federated identity management, the real story

Colorado Software Summit: October 24 – 29, 2004 © Copyright 2004, IBM Corporation

Tony Nadalin — Federated Identity Management, the Real Story

Federated Identity Management, the Real Story

Anthony NadalinChief Security ArchitectIBM Corporation



AgendaWeb Services Overview

Security RoadmapFederation Overview

Federation Drilldown



Secure, Reliable, TransactedWeb Services

Service Composition

ComposableService

Assurances

Description

Messaging

Transports

BPEL4WS

Security

XSD, WSDL, UDDI, Policy, MetadataExchange

XML, SOAP, Addressing

HTTP, HTTPS, SMTP

ReliableMessaging Transactions

From joint IBM/MSFT WS Whitepaper at From joint IBM/MSFT WS Whitepaper at http://msdn.microsoft.com/webservices/default.aspx?pull=/libraryhttp://msdn.microsoft.com/webservices/default.aspx?pull=/library/en/en--us/dnwebsrv/html/wsoverview.aspus/dnwebsrv/html/wsoverview.asp

http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en /en-us/dnwebsrv/html/wsoverview.asp us/dnwebsrv/html/wsoverview.asp



Importance of CompositionEverything works in combination

Ex: Transaction context works over a reliable connection Ex: Participants use WS-Security to secure transactions (for all types participants)

Not "reinventing the wheel" for every stackCode reuse, lower costs, faster time to marketEx: all resources named using WS-Addressing

The overall system is more stableChanges don't percolate up the stackEx: By using WS-Security, Federation supports all tokens, including future ones



Composable Headers

Addressing

<S:Envelope … ><S:Header>

<wsa:ReplyTo><wsa:Address>http://business456.com/User12</wsa:Address>

</wsa:ReplyTo><wsa:To>http://fabrikam123.com/Traffic</wsa:To><wsa:Action>http://fabrikam123.com/Traffic/Status</wsa:Action><wssec:Security>

<wssec:BinarySecurityTokenValueType="wssec:X509v3" EncodingType=“wssec:Base64Binary">

dWJzY3JpYmVyLVBlc…..eFw0wMTEwMTAwMD</wssec:BinarySecurityToken>

</wssec:Security><wsrm:Sequence>

<wsu:Identifier>http://fabrikam123.com/seq1234</wsu:Identifier><wsrm:MessageNumber>10</wsrm:MessageNumber>

</wsrm:Sequence></S:Header><S:Body>

<app:TrafficStatusxmlns:app="http://highwaymon.org/payloads">

<road>520W</road><speed>3MPH</speed></app:TrafficStatus>

</S:Body></S:Envelope>

Security

Reliability



WS-Security Roadmap

SecuritySecurity

SecuritySecurityPolicyPolicy

SecureSecureConversationConversation

TrustTrust

FederationFederation

PrivacyPrivacy

AuthorizationAuthorization

SOAP MessagingSOAP Messaging



Federated Identity Administration Problem

Access to Access to ThirdThird--party Usersparty UsersAccess to Access to ThirdThird--party Resources party Resources

USERS

ThirdThird--party Users ?party Users ?Subsidiaries, Subsidiaries, partnerpartner--users, users, etc.etc.

ThirdThird--party party Resources ?Resources ?External Web Sites, External Web Sites, Internal Web SitesInternal Web Sites

Customers, Employees

Identity & Access Management

Provisioning Endpoints

Applications

ORGANIZATION

IBMDirectory

c

o

ou



Federated Identity“Federated identity” is defined as collection of federated attributes that can be sourced across multiple federated and authoritative data sources”

Technology for creating a globally interoperable Online Identity for driving Relationship or Affinity driven Business Models Between companies

To an individual user, it means the ability to associate his various application and system identities with one another.

It refers to the ability of one enterprise to associate with one or more others in a Federation, such that the identities from one enterprise domain (or identity provider) are granted access to the services of another enterprise (or service provider).

Concept is nothing newCREDIT CARD

ATM CARD

STATE DRIVER LICENSE

PASSPORT

Administrative concept that Administrative concept that extends identity lifecycle extends identity lifecycle management across identity management across identity domains domains ––Addresses lifecycle management of Addresses lifecycle management of users across domains users across domains

Federated Identity Management Federated Identity Management



Federation Roles: Identity and Service Provider

1. Issues Network / Login credentials

2. Handles User Administration/ ID Mgmt

3. Authenticates User; “Vouches” for the user’s identity and entitlements in a transaction

1. Relying Party; “WHO is the USER?”

Access to Services are controlled by Service Provider

2. Third-party User is provided access to services for the duration of the federation

Identity Provider

(IdP)

“Owns the user relationship”

“Asserting or Vouching” party in the transaction

Provides Services to trusted users

“Validation or Relying” party in the transaction

ServiceProvider

(SP)USERS

Mutual TRUST



User Interaction

Identity Provider

ServiceProviderMutual TRUST

User

Bookmark

User may start at the Service Provider

User may start at the Identity Provider

Identity

Who is the “Identity Provider”Who is the “User” ?How can get “identity information” from the User ?



WS-FederationAnnounced by BEA, IBM, Microsoft, RSA, and VeriSign

WS-Federation (Web Services Federation Language)Enables security realms to federateEnhances policy to enable federation of related servicesDescribes federation messagesDescribes federated Attribute and Pseudonym service relationships

WS-Federation: Passive Requestor ProfileUses the cross trust realm identity, authentication and authorization federation mechanisms in WS-Federation to support passive requestors, such as Web browsers

WS-Federation: Active (Smart) Requestor ProfileUses the cross trust realm identity, authentication and authorization federation mechanisms in WS-Federation to support active requestors, such as SOAP-enabled applications



AgendaWeb Services Overview

Security RoadmapFederation Overview

Federation Drilldown



One Protocol, Multiple BindingsCommon protocol (WS-Trust)Two “profiles” of the model are defined

Smart/Active clients (SOAP)Passive clients (Browser – HTTP/S)

Supporting services (attribute/pseudonym/…)

SecuritySecurityTokenToken

ServiceService

HTTPHTTPReceiverReceiver

HTTP messagesHTTP messages

SOAP messagesSOAP messagesSOAPSOAP

ReceiverReceiver



Trust TopologiesFederation approach must address different trust topologies

Model existing business practicesLeverage existing infrastructure

Sample topologiesDirect trust

• Exchange• Validation

Indirect trustDelegation



Direct TrustToken Exchange

TrustTrust

Get identityGet identitytokentoken

Get accessGet accesstokentoken11

33

22

Trust

Trust



Direct TrustToken Validation

TrustTrust

Get identityGet identitytokentoken

Get accessGet accessverificationverification

11

22

33

Trust

Trust



Indirect Trust

TrustTrustTru

stTrust

C trusts B which vouches for A who vouches for clientC trusts B which vouches for A who vouches for client

11

22

Trust

Trust

Trust

Trust

CC

BB

AA



Delegation

TrustTrust

11

33

22

TrustTrust

55

44Trust

Trust

Trust

Trust



Single Sign-Out

11

22

22

22

……

……



Attribute ServiceScenario: You ask a weather service for the current weather (or visit a weather site), it provides personalized response because it knows your zip codeWhy it worked:

Policy indicated an attribute serviceIdentity information was used to find zip codeWeather service was authorized to access zip code

Specification defines the concept of an attribute service but not a specific interface



Attribute Scoping

Zip: 12309Zip: 12309FN: FredFN: FredID: 3442 ID: 3442 Nick: Nick: FreddoFreddoID: FJ454ID: FJ454Nick: Nick: FredsterFredsterID: 3ID: 3--5555--3434……

Model allows for attributes to be scopedModel allows for attributes to be scoped

(fabrikam123.com)(fabrikam123.com)

(business456.com)(business456.com)

((example.comexample.com))



Attribute DiscoveryOpen design model

Any attribute store can be usedIntegration with legacy systems

Discovery via policyRequestor’s policy attribute serviceAttribute service has its own policyCommunication governed this policy

UDDI is an example store



Attribute Discovery

Pol

icy

Pol

icy

Pol

icy

Pol

icy

11

33

2244 ““Get FN”Get FN”



Attribute Example

TrustTrust

11

33

22 44

TrustTrust

Zip: 12309Zip: 12309FN: FredFN: Fred……



Protecting IdentitySingle sign-on also needs to

Prevent collusionProvide anonymity

Other forms of collusion still exist:AddressPhone numberCredit cardSocial security number



Pseudonym ServiceThis service provides a mechanism for associating alternate identitiesPseudonyms represent alternate identities

Scoped by a domain expressionSubject to authorization controlCan be accessed by authorized servicesCan be integrated with IP/STS



Pseudonym Discovery

Pol

icy

Pol

icy

Pol

icy

Pol

icy

11

33

2244



Pseudonym Example 1

Service sets pseudonym for its domain

TrustTrust

““Fred” Fred” ““A123A123””

““A123” A123” ““FreddoFreddo””

11

22

33

““A123A123””



Pseudonym Example 2

Service fetches pseudonym for its domain

TrustTrust

““Fred” Fred” ““B456B456””

““B456” B456” ““FreddoFreddo””

11

22

33

““B456B456””



Pseudonym/STS Integration

Pseudonym & STS can work togetherSingle physical serviceSeparate but tightly coupled servicesScope of request selects pseudonym

TokenTokenRequestRequest



Pseudonym Example 3

Use pseudonyms to obtain initial token

TrustTrust

““Fred” Fred” ““FreddoFreddo””

““Fred” Fred” ““FreddoFreddo””11

33

““FreddoFreddo””

22



Federation Discovery Recap

……P

olic

yP

olic

y



Active (Smart Client) ProfileDescribes options with SOAP clientsAllows rich cachingVaried models based on policy

Business needsInter-organizationRegulations

Strong authentication of all requests



Example Flow (SOAP)Requesting

ServiceRequestor’s

IP/STSTargetService

Target’sIP/STS

Acquire policy

Request token

Return token

Request token

Return token

Send secured request

Return secured response



Passive ProfileDescribes options with browsers

Pure redirect with GETURL-onlyPOST body

Uses redirection to effect messagesTunnels WS-Trust messages

ImplicitlyExplicitly

Allows custom caching mechanisms



Example Flow (Browser)Requesting

BrowserRequestor’s

IP/STSTarget

ResourceTarget’sIP/STS

Get resource

Detect realm

Redirect to resource’s IP/STS

Redirect to requestor’s IP/STS

Login

Return identity token

Return resource token

Return secured response



Federating SecuritySummary

Generic token acquisitionEnables different trust topologies

Integrates with existing infrastructuresBusiness modelToken formatsAttribute storesDirectory services




Identity Protection and PrivacyVarying levels supportedAllows true anonymitySupports multiple privacy languagesRich privacy options

End-to-end, no HTTPS requiredPublic review and participationFree to implement




Together with the other WS-* specifications, provides a rich fabric for building secure, reliable, transacted systems across federation boundariesSOAP composability model allows layering of vertical and value-add applications and protocols



Authenticate

The Client’s Problem

Browser-Based User SBC Yahoo

MySBCMySBC

Federal DoFederal Do--NotNot--Call RegistryCall Registry

Service Provider

Service Provider

•Multiple Logins, PW rules, etc

•Disjoint user experience, no crossover incentive

•Costly user administration at every Service Provider

Authenticate

Authenticate



Scenario



The Solution – Federated Identity Management

Browser-Based User SBC FreedomPass

MySBCMySBC

Federal DoFederal Do--NoNo--Call RegistryCall Registry

Service Provider

Service Provider

AuthenticateSingle Sign On

Single Sign On

•Reduced ID Management costs

•User satisfaction creates ‘stickiness’

•Fast service provider adoption

•Passwords, passwords, passwords

Trust

Trust

WS-FederationSAMLLiberty



Scenario 1: Sign On to Freedom Pass Portal

Starting from welcome page on the Freedom Pass siteLog into Identity Provider (IdP) as edwardArrive at Freedom Pass portal



Freedom Pass Intro page



Freedom Pass login



Portal Site



Scenario 2: Federate Liberty User and SSO

Start from Edward’s Freedom Pass portal pageClick on MySBC under the “Services Available to Link” menu to initiate account federationConfirm federation to partner by clicking ContinueLog into SP as eddieArrive at Federation Success pageClick on MySBC buttonArrive at MySBC pageClick Local LogoutReturn to Freedom PassClick on MySBC to SSO to SPSingle-sign out using the Freedom Pass logout link.



Initiate Account Federation to Partner



Confirm Federation to Partner



User Logs into Service Provider



Federation Success Page



Arrive at MySBC



Local Logout



Return to FreedomPass



SSO to MySBC



FreedomPass Logout

federated identity management, the real story

Documents