Tivoli Federated Identity Manager. Sven-Erik Vestergaard Certified IT Specialist Security architect SWG Nordic

Transcription

1 Tivoli Federated Identity Manager Sven-Erik Vestergaard Certified IT Specialist Security architect SWG Nordic IBM Software Day Vilnius 2009

2 Agenda IBM strategy on IAA What is a federation from a business perspective How does it work Web services severity identity propagation Customer cases 2

3 Identity and Access Assurance Tivoli Capabilities User provisioning & role management Unified single-sign-on Privileged user activity audit & reporting Directory and integration services Log Management Self-service password reset Identity Assurance / Strong authentication management Benefits: Reduce help desk operating expenses Comply with regulations Improve user productivity Reduce risk from privileged insiders Respond quickly to business initiatives (e.g. new applications, M&A, restructuring) 3

4 Getting started with Identity and Access Assurance Single Sign On & Password Management User Provisioning / Role Management Tivoli Identity Manager Accounts on 70 different Accounts on 70 different types of systems managed. types of systems managed. Plus, In-House Systems & Plus, In-House Systems & portals portals Applications Databases Operating Systems HR Systems/ ID stores Networks & Physical Access Access Attestation 1 Security log management & reporting Authoritative Identity Source (Human Resources, Customer Master, etc.) TIM Trusted Identity Store 2 Accounts jcd0895 jdoe03 Sarah_s4 4 John C. Doe nbody Business Applications Recertification Request Sarah s Manager 3 ackerh05 5 Access Revalidated and Audited Sarah K. Smith doej smiths17 Cisco Secure ACS 4

5 Agenda What is a federation from a business perspective 5

6 Key Business Models Driving Federation Mergers and Acquisitions Success of a merger is often related to how quickly disparate systems can be integrated to meet the needs of the business. Collaboration between autonomous Business Units Many companies maintain separate autonomous business units for political, competitive, and regulatory reasons but still require cross-unit access for management and customers. Collaborative development with Partners Some organizations are working more with partners on new strategic developments, thereby increasing the need for federated access to partner systems. Employee access to Outsourced Services 6 Costs of building and maintaining point-to-point solutions for access to outsourced solutions can dilute benefits of outsourcing.

7 Key Business Models Driving Federation (cont) Service Provider Automation Service providers can incur significant costs in managing user accounts across their customer base federated technologies can dramatically reduce these costs. Government collaboration Government security based initiatives to gain access to law enforcement and a wide range of other personal data in a secure, efficient manner. Improved Corporate Governance Key issue with audit/compliance is management of external access to systems. 7

8 Federated Identity Management Federation Identity Provider IdP business agreem ents, technical agreem ents, and policy agreem ents Service Provider Service Provider Service Provider SP SP SP Objectives Lower Identity Management costs Improve user experience Provide end-to-end security and trust foundation for inter-organization application integration Leverages concept of a portable identity End to end user lifecycle management Identity is asserted from a trusted third-party Passport Credit / ATM Card Drivers License 8

9 What does IBM Tivoli Federated Identity Manager (TFIM) bring to table? Ability to handle identity/attribute transformation as part of token handling Ability to exchange token types as part of validation of request at edge Enables advanced intermediary type functionality Ability to do authorization decisions at abstract WSDL level Independent of WSDL binding Integrates with TAM Authorization Access allowed? (Yes/No) Protected Object Policies (e.g. Time of Day) Authorization Rules (authorization policies based on client attributes) Audit All of this in a standards-based manner! 9

10 Agenda How does it work 10

11 TFIM Architecture Overview Federated Single Sign -On Secure user interaction Federated Web Services Secure application interaction Web Portal Web Portal Web Application App Portal App Gateway ESB App O p e n Provisioning System Business agreements Federated Provisioning Trust infrastructure Transport : SSL/TLS, WS -Sec Database Message : sign/ encrypt Tokens : sign /encrypt Provisioning System Legal agreements S t a n d a r d s Technical implementation 11

12 Identity Federation SSO with OOB Acct Linking (cont) Mapping between identities is not defined by the specification. Source Web Site svest SAML 1.x use-case Identity Provider 1. Authenticate 2. Assert Identity Destination Web Site my.travel.com Assertion svest. 3. Access Resource Service Provider? Sven_Erik 12

13 Identity Federation Attribute Federation Identity mapping based on some shared attribute SAML 1.x use-case Source Web Site svest Identity Provider 1. Authenticate 2. Assert Identity Destination Web Site my.travel.com Assertion svest m 3. Access Resource Service Provider Sven_Erik 13

14 A Quick, Practical Example Partner Case HRservices.com Myportal.com 1 HRservices.com End User HTTPS Access Manager 2 Federated Identity Management Trust Broker / Trust Service Identity Broker Security Token Service Kerberos, SAML, X.509v3 Custom Tokens SSO Service SSO SAML Liberty WS-Federation User Provisioning Service Partner Key Mgmt 3 Myrecord 1. User logs on MyHR.com - TAMeb authenticates user, creates session - TAMeb controls user access & session mgmt. 3. FIM initiates SSO with 3 rd party site - FIM creates SSO Token user session 4. Options.com maps token to local identity User x 2. User clicks on third-party link Options.com - Link configured for Liberty, WS-Fed, or SAML TAM consults FIM *** User has transparent SSO to third-party *** 4 14

15 Agenda Web services severity identity propagation 15

16 Use Case Services Integration Propagate identity: Cross domain/realm identity mapping and token transformation Reflect business relationships: Trust Management (for data, identity, etc) Protect business information Governance, Risk & Compliance Application Service Service Requesto r Business Service Service Requesto r Service Requesto r Enterprise Service Bus Identity & Authentication Authorization & Privacy Confidentiality & Integrity Infrastructur e Service Partner Service 16

17 TFIM Components for Web Services Security Management Web Services Requests WebSphere WebSphere W eb Services Handler TFIM Web Services Trust Handler WS App Key Encryption Signing Service Trust Trust Service Service STS Auth Service Client App ISC TFIM Console Access Manager Policy Server & Authorization Server LDAP User Registry 17

18 TFIM WSSM Generic Design Overview Web Service Server/Gateway Application Admin Security Token SOAP Request TAM Admin Web WSSM Services Token Security Module Processing SOAP Request Security Token FIM Admin token WS-Trust token Authorization /itfim-wssm /Container /Service-1 TFIM Trust Service Local Credential /PortType /operation TAM Protected Object Space /Container TFIM Runtime module module module User Directory/Datastore 18

19 Web Service Security Management : Solution Architecture SOAP Request Company A User Web Security Server Internet SOAP Request Token Web Service Firewall Gateway Invoke Application local ID Web Service Application local ID Token Token local ID Identity Mapping Attribute Mapping Token Management Authorization Control Identity Mapping Attribute Mapping Token Management Authorization Control 19

20 IBM Tivoli Federated Identity Manager IBM Software group Federated Single Sign-On Integration with IBM Tivoli Access Manager Supported Protocols: SAML 1.0 / 1.1 / 2.0 WS-Federation Liberty 1.1 / 1.2 Federated Web Services WS-Trust based integration with Enterprise Service Buses, XML Gateways Integration with WebSphere Application Server SOAP, JCA and JDBC integration SAML modules to allow WAS to generate/consume SAML assertions in WS- Security headers of SOAP message Evolving into Identity Propagation in SOA Federated Provisioning Provides linking of local provisioning systems Supported Protocol: WS-Provisioning 20

21 Agenda Customer cases 21

22 Single Sign-On (tomgreat) TFIM/SAML1.1 SP User Tom Bear Single Sign-On Links UID/UserCode/Pwd Login (tbear) INTERNET IdP SSO Module Financial Services Company RichPortal User Registry TFIM/SAML1.1 Single Sign-On SAML1.1 (tombear) Customized application SAML1.1 Customized application SAML1.1 Customized application SAML1.1 Customized application Single Sign-On (beartom) Request, Assertion Request, Assertion Single Sign-On (tom_bear) Request, Assertion INTERNET Request, Assertion Request, Assertion Single Sign-On (bear123) SSO Module User Registry Member Life Insurance B2C Portal SP User Registry Member Bank My Bank SSO Module SP SSO Module Member Securities User Registry My Securities SP User Registry Member Futures My Futures SSO Module SP SSO Architecture SSO Module User Registry Member Securities Investment Trust MySIT 22

23 Internet Logon TFIM Solution TDS Mgmt Zone SAML TFIM SPS TFIM STS Internet User 1 3 SAML 2.0 WebSeal 2 5 KBS 6 KBS Internet DMZ MOSS WEB AD Internet Zone SIGNICAT Web Server Zone User accesses protected page no session defined 2. Reroute to Signincat 3. Signicat authenticates user and sends SAML 2.0 encrypted assertion through browser picked up by WebSeal 4. Single Protocol Service - TFIM called to create HTTP HDR based on SAML 2.0 assertions 5. Single Token Service WS-Trust used to create KBS token 6. Request sent to Moss with correct KBS token

24 SOA Security Overview TAM Policy Server TFIM Server TDS Customers (Master) Employees Management Zone Internet User Partner Application Internet Zone Intranet User (employee or Agent) WebSeal Reverse Proxy Web Services Security Gateway Internet DMZ WebSeal Reverse Proxy Intranet Zone WEB AD MOSS 2007 portal framework Other Clients e.g. Web Server Zone Customers Employees Business Service Employees (Master) Intranet AD Service Zone Integration layer Z/OS Z/OS Z/OS Z/OS. Backend Zone 24

25 Does This Also Help with Compliance? You bet. One of the hardest compliance issues to solve is: Prove to me that your external users still need access to the current system, including all their current privileges. 25

26 Questions?

27 27 IBM Software group

28 Trust Service Composed of Module Chains Select Chain based on: 2 1. properties of STS message 2. trust service configuration 3 module chain-1 module module module 1 STS message RequestSecurityToken elements: <RequestType>, <Issuer>, <AppliesTo>, <TokenType> web service interface Which Chain? = module instance module chain-2 module module module module chain-3 module module module 28