Federated Identity Concept

Transcription

1 Federated Identity Concept Muhammad Abu-Saqer Some definition and images are taken 1. from workshop slides by Tony Nadalin (IBM) and Chris Kaler (Microsoft)

2 Paper Overview The paper describe the issues around federated identity management and describes a comprehensive solution 2

3 Federation terminology Federation A collection of realms/domains that have established trust. The level of trust may vary, but typically includes authentication and may include authorization. The technology and business arrangements necessary to interconnect users, applications, and systems Federated systems can interoperate across organizational and technical boundaries (i.e., various operating systems or security platforms) Trust Is the characteristic that one entity is willing to rely upon a second entity to executes a set of actions and/or make set of assertion about subjects and/or scopes. Single Sign On An optimization of the authentication sequence to remove the burden of repeating actions placed on the end user. 3

4 Federated ATM Network Account Number and PIN Visiting Bank Network Funds Network of Trust Home Bank Network 4

5 The Federation Model The appeal of federation is that they are intended to allow a user to seamlessly traverse different sites within a given federation. When the trust relationships established between the federation participants, one participant is able to authenticate a user and then act as an issuing party. Other federation participants became rely parties. 5

6 What is the federation identity management problem There is no single entity or company that can centrally manage or control identity information. In some cases businesses like to outsource some security functions to parties which mange identity but they cannot because: 1. There is no third pray identity providers serving market. 2. There is no business liability models which make it safe to rely on. Other businesses want to leverage the identity they maintain to enable additional business interactions but Establishing the trust mechanism to allow entities to be federated across business is difficult They are afraid of the risk of damming their reputation if any security penetration occurred 6

7 Who has the federated management problem Medium and large organization that use identity information to provide service to customer like university (online service like order a transcript). Medium and large organization that do business with one another and need to exchange information about individuals identities (like airline and rental car agency,hospital, health insurance provider). Organization that need to integrate business applications across the enterprise and chain of supplier and customer( and need to authorize employee to conduct transaction on behalf of the organization). 7

8 The Problem 8

9 The primary goals of federated identity service are: Reduce the cost of identity management by reducing duplication of effort. Leverage the work these existing identity mangers had already done by giving other parties access to the relevant identity information. Preserve the autonomy of all parties such that the identity mangers choice of operating system, network protocols, should not impose the same choice on its partners. Respect business s pre-existing trust structure and contracts. Protect individuals privacy by giving the user control over which attributes could other parties in the federation access Build an open standard to enable secure reliable transaction. 9

10 Advantages federation model Flexibility companies can easily build new services to deliver innovative business models or link their value-chin network to partners. Convenient navigation allow end-user and partner to navigate easily between websites without constantly authenticate themselves Less administration there will be need to administer a large and rapidly changing base of identities that are not under the control of the company. Safely satisfy the need of some business that unwilling to give their customers information to a business partner. 10

11 Three component enable the federation Identity provider simply means the entity that provides identity. (will precisely defined later). Attribute services provides away to federate access to authorized attributes for federated identities The attributes owner has full control to decide which of his attributes could exposed to other parties in the federation. The pseudonym service provides mapping mechanism which can be use to facilitate the mapping of trusted identities across federations to protect privacy and identity. 11

12 WS-Federation Terms Authorities Security Token Service (STS) Web service that issues security tokens; makes assertions based on evidence that it trusts to whoever trusts it Identity Provider (IP) Entity that acts as an authentication service to end requestors (an extension of a basic STS) Principles Requestor Resource Other Services 12

13 Direct Trust Token Exchange IP/STS Trust IP/STS Get identity token 1 Get access token 2 Resource Requestor 3 13

14 Attribute Service Scenario: Suppose you visit a weather site for the current weather ; it provides a personalized response because it knows your zip code Why it worked: Policy indicated an attribute service Identity information was used to find zip code Weather service was authorized to access zip code Specification defines the concept of an attribute service but not a specific interface 14

15 Attribute Service Example Attributes may have associated authorization rules (scope) Each attribute may have its own access control and privacy policy 15

16 Attribute Scoping Zip: FN: Fred ID: 3442 Nick: Freddo ID: FJ454 Nick: Fredster ID: (fabrikam123.com) (business456.com) (example.com) Model allows for attributes to be scoped 16

17 Pseudonym Service This service provides a mechanism for associating alternate identities Pseudonyms represent alternate identities Depends on scope of request Subject to authorization control Can be integrated with IP/STS 17

18 Pseudonym Example B456.com IP Trust B456.com Pseudony m Service Fred A123@B456.com A123@B456.com 1 3 Freddo@F123.com Requesto r 2 Resource A123@B456.com 18

19 References White paper titled Federation of identities in a Web Services World ry/en-us/dnglobspec/html/ws-federation-strategy.asp WS-Federation Feedback Workshop Specworkshops/ws-fed html Federation of Identities in a Web Services World 19