federated identity management, the real story
TRANSCRIPT
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 1
Federated Identity Management, the Real Story
Anthony NadalinChief Security ArchitectIBM Corporation
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 2
AgendaWeb Services Overview
Security RoadmapFederation Overview
Federation Drilldown
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 3
Secure, Reliable, TransactedWeb Services
Service Composition
ComposableService
Assurances
Description
Messaging
Transports
BPEL4WS
Security
XSD, WSDL, UDDI, Policy, MetadataExchange
XML, SOAP, Addressing
HTTP, HTTPS, SMTP
ReliableMessaging Transactions
From joint IBM/MSFT WS Whitepaper at From joint IBM/MSFT WS Whitepaper at http://msdn.microsoft.com/webservices/default.aspx?pull=/libraryhttp://msdn.microsoft.com/webservices/default.aspx?pull=/library/en/en--us/dnwebsrv/html/wsoverview.aspus/dnwebsrv/html/wsoverview.asp
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 4
Importance of CompositionEverything works in combination
Ex: Transaction context works over a reliable connection Ex: Participants use WS-Security to secure transactions (for all types participants)
Not "reinventing the wheel" for every stackCode reuse, lower costs, faster time to marketEx: all resources named using WS-Addressing
The overall system is more stableChanges don't percolate up the stackEx: By using WS-Security, Federation supports all tokens, including future ones
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 5
Composable Headers
Addressing
<S:Envelope … ><S:Header>
<wsa:ReplyTo><wsa:Address>http://business456.com/User12</wsa:Address>
</wsa:ReplyTo><wsa:To>http://fabrikam123.com/Traffic</wsa:To><wsa:Action>http://fabrikam123.com/Traffic/Status</wsa:Action><wssec:Security>
<wssec:BinarySecurityTokenValueType="wssec:X509v3" EncodingType=“wssec:Base64Binary">
dWJzY3JpYmVyLVBlc…..eFw0wMTEwMTAwMD</wssec:BinarySecurityToken>
</wssec:Security><wsrm:Sequence>
<wsu:Identifier>http://fabrikam123.com/seq1234</wsu:Identifier><wsrm:MessageNumber>10</wsrm:MessageNumber>
</wsrm:Sequence></S:Header><S:Body>
<app:TrafficStatusxmlns:app="http://highwaymon.org/payloads">
<road>520W</road><speed>3MPH</speed></app:TrafficStatus>
</S:Body></S:Envelope>
Security
Reliability
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 6
WS-Security Roadmap
SecuritySecurity
SecuritySecurityPolicyPolicy
SecureSecureConversationConversation
TrustTrust
FederationFederation
PrivacyPrivacy
AuthorizationAuthorization
SOAP MessagingSOAP Messaging
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 7
Federated Identity Administration Problem
Access to Access to ThirdThird--party Usersparty UsersAccess to Access to ThirdThird--party Resources party Resources
USERS
ThirdThird--party Users ?party Users ?Subsidiaries, Subsidiaries, partnerpartner--users, users, etc.etc.
ThirdThird--party party Resources ?Resources ?External Web Sites, External Web Sites, Internal Web SitesInternal Web Sites
Customers, Employees
Identity & Access Management
Provisioning Endpoints
Applications
ORGANIZATION
IBMDirectory
c
o
ou
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 8
Federated Identity“Federated identity” is defined as collection of federated attributes that can be sourced across multiple federated and authoritative data sources”
Technology for creating a globally interoperable Online Identity for driving Relationship or Affinity driven Business Models Between companies
To an individual user, it means the ability to associate his various application and system identities with one another.
It refers to the ability of one enterprise to associate with one or more others in a Federation, such that the identities from one enterprise domain (or identity provider) are granted access to the services of another enterprise (or service provider).
Concept is nothing newCREDIT CARD
ATM CARD
STATE DRIVER LICENSE
PASSPORT
Administrative concept that Administrative concept that extends identity lifecycle extends identity lifecycle management across identity management across identity domains domains ––Addresses lifecycle management of Addresses lifecycle management of users across domains users across domains
Federated Identity Management Federated Identity Management
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 9
Federation Roles: Identity and Service Provider
1. Issues Network / Login credentials
2. Handles User Administration/ ID Mgmt
3. Authenticates User; “Vouches” for the user’s identity and entitlements in a transaction
1. Relying Party; “WHO is the USER?”
Access to Services are controlled by Service Provider
2. Third-party User is provided access to services for the duration of the federation
Identity Provider
(IdP)
“Owns the user relationship”
“Asserting or Vouching” party in the transaction
Provides Services to trusted users
“Validation or Relying” party in the transaction
ServiceProvider
(SP)USERS
Mutual TRUST
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 10
User Interaction
Identity Provider
ServiceProviderMutual TRUST
User
Bookmark
User may start at the Service Provider
User may start at the Identity Provider
Identity
Who is the “Identity Provider”Who is the “User” ?How can get “identity information” from the User ?
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 11
WS-FederationAnnounced by BEA, IBM, Microsoft, RSA, and VeriSign
WS-Federation (Web Services Federation Language)Enables security realms to federateEnhances policy to enable federation of related servicesDescribes federation messagesDescribes federated Attribute and Pseudonym service relationships
WS-Federation: Passive Requestor ProfileUses the cross trust realm identity, authentication and authorization federation mechanisms in WS-Federation to support passive requestors, such as Web browsers
WS-Federation: Active (Smart) Requestor ProfileUses the cross trust realm identity, authentication and authorization federation mechanisms in WS-Federation to support active requestors, such as SOAP-enabled applications
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 12
AgendaWeb Services Overview
Security RoadmapFederation Overview
Federation Drilldown
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 13
One Protocol, Multiple BindingsCommon protocol (WS-Trust)Two “profiles” of the model are defined
Smart/Active clients (SOAP)Passive clients (Browser – HTTP/S)
Supporting services (attribute/pseudonym/…)
SecuritySecurityTokenToken
ServiceService
HTTPHTTPReceiverReceiver
HTTP messagesHTTP messages
SOAP messagesSOAP messagesSOAPSOAP
ReceiverReceiver
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 14
Trust TopologiesFederation approach must address different trust topologies
Model existing business practicesLeverage existing infrastructure
Sample topologiesDirect trust
• Exchange• Validation
Indirect trustDelegation
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 15
Direct TrustToken Exchange
TrustTrust
Get identityGet identitytokentoken
Get accessGet accesstokentoken11
33
22
Trust
Trust
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 16
Direct TrustToken Validation
TrustTrust
Get identityGet identitytokentoken
Get accessGet accessverificationverification
11
22
33
Trust
Trust
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 17
Indirect Trust
TrustTrustTru
stTrust
C trusts B which vouches for A who vouches for clientC trusts B which vouches for A who vouches for client
11
22
Trust
Trust
Trust
Trust
CC
BB
AA
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 18
Delegation
TrustTrust
11
33
22
TrustTrust
55
44Trust
Trust
Trust
Trust
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 19
Single Sign-Out
11
22
22
22
……
……
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 20
Attribute ServiceScenario: You ask a weather service for the current weather (or visit a weather site), it provides personalized response because it knows your zip codeWhy it worked:
Policy indicated an attribute serviceIdentity information was used to find zip codeWeather service was authorized to access zip code
Specification defines the concept of an attribute service but not a specific interface
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 21
Attribute Scoping
Zip: 12309Zip: 12309FN: FredFN: FredID: 3442 ID: 3442 Nick: Nick: FreddoFreddoID: FJ454ID: FJ454Nick: Nick: FredsterFredsterID: 3ID: 3--5555--3434……
Model allows for attributes to be scopedModel allows for attributes to be scoped
(fabrikam123.com)(fabrikam123.com)
(business456.com)(business456.com)
((example.comexample.com))
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 22
Attribute DiscoveryOpen design model
Any attribute store can be usedIntegration with legacy systems
Discovery via policyRequestor’s policy attribute serviceAttribute service has its own policyCommunication governed this policy
UDDI is an example store
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 23
Attribute Discovery
Pol
icy
Pol
icy
Pol
icy
Pol
icy
11
33
2244 ““Get FN”Get FN”
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 24
Attribute Example
TrustTrust
11
33
22 44
TrustTrust
Zip: 12309Zip: 12309FN: FredFN: Fred……
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 25
Protecting IdentitySingle sign-on also needs to
Prevent collusionProvide anonymity
Other forms of collusion still exist:AddressPhone numberCredit cardSocial security number
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 26
Pseudonym ServiceThis service provides a mechanism for associating alternate identitiesPseudonyms represent alternate identities
Scoped by a domain expressionSubject to authorization controlCan be accessed by authorized servicesCan be integrated with IP/STS
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 27
Pseudonym Discovery
Pol
icy
Pol
icy
Pol
icy
Pol
icy
11
33
2244
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 28
Pseudonym Example 1
Service sets pseudonym for its domain
TrustTrust
““Fred” Fred” ““A123A123””
““A123” A123” ““FreddoFreddo””
11
22
33
““A123A123””
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 29
Pseudonym Example 2
Service fetches pseudonym for its domain
TrustTrust
““Fred” Fred” ““B456B456””
““B456” B456” ““FreddoFreddo””
11
22
33
““B456B456””
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 30
Pseudonym/STS Integration
Pseudonym & STS can work togetherSingle physical serviceSeparate but tightly coupled servicesScope of request selects pseudonym
TokenTokenRequestRequest
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 31
Pseudonym Example 3
Use pseudonyms to obtain initial token
TrustTrust
““Fred” Fred” ““FreddoFreddo””
““Fred” Fred” ““FreddoFreddo””11
33
““FreddoFreddo””
22
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 32
Federation Discovery Recap
……P
olic
yP
olic
y
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 33
Active (Smart Client) ProfileDescribes options with SOAP clientsAllows rich cachingVaried models based on policy
Business needsInter-organizationRegulations
Strong authentication of all requests
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 34
Example Flow (SOAP)Requesting
ServiceRequestor’s
IP/STSTargetService
Target’sIP/STS
Acquire policy
Request token
Return token
Request token
Return token
Send secured request
Return secured response
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 35
Passive ProfileDescribes options with browsers
Pure redirect with GETURL-onlyPOST body
Uses redirection to effect messagesTunnels WS-Trust messages
ImplicitlyExplicitly
Allows custom caching mechanisms
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 36
Example Flow (Browser)Requesting
BrowserRequestor’s
IP/STSTarget
ResourceTarget’sIP/STS
Get resource
Detect realm
Redirect to resource’s IP/STS
Redirect to requestor’s IP/STS
Login
Return identity token
Return resource token
Return secured response
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 37
Federating SecuritySummary
Generic token acquisitionEnables different trust topologies
Integrates with existing infrastructuresBusiness modelToken formatsAttribute storesDirectory services
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 38
Federating SecuritySummary
Identity Protection and PrivacyVarying levels supportedAllows true anonymitySupports multiple privacy languagesRich privacy options
End-to-end, no HTTPS requiredPublic review and participationFree to implement
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 39
Federating SecuritySummary
Together with the other WS-* specifications, provides a rich fabric for building secure, reliable, transacted systems across federation boundariesSOAP composability model allows layering of vertical and value-add applications and protocols
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 40
Authenticate
The Client’s Problem
Browser-Based User SBC Yahoo
MySBCMySBC
Federal DoFederal Do--NotNot--Call RegistryCall Registry
Service Provider
Service Provider
•Multiple Logins, PW rules, etc
•Disjoint user experience, no crossover incentive
•Costly user administration at every Service Provider
Authenticate
Authenticate
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 41
Scenario
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 42
The Solution – Federated Identity Management
Browser-Based User SBC FreedomPass
MySBCMySBC
Federal DoFederal Do--NoNo--Call RegistryCall Registry
Service Provider
Service Provider
AuthenticateSingle Sign On
Single Sign On
•Reduced ID Management costs
•User satisfaction creates ‘stickiness’
•Fast service provider adoption
•Passwords, passwords, passwords
Trust
Trust
WS-FederationSAMLLiberty
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 43
Scenario 1: Sign On to Freedom Pass Portal
Starting from welcome page on the Freedom Pass siteLog into Identity Provider (IdP) as edwardArrive at Freedom Pass portal
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 44
Freedom Pass Intro page
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 45
Freedom Pass login
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 46
Portal Site
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 47
Scenario 2: Federate Liberty User and SSO
Start from Edward’s Freedom Pass portal pageClick on MySBC under the “Services Available to Link” menu to initiate account federationConfirm federation to partner by clicking ContinueLog into SP as eddieArrive at Federation Success pageClick on MySBC buttonArrive at MySBC pageClick Local LogoutReturn to Freedom PassClick on MySBC to SSO to SPSingle-sign out using the Freedom Pass logout link.
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 48
Initiate Account Federation to Partner
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 49
Confirm Federation to Partner
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 50
User Logs into Service Provider
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 51
Federation Success Page
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 52
Arrive at MySBC
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 53
Local Logout
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 54
Return to FreedomPass
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 55
SSO to MySBC
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 56
FreedomPass Logout
Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation
Tony Nadalin — Federated Identity Management, the Real Story Page 57