Proposed User Experience for Handling Multiple Identity Providers in Network Identity Manager 2.0


The current architecture of Network Identity Manager is designed around a single identity provider and multiple credentials providers. Since the only identity provider is Kerberos v5, all identities in Network Identity Manager represent Kerberos v5 principals. By implication, since every credential must be associated with an identity, all credentials derive their identity from a Kerberos v5 principal.

One of the strengths of the Network Identity Manager framework is its ability to derive credentials from an identity credential (for example, a Kerberos v5 Ticket Granting Ticket). This permits a single Kerberos v5 identity to be used to obtain tokens for multiple AFS cells or certificates from multiple Kerberized Certificate Authorities.

PKINIT (RFC 4556 [1]) specifies a protocol for acquiring a Kerberos v5 TGT by means of public key cryptography, using either a raw asymmetric key pair or a certificate and private key (perhaps stored on a smartcard). A single key pair or certificate and private key can be associated with one or more Kerberos v5 principals. A Kerberos v5 principal can be configured in the Key Distribution Center database to require PKINIT for TGT acquisition, or to permit it as an option instead of a password.

In order to add support for PKINIT, it is proposed that Network Identity Manager 2.x support multiple identity providers (X.509 certificates and Kerberos v5). One user experience that will be affected by this change is the obtain new credentials operation. This document outlines the proposed modifications to the user experience.

[1] http://www.ietf.org/rfc/rfc4556.txt

Obtain new credentials operation

The new credentials dialog will have a wizard interface with the following page flow.

Overview of dialog flow:
  Start -> (one or more potential primary identities) -> Credential Options (Basic)
  Start -> (no potential primary identities) -> Identity Specification -> (new identity) -> Credential Options (Basic)
  Credential Options (Basic) <-> Credential Options (Advanced)
  Credential Options (Basic or Advanced) -> (Finish) -> Progress -> End

Each node in the above diagram other than the "Start" and "End" nodes corresponds to a page in the obtain new credentials wizard. When the user initiates a new credentials operation, she will be presented with either the "Credential Options" page or the "Identity Specification" page, depending on whether there are any candidate identities defined or not, respectively. The "Identity Specification" page is used to create a new identity which can then be used to obtain new credentials. Once an identity has been selected, control flows to the "Credential Options" view. Once the credentials acquisition process starts, the Progress page will be shown to indicate the progress of the operation.

Credential Options

The purpose of this view is to collect information from the user, including any privileged information, for a specific identity. The identity for which the dialog is displayed will be referred to as the primary identity. Successful completion of the dialog will result in an attempt to obtain new credentials for this identity.

This page will only be displayed if there are one or more candidates for a primary identity. Depending on the context in which the page was invoked, one of these candidates may have been implicitly selected as the primary identity. Examples of this are:

  - If the new credentials dialog was launched as a result of a GSSAPI call, there might be an identity specified in the call, which will become the primary identity.
  - If the "Credential Options" page was launched as a result of a successful completion of the "Identity Specification" page, then the identity that resulted from that page will be the implicit primary identity.
  - If there is no implicit primary identity, then the identity which has been used most frequently in recent history will be selected as the primary identity.

The "Credential Options" page has two modes of operation: the basic mode and the advanced mode. The basic mode is shown below.

Figure 1: Credential Options page (Basic mode)

The top of the dialog displays the primary identity. Each identity is associated with an icon, which by default is an icon representing the identity provider. It can be customized by the user on a per identity basis. The identity provider is also identified by a string beside the identity name. The identity display area is active: it is rendered and acts like a drop down box. Clicking on the field allows the user to change the primary identity. If the user clicks on the field, it will expand to a secondary UI that has the affordance of a menu listing the other candidate primary identities as well as an option for creating a new identity.

Figure 2: Credential Options page (Basic mode) with identity menu

Selecting any other identity will result in that identity becoming the active identity. Any identity specific controls that were being displayed will be replaced by controls corresponding to the new identity. If the user selects "Specify New Identity...", the dialog switches to the "Identity Specification" page.

Implementation note: The list of potential identities will not be maintained by the Network Identity Manager application. Instead, all the identity providers will be queried for a list of potential identities for that credential type. Statistics used to order the list will be maintained by the application. The list will, in general, be unordered. The NIM application will keep track of the last known list by noting the relative position of each identity and then add any new identities at the end.

Options: The list of potential primary identities can be sorted. However, for small lists, users tend to memorize the spatial location of UI elements and will be forced to read the list if they can't find the identity they are looking for in the location where they last remember seeing it. One compromise is to automatically sort the list if the number of identities exceeds a certain threshold.

Each identity in the list will have a type that corresponds to the identity provider that exposed it. The icon displayed next to the identity name represents the type if the user has not assigned a custom icon to that identity.
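The two rules above (stable ordering of the candidate list with new identities appended, sorting only above a threshold, and the precedence for choosing the primary identity) are compact enough to state as code. The following is an added example written for this page, not code from Network Identity Manager. It assumes identities are plain strings, each identity provider is a callable returning its candidate list, usage statistics are a dict of identity to recent use count, and the names SORT_THRESHOLD, merge_candidates and select_primary are hypothetical.

```python
"""Added example (not Network Identity Manager code): ordering of the
candidate primary identity list and selection of the primary identity,
as described for the Credential Options page.

Assumptions not in the original document: identities are strings, each
identity provider is a callable returning its candidate list, usage
statistics are a dict of identity -> recent use count, and the names
SORT_THRESHOLD, merge_candidates and select_primary are hypothetical."""

from typing import Callable, Dict, Iterable, List, Optional

# Hypothetical threshold: at or below this size the list keeps the spatial
# order the user remembers; above it the list is sorted.
SORT_THRESHOLD = 8


def merge_candidates(last_known: List[str],
                     providers: Iterable[Callable[[], List[str]]],
                     threshold: int = SORT_THRESHOLD) -> List[str]:
    """Query every identity provider and rebuild the candidate list.

    - Identities already in last_known keep their relative positions.
    - Identities no provider reports any more are dropped.
    - New identities are appended at the end in provider order.
    - The result is sorted only when it exceeds the threshold.
    """
    reported: List[str] = []
    seen = set()
    for provider in providers:
        for ident in provider():
            if ident not in seen:      # the same identity may come from two providers
                seen.add(ident)
                reported.append(ident)

    known = set(last_known)
    ordered = [ident for ident in last_known if ident in seen]
    ordered += [ident for ident in reported if ident not in known]

    if len(ordered) > threshold:
        ordered = sorted(ordered, key=str.casefold)
    return ordered


def select_primary(candidates: List[str],
                   usage: Dict[str, int],
                   implicit: Optional[str] = None) -> Optional[str]:
    """Pick the primary identity in the precedence the document gives.

    1. An identity named by the context (a GSSAPI call, or the identity just
       created on the Identity Specification page) is used as-is.
    2. Otherwise the candidate used most frequently in recent history wins;
       ties go to the candidate that appears earlier in the list.
    3. With no candidates at all the caller must show the Identity
       Specification page instead.
    """
    if implicit is not None:
        return implicit
    if not candidates:
        return None
    return max(candidates,
               key=lambda ident: (usage.get(ident, 0), -candidates.index(ident)))


if __name__ == "__main__":
    # Constructed sample data, not taken from any real installation.
    last = ["alice@ATHENA.MIT.EDU", "bob@EXAMPLE.COM", "stale@OLD.REALM"]
    krb5 = lambda: ["bob@EXAMPLE.COM", "carol@EXAMPLE.COM"]
    x509 = lambda: ["alice@ATHENA.MIT.EDU", "CN=alice (smartcard)"]
    merged = merge_candidates(last, [krb5, x509])
    print(merged)
    print(select_primary(merged, {"bob@EXAMPLE.COM": 3, "carol@EXAMPLE.COM": 3}))
```

The tie-break on list position matters for the same reason the sorting threshold does: a user who has two equally used identities should keep seeing the one she is used to, rather than having the default flip between runs.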

Options: We can allow the identity provider to customize a short description string that will appear below the identity name. This can be used to give a more technical specification of the identity.

If the list of identities is too long to be displayed in a single page, an optional scroll bar can be used to scroll the list.

The area between the identity display and the dialog navigation buttons ('Advanced', 'Finish' and 'Cancel') consists of controls that are used for obtaining privileged information such as passwords. If no privileged information is required, this area will contain a message to that effect. It should never be empty.

Figure 3: Credential Options page (Basic mode) showing an identity provider that requires no privileged interaction

The preceding figure illustrates an example of what might be displayed to the user if no privileged information is required.

If the user clicks on the "Advanced Options" button, or if the identity or user preferences state that the page should be shown in Advanced mode, then the Credential Options page will switch to the Advanced mode.

Figure 4: Credential Options page (Advanced mode)

The advanced mode is similar to the advanced mode of the new credentials dialog in existing versions of Network Identity Manager, with a few minor differences. There is no 'Identity' tab. It has been replaced by the 'Password' tab. The name of the tab corresponds to the kind of privileged information that is being requested. If no privileged interaction is required, this tab will be suppressed.

Similar to the basic view, the top of the advanced view also features an identity display button that can be used to switch to a different identity. When a different identity is selected as the primary identity, the entire set of tabs will need to be replaced. When multiple identity providers are supported, it is expected that not all credentials providers will be applicable to every identity type.

In either mode, if there is sufficient information to proceed with the new credentials acquisition, then the 'Finish' button will become enabled and the default. Pressing this button will start the process of acquiring new credentials and may cause the dialog to switch to the progress page.

Issues: There might be situations where multiple pages of interaction are needed before initial credentials can be successfully acquired, such as when the user's password needs to be changed, or a secondary authentication mechanism needs to be used. In this case, the Password tab (or whichever tab is used for privileged information) can be shown multiple times to the user. However, since it is not always possible to know in advance how many rounds of interaction are needed, these additional views may have to be shown after the user has selected the Finish button. This is problematic, since it violates the Wizard 97 guidelines on how the Finish button should function. When multiple rounds of privileged interaction are needed, the banner or the heading of the tab should clearly explain why it was necessary to prompt the user again and make it obvious that this is a new page of information.

An alternative to showing the Credential Options page to the user multiple times with different Password tabs is to use a pop up modal dialog box to perform any additional interaction that is necessary. This makes it obvious to the user that additional interaction is necessary.

The new credentials acquisition framework supports complex hierarchies of identities and credentials. Currently, the user experience (UX) framework does not aim to provide a dedicated specification for managing identity hierarchies.

Note: The UX does not aim to aggregate the derived identities. Instead, individual credentials providers are expected to expose interfaces for deriving identities from individual credentials.

Note on credential options: Per identity settings are independent of the identity hierarchy used to obtain the identity credentials. In general, if a particular identity A is configured to obtain a particular credential C, then this should happen regardless of whether A is the primary identity or a derived identity. However, exceptions to this are allowed. If there is some credential that is sensitive to the identity hierarchy, then this should be made visible to the user through the Advanced Options page. If a credential cannot be obtained using the current identity hierarchy, this should be indicated to the user by making the specific credential appear disabled. If the sensitivity to the identity hierarchy is not known for a particular credential until the time an attempt is made to obtain the credential, the user should be notified about it, including information on how she should rectify the situation.

An example of a credentials provider that supports derived identities is shown below:

Figure 5: Credential Options page (Advanced mode) showing an identity with derived identities

The sample sketch shows the credential options tab for a hypothetical Secure Key Storage provider that allows specification of derived identities. For consistency, the NIM application will provide UX transactions for specifying new identities and configuring them. In the sketch above, clicking on the 'New Identity' button will launch another dialog that is similar to the Identity Selection menu or the 'Identity Specification' page (depending on whether there are any identities to choose from) with a suitable caption. The 'Configure' button will similarly launch a UX transaction for configuring the selected derived identity. These UX transactions are described in Appendix A.

Issues: Navigation: Even if the user is configuring a complicated hierarchy of identities, it should be easy for her to navigate the hierarchy. The proposed design does not make the hierarchy obvious and does not allow configuring an arbitrary identity without navigating there by opening the advanced page of each node along the path from the primary identity to the target identity.

Assuming that the Privileged Information tab has signaled that there is enough information to complete the credentials acquisition, the user will be able to click the 'Finish' button to acquire credentials.

Identity Specification

The identity specification page is used to specify a new identity. This will be the initial page in the new credentials dialog/wizard if there are no known identities.

Figure 6: Identity Specification page

The top of the dialog contains a set of icons and names for the identity types that are supported. The user can select one of the icons, after which the identity type specific selectors appear below the icons. The sample above shows the user interface when the Kerberos v5 identity type is selected. The realm control is a combo box with auto complete semantics. If the drop down button is clicked, the user is presented with a list of recently used realms. The last item in the list is "(Show all realms)", which, if selected, displays all the realms in the drop down list.

Implementation note: The identity selector controls, other than the row of buttons that select the identity type, are provided by the selected identity provider. It is the identity provider's responsibility to signal to Network Identity Manager whether or not a valid identity is selected.

Another sample view follows which demonstrates the selection of a certificate identity type. When the selected identity type is changed, the identity selector controls will be replaced with the set of controls that assist in the specification or selection of an identity of that type.

Figure 7: Identity Specification page with a certificate type identity

When a valid identity is selected or specified, the 'Next' button becomes enabled and becomes the default. At that point, the user can hit the 'return' key to proceed to the next page. The 'Back' button may be disabled if this is the first page presented to the user.

Note on derived identity selection: The Identity Selection and Identity Specification pages only select the primary identity for the new credentials operation. Once a primary identity is known, the credentials providers and identity providers will be queried for the credentials and derived identities that will also be obtained. If there are any derived identities, they will be queried in turn to build a breadth first tree of credentials and derived identities.
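The breadth first walk just described, together with the rule from the note on credential options (a credential configured for an identity is obtained whether that identity is primary or derived, and a hierarchy-sensitive one that cannot be obtained along the current path appears disabled), is shown below as an added example written for this page, not code from Network Identity Manager or its providers. It assumes identities are strings, credentials providers are callables from identity to the credential names configured for it, identity providers are callables from identity to the derived identities configured under it, and hierarchy sensitivity is a callable of (credential, path). The loop guard and depth limit are additions a practitioner would want: nothing on the page prevents providers from being configured so that an identity eventually derives itself, as when a certificate identity derives a Kerberos identity by PKINIT and that identity derives the certificate again through a Kerberized CA. All names and the sample configuration are hypothetical.

```python
"""Added example (not Network Identity Manager code): breadth-first tree of
credentials and derived identities for a primary identity, with
hierarchy-sensitive credentials marked disabled and a loop guard.

Assumptions not in the original document: identities are strings;
credentials providers map identity -> configured credential names; identity
providers map identity -> configured derived identities; obtainable(cred,
path) says whether cred can be obtained along this derivation path. The loop
guard and MAX_DEPTH are additions. All names are hypothetical."""

from collections import deque
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

CredProvider = Callable[[str], List[str]]
IdentProvider = Callable[[str], List[str]]
HierarchyCheck = Callable[[str, Tuple[str, ...]], bool]

MAX_DEPTH = 8  # hypothetical cap on the length of a derivation chain


@dataclass
class IdentityNode:
    identity: str
    path: Tuple[str, ...]                  # primary identity ... this identity
    credentials: List[Tuple[str, bool]] = field(default_factory=list)  # (name, enabled)
    children: List["IdentityNode"] = field(default_factory=list)


def build_tree(primary: str, cred_providers: List[CredProvider],
               ident_providers: List[IdentProvider], obtainable: HierarchyCheck,
               max_depth: int = MAX_DEPTH) -> IdentityNode:
    """Breadth-first query of the providers, starting at the primary identity."""
    root = IdentityNode(primary, (primary,))
    queue = deque([root])
    visited = {primary}                    # loop guard
    while queue:
        node = queue.popleft()
        # Per-identity settings apply whether the identity is primary or derived;
        # only a credential the hierarchy check rejects is shown disabled.
        for provider in cred_providers:
            for cred in provider(node.identity):
                node.credentials.append((cred, obtainable(cred, node.path)))
        if len(node.path) >= max_depth:
            continue
        for provider in ident_providers:
            for derived in provider(node.identity):
                if derived in visited:     # already in the tree: do not derive it again
                    continue
                visited.add(derived)
                child = IdentityNode(derived, node.path + (derived,))
                node.children.append(child)
                queue.append(child)
    return root


def bfs_order(root: IdentityNode) -> List[IdentityNode]:
    """Nodes in the order the acquisition would visit them."""
    out, queue = [], deque([root])
    while queue:
        node = queue.popleft()
        out.append(node)
        queue.extend(node.children)
    return out


# --- constructed sample configuration (hypothetical providers) ---------------

def krb5_credentials(identity: str) -> List[str]:
    # A Kerberos identity is configured for a TGT and an AFS token in its realm.
    if "@" in identity:
        return ["krb5:tgt", "afs:" + identity.split("@", 1)[1].lower()]
    return []


def kca_credentials(identity: str) -> List[str]:
    # A Kerberized CA certificate is configured for every Kerberos identity.
    return ["kca:x509"] if "@" in identity else []


DERIVATIONS = {
    # A smartcard certificate derives a Kerberos identity (PKINIT); that identity
    # derives a second realm and, via KCA, the certificate identity again (a loop).
    "CN=alice (smartcard)": ["alice@ATHENA.MIT.EDU"],
    "alice@ATHENA.MIT.EDU": ["alice@EXAMPLE.COM", "CN=alice (smartcard)"],
}


def configured_derivations(identity: str) -> List[str]:
    return DERIVATIONS.get(identity, [])


def kca_obtainable(cred: str, path: Tuple[str, ...]) -> bool:
    # Constructed policy: a KCA certificate is pointless when the chain already
    # started from a certificate identity, so it is disabled along such paths.
    return cred != "kca:x509" or not path[0].startswith("CN=")


if __name__ == "__main__":
    tree = build_tree("CN=alice (smartcard)", [krb5_credentials, kca_credentials],
                      [configured_derivations], kca_obtainable)
    for node in bfs_order(tree):
        print(" > ".join(node.path), node.credentials)
```

Because the hierarchy check receives the whole path rather than only the current identity, a provider can express the case the note describes: the same credential enabled when its identity is primary and disabled when it is reached through a particular chain.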

Progress Page

Since obtaining credentials is a time consuming task, it is proposed that there should be a progress page. It will not be required to display this page at every new credentials acquisition. However, it should be displayed if a certain amount of time has passed since the user initiated the credential acquisition and the operation is still ongoing.

Figure 8: Progress page

Implementation note: The Network Identity Manager Message Queue supports marking dispatched messages as cancelled. This feature was added with the intent of supporting operations that can be cancelled. Certain credentials acquisition operations tend to be time consuming, especially if network access is slow. If the delay is particularly long, the user may wish to abort the operation in whole or in part. The mock up above shows a Cancel button for this purpose. However, current versions of Network Identity Manager don't implement this feature, because most of these delays happen during calls to APIs beyond the scope of the application which can't be cancelled. The Network Identity Manager 2.x series plans to implement this feature, and credential providers are expected to comply with cancelled messages to the best of their ability.

Options: It may be desirable to allow the user to cancel individual credential providers. If a user has configured multiple identities with multiple credential types, the user might not wish to obtain credentials for all identities all the time. Having this feature would allow the user to cancel out identities that are not necessary at that time.
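The cooperative cancellation contract sketched in the implementation note, and the per-provider cancellation from the options paragraph, are shown below as an added example written for this page, not Network Identity Manager's message queue. It assumes a provider's acquisition is a list of step callables run sequentially (a real provider runs on its own thread and can only honour the flag between the uncancellable API calls the note mentions); MessageQueue, acquire, run_acquisition and the provider names are hypothetical.

```python
"""Added example (not Network Identity Manager code): dispatched messages that
can be marked cancelled, a provider loop that honours the flag between steps,
and cancellation of one provider while another completes.

Assumptions not in the original document: acquisition is modelled as a list
of step callables run in sequence; MessageQueue, acquire, run_acquisition and
the provider names are hypothetical."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Message:
    msg_id: int
    provider: str
    identity: str
    cancelled: bool = False


class MessageQueue:
    """Tracks dispatched messages so they can be cancelled by id or wholesale."""

    def __init__(self) -> None:
        self._next_id = 1
        self._dispatched: Dict[int, Message] = {}

    def dispatch(self, provider: str, identity: str) -> Message:
        msg = Message(self._next_id, provider, identity)
        self._next_id += 1
        self._dispatched[msg.msg_id] = msg
        return msg

    def cancel(self, msg_id: int) -> None:
        self._dispatched[msg_id].cancelled = True

    def cancel_all(self) -> None:
        for msg in self._dispatched.values():
            msg.cancelled = True


ProgressHook = Callable[[Message, int, int], None]


def acquire(msg: Message, steps: List[Callable[[], None]],
            progress: ProgressHook) -> Tuple[str, int]:
    """Provider-side loop: do one step, report progress, then honour a
    cancellation before starting the next step. Work already done is not
    undone; the provider reports how far it got."""
    done = 0
    total = len(steps)
    for step in steps:
        if msg.cancelled:
            return ("cancelled", done)
        step()
        done += 1
        progress(msg, done, total)
    return ("complete", done)


def run_acquisition(queue: MessageQueue,
                    work: Dict[str, List[Callable[[], None]]],
                    identity: str,
                    cancel_when: Callable[[Message, int, int], bool]
                    ) -> Dict[str, Tuple[str, int]]:
    """Dispatch one message per provider and run them. cancel_when stands in
    for the user's Cancel decision, evaluated at each progress report, and
    cancels only that provider's message."""
    results: Dict[str, Tuple[str, int]] = {}

    def on_progress(msg: Message, done: int, total: int) -> None:
        if cancel_when(msg, done, total):
            queue.cancel(msg.msg_id)

    for provider, steps in work.items():
        msg = queue.dispatch(provider, identity)
        results[provider] = acquire(msg, steps, on_progress)
    return results


if __name__ == "__main__":
    # Constructed workload: a short AFS acquisition and a slow KCA one.
    q = MessageQueue()
    work = {"afs": [lambda: None] * 2, "kca": [lambda: None] * 5}
    print(run_acquisition(q, work, "alice@ATHENA.MIT.EDU",
                          lambda m, d, t: m.provider == "kca" and d == 2))
```

The provider checks the flag before each step rather than after, so a message cancelled while no step is in flight is abandoned without doing any more work, and the reported step count tells the caller which credentials were obtained before the abort.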

Appendix A: Secondary UX Transactions

The following UX transactions will be provided for use by credentials providers when adding or configuring derived identities.

Derived Identity wizard

The dialog flow for the derived identity wizard is as follows:

  Start -> Derived Identity Specification -> Credential Options for Derived Identity (per identity) -> End

The Credential Options for Derived Identity page is mostly identical to the advanced mode of the 'Credential Options' page, with the exception that there is no tab for privileged information. The title bar will be different and will reflect the fact that a new identity is being derived from a specific identity. The 'Derived Identity Specification' page will resemble the Identity Specification page.

When the wizard starts, it will check whether there are any candidate identities for the user to choose from. If there are no candidates, then the wizard starts with the 'Derived Identity Specification' page.

Implementation note: The list of potential derived identities is not queried from anywhere. Instead it should be provided to the wizard when it is invoked. A derived identity can itself have other derived identities, and these will be exposed via a similar UI. Upon completion of the wizard, the caller will be notified of the new derived identity. If the user activates the identity button and selects "Specify New Identity", the wizard will show the Derived Identity Specification page to allow the user to specify the new derived identity. The wizard runs as a modal dialog box.

New Derived Identity dialog

The New Derived Identity wizard/dialog is simply a special case of the above 'Derived Identity' wizard, where the wizard starts at the 'Identity Specification' page. The dialog runs as a modal dialog box.