Identity Management Technology

Transcription

1 Identity Management Technology Version 1.0 Dr. Horst Walther, Software Integration GmbH, Lefkosia / Cyprus

2 Technology Evolution how did we get here? Directory services Metadirectory services Virtual directory services Provisioning systems Web Access Tools Standards

3 Evolution of Identity Management. Independent sources 1988 X RBAC 1996 PKI 2001 IDM Historically 3 independent streams... The idea of a public key infrastructure (PKI) for a certificate base strong authentication can be tracked back to 1976, The CCITT[1] today ITU-T[2] published its 1 st specification of a X.500- directory service in Today common directory services are influenced by this development. 5 years later the NIST[3] startet its work on role based access control (RBAC)[4]. Later mechanisms for role based access are based on these works. [1] Comite Consultatif Internationale de Télégraphie et Téléphonie [2] International Telecommunications Union- Telecommunication [3] National Institute of Standards & Technology [4] RABC: Role Based Access Control Components show a considerable functional overlap and can t easily be combined to form a full function Identity Management Infrastructure.

4 An Identity Management Architecture

5 The need for integration The typical Fortune 500 company reports that it maintains over 180 directories, like address repositories, phonebooks... (Source: Forrester Research). Many Applications and Systems maintain their own Identitystores... Operating systems: Windows NT, 2003, XP,... Database management systems: ORACLE, DB2,.. Mail-Systems: Outlook, Lotus NOTES,... Service-Systems: RACF, Firewalls,... E-business-Systems: Internet-Portals, e-banking-systems,... Home-grown business applications.

6 Specialisations of database systems OLTP- database systems Transaction processing frequent Updates, short records, OLAP-database systems Analysis of pre-consolidated, redundant bulk data Directory Services, frequent read accesses, Special-DBMS optimised to (short) single record look-up. Despite all confusion on what directory services really are They are just specialised Database systems.

7 Integration via directory services A directory service offers a unified view on Identity Information The directory... Used by many applications Enables the maintenance of Information at a single point. Offers a universal, easily usable interface for access. Is the backbone of Intranet applications. Workflow Video Conference Application Sharing Telephone Security Certification Authority Electronic Mail Network- Administration Directoryservice Multimedia WWW Calendar Groupware Many systems maintain their own directory SAP: HR, User management, accounts payable, accounts receivable, etc. RACF: administration of privileges, Identities and Roles. Windows : Active Directory / MS Exchange Lotus Notes: Notes name and address book, ACLs per Notes-DB..

8 Evolution of directory services Triggers for further development... In early times the Implementation was too demanding for the existing Hardware. Result: Lightweight-DAP (X.500-access protocol), LDAP. Later war Hardware became less a bottleneck. A large amount of the identity information was stored in non- LDAP-Repositories already. Chance for virtual directory services... Deliberately skipping the read optimisation. The directory access is simulated only The original data sources are accessed instead Increasing bandwidth of public networks led to a decreasing relevance of X.500-Protocols like DSP or DISP. Today XML-Dialects may turn out as an competitors to LDAP. Most Directory services originate from auf the X.500-Standards.

9 X.500 and LDAP How did it happen? LDAP offers 90% of the DAP-functionality at 10% of the Costs LDAP advantages over X.500-DAP are: Functionality LDAP Runs directly over TCP eliminating the overhead of the OSI session and presentation layers required by DAP. Simplifies the X.500 functional model, Uses string encoding rather than the ASN.1 notation Frees clients from the burden of chasing referrals. DAP Costs Demand for LDAP hence offers standardisationstill. A unifies access and A unified communication with directory services

10 X.500 vs. LDAP X The first standard - published in Is a ISO- (International Standards Organisation) und ITU- (International Telecommunications Union) Standard. Defines how global directories should be structured. Follows a hierarchical organisation e.g.: country, city, organisational unit,... Supports X.400 Systems. Is the result of a long-winded work in the standardisation boards of the national Telecoms. (top-down-approach) LDAP... The pragmatic approach of the Internet-community towards X.500. Stands for Lightweight Directory Access Protocol. Replaces X.500 / DAP. Was developed to enable access to X.500 to lean Clients (PC s). Skips X.500 s communication basis, the (mighty) OSI-Protocol Uses the widely used TCP/IP. Is taken care by the Internet Engineering Task Force (IETF). They communicate via RFP s. (Bottom-Up- approach) The all encompassing standard -- vs. -- The easy access

11 X The Standards-Series X /93 Overview over Concepts, Models and Services X /93 Models X /93 Authentication-Framework X /93 Abstract Service Definition X /93 Services for distributed processing X /93 Protocol Specification X /93 Selected Attribute Types X /93 Selected Object Classes X /93 Replication X /95 Directory-Access Protocol X /95 Directory-System Protocol Auch außerhalb von In use outside the X.500-world too. Source:

12 Evolution of the Standards X.500 Concepts, Models and Services RFC2251 X.501 Models RFC2252 X.509 Authentication-Framework RFC2253 X.511 Services Definition RFC2254 X.518 Distributed Processing RFC2255 X.519 Protocol Specification RFC2256 X.520 Attribute Types RFC2164 X.521 Object Classes RFC2247 X.525 Replication X.581 Access Protocol (DAP) RFC2307 RFC1487 RFC1488 X.582 System Protocol (DSP) X.530 Access Protocol DRAFT X.500 LDAP v1 String Representation RFC1777 LDAP v2 Working Group RFC1788 String Representation for Attributes RFC 1779 Working Group String Representation for DN RFC1823 LDAP API LDAPv3 Attribute Syntax Definition UTF-8 String Representation of DN String Representation for Search Filters URL Format X.500 User Schema for use with LDAPv3 X.500/LDAP MIXER address mapping Domains in X.500/LDAP DN RFC2559 LDAP as Network Information Service X LDAPv2 LDIF inetorgperson LDUP LDAPext RFC1959 RFC1960 LDAP URL String Representation for Search Filters

13 Data and Directory Integration The Data and Directory Integration solution also serves as the foundation for security applications, such as: Single Sign-On Password Management PKI Digital Certificate Services User Provisioning The consolidation of user data stores could result in increases in consistency by 44%, accuracy by 36% and actual security by 33%. META Group

14 Synchronisation of directory services (1) Horizontal Coordination No automated synchronisation among Directories (effort rises exponential) Non coordinated Schema s MS ADS IBM RACF Sec.Way z.b. Sun One SAP R/3 Lotus Notes Tivoli, TME10 C/S Host Unix Netw./System Management

15 Synchronisation of directory services(2) Horizontal Coordination Common Schema mutual synchronisation among Directories (effort rises quadratically)... Common Schema plus. system specific Extensions MS ADS IBM RACF Sec.Way z.b. Sun One SAP R/3 Lotus Notes Tivoli, TME10 C/S Host Unix Netw./System Management

16 Synchronisation of directory services(3) Horizontal Coordination Common Schema Synchronisation via Meta-Directory Common Schema plus system specific Extensions MS ADS IBM RACF Sec.Way z.b. Sun One SAP R/3 Lotus Notes Tivoli, TME10 C/S Host Unix Netw./System Management

17 Architecture of an Identity Management System Human Resource Superior Employee applicants Application workflow Role Administration ID Administration central store for identities, groups, roles and policies Directory service Provisioning workflow Audit & Reconciliation Target Systems

18 Integration via Federation Central-Model Network-Identity and user information in a single store, Centralised control, Single point of failure, Connects uniform Systems. Federated Model Network-Identity und user information in different stores No central Control No Single point of failure Connects uniform and non-uniform Systems

19 Federated Identity Managing and brokering trust relationships across multiple organizations with support for federated identities Federated scenarios: Consumer convenience Related industry groupings Self-contained, highly distributed organizations Strategic B-to-B relationships Via opt-in to heterogeneous single sign on federation provides the link.

20 Questions, Suggestions, Hints? Thank You!!

21 Stop, Appendix From here on the back-up-slides follow...