Dragoljub Nesic, 08/12/2013: Does identity management really have to be difficult?
TRANSCRIPT
DRAGOLJUB NESIC
08/12/2013
DOES IDENTITY MANAGEMENT REALLY
HAVE TO BE DIFFICULT?
What will we talk about today?
• A brief introduction to me
• A quick look at the recent history of shared authentication in the UK
• A glance at the pressure points from the world around us now
• An overview of the PSIIF
• An example scenario walkthrough
• What can you do?
Lord of the tokens
• EAS: sponsored at the time by DCSF (ContactPoint), aimed to establish a trust framework for registration and an authentication infrastructure based on 2FA
• It also provided a shared IdP for LAs that did not want to establish their own
• A 2FA device in the hands of all public sector employees accessing central applications
What did the local authorities really want?
• Cost-efficient CoCo compliance
• Freja – “One token to rule them all”
Real life
• World-wide financial crisis, 2008 onwards
• Government change 2009
• ContactPoint was discontinued
• Concerns about Government Gateway performance in conjunction with LAs
• A failure, or?
Positive Legacy
• ContactPoint was discontinued – EAS uptake was low. But…
• Wider public sector agreement on a trust framework, especially for registration of users and reuse of credentials
• Governance and assurance approach for distributed user registration
• Flexible IdP implementation model
• Body of best practice for LA registration
Newham & Salford
• Regional hub projects kick-off
• Principles of collaboration: DWP/HMRC/E&H/Police working together
Today’s challenges
Remote workforce
• PSN compliance is getting tougher and tougher
• More workers are working remotely for a greater portion of their time
• CO2 footprint reduction
• Escalating costs, or a not-so-secure solution
• What if one could locally issue strong 2FA for remote workers with a potentially zero-cost authentication device?
Cloud services are exploding
• Most with their own – password-based – identity systems
• Often complicated directory integration
• What if one could reuse locally issued, strong 2FA for authenticating users to such systems, i.e. cloud-based services with ground-based authentication?
Today’s challenges, cont’d
Need to collaborate with neighbours
• Shared services amongst boroughs are a real need
• But who authenticates an individual?
• Directory federation is difficult to set up and manage
• What if one could reuse locally issued, strong 2FA across partnerships?
Increase internal efficiency
• Bringing new applications online is expensive
• What if one could reuse locally issued, strong 2FA for plug-and-play integration of new applications?
Still need to access central government services
• The applications may have changed; the basic need still remains
• What if one could reuse locally issued, strong 2FA for accessing applications hosted by or on behalf of central government?
PSIIF – a 180° turn
• Not a “top-down” approach
• PSIIF: standards-based infrastructure on top of PSN, defining exchanges between IdPs, Hubs and Service Providers
• Allows re-use of (conformant) credentials for accessing “external” services, including G-Cloud, central government, or services hosted by regional partners on the PSN
Information highway needs vehicles
• An infrastructure is only good if it is put to use
• Imagine if you could decide whom and how you want to collaborate with:
  • Your employees accessing G-Cloud services while retaining the identity issued by you
  • Employees of regional partners accessing your systems without your issuing a separate authenticator to their employees
  • Your employees accessing central government services
  • Requesting attributes from, or releasing attributes to, parties you select
G-Cloud service example
Participants: User, G-Cloud Service, Freja IdP, Freja SSP, Freja Registration & Provisioning
Exchange, in order:
• Where are you from?
• Please authenticate this user
• Do I recognize the service?
• Convince me who you are
• What do I know about you?
• How much information should I / can I release to the service?
• Sign an assertion
• Do I trust the assertion issuer?
• OK, what can this user do here?
SSO
Participants: User, Cloud Service, Cloud Service 2, Freja IdP, Freja SSP, Freja
Exchange, in order:
• Click on link to service 2
• Please authenticate this user
• Do I recognize the service?
• Do I have a valid session?
• How much information should I / can I release to this service?
• Sign an assertion
• Do I trust the assertion issuer?
• OK, what can this user do here?
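The two exchanges above, as an added example that is not part of the original deck and is not Freja's code: a Python model of the IdP and SP sides of a SAML-style federated login, with the decision points from the slides (“Do I recognize the service?”, “Do I have a valid session?”, “How much information can I release?”, “Do I trust the assertion issuer?”, “What can this user do here?”) written as explicit checks. Entity IDs, the user, her attributes and the release policy are constructed; the assertion signature is stood in for by an HMAC over a canonical serialisation with a per-IdP key held in the SP's trust store, in place of the XML signature and certificate a real SAML 2 deployment uses. It goes slightly beyond the slides by also rejecting replayed, expired and wrongly addressed assertions, which a conformant SP must do.

```python
# Constructed example of a PSIIF/SAML-style federation: one local IdP, two cloud SPs.
# HMAC with a shared per-IdP key stands in for XML-DSig; names and policy are assumed.
import hashlib
import hmac
import json
import secrets
import time


def _canonical(assertion):
    # Deterministic serialisation so signer and verifier hash identical bytes
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Locally run IdP: authenticates users, keeps SSO sessions, signs assertions."""

    def __init__(self, entity_id, signing_key, users, release_policy, session_ttl=3600):
        self.entity_id = entity_id
        self.signing_key = signing_key        # hypothetical per-IdP key (HMAC here)
        self.users = users                    # user -> {"password": ..., "attributes": {...}}
        self.release_policy = release_policy  # sp_entity_id -> attribute names it may receive
        self.session_ttl = session_ttl
        self.sessions = {}                    # session_id -> (user, expiry)

    def authenticate(self, user, password, now=None):
        """'Convince me who you are': check the credential and open an SSO session."""
        now = time.time() if now is None else now
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record["password"], password):
            raise PermissionError("authentication failed")
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = (user, now + self.session_ttl)
        return session_id

    def issue_assertion(self, sp_entity_id, session_id, now=None, validity=300):
        """Answer 'please authenticate this user' for an already established session."""
        now = time.time() if now is None else now
        if sp_entity_id not in self.release_policy:       # Do I recognise the service?
            raise PermissionError("unknown service provider " + sp_entity_id)
        session = self.sessions.get(session_id)
        if session is None or session[1] <= now:           # Do I have a valid session?
            raise PermissionError("no valid session; user must authenticate again")
        user, _ = session
        allowed = self.release_policy[sp_entity_id]       # How much can I release to it?
        attributes = {k: v for k, v in self.users[user]["attributes"].items() if k in allowed}
        assertion = {"issuer": self.entity_id, "audience": sp_entity_id, "subject": user,
                     "attributes": attributes, "not_on_or_after": now + validity,
                     "id": secrets.token_hex(8)}
        signature = hmac.new(self.signing_key, _canonical(assertion), hashlib.sha256).hexdigest()
        return {"assertion": assertion, "signature": signature}   # Sign an assertion


class ServiceProvider:
    """Relying party: trusts named issuers, validates assertions, maps attributes to rights."""

    def __init__(self, entity_id, trusted_issuers, authorise):
        self.entity_id = entity_id
        self.trusted_issuers = trusted_issuers  # issuer entity_id -> verification key
        self.authorise = authorise              # callable(attributes) -> permitted actions
        self.seen_ids = set()                   # each assertion id is accepted once

    def consume(self, signed, now=None):
        now = time.time() if now is None else now
        assertion, signature = signed["assertion"], signed["signature"]
        key = self.trusted_issuers.get(assertion["issuer"])  # Do I trust the assertion issuer?
        if key is None:
            raise PermissionError("untrusted issuer " + assertion["issuer"])
        expected = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("assertion signature invalid")
        if assertion["audience"] != self.entity_id:
            raise PermissionError("assertion not addressed to this service")
        if assertion["not_on_or_after"] <= now:
            raise PermissionError("assertion expired")
        if assertion["id"] in self.seen_ids:
            raise PermissionError("assertion replayed")
        self.seen_ids.add(assertion["id"])
        # OK, what can this user do here? Local authorisation from released attributes.
        return assertion["subject"], self.authorise(assertion["attributes"])


def build_demo():
    """Constructed participants: one local-authority IdP and two G-Cloud style services."""
    key = b"constructed-demo-key"
    users = {"alice": {"password": "correct horse",
                       "attributes": {"role": "social_worker", "email": "alice@example.invalid",
                                      "payroll_no": "12345"}}}   # payroll_no is never released
    idp = IdentityProvider("urn:example:la-idp", key, users,
                           release_policy={"urn:example:gcloud-1": {"role", "email"},
                                           "urn:example:gcloud-2": {"role"}})
    trust = {"urn:example:la-idp": key}
    sp1 = ServiceProvider("urn:example:gcloud-1", trust,
                          lambda a: ["read_cases", "write_cases"] if a.get("role") == "social_worker" else [])
    sp2 = ServiceProvider("urn:example:gcloud-2", trust,
                          lambda a: ["view_dashboard"] if "role" in a else [])
    return idp, sp1, sp2
```

To walk the two slides: call `idp.authenticate("alice", "correct horse")` once (the full login of the first slide), then `sp1.consume(idp.issue_assertion("urn:example:gcloud-1", session))` and `sp2.consume(idp.issue_assertion("urn:example:gcloud-2", session))`; the second call is the SSO case, reusing the IdP session without a new credential prompt, and the two SPs receive different attribute sets because the release policy is decided per service at the IdP, not by the SP.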
What can you do?
• You get to choose whether you want to act as SP, IdP, AP or any combination thereof – no mandate
• A lot of software you already own supports SAML 2 integration – you can act as an SP straight away
• A lot of G-Cloud services already support SAML 2 (or are rapidly being adapted to do so)
• IdP functionality can be plugged into your existing authentication infrastructure with practically no disruption
Why would you?
• Standards-based, loosely coupled architecture – no vendor tie-in
• Potential for better services, to larger audiences
• An identity need not be established time and time again
• Better control of identity, better control of data access, better control of information release (please search for TheEllenShow, “Out of your password minder” on YouTube)
• Easier to audit