested in the ID-WSF 2.0 specification because it hits a sweetspot for defining highly-secure, identity-based Web services." - Joe Keller, Vice President of Marketing, Advanced Development Platforms, Sun Microsystems Inc.
"HP has long been committed to supporting and driving open standards including the recent work with the Liberty Alliance for ID-WSF version 2.0." - Todd DeLaughter, Vice President and General Manager, Management Software Business, Hewlett-Packard
"By adding the ability to leverage the SAML 2.0 protocol for single sign-on, ID-WSF version 2.0 has emerged as the leading standard for adding identity federation to Web services that span multiple domains." - Greg Whitehead, CTO, Trustgenix
Logos represent member organizations passing ID-WSF interoperability testing
An Ecosystem of Interoperable Products & Services
WS-* and Liberty Web Services
WS-* | Liberty Web Services
Need for profiles complicates deployment process | Tight profiles help simplify deployment
Unknown | Privacy features built-in and based on a combination of technology and guidelines
Requires significant profiling | Complete profiles
Unknown | Tested interoperable
Some components are deployed; status of others are unknown | Deployed
By invitation | Completely open
Convergence vs Interoperability… there are current realities that need to be addressed
Liberty ID-FF & ID-WSF
(Diagram: Jane using a browser; SP/WSC; IdP; DS; WSPs; “It’s Jane”; ID-FF/SAML2; ID-WSF)
ID-FF: The SP interacts with the IdP through Jane’s browser to obtain the identity credential for Jane.
ID-WSF: The SP (acting as a WSC) interacts with the DS and Jane’s WSPs in order to invoke services at the WSPs on Jane’s behalf.
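The ID-WSF step above, and the Discovery bullets on the earlier Liberty Web Services slide (“credentials to use when accessing information” and “appropriately mapped identifiers … so that their pseudonyms can be protected”), can be made concrete with a small simulation. The following is an added example, not code from the presentation or from any Liberty specification: a discovery service that knows Jane under a different opaque pseudonym for each provider, resolves the pseudonym a WSC presents, and hands back the WSP endpoint, Jane’s pseudonym at that WSP and a credential scoped to that one WSC/WSP pair; the WSP accepts the call only under that credential. Provider names, the service type URN and the endpoint are hypothetical, and an HMAC over a JSON claim set stands in for the real ID-WSF security mechanisms (SAML-token based) so the block runs offline.

```python
"""Constructed example (not Liberty's code) of the ID-WSF step on the slide: the SP,
acting as a WSC, asks the IdP's discovery service (DS) where Jane's profile WSP is,
receives the endpoint, Jane's pseudonym *at that WSP* and a short-lived credential,
then invokes the WSP. Provider names and service types are hypothetical; an HMAC
over a JSON claim set stands in for the ID-WSF security mechanisms (SAML tokens)."""
import hashlib, hmac, json, secrets


class DiscoveryService:
    """IdP-side DS: knows Jane under a different opaque pseudonym for each provider."""

    def __init__(self):
        self.federations = {}   # local user -> {provider_id: pseudonym}
        self.by_pseudonym = {}  # (provider_id, pseudonym) -> local user
        self.offerings = {}     # local user -> {service_type: wsp_id}
        self.wsps = {}          # wsp_id -> (endpoint, key shared with that WSP)

    def register_wsp(self, wsp_id, endpoint, shared_key):
        self.wsps[wsp_id] = (endpoint, shared_key)

    def federate(self, user, provider_id):
        """Return the pairwise pseudonym for (user, provider), minting one on first use."""
        pseudonym = self.federations.setdefault(user, {}).get(provider_id)
        if pseudonym is None:
            pseudonym = secrets.token_hex(16)
            self.federations[user][provider_id] = pseudonym
            self.by_pseudonym[(provider_id, pseudonym)] = user
        return pseudonym

    def offer(self, user, service_type, wsp_id):
        self.offerings.setdefault(user, {})[service_type] = wsp_id

    def lookup(self, wsc_id, wsc_pseudonym, service_type, now):
        """Resolve the caller's pseudonym to the principal, then answer with the WSP
        endpoint, the principal's pseudonym at that WSP, and a credential scoped to
        exactly this WSC, this WSP and this pseudonym."""
        user = self.by_pseudonym.get((wsc_id, wsc_pseudonym))
        wsp_id = self.offerings.get(user, {}).get(service_type)
        if user is None or wsp_id is None:
            return None
        endpoint, key = self.wsps[wsp_id]
        wsp_pseudonym = self.federate(user, wsp_id)
        claims = json.dumps({"wsc": wsc_id, "wsp": wsp_id, "sub": wsp_pseudonym,
                             "exp": now + 300}, sort_keys=True)
        mac = hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()
        return {"endpoint": endpoint, "pseudonym": wsp_pseudonym, "credential": (claims, mac)}


class ProfileService:
    """A WSP (personal profile service) that only ever sees its own pseudonym for Jane."""

    def __init__(self, wsp_id, shared_key):
        self.wsp_id, self.key = wsp_id, shared_key
        self.records = {}  # pseudonym -> attributes

    def invoke(self, credential, caller_id, attribute, now):
        claims_json, mac = credential
        expected = hmac.new(self.key, claims_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return {"error": "credential not issued by the DS"}
        claims = json.loads(claims_json)
        if claims["wsp"] != self.wsp_id or claims["wsc"] != caller_id or now >= claims["exp"]:
            return {"error": "credential not valid for this caller, service or time"}
        return {"value": self.records.get(claims["sub"], {}).get(attribute)}


def run_flow(now=1_000_000):
    """Drive the SP -> DS -> WSP exchange and report what each party learned."""
    ds = DiscoveryService()
    key = secrets.token_bytes(32)                      # constructed DS/WSP shared key
    profile = ProfileService("wsp-profile", key)
    ds.register_wsp("wsp-profile", "https://profile.example.test/soap", key)
    # Jane federated her IdP account with two SPs and her profile service.
    travel_pseudonym = ds.federate("jane", "sp-travel")
    shop_pseudonym = ds.federate("jane", "sp-shop")
    profile_pseudonym = ds.federate("jane", "wsp-profile")
    ds.offer("jane", "urn:example:profile", "wsp-profile")
    profile.records[profile_pseudonym] = {"seatPreference": "aisle"}
    # 1. The travel SP (as WSC) discovers Jane's profile WSP using the pseudonym it
    #    learned from the ID-FF/SAML assertion.
    hit = ds.lookup("sp-travel", travel_pseudonym, "urn:example:profile", now)
    # 2. It invokes the WSP with the credential the DS issued.
    answer = profile.invoke(hit["credential"], "sp-travel", "seatPreference", now)
    # 3. Misuse attempts the WSP and DS must refuse.
    replayed = profile.invoke(hit["credential"], "sp-shop", "seatPreference", now)
    stale = profile.invoke(hit["credential"], "sp-travel", "seatPreference", now + 301)
    return {
        "value": answer.get("value"),
        # Three different identifiers for one person: no provider pair can correlate Jane by ID.
        "distinct_ids": len({travel_pseudonym, shop_pseudonym, profile_pseudonym}),
        "wsp_sees_sp_pseudonym": hit["pseudonym"] == travel_pseudonym,
        "replay_by_other_wsc_refused": "error" in replayed,
        "expired_refused": "error" in stale,
        # The shop SP cannot use the travel SP's pseudonym to discover Jane's services.
        "cross_sp_lookup_refused": ds.lookup("sp-shop", travel_pseudonym, "urn:example:profile", now) is None,
    }
```

`run_flow()` returns the seat preference for the legitimate call and shows the three properties the slide’s Discovery bullets ask for: the SP, the shop SP and the profile WSP each hold a different pseudonym for Jane, a credential issued to one WSC is useless to another WSC or after its lifetime, and a pseudonym known to one SP does not let a second SP discover Jane’s services.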
Liberty – Adoption – 2004
• 400M Liberty-enabled identities and devices in 2004
• Well-publicized federated Liberty deployments at GM, Orange, France Telecom, Fidelity, AOL and Nokia
• Early adopters set an excellent pace, uncovering new business opportunities as well as challenges to solve
Federation technology in place and adoption growing
Adoption – Growing Momentum
• Accelerated adoption in multiple verticals (mobile, eGovernment, financial services, transportation) and in application areas (HR/benefits and supply chain)
• Virtually 100 percent of off-the-shelf SSO vendors using or planning support for Liberty specs by 2006
• Standards organizations are adopting Liberty within their specs
• Emergence of a true digital ecosystem:
• Mobile—well established and growing
• Finance—greater traction and growing rollouts
• Transportation—greater traction and major rollouts
• Government—growing interest at all levels
• Healthcare—emerging—watch in ’06/’07
Adoption Snapshots
American Express
• Intranet and Internet enabled for SSO
• Production federations with AEFA
• Partner federations with Intel and AON in the works
• Hundreds of implementations planned for corporate travel partners
Elios
• Mobile tech provider
• Mobile deployment could impact 196M customers
Edumart
• Japanese educational project using Liberty specs at 40,000 schools
Press materials
Adoption Snapshots (cont)
BIPAC
• Lobbying organization
• 10 additional Liberty deployments reaching 500,000 individuals by end of 2006
French Government
• eGov initiative recommends that all French agencies use LAP specs
• French tech providers (Entrouvert, Elios, France Telecom, Orange and others) are rolling out projects today
• Potential to serve millions of French citizens
Adoption Snapshots (cont)
JAL ONLINE
• B2B services solution for JAL, Japan's premier airline
• Provides ticketing, scheduling and other services to more than 12,500 companies
• LAP spec adopted as standard technology
Star Alliance
• A group of 17 airlines including Air Canada, Lufthansa and United, serving 382 million customers in 139 countries
• When a user becomes SA member he is federated, gaining SSO with any airline
• Additionally, through LAP specs, each airline can access a common set of passenger info, such as seat preference, etc.
Adoption Snapshots (cont)
• Hundreds of enterprise customers deploying Liberty-enabled devices
• Single deployments are reaching thousands to millions of individuals (HR projects, supply chain, mobile, government, financial services, healthcare)
• Vertical leaders are setting the pace for others to follow or be left behind
Liberty Adoption
More than one billion Liberty-enabled identities and devices by the end of 2006… and that’s just what we know about
Enhanced functionality and new capabilities in open identity management, extending complete framework to the client
Liberty Alliance Web Services – What’s Next
Robust Client
• Serves as powerful and trusted client, providing exceptional user and consumer functionality
Strong Authentication
• Interoperability priority one, with overall goal of driving worldwide mass adoption of strong authentication technologies
Provisioning
• Designed to expedite bulk federation/de-federation and define how to provision into Liberty clients (esp. in support of Strong Auth, Robust, etc.)
Liberty on the Client Side
iClient
• New capabilities at the client level with Trusted Modules (TM) for managing client-resident identity information and allowing the client to move easily on- and off-line
• Sharing an Intelligent Client’s TM’s to advance vertical market interoperability and reduce deployment costs
Liberty Federation and Liberty Web Services.... A Continuing Supporting Infrastructure
(Diagram labels: Authentication; Local Attribute; Connectivity Variances; Liberty Federation and Liberty Web Services; Authentication; Provisioning; Robust Client; iClient)
The Liberty Client
Use cases:
• Sharing contact information (dating & business)
• Patient-doctor medical records
• Family credit card
• Family browsing
• Corporate mobility
• Rights management
• Sharing a pre-pay account
• Exchanging game characters
Robust Client
• Completes Liberty’s framework extension to the client by building on the requirements for, and the architectures of, iClient
• Serves as a powerful and trusted client, supporting advanced functionality for users and consumers
• The industry’s only fully capable and active client that provides, delegates and introduces identity information
(Diagram labels: Liberty Federation and Liberty Web Services; Robust Client; iClient)
ID-SAFE
Strong Authentication Expert Group (SAEG) will be responsible for defining a standard industry framework that enables interoperability of multiple authentication mechanisms in Federated and/or Web services and/or stand-alone digital identity architectures/environments. A working title for this deliverable is ID-SAFE (Identity Strong Authentication FramEwork).
What you’ll see in 2006
Technology Standards and Guidelines:
• Completion of ID-WSF 2.0 and continuing work on new specifications and services (Mobile Payment, Breach Notification, Directory Access Protocol, others discussed)
• Further demonstration of Liberty’s commitment to convergence through profiling of WS-Trust & WS-Policy, etc.
• ID-SAFe 1.0 to enable strong authentication interoperability
Business and Privacy Guidelines:
• New business, legal and policy guidelines and deployment workshops to help speed deployments
• ID-SAFe business and privacy guidelines
• Programs and services focused on the enterprise
• Release of identity theft prevention collateral and portal
An Ecosystem of Interoperable Products & Services:
• Web services deployments increasing and enhancements released
• Further enhancement of the certification program
• Focus on driving Liberty to the client – Liberty everywhere
• Continued traction in interoperable strong authentication
• Vertical focus to capture experience & new requirements
Liberty - Solving Members’ Problem
Liberty is all things identity
Committed to facilitating solutions of all needs—technical, business and policy
Long-term stewardship for all activities related to success of our members
Many new initiatives and programs being proposed regularly to address further aspects of identity
Members see Liberty as a natural place to centralize and maximize their standards investments
Take advantage of the open membership structure to maximize your investments in “identity” management
Next Steps… Work Together?
Modinis Good Practices; Modinis Workshops; guIDe architecture; Fidelity CoT; OpenSC/e-Forum WG; OpenSC; Digital Austria; guIDe offline use cases; guIDe Biz Data
Liberty Case Studies; Deployment Workshops; Liberty Architecture; New Requirements; ID-SAFe interoperability; Active Client & Privacy; Trust interoperability; Liberty Client; ID-SIS-Business Profile
Liberty European eGov IDM Special Interest Group?