Mashing Up, Wiring Up, Gearing Up: Solving Multi-Protocol Problems in Identity

Similar documents
Internet Identity Initiatives. RL Bob Morgan University of Washington and Internet2 EMC2 Málaga, S pain October 2006

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Identity-Enabled Web Services

Managing Trust in e-health with Federated Identity Management

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Services Specifications: Realizing New Business Capabilities

Introducing Shibboleth. Sebastian Rieger

Federated Identity. enabling the service chain. Thomas van Vooren, Everett. Everett Wiersedreef ZX Nieuwegein The Netherlands

A RESTful Approach to Identity-based Web Services

Liberty Alliance Project

A Welcome to Federated Identity Nate Klingenstein, Internet2, USA. Prepared for the Matsuyama University, December 2013

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Introducing ArisID An open source, declarative identity API for developers

Identity and capability management and federation

Auto-Connect via Dynamic Federation

Federated Web Services with Mobile Devices

OPENID CONNECT 101 WHITE PAPER

Orange Liberty-enabled solution for 71 million subscribers. Aude Pichelin Orange Group Standardisation Manager

Warm Up to Identity Protocol Soup

Identity Management. Identity Management Bart Preneel. Finse, Norway, April Outline. What is Identity Management (IDM)?

TAS 3 Architecture. Sampo Kellomäki Symlabs , ServiceWave, Stockholm

Federated Identity Management and Network Virtualization

Gaps and Overlaps in Identity Management Solutions OASIS Pre-conference Workshop, EIC 2009

Kerberos for the Web Current State and Leverage Points

Kantara Identity Assurance Framework Catalyzing an Identity Services Marketplace

IDENTITY MANAGEMENT AND FEDERATION BC.Net Conference April 25, 2006

Access Control Service Oriented Architecture

Federated Identification Architecture

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

Moving Digital Identity to the Cloud, a Fundamental Shift in rethinking the enterprise collaborative model.

Trust and Identity Services an introduction

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Authentication in the Cloud. Stefan Seelmann

Authentication. Katarina

eid Interoperability for PEGS WS-Federation

From UseCases to Specifications

Standardization Trends in Identity Management Technologies

[GSoC Proposal] Securing Airavata API

Services and Identity Management Contents. A Basic Web Service. Web applications. Applications and Services

National Identity Exchange Federation. Terminology Reference. Version 1.0

Cloud-based Identity and Access Control for Diagnostic Imaging Systems

Advanced Client Conor P. Cahill Systems Technology Lab Intel Corporation

Federated Authentication with Web Services Clients

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Interagency Advisory Board Meeting Agenda, August 25, 2009

Global Reference Architecture: Overview of National Standards. Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

CAS s IDP system and resources in Education Cloud

DIX BOF Digital Identity exchange. 65 th IETF, Dallas March 21 st 2006

Scaling Interoperable Trust through a Trustmark Marketplace

Novell Access Manager 3.1

Middleware, Ten Years In: Vapority into Reality into Virtuality

Simplifying Federation Management with the Federation Router

Enterprise Adoption Best Practices

Potential for Technology Innovation within the Internet2 Community: A Five-Year View

Single Sign-On Best Practices

einfrastructures Concertation Event

OSIS Open Source Identity Systems

IAM for Workday: How to Embrace an 800 Pound Gorilla. Michael Brogan & Jonathan Pass UW-IT, Identity & Access Management

The AAF - Supporting Greener Collaboration

Access Management Handbook

Security Assertions Markup Language (SAML)

Authorization Survey Results & Use Cases Presentation to Concordia Working Group

The Care and Feeding of Online Relationships. Eve Maler Principal Engineer Sun Microsystems, Inc.

INDIGO AAI An overview and status update!

User-Managed Access (UMA)

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Challenges in Authenticationand Identity Management

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Introduction to Identity Management Systems

Topics of Discussion

Oracle WebCenter Interaction: Roadmap for BEA AquaLogic User Interaction. Ajay Gandhi Sr. Director of Product Management Enterprise 2.

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

Layered Identity Infrastructure Model for Identity Meta Systems

Data Virtualization Implementation Methodology and Best Practices

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Eclipse Higgins 1.0 Release Review v1.1

MOBILITY TRANSFORMING THE MOBILE DEVICE FROM A SECURITY LIABILITY INTO A BUSINESS ASSET E-BOOK

CONNECTED IDENTITY: BENEFITS, RISKS, AND CHALLENGES DIRECTOR - SECURITY ARCHITECTURE, WSO2

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

REST/SOAP Harmonization proposal for Identity-based Web-Services

SAML-Based SSO Solution

WSO2 Identity Management

5 Pillars of API. management

The Three S s Of Distributed Authorization: Safe, Simple, Scalable

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Decentralized IDentifers (DIDs) Markus Sabadello, M.Sc., M.A. Danube Tech, Sovrin Foundation, OASIS XDI TC.

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Federated Access Management Futures

Facilitating the Attribute Economy. David W Chadwick George Inman, Kristy Siu 2011 University of Kent

EUDAT. Towards a pan-european Collaborative Data Infrastructure

Direct, DirectTrust, and FHIR: A Value Proposition

SELF SERVICE INTERFACE CODE OF CONNECTION

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Your Auth is open! Oversharing with OpenAuth & SAML

U.S. E-Authentication Interoperability Lab Engineer

ActiveVOS Technologies

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

Transcription:

www.oasis-open.org Mashing Up, Wiring Up, Gearing Up: Solving Multi-Protocol Problems in Identity Eve Maler eve.maler@sun.com 1

A few notes about me and this talk Some relevant affiliations/perspectives: The thoughts I'm presenting today are my own, on... Today's complicated identity landscape Opportunities and pain points in achieving success in federated identity Experiences with Project Concordia as a forum for getting there faster 2

www.oasis-open.org Not to belabor the point at this workshop, but... Identity must be made more portable! More precisely, identity-related information needs to cross domain boundaries and identity-related tasks need to be shared across them ( = federated identity) What: attributes, claims, authentication contexts, security contexts, entitlements How: easily, robustly, efficiently, and securely, with fidelity, trust, privacy, and scale Why: user experience, personalization, access control, bottom-line savings, and new business models 3

It's not just about SSO and account linking Though they are major use-case drivers Identity provider (login site) Relying party (web application or community) Browser (or other interface) User 4

SOA needs federated identity too Identity in distributed computing offers the ability to: Get around browser payload limitations Let multiple services cooperate securely on a person's behalf Allow actions to happen silently when the person is not online, in a way that is... Mediated by policy Protective of privacy Auditable 5

One reason this is important 6

Ways in which the real world intrudes on these objectives Heterogeneity is everywhere Application platforms Protocols (standardized and otherwise) Legacy systems Devices at the network's edge Technical issues are swamped by business and regulatory issues Users often act in ways experts wish they wouldn't 7

The tyranny of choice OpenID, SAML, WS-*, ID-WSF, ID-FF, WS-Fed, Shibboleth, Yadis, isso, CardSpace, XRI/XDI, OAuth, XACML, CARML.. User-centric, VRM, enterprise, mobile... OASIS, OpenID community, Liberty Alliance, IETF, W3C, Identity Commons, ITU, Internet 2, Google groups... [Specification], defined by [Spec Definition Body], has been optimized to support [Use Case] identity. Work is under way to create software libraries at [Open Source Project]. There will be an interop demonstration of [Specification] and [Specification] working together, as profiled at [Metasystem Initiative] at [Conference/Meeting]. Meanwhile, bickering continues on [Discussion Group]. Bandit, Higgins, Shibboleth, OpenLiberty, OpenID for PHP, OpenSAML, ZXID, SimpleSAMLphp... Concordia, OSIS... adapted from Paul Madsen's ConnectID Catalyst, RSA, DIDW, IOS, IIW... ID Gang, OpenID general... 8

We've seen some consolidation... Liberty Phase 1 SAML1 Liberty ID-FF 1.1,1.2 SAML1.1 Liberty Federation = SAML2 Shibboleth 1.0,1.1 Shibboleth 1.2 2002 WS-Federation 1.0 2003 2004 2005 WS-Federation 1.1 2006 Liberty bases new federation standard on emerging SAML standard Liberty tracks SAML evolution; Internet2 Shibboleth bases its solutions on SAML also; Microsoft and partners publish WS-Federation 1.0 Liberty contributes ID-FF to OASIS for SAML2 convergence; Shibboleth also takes part Liberty endorses SAML2 as its identity federation solution and provides interop and conformance testing; Shibboleth is working on new SAML2-based APIs Microsoft and partners publish WS-Federation 1.1; OASIS TC formed May 2007 9

We've seen some consolidation... ID-WSF 1.0 ID-WSF 1.1 ID-WSF 2.0 WS-Security, SAML TP 1.0 WS-Security, SAML TP 1.1 WS-Addressing Core/Bind 1.0 2003 2004 2005 2006 Liberty ID-WSF uses WS-Security before the ink is dry ID-WSF revision takes into account new versions of underlying standards Incorporates WS-Addressing once standardized 10

We've seen some consolidation... 2006 A number of technologies are explored for lightweight Internet identity early 2007 OpenID 2.0 incorporates i-names and Yadis and is influenced by the others 11

Quién es más meta? A hub service to handle translations between formats for security and identity tokens so that systems can communicate reliably? System A Token format A WS-Trust System B Token format B Token format exchanger System D Token format D System C Token format C 12

Quién es más meta? Or a hub format for security and identity tokens that disparate systems can agree to use consistently? How about both? System A System B System C System D SAML (V1.1 or V2?) Standard token format Standard token format Standard token format Standard token format WS-Trust Token format exchanger Token issuer / PDP / PEP WS-Trust; also Liberty ID-WSF Discovery, Authn, SSO, Identity Mapping Services System E System F Legacy token format Request for ID-based access 13

So, some of the deployment challenges are... Complexity and feature duplication Differing models and abstractions between solutions What information will persist, and what tasks can be performed, safely across them? Compliance and certification assurances Composability vs. interoperability Adoption trends for competing solutions Which horse to back 14

Project Concordia offers one way to evolve past the strife Public forum For deployers, who feel the pain And vendors, who provide it... Deployers are use-case contributors Similar to Liberty's gathering of market requirements Facilitate high-leverage solutions Profiles and best practices Educational materials Testing out interop ``` 15

Who is at the table? Use-case contributors so far AOL, Boeing, Chevron, General Motors, Government of British Columbia, InCommon Federation, New Zealand State Services Commission, U.S. General Services Administration Sampling of representation from key vendors, OSS projects, protocol development efforts, and related communities CardSpace, Microsoft, OSIS, SAML, Shibboleth, Liberty, OpenID, OAuth, WS-*... 16

Some common themes we're hearing from deployers Too many choices for federation! CardSpace futures with SAML and ID-WSF As well as OpenID with ID-WSF... Handling impedance mismatches between WS-Federation and SAML2 Scalable federation and interfederation Need better metadata distribution and IdP discovery solutions Interoperability in conveying levels of assurance 17

One of the use cases from NZ 18

One of the use cases from Boeing 19

Who needs to get smarter to handle heterogeneity? Different answers represent different use cases Previous technology choices made? Identity provider (login site) Relying party (web application or community) Amount of control or influence over business partner and user behavior? Performance considerations? Number of federations each party has to deal with? Browser (or other interface) User 20

APIs vs. protocols looking for the truth Protocol extension, gateway, or profile Best practices or guidelines API API Protocol Protocol Protocol API 21

Next steps for Concordia Add detail to highest-priority use case areas: SAML2 + WS-Federation (SAML/ID-WSF) + CardSpace Federation rolled out at scale (Ping proposal) Propose improvements in: Proxying/translation/switching Metadata distribution and lifecycle IdP discovery Work towards interop demonstrations during RSA conference in April 2008 Continue to collect new use cases 22

An invitation to get involved Why? Many other venues focus on prospective development, by vendors, of specs, APIs, mashups... a very important role! Concordia is responding to deployers' needs and concerns about heterogeneous environments today If you have needs and concerns, we're here to help How? www.projectconcordia.org Mailing list, wiki, workshops, telecons, interops Upcoming telecon (Nov) and workshop (Dec)... 23

www.oasis-open.org Thanks! Questions? Eve Maler eve.maler@sun.com www.xmlgrrl.com/blog openid.sun.com/xmlgrrl :-) 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback