Universal Identity and Management in SOA
TRANSCRIPT
-
8/3/2019 Universal Identity and Management in SOA
1/21
Presented by: Mebratu Tsehayu & Mismaku Hiruy
[email protected]@miun.se
06 October, 2011
-
Introduction
Overview
Importance
Long-term shift to Identity Providers by industry
Requirements
Key identity challenges
Industry work
Examples of different approaches
The Pieces of the IDM Puzzle
IDM Meets SOA
Conclusion
-
What is Identity?
o Identity is both a real-world concept and a digital construct
In the real world:
o The individual characteristics by which a thing or person is recognized or known.
In the digital world:
o Information about an entity that is sufficient to identify that entity in a particular context.
o Digital representation of a set of claims made by one party and presented to another party
o A digital identity can be a set of identity information
-
Identity management
o Broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity.
e.g. the driver licensing system
o The set of processes, policies and technologies that enable authoritative sources to accurately identify entities. (ISO, 5th draft IdM Framework, Nov. 2008)
o The structured creation, capture, syntactical expression, storage, tagging, maintenance, retrieval, use and destruction of identities by means of diverse arrays of different technical, operational, and legal systems and practices. (ITU-T X.1250)
-
It provides assurance of identity information in a manner that supports secure, trusted access control.
The ability of a user to select an Identity Provider (IdP)
Supports a multitude of identity-based services, including: targeted advertising; personalized services based on geo-location and interest; authenticated services to decrease fraud and identity theft.
Essential for communications, commerce, and just about any significant societal activity
Essential for network/cybersecurity and critical infrastructure protection, both preventative and forensic
Open nomadic networks, services and content are an enduring strong value proposition
Essential for securing the SOA world and WS-related resources
Because most of our professional lives will be spent dealing with it
http://www.itu.int/en/ITU-T/gsi/idm/Pages/default.aspx, 25 September 2011
-
Shift
Primary driver is Nomadicity
-
Portability and Interoperability
The service must use globally unique identifiers in a common interchange format
The service must support extensible mapping
The service must use a common protocol
Extensibility
The service and protocol should be based on XML and XML Schemas
The service must support global vocabulary definition
The service should support distributed local vocabulary definition
Negotiated Privacy and Security
The service must allow identity owners to control their information
The service must use a common negotiation protocol
The protocol must support anonymity and pseudonymity
Accountability
All identity owners and service providers should agree to common terms
The accountability framework should be based on universal legal principles
Standard dispute resolution mechanisms
-
Distributed Registration and Certification Authority
The service should support both hierarchical and peer-to-peer registration and certification models
In the hierarchical model, common standards and protocols should apply to all registration and certification authorities
Registrations should be portable
Certification standards should support multiple trust levels
Certification standards should be extensible to new attributes
Independent Governing Authority
The governing authority should be chartered as an international non-profit organization
It should set both technical and operational standards for the service
It should manage global vocabulary development for universal identity attributes and global protocol control structures.
It should set the accountability terms for all agents, including registration and certification authorities.
It should serve as an impartial root authority for hierarchical registration or certification models.
http://www.w3.org/2001/03/WSWS-popa/paper57
-
IDM presents several challenges in most organizations:
Security:
Do user entitlements exactly match their needs? Are policies, such as segregation of duties rules, violated? Do access rights persist after they are no longer needed?
Consistency:
User profile data entered into different systems should be consistent. The fact that each system has its own user profile management system makes this difficult.
Efficiency:
Setting up a user to access multiple systems is repetitive.
Usability
Reliability
Scalability:
Enterprises manage user profile data for large numbers of people. Any IDM system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.
-
o Several types of technologies are available to manage user identity data across the enterprise.
o Focus on streamlining the identity management process and managing data consistently across multiple systems.
Higgins - an extensible, platform-independent, identity-protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information.
CardSpace - a system in the Windows Communication Foundation (WCF) of WinFX that allows users to manage their digital identities from various identity providers, and employ them in different contexts.
Liberty - allows consumers and users of Internet-based services to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites.
-
OpenID - is a decentralized single sign-on system. It is a free and easy way to use a single digital identity across the Internet.
Providers
Yahoo!, Blogger, AOL, LiveJournal, MyOpenID.com, Link Safe, etc. 60 listed at openiddirectory.com
Relying Parties
Plaxo, Pibb, Magnolia, Blogger comments, LiveJournal, Wordpress, wikis, blogs, etc. Many, many more listed at openiddirectory.com
Challenges
Perception
Relying Party (business)
User Experience
Technical
-
Directories
The storage area for user IDs and passwords. It offers one place for a company to view system access across the company.
Accessed using the Lightweight Directory Access Protocol (LDAP)
A directory is just the starting point for identity and access
Meta Directories
Engines that synchronize data about users between different systems. Simplify user administration
Web SSO / WebAM
A middleware used to manage authentication and authorization of users accessing one or more web-enabled applications.
A Web SSO system intercepts initial contact by the user's web browser to a web application and either verifies the user or else redirects the user to an authentication page.
The WebAM component of the system controls the user's access to application functions and data.
A Web SSO / WebAM product uses an LDAP directory as a back-end repository to identify all users.
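The Web SSO / WebAM flow described on this slide, as an added Python illustration that is not part of the original presentation: the SSO layer verifies the session cookie or redirects to the authentication page, and the WebAM layer checks the user's directory groups against a per-function policy. The in-memory DIRECTORY standing in for the LDAP back-end, the cookie format, the path names and the group names are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SESSION_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption)
AUTH_PAGE = "/auth/login"               # hypothetical authentication page

# Constructed stand-in for the LDAP back-end repository: DN -> attributes
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"groups": {"finance", "staff"}},
    "uid=bob,ou=people,dc=example,dc=com": {"groups": {"staff"}},
}

# WebAM policy (constructed): application function -> group required to use it
FUNCTION_POLICY = {
    "/payroll/run": "finance",
    "/intranet/home": "staff",
}


def issue_session(dn: str) -> str:
    """Mint a session cookie after authentication: the DN plus an HMAC tag."""
    tag = hmac.new(SESSION_KEY, dn.encode(), hashlib.sha256).hexdigest()
    return f"{dn}|{tag}"


def verify_session(cookie: Optional[str]) -> Optional[str]:
    """Return the DN if the cookie is authentic and the user still exists, else None."""
    if not cookie or "|" not in cookie:
        return None
    dn, tag = cookie.rsplit("|", 1)
    expected = hmac.new(SESSION_KEY, dn.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or dn not in DIRECTORY:
        return None
    return dn


def web_sso_intercept(path: str, cookie: Optional[str]) -> Tuple[int, str]:
    """Web SSO step: verify the session or redirect to the authentication page.
    WebAM step: allow the function only if the user's directory groups satisfy policy."""
    dn = verify_session(cookie)
    if dn is None:
        return 302, f"{AUTH_PAGE}?return={path}"
    required = FUNCTION_POLICY.get(path)
    if required is None or required not in DIRECTORY[dn]["groups"]:
        return 403, "forbidden"
    return 200, f"ok:{dn}"
```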
-
Password management
Combination of password synchronization between systems and applications and self-service password reset.
Allows users to maintain a single password, subject to a single security policy, across multiple systems.
Effective mechanism for addressing password management problems on an enterprise network
Enterprise single sign-on
It is a way of storing user credentials outside of the various applications
E-SSO systems have had limited success in large production environments
User provisioning
Shared IT infrastructure which is used to externalize the management of users, identity attributes and entitlements from individual systems and applications.
Intended to make the creation, management and deactivation of login
-
Role Based Access Control (RBAC)
An approach to managing entitlements
A user has access to an object based on the assigned role.
Permissions are defined based on job authority and responsibilities within a job function.
In an SSO system, RBAC grants privileges directly to roles and attaches users to roles
Access Certification
Regulatory compliance requirements and security policies
It is a process where business stakeholders are periodically invited to review entitlements, sign off on entitlements that appear to be reasonable and flag questionable entitlements for possible removal.
There are several components to access certification
Authorization management
A system for managing user access to resources by user, group or role
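An added Python illustration, not from the original presentation, tying together the RBAC model on this slide, the segregation-of-duties and stale-entitlement questions raised under the Security challenge, and the access certification review: permissions attach to roles, users attach to roles, and the certification worklist flags entitlements whose last sign-off is older than a threshold. Role names, users, dates and the 365-day threshold are constructed.

```python
from datetime import date

# Permissions are attached to roles, never directly to users (constructed).
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "reader": {"report:view"},
}

# Segregation-of-duties rules: role pairs one user must not hold together.
SOD_RULES = [("ap_clerk", "ap_approver")]

# User -> {role: ISO date the assignment was last certified as still needed}
USER_ROLES = {
    "alice": {"ap_clerk": "2011-09-01", "reader": "2011-09-01"},
    "bob": {"ap_clerk": "2010-01-15", "ap_approver": "2011-09-01"},
    "carol": {"reader": "2009-06-30"},
}


def has_permission(user: str, permission: str) -> bool:
    """Authorization decision: some role held by the user carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in USER_ROLES.get(user, {}))


def sod_violations(user: str) -> list:
    """Return the SoD rule pairs that this user's role set violates."""
    roles = set(USER_ROLES.get(user, {}))
    return [pair for pair in SOD_RULES if roles.issuperset(pair)]


def certification_worklist(review_date: str, max_age_days: int = 365) -> dict:
    """Access certification: user -> roles whose last sign-off is older than
    max_age_days, for a business reviewer to re-confirm or flag for removal."""
    today = date.fromisoformat(review_date)
    stale = {}
    for user, roles in USER_ROLES.items():
        for role, certified in roles.items():
            if (today - date.fromisoformat(certified)).days > max_age_days:
                stale.setdefault(user, []).append(role)
    return stale


def revoke_role(user: str, role: str) -> None:
    """Remove an entitlement flagged during review; with RBAC this is one
    assignment change rather than a clean-up in every connected system."""
    USER_ROLES.get(user, {}).pop(role, None)
```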
-
Beyond the enterprise
o Identity management can extend beyond a single organization
o Federation enables applications in different domains to share information about users.
It is the ability to grant system access to parties outside the company's firewall, such as suppliers and outsourcing partners.
Federation requires that software at one site can communicate basic information to software at another site
Different organizations use different software products for their management
To interoperate, different software products rely on standard protocols
Standards regarding federation:
Liberty Alliance ID-FF and ID-WSF.
Security Assertion Markup Language (SAML).
WS-Federation.
-
o While SOA promises a new level of IT agility, it also brings security vulnerabilities. Similarly, Web services introduce new security concerns which, if not properly addressed, threaten the success of any SOA project.
o Web services are inherently open and easily accessible
o Web services must be protected by authentication and authorization processes
o A Web service may call other Web services that, in turn, might call multiple other Web services.
o The concept of identity management must be extended to Web services, devices and other entities.
o Securing applications within an SOA environment presents challenges as well. Typical threats include message integrity, confidentiality, availability, man-in-the-middle attacks and forged claims.
o Further complicating matters are the issues unique to the SOA environment itself, such as:
Services aren't always user-initiated
Unlike applications, services have multiple points of entry
Web services operate in heterogeneous environments
-
o SOA security needs to be part of a centralized, integrated offering
o Identity management functions must deliver a set of standard Web services including:
Authentication
Authorization
Identity administration
Account provisioning
Auditing and reporting
o Web services can consume and use these services, providing layers of protection and management for Web services
o This method provides all the benefits of a central identity management system, including:
A consistent set of enterprise-wide policies
A global view of accounts and access rights
Aggregated auditing across the enterprise
Enhanced compliance with regulatory legislation such as Sarbanes-Oxley and HIPAA
Lower administrative costs
-
Implementing effective identity management capabilities is essential, as it has always been for public infrastructures
Anonymity almost disappears; privacy is a value proposition
Globalization/nomadicity combined with the complexity of the infrastructures and applications increase the IdM value proposition
Immediate priorities include better identity proofing and lifecycle management, trusted identifiers for providers and network objects, discovery and assurance metrics
Primary venues for Identity Management include
Government/intergovernmental actions
Industry/developer initiatives and products
Standards and administrative implementations
Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise.