universal identity and management in soa

Uploaded by mk-tashu, posted 06-Apr-2018


  • 8/3/2019 Universal Identity and Management in SOA

    1/21

    Presented by: Mebratu Tsehayu & Mismaku Hiruy


    06 October, 2011


  • Slide 2/21

    Introduction

    Overview

    Importance

    Long-term shift to Identity Providers by industry

    Requirements

    Key identity challenges

    Industry work

    Examples of different approaches

    The Pieces of the IDM Puzzle

    IDM Meets SOA

    Conclusion

  • Slide 3/21

    What is Identity?

    o Identity is both a real-world concept and a digital construct

    o In the real world: the individual characteristics by which a thing or person is recognized or known.

    o In the digital world: information about an entity that is sufficient to identify that entity in a particular context.

    o Digital representation of a set of claims made by one party and presented to another party

    o A digital identity can be a set of identity information

  • Slide 4/21

    Identity management

    o Broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity.

    e.g. the driver licensing system

    o The set of processes, policies and technologies that enable authoritative sources to accurately identify entities. (ISO, 5th draft IdM Framework, Nov. 2008)

    o The structured creation, capture, syntactical expression, storage, tagging, maintenance, retrieval, use and destruction of identities by means of diverse arrays of different technical, operational, and legal systems and practices. (ITU-T X.1250)

  • Slide 5/21

  • Slide 6/21

    It provides assurance of identity information in a manner that supports secure, trusted access control.

    The ability of a user to select an Identity Provider (IdP) supports a multitude of identity-based services, including:

    targeted advertising; personalized services based on geo-location and interest;

    authenticated services to decrease fraud and identity theft.

    Essential for communications, commerce, and just about any significant societal activity

    Essential for network/cybersecurity and critical infrastructure protection, both preventative and forensic

    Open nomadic networks, services and content are an enduring strong value proposition

    Essential for securing the SOA world and WS-related resources

    Because most of our professional lives will be spent dealing with it

    http://www.itu.int/en/ITU-T/gsi/idm/Pages/default.aspx, 25 September 2011

  • Slide 7/21

    Shift

    Primary driver is nomadicity

  • Slide 8/21

    Portability and Interoperability

    The service must use globally unique identifiers in a common interchange format

    The service must support extensible mapping

    The service must use a common protocol

    Extensibility

    The service and protocol should be based on XML and XML Schemas

    The service must support global vocabulary definition

    The service should support distributed local vocabulary definition

    Negotiated Privacy and Security

    The service must allow identity owners to control their information

    The service must use a common negotiation protocol

    The protocol must support anonymity and pseudonymity

    Accountability

    All identity owners and service providers should agree to common terms

    The accountability framework should be based on universal legal principles

    Standard dispute resolution mechanisms

  • Slide 9/21

    Distributed Registration and Certification Authority

    The service should support both hierarchical and peer-to-peer registration and certification models

    In the hierarchical model, common standards and protocols should apply to all registration and certification authorities

    Registrations should be portable

    Certification standards should support multiple trust levels

    Certification standards should be extensible to new attributes

    Independent Governing Authority

    The governing authority should be chartered as an international non-profit organization

    It should set both technical and operational standards for the service

    It should manage global vocabulary development for universal identity attributes and global protocol control structures

    It should set the accountability terms for all agents, including registration and certification authorities

    It should serve as an impartial root authority for hierarchical registration or certification models

    http://www.w3.org/2001/03/WSWS-popa/paper57

  • Slide 10/21

    IDM presents several challenges in most organizations:

    Security: Do user entitlements exactly match their needs? Are policies, such as segregation of duties rules, violated? Do access rights persist after they are no longer needed?

    Consistency: User profile data entered into different systems should be consistent. The fact that each system has its own user profile management system makes this difficult.

    Efficiency: Setting up a user to access multiple systems is repetitive.

    Usability

    Reliability

    Scalability: Enterprises manage user profile data for large numbers of people. Any IDM system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.

  • Slide 11/21

    o Several types of technologies are available to manage user identity data across the enterprise.

    o Focus on streamlining the identity management process and managing data consistently across multiple systems.

    Higgins - an extensible, platform-independent, identity-protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information.

    CardSpace - a system in the Windows Communication Foundation (WCF) of WinFX that allows users to manage their digital identities from various identity providers, and employ them in different contexts.

    Liberty - allows consumers and users of Internet-based services to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites.

  • Slide 12/21

    OpenID - a decentralized single sign-on system. A free and easy way to use a single digital identity across the Internet.

    Providers

    Yahoo!, Blogger, AOL, LiveJournal, MyOpenID.com, Link Safe, etc.

    60 listed at openiddirectory.com

    Relying Parties

    Plaxo, Pibb, Magnolia, Blogger comments, LiveJournal, WordPress, wikis, blogs, etc.

    Many, many more listed at openiddirectory.com

    Challenges

    Perception

    Relying Party (business)

    User Experience

    Technical

  • Slide 13/21

    Directories

    The storage area for user IDs and passwords. It offers one place for a company to view system access across the company.

    Accessed using the Lightweight Directory Access Protocol (LDAP)

    A directory is just the starting point for identity and access

    Meta Directories

    Engines that synchronize data about users between different systems. Simplify user administration.

    Web SSO / WebAM

    A middleware used to manage authentication and authorization of users accessing one or more web-enabled applications.

    A Web SSO system intercepts initial contact by the user's web browser to a web application and either verifies the user or else redirects the user to an authentication page.

    The WebAM component of the system controls the user's access to application functions and data.

    A Web SSO / WebAM product uses an LDAP directory as a back-end repository to identify all users.
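The intercept-then-verify-or-redirect flow described above, as an added example that is not part of the deck; the session store, user directory, paths and policy are constructed sample data, and a dict stands in for the LDAP back-end repository.

```python
# Added example (not from the deck): the Web SSO / WebAM interception flow the
# slide describes. Session ids, users, paths and policy are constructed sample
# data; a dict stands in for the LDAP back-end repository.
from urllib.parse import quote

LOGIN_URL = "/sso/login"
# Back-end repository (the deck's LDAP directory): user -> group memberships.
DIRECTORY = {"alice": {"finance"}, "bob": {"sales"}}
# Server-side session store: opaque session id -> authenticated user.
SESSIONS = {"s-7f3a": "alice", "s-91c0": "bob"}
# WebAM policy: application function -> groups allowed to use it.
POLICY = {"/reports/finance": {"finance"}, "/orders": {"sales", "finance"}}

def intercept(path: str, cookies: dict) -> tuple:
    """Front the application the way a Web SSO proxy does.

    Returns (status, detail): 302 with the login redirect when no valid
    session exists, 403 when the WebAM policy denies, 200 when allowed.
    """
    user = SESSIONS.get(cookies.get("sso_session", ""))
    if user is None or user not in DIRECTORY:
        # Step 1 (Web SSO): no verified user, so send the browser to the
        # authentication page, carrying the original target so it can return.
        return 302, f"{LOGIN_URL}?return_to={quote(path, safe='')}"
    # Step 2 (WebAM): an authenticated user still needs a matching policy.
    # Unknown functions have no entry and are denied by default.
    allowed = POLICY.get(path, set())
    if not (DIRECTORY[user] & allowed):
        return 403, f"{user} denied {path}"
    return 200, f"{user} granted {path}"
```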

  • Slide 14/21

    Password management

    Combination of password synchronization between systems and applications and self-service password reset.

    Allows users to maintain a single password, subject to a single security policy, across multiple systems.

    Effective mechanism for addressing password management problems on an enterprise network

    Enterprise single sign-on

    A way of storing user credentials outside of the various applications

    E-SSO systems have had limited success in large production environments

    User provisioning

    Shared IT infrastructure which is used to externalize the management of users, identity attributes and entitlements from individual systems and applications.

    Intended to make the creation, management and deactivation of login

  • Slide 15/21

    Role Based Access Control (RBAC)

    An approach to managing entitlements

    A user has access to an object based on the assigned role.

    Permissions are defined based on job authority and responsibilities within a job function.

    In an SSO system, RBAC grants privileges directly to roles and attaches users to roles.

    Access Certification

    Regulatory compliance requirements and security policies

    A process where business stakeholders are periodically invited to review entitlements, sign off on entitlements that appear to be reasonable and flag questionable entitlements for possible removal.

    There are several components to access certification

    Authorization management

    A system for managing user access to resources by user, group or role
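An added example (not from the deck) tying the RBAC model on this slide to two of the "Security" questions from the challenges slide: are segregation-of-duties rules violated, and do access rights persist after they are no longer needed? The certification pass flags both for a reviewer; all role, permission, user names and dates are constructed sample data.

```python
# Added example (not from the deck): a small RBAC model with the two checks the
# deck raises under "Security" and "Access certification": segregation-of-duties
# (SoD) violations and entitlements that outlive their need.
# All role, permission, user names and dates are constructed sample data.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
# Permissions hang off roles, users hang off roles (slide 15).
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create", "invoice:edit"},
    "ap_approver": {"invoice:approve"},
    "auditor": {"invoice:read", "audit_log:read"},
}
# SoD rule: no one person may both raise and approve invoices.
SOD_PAIRS = [("ap_clerk", "ap_approver")]

@dataclass
class Assignment:
    role: str
    expires: Optional[date] = None  # None: no end date recorded

@dataclass
class User:
    name: str
    assignments: list = field(default_factory=list)

def permissions(user: User, today: date) -> set:
    """Effective permissions: the union of the user's unexpired roles."""
    perms = set()
    for a in user.assignments:
        if a.expires is None or a.expires >= today:
            perms |= ROLE_PERMISSIONS.get(a.role, set())
    return perms

def certify(user: User, today: date) -> list:
    """Access-certification findings for a business reviewer to act on.
    Expired assignments still count: they stay on record until removed."""
    findings = []
    roles = {a.role for a in user.assignments}
    for r1, r2 in SOD_PAIRS:
        if r1 in roles and r2 in roles:
            findings.append(f"SoD violation: {r1} and {r2} both held")
    for a in user.assignments:
        if a.expires is not None and a.expires < today:
            findings.append(f"stale role: {a.role} expired {a.expires}")
    return findings

# Constructed review date and population: Alice's approver role expired a week ago.
TODAY = date(2011, 10, 6)
ALICE = User("alice", [Assignment("ap_clerk"), Assignment("ap_approver", date(2011, 9, 30))])
BOB = User("bob", [Assignment("auditor")])
```

Note that an expired role grants nothing at decision time but still produces a certification finding, since the stale assignment remains on record until someone removes it.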

  • Slide 16/21

    Beyond the enterprise

    o Identity management can extend beyond a single organization

    o Federation enables applications in different domains to share information about users.

    It is the ability to grant system access to parties outside the company's firewall, such as suppliers and outsourcing partners.

    Federation requires that software at one site can communicate basic information to software at another site

    Different organizations use different software products for their management

    To interoperate, different software products rely on standard protocols

    Standards regarding federation:

    Liberty Alliance ID-FF and ID-WSF

    Security Assertion Markup Language (SAML)

    WS-Federation

  • Slide 17/21

    o While SOA promises a new level of IT agility, it also brings security vulnerabilities. Similarly, Web services introduce new security concerns which, if not properly addressed, threaten the success of any SOA project.

    o Web services are inherently open and easily accessible

    o Web services must be protected by authentication and authorization processes

    o A Web service may call other Web services that, in turn, might call multiple other Web services.

    o The concept of identity management must be extended to Web services, devices and other entities.

    o Securing applications within an SOA environment presents challenges as well. Typical threats include message integrity, confidentiality, availability, man-in-the-middle attacks and forged claims.

    o Further complicating matters are the issues unique to the SOA environment itself, such as:

    Services aren't always user-initiated

    Unlike applications, services have multiple points of entry

    Web services operate in heterogeneous environments

  • Slide 18/21

    o SOA security needs to be part of a centralized, integrated offering

    o Identity management functions must deliver a set of standard Web services, including:

    Authentication

    Authorization

    Identity administration

    Account provisioning

    Auditing and reporting

    o Web services can consume these services to provide layers of protection and management for Web services

    o This method provides all the benefits of a central identity management system, including:

    A consistent set of enterprise-wide policies

    A global view of accounts and access rights

    Aggregated auditing across the enterprise

    Enhanced compliance with regulatory legislation such as Sarbanes-Oxley and HIPAA

    Lower administrative costs

  • Slide 19/21

    Implementing effective identity management capabilities is essential, as it has always been for public infrastructures

    Anonymity almost disappears; privacy is a value proposition

    Globalization/nomadicity combined with the complexity of infrastructures and applications increases the IdM value proposition

    Immediate priorities include better identity proofing and lifecycle management, trusted identifiers for providers and network objects, discovery and assurance metrics

    Primary venues for Identity Management include:

    Government/intergovernmental actions

    Industry/developer initiatives and products

    Standards and administrative implementations

    Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise.

  • Slide 20/21

  • Slide 21/21