SESAM - Federation Services for the Automotive Industry · 2008. 4. 28.
EIC 2008 · Wolfgang Jodl · BMW Group · Page 1
SESAM – Services Standards for the Automotive: Federation Services.
Business Scenarios Leveraging Federation Services Standards for the Automotive Industry.
Wolfgang Jodl
SESAM. Agenda.
- The BMW Group
- Challenges for the Automotive Industry
- Business scenarios using Federation Services
- Technical Aspects and Influences of Federation Services
- Classification of Federation Scenarios – Federation Patterns
- Discussion
BMW Group. Premium Brands BMW, MINI and Rolls-Royce.
BMW Group. Company Information.

| | 2007 | 2006 | 2005 |
|---|---|---|---|
| BMW Group workforce | 107,539 | 106,575 | 105,798 |
| BMW Group revenues (in million €) | 56,018 | 48,999 | 46,656 |
| BMW Group car deliveries | 1,500,678 | 1,373,970 | 1,327,992 |
| BMW Group profit (in million €) | 3,873 | 4,124 | 3,287 |
BMW Group. IT Community.
Facts
- 3 GDCs (Americas/Asia/EMEA)
- 13 locations on all continents
- Approx. 3,000 employees
- 80,000 clients, 40% Notebooks
- More than 6,000 servers
- 3 mainframe installations
- Thousands of (web-)applications
- 3 main portals (B2B, B2D, B2E)
- Several federated/trusted local portal solutions
SESAM. Challenges.
Business processes and relationships are changing fast:
- Trend towards Cooperations
  - Enormous efforts for developing new components (e.g. engines)
  - Trend towards Components-based assembly & development
  - Flexible usage of On-Demand capacities
- Fast integration of Mergers & Acquisitions
  - Time-To: fast integration into existing Infrastructure/Processes
  - In the past, this was mainly focused on integrating infrastructures, now it is a question of process integration (what it should be).
- Flexibility & Cost reduction
  - Fast service integration is a major topic
  - SAAS promises flexibility without too tight integration
SESAM. Challenges & Consequences.
IT must be flexible and adaptive towards new business needs.
- User-centric process chain integration with external partners, Online Services, or SAAS providers
- Trend towards SAAS (Software-as-a-Service) models
All of those challenges result in process-oriented integration of various systems, across different companies:
- Collaborative engineering, design, development and manufacturing
- X-As-A-Service Models
- Flexible Customer services
- …
Federation can help solve the user-centric process & application integration challenge.
SESAM. Federation Business Scenarios.
User-centric process integration for Joint Ventures & Cooperations
[Diagram labels: BMW; External Partner; Process Steps; Federated SSO.]
SESAM. Federation Business Scenarios.
Hosted Services & Applications (e.g. SAAS)
[Diagram labels: External Service Provider; BMW Corporate Network; Internet; Intranet; B2X-User; Login with c-Account; Login with q-Account; LAAS; WS-Federation Token (Identity Claim, Group Claims, Custom Claims); User; Role Store; Mapping; FEDERATION TRUST; Federation Server; BMW Federation Services.]
SESAM. Federation Business Scenarios.
Internal Federation Gateways
[Diagram labels: BMW Corporate Network; B2X User; LDAP; Mapping; Windows User; Active Directory; FEDERATION TRUST.]
SESAM. Federation Business Scenarios.
Hosted Customer and Vehicle Online Services
[Diagram labels: BMW Customer; BMW Customer Online Services; BMW Vehicle Online Services; BMW; Third Party Service Provider; Applications 1 to 4; Federated SSO.]
SESAM. “Federation Services” in Everyday Life.
EIC 2008 · Tobias Frech · iC Consult · Page 13
SESAM. Speaker Change.
TOBIAS FRECH
iC Consult GmbH, Keltenring 14, 82041 Oberhaching
SESAM. Federation Services.
[Diagram labels: Company A; Company B; Employee; Identity Provider (IdP); Service Provider (SP); FEDERATION TRUST (SAML 1.x, SAML 2.0, WS-Federation); Identity Management; Authentication; Federation Token; Authorization; Application.]
SESAM. Federation Deployment Scenarios.
- Single IdP to single SP
  - Cooperation
  - Joint-Ventures
  - SSO Integration of different security infrastructures
- Many IdP to single SP
  - Collaboration Platforms
  - SAAS Platforms
- Single IdP to many SP
  - Portal Integration of external Services
  - External hosted Applications
- Real Life Deployments
  - Mixed infrastructures with different federation products and protocols
[Diagrams: Identity Provider and Service Provider topologies for each scenario; the mixed deployment shows Company A, Company B and Company C.]
SESAM. Requirements and Federation Protocols.
Different Federation Protocols for different requirements
- What are the requirements? What fits best for your needs?
- What protocols are supported by the partner?
[Diagram labels: SAML 1.x; SAML 2.0; WS-Federation; Microsoft Compatible; Open Source; Wide Distributed; Most Common; Enhanced Security; Metadata Support; Enhanced Features; SharePoint; Outlook Web Access.]
SESAM. Impact on IdM & Supporting Processes.
Federation Integration requires… standardizations for
- Identity Management
- Application Integration
- Permission Management
- User Helpdesk
- Incident Management
- Auditing
- …
for efficient federation deployments
SESAM. Federation Patterns.
Standardization with Patterns
[Diagram labels: IdP managed Permissions; SP managed Permissions; Identity Provider; Service Provider; Permission Management.]
SESAM. IdP managed Permissions.
[Diagram labels: Identity Provider; Service Provider; Identity Management; Permission Management; Directory; Federation Token (Identity Claim; Attribute 1, Attribute 2, Attribute …; Permission 1, Permission 2, Permission …); Authorization; Application.]
SESAM. IdP managed Permissions.
- Permissions transferred with Federation Token
- Impact on IdP side:
  - Permissions management for SP applications
- Impact on SP side:
  - No external accounts needed
  - Requires strong trust relationship to IdP
  - EAM infrastructure must handle federated user sessions
- Typical scenario: External hosted Applications
SESAM. SP managed Permissions.
[Diagram labels: Identity Provider; Service Provider; Federation Token (Identity Claim); Identity Management; Directory; Application; Permission Management; Authorization; User Mapping; Directory with Shadow-Accounts.]
SESAM. SP managed Permissions.
- Permissions are attached to Shadow Accounts at SP side
- Impact on IdP side:
  - Only Identity Claim is transferred with Federation Token
- Impact on SP side:
  - Requires Shadow-Account on SP side
  - Permission management at Shadow-Account
  - Identity Claim is mapped to Shadow-Account
  - How to map identities: Account Mapping, Account Linking, Pseudonym Linking, …
- Typical scenario: Confidential Collaboration Platforms
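
The SP-side authorization decision in the two patterns (IdP managed and SP managed permissions), as an added Python example that is not part of the original slides. The issuer URL, the account data, the `FederationToken` class and its `signature_valid` flag (standing in for real signature and expiry validation of a SAML or WS-Federation token) are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: one trusted IdP and one shadow account at the SP.
TRUSTED_IDPS = {"https://idp.company-a.example"}
SHADOW_ACCOUNTS = {  # keyed by (issuer, identity claim), not by claim alone
    ("https://idp.company-a.example", "alice@company-a.example"):
        {"local_id": "ext-0001", "permissions": {"teamspace:read"}},
}

class AccessDenied(Exception):
    pass

@dataclass
class FederationToken:  # hypothetical, already-parsed token
    issuer: str
    identity_claim: str
    permission_claims: set = field(default_factory=set)
    signature_valid: bool = False  # assumption: set by real signature/expiry checks

def check_trust(token):
    """Both patterns: accept tokens only from an IdP in the federation trust."""
    if not token.signature_valid or token.issuer not in TRUSTED_IDPS:
        raise AccessDenied("token is not from a trusted IdP")

def authorize_idp_managed(token, app_permissions):
    """IdP managed: permissions arrive in the token, no external account at the SP."""
    check_trust(token)
    # The SP relies on the IdP's assertion; it honours only permissions
    # that its own application defines.
    return token.permission_claims & app_permissions

def authorize_sp_managed(token):
    """SP managed: only the identity claim is used; permissions come from
    the shadow account that the claim maps to."""
    check_trust(token)
    account = SHADOW_ACCOUNTS.get((token.issuer, token.identity_claim))
    if account is None:
        raise AccessDenied("identity claim maps to no shadow account")
    # Permission claims in the token, if any, are deliberately ignored here.
    return set(account["permissions"])
```

Keying shadow accounts by issuer and identity claim together keeps a second trusted IdP from asserting an identity that belongs to another partner.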
SESAM. Other Federation Challenges.
- Legal Issues and Requirements
  - Service Quality Contracts Security Policies
- Organizational Issues
  - Support Responsibilities and Incident Management
  - Monitoring of Federation Services
  - How to organize incident management in federation deployments? Different SLAs/Timezones, …
- Technical Issues
  - How to transport authentication type/level (e.g. strong authentication)?
  - Session Handling (SSO, SLO, Timeouts)
  - How to ensure privacy? (Pseudonyms, Encryption)
SESAM. BMW Federation Engagements & Projects.
SESAM is also an official project at the Odette (www.odette.org). SESAM is about:
- making Federation Services useful for the Automotive Industry.
- agreeing on names, trust, and organisational and legal best practices.
VTS “Virtual Team Spaces”:
- Integrating internal portals with different security infrastructures and different identity stores.
External Hosted Dealer Applications
- Integrating external applications into existing dealer portal, without tight application integration.
SESAM. Contact.
Wolfgang [email protected], +49-(0)89-382-31997
Daniel [email protected], +49-(0)89-382-34954
Thank you for your attention.
Imprint:
Editor
BMW Group
Communication BMW Group IT
80788 München
Reproduction, even in parts, must be approved by
Bayerische Motorenwerke Aktiengesellschaft, München.
Patents may be pending on some concepts.
©2008 Bayerische Motorenwerke Aktiengesellschaft