Federating Identity Management: Standards, Technologies and Industry Trends
November 20, 2003
Daniel Blum, Senior VP, Research Director
dblum@burtongroup.com
www.burtongroup.com
Federated Identity Management
• Thesis
  • What? Parallel efforts from OASIS, Liberty Alliance, Web access management vendors, and platform vendors are gaining momentum and will ultimately converge
    • Perhaps not without some pain
    • “Identity networks” are needed to scale ubiquitous operation
  • Why? By meeting business requirements for loosely coupled security between autonomous domains, federated identity extends identity management
  • When? Now. Federated identity has many early adopters across multiple industries; products and tools are available; ROI and competitive advantage are in sight
Identity Management and Federation
• Agenda
  • Federated Identity Concepts
  • Industry Trends
  • Recommendations
Federated Identity Concepts
• The challenge: Managing many identities
  [Diagram: a spectrum from interior systems (tightly coupled or loosely coupled; integrated or federated) to exterior systems (loosely coupled, federated), spanning Internal Systems & Data, Extranets, and The Internet, with user populations ranging from Employees through Partner or xSP and Customers to Less-known and Unknown.]
Federated Identity Concepts
• What is federated identity management?
  • Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
    • Authentication assertions (federated sign on)
    • Authorization assertions
    • Attribute assertions
    • Identity linking procedures
    • Trust relationships
    • Business, legal agreements
Federated Identity Concepts
• Federated authentication between domains
  [Diagram: User; Company A with an Identity Provider (IDP) access point and an Identity repository; Company B with a Service Provider (SP) access point and a resource; the parties connect over the Internet.]
  1) User authenticates
  2) Check User’s id/credential
  3) User requests resource
  4) Check policy
  5) Co. B requests identity assertion for User
  6) Co. A sends identity assertion
  7) User gets access!
Federated Identity Concepts
• Federation concepts
  • Federated sign on: authentication requests, assertions; session management
  • Federated identity mapping: account linking; privacy protections; link account to role (or persistent policy)
  • Federated identity information: attribute requests, assertions; privacy protections
  • Federated authorization: authorization requests, assertions
  • Management: business, legal agreements; trust relationships; audit services
Federated Identity Concepts
• Risks
  • Federated identity creates new risks
    • Relying on external party for identity assertions
    • Forensics and record retention must span boundaries
    • Slippery slope of transitive trust - trust failures could propagate, cross-over attacks are possible
  • …but reduces other risks
    • Pushes IdM and accountability to most responsible party
    • High security domains can be autonomous, but still interoperate
    • Lessens reliance on a large scale, centralized security infrastructure (shifts complexity)
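The seven-step exchange on the “Federated authentication between domains” slide, together with the checks the service provider needs because it is relying on an external party for identity assertions, as an added example that is not code from the original presentation. Assumptions: the assertion is a minimal SAML-style XML document built with xml.etree, and the XML Signature that real SAML uses is replaced by an HMAC-SHA256 over a canonical string of the signed fields so the example runs offline with only the standard library; the issuer and audience URLs, the key and the clock value are constructed for the example.

```python
"""Federated sign-on between an Identity Provider (IDP) and a Service Provider (SP).

Added illustration, not code from the original presentation. The XML Signature of
real SAML is replaced (assumption) by HMAC-SHA256 over a canonical field string.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed key shared by Company A (IDP) and Company B (SP); stand-in for the
# IDP signing key and the SP's copy of the IDP certificate.
IDP_KEY = b"constructed-demo-key-for-company-a"
IDP_ISSUER = "https://idp.company-a.example"   # constructed
SP_AUDIENCE = "https://sp.company-b.example"   # constructed
SIGNED_FIELDS = ("Issuer", "Subject", "Audience", "NotBefore", "NotOnOrAfter")


def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation of the signed fields (real SAML relies on XML
    # canonicalisation; this is the offline simplification).
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def _sign(key: bytes, fields: dict) -> str:
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def issue_assertion(subject: str, key: bytes = IDP_KEY, issuer: str = IDP_ISSUER,
                    audience: str = SP_AUDIENCE, now: datetime | None = None,
                    lifetime_s: int = 300) -> str:
    """Step 6 on the slide: Company A builds and signs an identity assertion."""
    now = now or datetime.now(timezone.utc)
    fields = {
        "ID": "_" + secrets.token_hex(16),          # unique, used for replay detection
        "Issuer": issuer,
        "Subject": subject,
        "Audience": audience,                       # restricts who may consume it
        "NotBefore": now.isoformat(),
        "NotOnOrAfter": (now + timedelta(seconds=lifetime_s)).isoformat(),
    }
    root = ET.Element("Assertion", ID=fields["ID"])
    for tag in SIGNED_FIELDS:
        ET.SubElement(root, tag).text = fields[tag]
    ET.SubElement(root, "Signature").text = _sign(key, fields)
    return ET.tostring(root, encoding="unicode")


class ServiceProvider:
    """Company B's SP access point: the checks run before step 7 (access granted)."""

    def __init__(self, audience: str, trusted_idps: dict[str, bytes]):
        self.audience = audience
        # Direct trust only: an issuer absent from this table is rejected, which
        # keeps the "transitive trust" slippery slope from the risks slide closed.
        self.trusted_idps = trusted_idps
        self.seen_ids: set[str] = set()   # assertion IDs already consumed

    def validate(self, assertion_xml: str, now: datetime | None = None) -> tuple[bool, str]:
        """Returns (True, subject) on success or (False, reason) on rejection."""
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(assertion_xml)
        fields = {"ID": root.get("ID", "")}
        for tag in SIGNED_FIELDS:
            fields[tag] = root.findtext(tag, default="")
        key = self.trusted_idps.get(fields["Issuer"])
        if key is None:
            return False, "untrusted issuer"
        if not hmac.compare_digest(root.findtext("Signature", default=""), _sign(key, fields)):
            return False, "bad signature"
        if fields["Audience"] != self.audience:
            return False, "audience mismatch"
        not_before = datetime.fromisoformat(fields["NotBefore"])
        not_on_or_after = datetime.fromisoformat(fields["NotOnOrAfter"])
        if not (not_before <= now < not_on_or_after):
            return False, "outside validity window"
        if fields["ID"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(fields["ID"])
        return True, fields["Subject"]


def demo_exchange() -> list[tuple[bool, str]]:
    """Happy path followed by the rejections an SP must produce."""
    t0 = datetime(2003, 11, 20, 10, 0, tzinfo=timezone.utc)   # constructed clock
    sp = ServiceProvider(SP_AUDIENCE, {IDP_ISSUER: IDP_KEY})
    good = issue_assertion("alice@company-a.example", now=t0)
    return [
        sp.validate(good, now=t0),                                   # accepted
        sp.validate(good, now=t0),                                   # same assertion again: replay
        sp.validate(good.replace("alice", "admin"), now=t0),         # subject edited in transit
        sp.validate(issue_assertion("bob", now=t0), now=t0 + timedelta(seconds=600)),   # expired
        sp.validate(issue_assertion("bob", audience="https://other.example", now=t0), now=t0),
        sp.validate(issue_assertion("bob", key=b"other-key",
                                    issuer="https://idp.company-c.example", now=t0), now=t0),
    ]


if __name__ == "__main__":
    for outcome in demo_exchange():
        print(outcome)
```

The order of checks matters: the issuer lookup and signature come first so that nothing further is decided on unauthenticated data, and the assertion ID is recorded only after every other check passes, so a rejected assertion cannot poison the replay table.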
Industry Trends
• What infrastructure is needed for federated identity?
  [Diagram: three layers, top to bottom]
  • Identity Networks (public identity services, or other communities): Ping Id, Shibboleth, Verified By Visa, .NET Passport, others
  • Federated Identity Standards (used between or within products/domains): SAML, WS-Security, WS-Federation, Liberty, XACML, others
  • Base Security Capabilities (mostly used within domains): Kerberos, LDAP, ID/Pwd, X.509, Token, others
Industry Trends
• Security Assertion Markup Language (SAML)
  • SAML provides authentication, authorization, and attribute assertions between loosely coupled domains
  • Meant to be complemented by XACML and other specs
  • SAML 2.0 will converge with donated Liberty Alliance Phase I work, add user to role mapping, better session management, perhaps credentials collection
Industry Trends
• Liberty Alliance
  • Consortium of over 160 organizations: enterprises, service providers, and vendors
  • In 2002, developed Identity Federation Framework (ID-FF) using opt in account linking on top of SAML
  • In 2003, developing Identity Web Services Framework (ID-WSF), permission based attribute sharing and additional capabilities
  [Diagram: a User, via browser redirect or Web service, between Domain A (IDP) and Domain B (SP); the domains exchange a SAML assertion within a Circle of Trust, and each holds a linked account.]
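The opt-in account linking that the Liberty Alliance slide places on top of SAML, as an added example that is not code from the Liberty Alliance specifications or from the original presentation. Simplified model (assumption): the IDP mints a random, opaque pseudonym for each (user, SP) pair, so two SPs cannot correlate the same user and the IDP’s local identifier never leaves Domain A; the SP records the pseudonym against its local account only after the user opts in; and either side can terminate the federation. Domain and account names are constructed.

```python
"""Opt-in account linking with per-pair pseudonyms (Liberty ID-FF style).

Added illustration, not code from the Liberty Alliance specifications or the
original presentation. Domain and account names are constructed.
"""
import secrets


class Idp:
    """Domain A: owns the user's primary account and the pseudonym table."""

    def __init__(self) -> None:
        self._pseudonyms: dict = {}   # (local user id, sp name) -> pseudonym

    def federate(self, user: str, sp: str) -> str:
        # Stable across sessions for the same (user, SP) pair, unrelated across
        # SPs, and never derived from the IDP's own user identifier.
        key = (user, sp)
        if key not in self._pseudonyms:
            self._pseudonyms[key] = "p-" + secrets.token_urlsafe(12)
        return self._pseudonyms[key]

    def terminate(self, user: str, sp: str) -> None:
        # Federation termination: the IDP forgets the mapping, so the next
        # sign-on to that SP starts from an unlinked state.
        self._pseudonyms.pop((user, sp), None)


class Sp:
    """Domain B: maps (issuer, pseudonym) from a validated assertion to a local account."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._links: dict = {}   # (idp name, pseudonym) -> local account

    def link(self, idp: str, pseudonym: str, local_account: str, user_consented: bool) -> None:
        """Opt-in linking: refuse unless the user explicitly agreed."""
        if not user_consented:
            raise PermissionError("user did not opt in to account linking")
        self._links[(idp, pseudonym)] = local_account

    def resolve(self, idp: str, pseudonym: str):
        # Called after an assertion from `idp` validates; None means "not linked
        # yet", so the SP must run the opt-in linking step before granting access.
        return self._links.get((idp, pseudonym))

    def unlink(self, idp: str, pseudonym: str) -> None:
        self._links.pop((idp, pseudonym), None)


def demo_linking() -> dict:
    """One user, two SPs: linking with consent, refusal without it, and unlinking."""
    idp = Idp()
    sp_b, sp_c = Sp("company-b"), Sp("company-c")
    pb = idp.federate("alice", sp_b.name)
    pc = idp.federate("alice", sp_c.name)
    sp_b.link("company-a", pb, "alice.b", user_consented=True)
    try:
        sp_c.link("company-a", pc, "a.smith", user_consented=False)
        refused = False
    except PermissionError:
        refused = True
    resolved = sp_b.resolve("company-a", pb)
    sp_b.unlink("company-a", pb)
    idp.terminate("alice", sp_b.name)
    return {
        "stable": idp.federate("alice", sp_c.name) == pc,   # same pair, same pseudonym
        "unlinkable": pb != pc,                             # different SPs cannot correlate
        "resolved": resolved,
        "refused_without_consent": refused,
        "after_unlink": sp_b.resolve("company-a", pb),
        "unlinked_at_c": sp_c.resolve("company-a", pc),
        "reissued_differs": idp.federate("alice", sp_b.name) != pb,   # after termination
    }


if __name__ == "__main__":
    print(demo_linking())
```

The pseudonym table is the privacy protection listed under “Federated identity mapping” on the concepts slide: the SP learns only an opaque handle, and because the handle differs per SP, a breach at one partner does not yield a correlation key for the others.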
Industry Trends
• Federated identity products and adoption
  • SAML early adoption gaining momentum
    • Multiple Web access management and other security products in various stages of release or development
    • Open source solutions and toolkits available
    • Growing customer adoption across multiple industries
  • Liberty entering early adoption
    • Head start by encouraging end user membership, adopting SAML, and putting Liberty Phase I into OASIS
    • Products and early implementations underway
    • But some Web access management vendors are not yet implementing Liberty standards
Industry Trends
• Federated identity: A growing stack of converging standards with common foundations
  [Diagram: layered stack, top to bottom]
  • Liberty Phase 2: Permission based attribute sharing
  • WS-Secure Conversation, WS-Federation, WS-Authorization, WS-Privacy
  • XACML, XrML
  • WS-Policy, WS-Trust
  • Liberty ID-FF: Federated Sign on
  • SAML, SPML
  • WS-Security
  • XML Signature, XML Encryption, XML Key Management Services (XKMS)
  • Foundation Web Standards: WSDL, SOAP, XML, HTTP, HTML
  Key (status of each item): Microsoft, IBM, etc. unpublished; Microsoft, IBM, etc. published; Liberty Alliance – Phase 1 (ID-FF); Liberty Alliance – Phase 2 (ID-WSF, ID-SIS); OASIS – new work; OASIS – published
Industry Trends
• SAML, Liberty Alliance, and WS-*
  • Where they agree
    • WS-Security and WS-* carry SAML and Liberty assertions
    • OASIS, Liberty Alliance developing WS-Security bindings
    • Microsoft says it will support SAML in Authorization Manager; IBM supports SAML, says it will support Liberty
    • WAM vendors will support both
  • Where they disagree
    • Microsoft, IBM won’t join Liberty Alliance
    • WS-Federation has a different profile for browser based users than SAML and Liberty
    • Microsoft promoting XrML, not SAML and XACML
Industry Trends
• SAML, Liberty Alliance, and WS-*: What to expect
  • A standards race of “The Tortoise and the Hare”
    • SAML and/or Liberty “hare” racing ahead with federated identity specific initiatives, well into early adoption
    • WS-* “tortoise” will need a few years to be fully standardized, built, and broadly deployed
    • But Microsoft, IBM and partners can push a lot of software into the channel
  • SAML and Liberty Alliance likely to converge with WS-* over the next 5 years for a relatively comfortable coexistence
Industry Trends
• Technology availability and adoption waves
  [Timeline, 2003 to 2007: adoption waves for SAML, Liberty ID-FF and WS-Security, followed by WS-*, new Liberty specs and SAML 2.0. Components and timing variable, subject to standardization and convergence.]
Industry Trends
• Identity networks today
  • Centralized
    • .NET Passport and AOL Screen Name Service
  • Industry-based, proprietary
    • SecuritiesHub, Verified by Visa, others
  • SAML-powered
    • Shibboleth, multiple corporate networks
  • Liberty-powered
    • Corporate B2E projects underway
    • PingID and Neustar (eRX Land Records Exchange Network)
    • Financial networks (SecuritiesHub, others)
    • Mobile communications networks
Identity Networks
• Federation implies a poly-centric environment
  • Many islands will emerge
  • Industry-specific solutions are likely
• How will they converge?
  • Identity networks could emerge to link the islands
  • Identity networks may be centralized (like Passport), member-owned (as in the ATM, credit-card worlds), provide common governance and policy frameworks, or other models
  [Diagram: Identity Network A and Identity Network B, each made up of identity domains, joined by identity peering.]
Identity Networks
• Federated Identity and Web services network types
  [Timeline, 2003 to 2007: pair-wise, internal federation; then trusted third party enabled federation; then communities (hub optional); then identity networks.]
Recommendations
• Early adopter lessons learned
  • If you build it, they will come
    • Partner interest cascades…
  • Return on investment (ROI) is out there
  • Federated identity is flexible, it works, and it’s reliable
  • But
    • You have to pay to play
    • SAML protocol has some gaps
    • Browsing issues and performance bottlenecks arise
    • The infrastructure must be secure
    • Users will always surprise you
Recommendations
• Lessons learned from early deployments
  • Technical issues not so difficult
    • Web developers prefer standards based SAML or Liberty approach to point integration solutions
    • Some enterprises have written their own XML based federation layer
    • Others purchasing Web access management (WAM) support for IDP operations, WAM or toolkit to accept assertions as SP
  • Business issues more complicated than technical ones
    • Build in time to get business application owners on board, and work through arrangements with partners
    • Some enterprises mandating federated IdM for suppliers
    • Create “workbooks” or other collaterals that help early partners understand federated IdM (trading “hubs” can drive adoption)
    • Leverage existing industry associations, identity networks
Recommendations
• Today: Implement SAML, Liberty, and conventional IdM at appropriate architecture tiers
• Future: Integrate federated identity with secure Web services
Recommendations
• Deployment considerations
  • Use consolidation, integration to build base camp to federate from (continue cleaning the identity house)
  • Consider SAML and/or Liberty for current projects, augmenting conventional IdM
  • Monitor WS-* for future opportunity to deploy secure, Web services solutions; seek convergent solutions
  • Prepare for breaches on either side of your federations by adding business agreements for cooperative risk management and dispute resolution
  • Brief the purchasing department, security department, and legal department to get their buyoff
Conclusion
• Federated identity management is a strategic capability that will solve real problems
• SAML and Liberty provide federated identity to the current generation of Web-enabled computing
• Next generation of Web services computing taking shape, will include federated identity
• In the long run, federated identity will converge across both generations of computing
• Identity networks will link partners - internal and external, large and small