Will open standards increase ecommerce?

Transcription

1 Liberty Alliance Project Open Standards for Network Identity Will open standards increase ecommerce? Bill Smith Director, Liberty Alliance Technology Sun Microsystems

2 Permissions The author has graciously given permission to reproduce his presentation at the XML 2002 Conference in Baltimore, Maryland. If copied, changes should not be made and appropriate citation of the author s work should be given. Instructional media + magic, inc., December 2002

3 Brief Intro to Liberty Alliance Business Needs and Uses Technical Overview Scenario Q&A

4 Identity Physical Height, Weight, Gender Experiential Education, Travel, Dining Preferential Food, Clothing, Shelter

5 Identity Physical Height, Weight, Gender Blood Type, Fingerprint, DNA Experiential Education, Travel, Dining Stock Purchases, Mortgage Balance, Drug Use Preferential Food, Clothing, Shelter Religion, Political affiliation, Club Memberships

6 Identity Some information needed to determine who I am is widely available I distribute it A larger set of information is unavailable I restrict access to trusted relationships Most of this information is in digital form

7 Identity Control who has access to what information Choose who to trust, what to give, when to change Trust relationships take time to establish

8 Digital Identity Much of the information about me is in digital form, accessible via the Web It is kept by trusted brokers High-quality services are provided I can access and update

9 Digital Identity Much of the information about me is in digital form, accessible via the Web It is kept by trusted brokers High-quality services are provided I can access and update What's the problem?...

10 Digital Islands I have multiple Digital IDs Information is duplicated and difficult to synchronize Better services are possible

11 Digital Islands Multiple, disconnected identities scattered across isolated Internet sites User Name: Bill Smith PIN: Credit card number Social security number Drivers license Passport Entertainment preferences Notification preferences Employee authorization Business calendar Dining preferences Education history Medical history Financial assets

12 Digital Islands the problem Multiple, disconnected identities scattered across isolated Internet sites Inconvenient and frustrating for users Distributed identityservices are difficult to develop and deploy Continual reauthentication to disparate systems

13 Network Identity the solution A method to link the Digital Islands Provide a logical single identity Preserve and enhance existing trust relationships Provide choice and opportunity for better services

14 Why is Liberty Alliance the Solution? Increase consumer confidence and usage in electronic transactions! Easier! Available! As! Targeted! Enable Simplify B2B e-commerce offerings! Simplify! Make! Allow the ability for businesses to collaborate online it easier to offer new services to customers organizations to maintain ownership of their customer bases and to maintain operational autonomy Simplify and expand employee use of enterprise Intranets! Enable employees to move seamlessly from one application to another Facilitate interoperability! With and more convenient to use via any digital device secure as possible and more personalized offerings that allow consumers to maintain control over their information existing systems, standards, and protocols

15 Network Identity it s simple A Network Identity is a user s overall global set of attributes constituted from their various accounts

16 Network Identity not so fast Digital Islands Disparate Systems Lack of communication, interoperability Conflicting Interests Technology suppliers, Technology consumers Service providers, fixed vs. mobile Consumer Demands Better services, Improved convenience Respect Privacy

17 Network Identity practical solutions Broad scope Web itself Fixed, wireless, desktop, cell phone, PDA, car... Complexity Technology, Business, Consumer Service providers Reality Digital Islands exist Trust relationships well-established

18 A Business Consortium Solving A Business Problem Over 30 for-profit, not-for-profit and government organizations, representing a billion customers, are currently Alliance members * Only a sample of Liberty members

19 Liberty s commercial investment in network identity and the collaboration of its diverse array of member companies can bring a lot to this space. The group s combined experience, their collective ability to drive usage and the fact that they re not trying to promote a product but a solution to a problem will help in their success. Dan Blum Burton Group

20 Mission of the Liberty Alliance Establish an open standard for federated network identity through open technical specifications that will: Support a broad range of identity-based products and services Allow for consumer choice of identity provider(s) and the ability to link accounts through account federation Provide the convenience of simplified sign-on, when using any network of connected services and devices Enable organizations to realize new revenue and cost saving opportunities Allow organizations to economically leverage relationships with customers, business partners, and employees Improve ease of use for e-commerce

21 Advise Liaison Consists Responsible Final Develops Develops Develops Responsible Management Structure Management Board of 6 founding sponsors for overall governance and maintenance voting authority for specifications and other output Public Policy Expert Group Technology Expert Group Marketing Expert Group on privacy, security, and other public policy issues to privacy groups and government agencies technical architecture and engineering requirements technical specifications Interoperability marketing requirements and use cases for membership, press relations, and marketing communications Adoption

22 Brief Intro to Liberty Alliance Business Needs and Uses Technical Overview Scenario Q&A

23 Why is Federated Important? Centralized Model Open Federated Model Network Centralized Single Links identity and user information in single repository control point of failure similar systems Network No No Links identity and user information in various locations centralized control single point of failure similar and disparate systems Central Provider Provider Provider Provider Provider Provider Provider

24 Solution Analogous to ATM Networks Separate Cards with Each Bank Linked Cards within Bank Networks Seamless Access Across all Networks Bank A ATM Card Bank B ATM Card Bank ATM Network A Bank ATM Network B Bank A ATM Card Bank B ATM Card Bank ATM Network A Bank ATM Network B Bank C ATM Card Bank ATM Network C Bank C ATM Card Bank ATM Network C

25 Solution Analogous to ATM Networks Separate Cards with Each Bank Linked Cards within Bank Networks Seamless Access Across all Networks Bank A ATM Card Bank B ATM Card Bank ATM Network A Bank ATM Network B Bank A ATM Card Bank B ATM Card Bank ATM Network A Bank ATM Network B Bank C ATM Card Bank ATM Network C Bank C ATM Card Bank ATM Network C Individual Accounts with Many Web Sites Federated Accounts within Trust Domain Linkage of Trust Domains.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com.com

26 Examples of Trust Domains B2C Travel Industry Car Rental Hotel B2E Employee Intranet 40k 3d Party Providers Airline Partner Airlines Company Intranet Employee Purchase Plans Cruise Line Livery Health Insurance Dental Insurance B2B Financial Services B2B - Automotive Treasury Debt Suppliers Dealers Commercial Banking Equity Manufacturers Transport Agencies Clearing House Credit Fleet Financing

27 Federated Opt-in Security Permissions-based Schema/protocols Simplified Delegation Approach Drivers Specifications: A Phased Approach Support rapid acceptance and deployment Phases build on each other Enable incremental adoption Version.0 (Released 5 July 2002) Future Versions network identity attribute sharing account linking and simplified sign-on within an authentication domain created by business agreements built across all the features and specifications for core identity profile service sign-on across authentication domains created in version.0 by business agreements of authority to federate identities/accounts

28 Business Benefits for Version.0 Specifications Enhance Affinity Relationships More Easily Offer Value Add Services to Customers Simplify Customer Experience Improve Customer Confidence Enhance Intra-Enterprise Relationships Offers Accelerated Time to Market for Identity Based Services

29 Brief Intro to Liberty Alliance Business Needs and Uses Technical Overview Scenario Q&A

30 Enabling the Federated Identity Liberty Alliance Defines protocol specifications for federated identity built on SAML to provide additional privacy and security Liberty is not an identity network or authentication authority -- it defines specs that can be used to create identity networks Security Assertion Markup Language (SAML) An XML-based framework for exchanging security information (e.g. authentication) A committee specification in the OASIS security services technical committee

31 Version.0 Specifications Builds on top of SAML to provide additional privacy and functionality! Opt-in account linking Users can link their accounts with different service providers within circles of trust! Enhanced single sign-on for linked accounts Once users accounts are federated, they log-in, authenticate at one linked account and navigate to another linked account, without having to log-in again! Authentication context Companies linking accounts communicate the type of authentication that should be used when the user logs-in! Global log-out Users can be automatically logged-out of all sites to which they have active sessions! Multiple Client Support browser, mobile device, and proxy

32 ! An XML-based framework for exchanging security information. XML schema and definition for security assertions 2. XML schema and definition for a request/response protocol 3. Rules on using assertions with standard transport and messaging frameworks (SOAP, Web Browsers). Bindings and Profiles! An OASIS standard Vendors and users are both involved SAML in a Nutshell Codifies current system outputs rather than inventing new technology! Excellent traction in the marketplace

33 XML Related Security Standards Work! XML Signature SAML uses this for signing assertions! XML Encryption Important for flexibly managing security and privacy risks, e.g., encrypting just the credit card number! Other XKMS can be used for key management XACML can be used for an access control policy language

34 SAML Assertions! An assertion is a declaration of fact, according to some authority! Assertions are produced by an asserting party (aka authority) and consumed by a relying party! An assertion contains a set of statements about a subject (human or program): Authentication statement Attribute statement Authorization decision statement! An assertion can be digitally signed by the asserting party! You can extend SAML to make your own kinds of assertions and statements

35 SAML Assertions and Statements Assertion IssuerID IssueInstant AssertionID <Conditions> <Advice> Signature Authentication Statement Attribute Statement Authorization Statement <Subject> <Subject> <Subject>

36 SAML Producer/Consumer Model Policy Policy Policy Credentials Collector Authentication Authority Attribute Authority Policy Decision Point SAML Authentication Assertion Attribute Assertion Authorization Decision Assertion System Entity Application Request Policy Enforcement Point

37 SAML is Cafeteria Style! SAML can be used ala-carte: it s a composable architecture, making it very flexible.! In practice, multiple kinds of authorities may reside in a single system! The arrows may not reflect information flow in real life The order of assertion types is insignificant Information can be pulled or pushed Not all assertions are always produced Not all potential consumers (clients) are shown! SAML must be profiled to specify actual usage (e.g. browser-based single-sign-on)

38 Browser-based SSO Login Excite.com Authentication Authority Be recognized Pets.com Relying Party

39 SAML Browser-based SSO Excite.com Authentication Authority. Relying Party uses HTTP redirect or Form Post to Authentication Authority Pets.com Relying Party

40 SAML Browser-based SSO 2. User redirected to Authentication Authority and logs in Excite.com Authentication Authority. Relying Party uses HTTP redirect or Form Post to Authentication Authority Pets.com Relying Party

41 SAML Browser-based SSO 2. User redirected to Authentication Authority and logs in Excite.com Authentication Authority 3. User is authenticated. Relying Party uses HTTP redirect or Form Post to Authentication Authority Pets.com Relying Party

42 SAML Browser-based SSO 4. Redirect back to Relying Party with a nonce embedded in the URI Excite.com Authentication Authority Pets.com Relying Party

43 SAML Browser-based SSO 4. Redirect back to Relying Party with a nonce embedded in the URI Excite.com Authentication Authority 5. Relying Party receives nonce in the redirect process. Pets.com Relying Party

44 SAML Browser-based SSO 4. Redirect back to Relying Party with a nonce embedded in the URI Excite.com Authentication Authority 6. Relying Party invokes SAMLbased web service to obtain an Authentication Assertion 5. Relying Party receives nonce in the redirect process. Pets.com Relying Party

45 Liberty Federation/ Account Linking Pre-existing accounts at various sites can be linked Excite.com Identity Provider Joe23 Pets.com Service Provider JoeSmith Books.com Service Provider Joe

46 Liberty Federation/ Account Linking Upon linking those accounts, the sites need to be able to have a frame of reference for the user Excite.com Identity Provider Joe23 Pets.com Service Provider JoeSmith Books.com Service Provider Joe

47 Liberty Federation/ Account Linking If account names are exchanged, sites can talk to each other without the user s approval Excite.com Identity Provider Joe23 JoeSmith@pets.com Joe@books.com Pets.com Service Provider JoeSmith Joe23@excite.com Books.com Service Provider Joe Joe23@excite.com

48 Liberty Federation/ Account Linking If account names are exchanged, sites can talk to each other without the user s approval Excite.com Identity Provider Joe23 JoeSmith@pets.com Joe@books.com Pets.com Service Provider JoeSmith Joe23@excite.com Books.com Service Provider Joe Joe23@excite.com

49 Liberty Federation/ Account Linking Instead, unique opaque handles resolvable only by the issuer should be exchanged Excite.com Identity Provider Joe23 Pets.com Service Provider JoeSmith <alias="dtviircmlpcqv6xx" SecurityDomain="excite.com" Name="mr3tTJ340ImN2ED" /> <alias="mr3ttj340imn2ed" SecurityDomain= Pets.com" Name="dTvIiRcMlpCqV6xX" /> <alias= xyrvds+xg0/pzsgx" SecurityDomain= Books.com" Name="pfk9uzUN9JcWmk4RF" /> Books.com Service Provider Joe <alias="pfk9uzun9jcwmk4rf" SecurityDomain="excite.com" Name="xyrVdS+xg0/pzSgx" />

50 Liberty Enhanced SSO! Extends an authentication assertion to include the context How did the user log in? Password? Smartcard? Etc. When should the user be re-authenticated? How did account registration occur? (in person, via web page)! Extends the authentication request to allow for requesting a strength of authentication! Necessary for real-world scenarios: not all services require the same level of authentication.

51 Liberty Additional Features! Simple session management Provides single-logout functionality! Identity federation management Ability to terminate the federation Ability to modify the opaque handle shared between authentication authority and relying party! Identity network support Specifies a protocol by which a website can discover what Identity Provider a user is using

52 Liberty Enabled-Products Coming Soon!

53 Liberty Version 2.0! Permissions-Based Attribute Sharing Enable businesses to share a principal's attributes according to their corporate policies, business agreements and local regulations, all while adhering to the principal's preferences and permissions! Interoperability Specs for Core Identity Profile Service Enables users to obtain secure, personalized services that are interoperable across different service providers! Federation of Authentication Domains Enables users to conveniently navigate and use SSO and share attributes with service providers who may be in different authentication domains. Version 2.0 specifications expected early 2003

54 Possible Interactions ActionWatch.com Service Provider. User registers to watch an auction 2. Service provider requests SMS ticket Identity Provider doesn t see message text Excite.com Identity Provider 4. Mobile operator sends SMS message to user 3. Service provider sends SMS message to mobile operator PacBell.com Service Provider

55 Policy Enforcement Concepts User s data is only released with the user s consent and based on the user-defined policies 3. user accepts or rejects exceptions to existing policies and preferences Excite.com Identity Provider. service provider requests user attributes from identity provider 2. attributes released per user s policies and preferences Pets.com Service Provider

56 Liberty & Passport Comparison How do Liberty Alliance and Microsoft Passport Contrast and Compare?! Microsoft Passport is a product/service supported by one company! Uses a global PUID (Passport User ID) for authentication! Limited flexibility in authentication methods (I.e. user name/password)! Microsoft has committed to Kerberos and to support SAML! Liberty Alliance is providing specifications supported by many companies! Offers a non-repeating unique identifier for authentication! Does not dictate authentication method (I.e. biometrics, smartcard, etc.)! Liberty Alliance has committed to use SAML, and can also support Kerberos

57 Passport & Liberty Co-existence Scenario 3. User redirected to Passport.com for log-in Passport. User attempts to access Service.com 2. User redirected to Liberty IDP Identity.com Identity.com Service.com Identity.com sits in both Passport & Liberty communities acts as a bridge

58 Passport & Liberty Co-existence Scenario Passport 4. After Passport log-in, User gets redirected to Identity.com, which issues a Liberty SAML assertion 5. SAML assertion delivered to Service.com which grants access to User Identity.com Service.com Identity.com sits in both Passport & Liberty communities acts as a bridge

59 Passport & Liberty Co-existence Scenario 2 3b. User redirected to Passport.com for log-in for low-value transactions Passport 3a. User redirected to Identity.com requesting strong authentication for high-value transaction. User attempts to access Service.com 2. Service.com determines to which SSO infrastructure to redirect User based on transaction Service.com Identity.com Service.com sits in both Passport & Liberty communities uses them appropriately

60 Brief Intro to Liberty Alliance Business Needs and Uses Technical Overview Scenario Q&A

61 Enterprise Use Case! Many enterprises outsource various business functions, e.g.: Corporate intranet 40(k) management Stock option management Others (expense vouching, payroll statements, etc.)! Liberty facilitates better integration of the outsourced services to decrease administration cost and enhance user experience! Liberty-enabled enterprise will play a role of a Liberty Identity Provider to manage identities and authentications of their employees, who will access their accounts on the outsourced Liberty Services Providers without additional prompts for authentication! Enterprise-issued identities will cross application, division and corporate boundaries

62 Brief Intro to Liberty Alliance Business Needs and Uses Technical Overview Scenario Q&A

63 Liberty the Initiative Established to address real business and technology issues Recognized as the focal point for Network Identity discussions and solutions Produced well-received specification Proceeding with phased approach to deliver on vision and mission