SOA Federated Identity Management
How much do you really need?
Andrew S. Townley
Founder and Managing Director, Archistry Limited
Agenda
• Definitions
• Business drivers for federated identity
• Approaches to providing federated identity
• Technical considerations
• Questions
Definitions
• Federated system – integrates existing, possibly heterogeneous systems while preserving their autonomy
• Association autonomy – the ability of a component system to decide whether and how to share its operations and resources with other systems
• Federated identity – a shared name identifier agreed between partner services in order to share information about the user across organizational boundaries
Business Drivers
• What are you trying to do?
  • Provide single sign-on (SSO)?
  • Support dynamic collaboration?
  • Provide a central point of access to distributed services?
• Who are the other participants?
  • Services controlled by a single organization?
  • Services provided by trading partners?
  • Parties with whom you have no formal relationship?
Additional Considerations
• Privacy and consent
  • Will the users use the system?
  • How will their privacy be protected?
  • How will you respond to a right-to-access request?
• Accountability
  • What mechanisms will be used for identity proofing?
  • What mechanisms will ensure non-repudiation of authentication?
  • How will you respond to claims of fraudulent access?
Approaches
• Don’t federate
• Federated identity
• Chain of trust
• Federated authorization
Federated Identities
• Leverages the identification/authentication of a trusted member of the federation (e.g. SAML IdP)
• May or may not require local accounts at all service providers
• Requires out-of-band business agreements between members of the federation
• Does nothing more than assert a claim as to the identity of a user or request within a given context
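The following is an added example, not code from the presentation or from Archistry, showing what a service provider actually checks when it consumes a federated identity assertion: that the issuer is a member of the federation (the out-of-band agreement, modelled here as a registry of trusted issuers), that the assertion was issued for this service and is inside its validity window, and then whether a local account is required for the federated subject or a local identifier can be derived on the fly. HMAC over a JSON body stands in for the XML signature a real SAML assertion carries; the issuer names, secrets and account table are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed (assumption): the business agreement as a registry of trusted
# issuers and the secret each uses to sign assertions. Real SAML uses XML
# signatures with X.509 certificates; HMAC keeps this example self-contained.
TRUSTED_ISSUERS = {
    "https://idp.partner.example": b"partner-shared-secret",
}
OUR_AUDIENCE = "https://sp.local.example"

# Constructed local account table: the service may or may not require a
# pre-existing local account for every federated subject.
LOCAL_ACCOUNTS = {
    ("https://idp.partner.example", "alice@partner.example"): "alice-local",
}


def sign_assertion(issuer, subject, audience, not_before, not_on_or_after, secret):
    """IdP side: a minimal assertion, i.e. a claim about one subject, for one
    audience, valid in one time window, signed by the issuer."""
    body = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "not_before": not_before,
        "not_on_or_after": not_on_or_after,
    }
    canonical = json.dumps(body, sort_keys=True).encode()
    body["signature"] = hmac.new(secret, canonical, hashlib.sha256).hexdigest()
    return body


def verify_assertion(assertion, now, require_local_account=True):
    """Service provider side. Returns (accepted, reason, local_id).

    Accepting the assertion establishes only *who the partner says this is*
    in this context; what the subject may do remains a local decision."""
    secret = TRUSTED_ISSUERS.get(assertion.get("issuer"))
    if secret is None:
        return False, "issuer not in federation agreement", None

    unsigned = {k: v for k, v in assertion.items() if k != "signature"}
    canonical = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(secret, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return False, "signature invalid", None

    # Audience restriction: an assertion minted for another service must not
    # be accepted here even though the same IdP signed it.
    if assertion["audience"] != OUR_AUDIENCE:
        return False, "assertion issued for a different service", None

    # Validity window limits replay of a captured assertion.
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return False, "assertion outside validity window", None

    key = (assertion["issuer"], assertion["subject"])
    local_id = LOCAL_ACCOUNTS.get(key)
    if local_id is None:
        if require_local_account:
            return False, "no local account for federated subject", None
        # Just-in-time mapping: scope the identifier by issuer so two partners'
        # "alice" subjects can never collide.
        local_id = f"{assertion['subject']}@{assertion['issuer']}"
    return True, "ok", local_id
```

The audience and time checks are the ones most often skipped in home-grown consumers; without them any assertion the partner IdP ever issued, for any service, stays usable indefinitely.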
Chain of Trust
• Each participant responsible for authenticating only the members directly communicating with it
• Information integrity must be assured by the information producer
• Requires out-of-band business agreements between members of the federation
• Each member of the chain is authenticated to the next—any other credential information is opaque
• Ensures a sequence of participants can exchange information, but does not directly authenticate (or may not even identify) the original information producer
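An added example (not from the presentation) that makes the last two points of the slide concrete. Each hop authenticates only its direct neighbour, using a pairwise secret that stands in for mutual TLS or a similar transport mechanism; the message body is opaque to the hop. The final consumer therefore learns who *delivered* the message from hop authentication alone; it learns who *created* it only if the producer signed the content itself. Member names, secrets and the payload are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed (assumption): pairwise secrets between members that communicate
# directly, and a separate key the original producer uses to sign its content.
HOP_SECRETS = {
    ("producer", "broker"): b"producer-broker-secret",
    ("broker", "consumer"): b"broker-consumer-secret",
}
PRODUCER_KEYS = {"producer": b"producer-content-key"}


def _mac(secret, data):
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def produce(producer, payload, sign_content=True):
    """The information producer builds the message. Only it can vouch for the content."""
    msg = {"producer": producer, "payload": payload}
    if sign_content:
        msg["content_sig"] = _mac(PRODUCER_KEYS[producer], payload.encode())
    return msg


def send_hop(sender, receiver, msg):
    """Sender authenticates itself to its direct neighbour; the body is opaque to the hop."""
    body = json.dumps(msg, sort_keys=True)
    return {"from": sender, "to": receiver, "body": body,
            "hop_mac": _mac(HOP_SECRETS[(sender, receiver)], body.encode())}


def receive_hop(receiver, envelope):
    """Verify only the hop we are on. Returns the unwrapped message, or None on failure."""
    secret = HOP_SECRETS.get((envelope["from"], receiver))
    if secret is None:
        return None
    if not hmac.compare_digest(_mac(secret, envelope["body"].encode()), envelope["hop_mac"]):
        return None
    return json.loads(envelope["body"])


def consume(receiver, envelope):
    """Final consumer. hop_ok says the neighbour is authentic; producer_ok says
    the content really comes from the claimed producer, unmodified."""
    msg = receive_hop(receiver, envelope)
    if msg is None:
        return {"hop_ok": False, "sender": envelope["from"], "producer_ok": False, "payload": None}
    key = PRODUCER_KEYS.get(msg.get("producer"))  # the "producer" field is only a claim
    sig = msg.get("content_sig")
    producer_ok = bool(key and sig) and hmac.compare_digest(_mac(key, msg["payload"].encode()), sig)
    return {"hop_ok": True, "sender": envelope["from"], "producer_ok": producer_ok, "payload": msg["payload"]}


def relay(chain, msg):
    """Walk a message along chain = ["producer", "broker", "consumer"]; each hop re-wraps it."""
    current = msg
    for sender, receiver in zip(chain, chain[1:]):
        envelope = send_hop(sender, receiver, current)
        if receiver == chain[-1]:
            return consume(receiver, envelope)
        current = receive_hop(receiver, envelope)
        if current is None:
            return {"hop_ok": False, "sender": sender, "producer_ok": False, "payload": None}
```

Run the three-member chain with `relay(["producer", "broker", "consumer"], produce("producer", "price=42"))`: the consumer sees `sender == "broker"` and `producer_ok == True`. Drop the content signature and the hop chain still succeeds, but `producer_ok` is `False`, which is exactly the gap the slide describes: the chain delivers the message but cannot, on its own, tell the consumer who originated it.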
Federated Authorization
• Federation defines the semantics of a particular set of profile attributes
• Service provider association and access control is based on the presence of one or more attributes
• Can be used in conjunction with federated identities or without them for dynamic collaboration
• Still requires out-of-band business agreements between members of the federation
• Can be used for more flexible and dynamic collaborations, but attribute negotiation may have privacy implications
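An added example, not from the presentation, of the two halves of attribute-based federation: the identity provider releases only the attributes a given service is entitled to, restricted to the vocabulary the federation has agreed, and the service decides on the presence and value of those attributes alone, without ever seeing a user identifier. The attribute schema, user profiles, service policies and release policy are all constructed for the example.

```python
# Constructed (assumption): the federation-agreed attribute semantics.
# A set lists the permitted vocabulary; None means any value is acceptable.
FEDERATION_SCHEMA = {
    "role": {"buyer", "supplier", "auditor"},
    "org": None,
    "email": None,
}

# Constructed user profiles held by the identity provider.
USER_PROFILES = {
    "alice": {"role": "buyer", "org": "acme", "email": "alice@acme.example"},
    "bob": {"role": "supplier", "org": "widgetco", "email": "bob@widgetco.example"},
    "carol": {"role": "contractor", "org": "freelance", "email": "carol@freelance.example"},
    "dave": {"role": "auditor", "org": "regulator", "email": "dave@regulator.example"},
}

# Each service's access policy: attribute -> permitted values
# (None = presence of the attribute is sufficient).
SERVICE_POLICIES = {
    "catalogue": {"role": {"buyer", "supplier"}},
    "audit-log": {"role": {"auditor"}, "org": None},
}

# Release policy negotiated out of band: which attributes each service may
# receive at all. This is the privacy boundary the slide warns about.
RELEASE_POLICY = {
    "catalogue": {"role"},
    "audit-log": {"role", "org"},
}


def release_attributes(user, service):
    """Identity provider side: minimise disclosure to what the service is
    entitled to and what the federation has defined semantics for."""
    profile = USER_PROFILES[user]
    allowed = RELEASE_POLICY.get(service, set())
    released = {}
    for name, value in profile.items():
        if name not in allowed or name not in FEDERATION_SCHEMA:
            continue
        vocabulary = FEDERATION_SCHEMA[name]
        if vocabulary is not None and value not in vocabulary:
            continue  # a local value the federation has no agreed meaning for
        released[name] = value
    return released


def authorize(service, attributes):
    """Service provider side: decide purely on the attributes presented.
    No user identifier is needed, which is what allows collaboration
    without a federated identity."""
    policy = SERVICE_POLICIES[service]
    for name, permitted in policy.items():
        if name not in attributes:
            return False, f"missing attribute {name}"
        if permitted is not None and attributes[name] not in permitted:
            return False, f"attribute {name} value not permitted"
    return True, "granted"
```

Note what the catalogue service receives for `alice`: `{"role": "buyer"}` and nothing else, so it can grant access without learning who she is. The price of that flexibility is that every attribute the release policy adds is a disclosure the user has not necessarily consented to, which is the negotiation problem the slide refers to.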
Technical Considerations
• How will the business agreements be managed electronically (proprietary XML, SAML, XACML, WS-Policy or something else)?
• Are the services provided asynchronously or synchronously?
• What is the temporal coupling between the services?
• Are the services provided to interactive users or automated agents?
• How much information is necessary to identify the user to the local service?
• Will the local services also support authentication and management of their own user identities?
• Which is most important: the identity of the principal making the request or the identity of the principal to which the request refers?
• Who (or what) is actually making the request?
Archistry Limited
33 Pearse Street, Suite 115
Dublin 2, Ireland
www.archistry.com
Phone +353 86 996 2490
Fax +353 865 996 2490
Email email@example.com
Turning innovation into business value™