WP8 Security and Privacy Identity Management 15. November 2012 Wolfgang Steigerwald (DT) Robert Seidl (NSN)

Upload: miranda-wade

Post on 01-Apr-2015


Page 1

WP8 Security and Privacy
Identity Management

15. November 2012
Wolfgang Steigerwald (DT)
Robert Seidl (NSN)

Page 2

The FI-WARE Project – Base Platform for Future Service Infrastructures

Agenda

Aspects of Identity Management

Differences of the IdM solutions

The Nokia Siemens Network (NSN) IdM-System

The Deutsche Telekom (DT) IdM-System

Questions, Answers and Discussion

Page 3

Aspects of Identity Management

[Diagram. Entities: Device, Service Network, Application, User]

• Authentication: private, secure, mutual
• Single Sign-On to service domains
• Identity Federation towards applications
• Authorisation & Trust Management
• User & Profile Management
• Authentication, Authorisation, Accounting

Page 4

Differences of the IdM solutions

Features                        NSN                   DT

Authentication Methods:
  Username/Password             Yes                   Yes
  eID (STORK)                   Yes (2nd version)     No
  3rd Party Login               Yes                   Yes
  Attribute Based Credentials   Yes                   No

Supported Protocols:
  OAuth2.0                      Yes (2nd version)     Yes
  SAML2.0                       Yes                   No
  OpenID                        Yes (2nd version)     Yes
  https                         Yes                   Yes

Interfaces:
  Web                           Yes                   Yes
  RESTful                       No                    Yes

Markets:                        Telecommunication     Internet Shops

Page 5

Nokia Siemens Networks IDM Solution

One-IDM

Page 6

What we have and what we will offer in detail to FI-Ware UC projects.

Features for One-IDM customers
• Service will be managed and hosted by NSN
• Provisioning of user accounts will be done by NSN
• Set-up of trust relations will be done by NSN
• Configuration of attribute database scheme will be done by NSN

Service specific profile
• Service specific attributes can be viewed
• Account name at service
• Account type (existing or on-demand)
• Attribute release policy (admin role)
• Authentication at service can consider the trust level of used authentication method at portal (cf. box above)

Customer self care / Customer care tools
• Full list of attributes can be viewed on overview page
• Transparency towards user is an important concern
• At the portal, users are able to view and (partially) modify their attributes
• Basic identifiers cannot be modified (because e.g. full name is legally bound to a contract)

Identity management / Authentication
At the portal, the user may choose different authentication methods:
• username / password
• Facebook Connect (Facebook can be used as Identity Provider)
• Support of ABC4Trust credentials
Other authentication methods (not in portal) include:
• AAA
• GBA
• German eID
• Identity federation in general possible

The red marked features will not be available in the project.

Page 7

How you can use the One-IDM

[Diagram. Labels: User's Home, Example Service, Service, One-IDM System (IdM Server, IdM Portal), federation, browser based redirect]

Page 8

The Global Customer Platform

GCP

Page 9

What we have and what we will offer in detail to FI-Ware UC projects.

Features for GCP-B2B-customers
• Cloud-offer: Managed and hosted environment
• DTAG security- and data-privacy standards
• Complete online administration
• Online management of customer care agents
• Complete control over your brand – white-label platform
• Any functionality also exposed via APIs for full integration
• Complete and comprehensive online documentation

Product management / Subscription management for free products
• Product catalog management (commercial aspects such as price-plans, contractual attributes)
• Payment management for subscription products
• Wide range of pricing-models for subscriptions (fixed recurring, trial periods, set-up fees, usage based post paid, …)
• Global payment methods

Customer self care / Customer care tools
• Customizable customer self care portal for customer data administration, account administration, contract management, billing management
• Customer care tooling for managing user-data, customer-data, contract-data and invoicing
• Customer care tooling can be integrated with existing customer care systems

Registration / Identity management / Product booking
• Complete online registration
• Complete Login, logout, single-sign-on
• Registration and login using 3rd party identity providers (facebook, google, yahoo!, …)
• Password change, password recovery, management of 3rd party ID-federations
• OAuth 2.0-based API for apps on iOS, android, …
• Complete checkout-process for product booking
• Complete management of payment-information

The red marked features will not be available in the project.

Page 10

How you can use GCP

[Diagram. Labels: WEB Shop (three instances, each with "login"), Global Customer Platform, Tenant Instance, Registration or Login, Configuration, Customer Self-care Management, Customer Care Management, Admin]

Page 11

Outlook
• During the project we will provide a common interface for both IDM systems
• We will provide additional features:
  • One-IDM:
    • switch to Digital Self
    • support of OAuth2.0, OpenID, eID
  • GCP:
    • new features will be developed regarding customer needs
    • enhancements to the REST-API

How to access the demos

GCP demo
https://logint2.idm.toon.sul.t-online.de/media-store
https://logint2.idm.toon.sul.t-online.de/music-service
https://logint2.idm.toon.sul.t-online.de/video-service
Please contact [email protected]

One-IDM
https://85.183.197.168:8443/idmPortal
http://85.183.197.168/shop/catalog
Please contact [email protected]

Prerequisite: add these lines to your "hosts" file (/etc/hosts or c:\windows\system32\drivers\etc\hosts):
85.183.197.168 idm.nsn.com
85.183.197.168 payb.nsn.com
85.183.197.168 easybuy

Page 12

Thanks !!

Page 13

Preliminary Core GEs Architecture

[Architecture diagram. Legend: Identity, Privacy, Data Handling. Component labels:]

• Identity Store, External Identity Store, Access Policy Store, Authentication Policy Store, Credential Store
• White Label IDP, IdMaaS
• User/Device Authentication, Authentication Handling
• Credential Management, Credential and Token Handling, Idemix Privacy Crypto
• Identity Federation, Federation Handling, Stork/EID
• Personal Information Access Control, PII Access Control
• Policy Enforcement Point, Policy Decision Point, Policy Administration Point
• Persistence Handler
• Privacy Scanning, Log Based Privacy Scanning Engine
• Attribute and Data Handling, Attribute Manager, Attribute Name Adoption, Data Store, External Data Stores
• Administration/Mass Provisioning
• Monitoring: 8.1 Event Generation
• Auditing: 8.3 Audit Logs, 8.3 User Logs
• 8.4 Billing, Billing Services