Gaps and Overlaps in Identity Management Solutions OASIS Pre-conference Workshop, EIC 2009

Similar documents
Managing Linux Servers Comparing SUSE Manager and ZENworks Configuration Management

SUSE Manager Roadmap OS Lifecycle Management from the Datacenter to the Cloud

Docker Networking In OpenStack What you need to know now. Fawad Khaliq

Building a Secure and Compliant Cloud Infrastructure. Ben Goodman Principal Strategist, Identity, Compliance and Security Novell, Inc.

How To Make Databases on SUSE Linux Enterprise Server Highly Available Mike Friesenegger

Secure Authentication

SUSE OpenStack Cloud. Enabling your SoftwareDefined Data Center. SUSE Expert Days. Nyers Gábor Trainer &

SUSE Manager in Large Scale 17220

Best practices with SUSE Linux Enterprise Server Starter System and extentions Ihno Krumreich

SUSE Manager and Salt

SaltStack and SUSE Systems and Configuration Management that Scales and is Easy to Extend

Essentials. Johannes Meixner. about Disaster Recovery (abbreviated DR) with Relax-and-Recover (abbreviated ReaR)

VSP16. Venafi Security Professional 16 Course 04 April 2016

BOV89296 SUSE Best Practices Sharing Expertise, Experience and Knowledge. Christoph Wickert Technical Writer SUSE /

Provisioning with SUSE Enterprise Storage. Nyers Gábor Trainer &

Too Many Metas A high level look at building a metadata desktop. Joe Shaw

Build with SUSE Studio, Deploy with SUSE Linux Enterprise Point of Service and Manage with SUSE Manager Case Study

Linux and z Systems in the Datacenter Berthold Gunreben

Protect your server with SELinux on SUSE Linux Enterprise Server 11 SP Sander van Vugt

Expert Days SUSE Enterprise Storage

Novell SLES 10/Xen. Roadmap Presentation. Clyde R. Griffin Manager, Xen Virtualization Novell, Inc. cgriffin at novell.com.

SUSE Linux Enterprise Kernel Back to the Future

Using Linux Containers as a Virtualization Option

Exploring History with Hawk

Authentication. Katarina

Introduction to Software Defined Infrastructure SUSE Linux Enterprise 15

SUSE Linux Enterprise High Availability Extension

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Using Crowbar to Deploy Your OpenStack Cloud. Adam Spiers Vincent Untz John H Terpstra

Open Enterprise & Open Community

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Novell Infiniband and XEN

Welcome to SUSE Expert Days 2017 Service Delivery with DevOps

Dell One Identity Cloud Access Manager 8.0. Overview

Cloud in a box. Fully automated installation of SUSE Openstack Cloud 5 on Dell VRTX. Lars Everbrand. Software Developer

Mashing Up, Wiring Up, Gearing Up: Solving Multi-Protocol Problems in Identity

Linux High Availability on IBM z Systems

Liferay Security Features Overview. How Liferay Approaches Security

Internet Identity Initiatives. RL Bob Morgan University of Washington and Internet2 EMC2 Málaga, S pain October 2006

Access Management Handbook

Saving Real Storage with xip2fs and DCSS. Ihno Krumreich Project Manager for SLES on System z

Samba HA Cluster on SLES 9

PayThankYou LLC Privacy Policy

Novell Access Manager 3.1

April Understanding Federated Single Sign-On (SSO) Process

Identity Management: Setting Context

Exploring the High Availability Storage Infrastructure. Tutorial 323 Brainshare Jo De Baer Technology Specialist Novell -

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Define Your Future with SUSE

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Microsoft SharePoint Server 2013 Plan, Configure & Manage

SafeNet Authentication Manager

Should You Use Liberty or Passport for Digital Identities?

DIX BOF Digital Identity exchange. 65 th IETF, Dallas March 21 st 2006

Middleware, Ten Years In: Vapority into Reality into Virtuality

ios Supervised Devices

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Tableau Server

1 Privacy Statement INDEX

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

SafeNet Authentication Client

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

SafeNet Authentication Service

SAP Single Sign-On 2.0 Overview Presentation

SafeNet Authentication Service

Oracle Cloud Using the Microsoft Adapter. Release 17.3

SafeNet Authentication Service

OATH : An Initiative for Open AuTHentication

Legal notice and Privacy policy

Warm Up to Identity Protocol Soup

SafeNet Authentication Service

Avaya Software Keycode Installation Guide

BT Assure Cloud Identity Annex to the General Service Schedule

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

SICOOB. The Second Largest Linux on IBM System z Implementation in the World. Thiago Sobral. Claudio Kitayama

SafeNet Authentication Service

Cloud Access Manager Overview

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

KT-1 Token. Reference Guide. CRYPTOCard Token Guide

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Okta

Novell Identity Manager

Oracle Cloud Using the Evernote Adapter. Release 17.3

5 OAuth Essentials for API Access Control

Quick Start Access Manager 3.1 SP5 January 2013

AD SSO Technical White Paper

AUTHORIZED DOCUMENTATION. Using ZENworks with Novell Service Desk Novell Service Desk February 03,

1.2 Participant means a third party who interacts with the Services as a result of that party s relationship with or connection to you.

SAML-Based SSO Solution

SafeNet Authentication Service

Bots. Table of Contents

TERMS OF SERVICE. Maui Lash Extensions All Rights Reserved.

Funding University Inc. Terms of Service

Using ZENworks with Novell Service Desk

SafeNet Authentication Service

Oracle Enterprise Manager

Integration Guide. SafeNet Authentication Service. NetDocuments

Eagles Charitable Foundation Privacy Policy

Oracle Cloud Using the Eventbrite Adapter. Release 17.3

Avaya Communications Process Manager Release 2.2 Web Portal Help for Non-administrative Users

INTEGRATION CLOUD SERVICE. Accelerate Your Application Integration Across the Cloud and On Premises

Transcription:

Gaps and Overlaps in Identity Management Solutions OASIS Pre-conference Workshop, EIC 2009 Dale Olds Novell Distinguished Engineer dolds@novell.com

Overview 2 Problems with identity management today It's a mess, why can't it be easy enough for Grandma? Online relationships need more intuitive usability, context, courtesy, and respect as well as security. Significant improvements and trends Cross domain identity systems and the identity provider model More authorization less identification Token transformation/combination rather than connect/retrieve Overlaps and gaps Are overlaps bad? Some examples of overlaps and gaps What can be done about them

Problems of Identity Management in the Real World

Simple Beginnings Web Site Corp Portal Username Password It seemed like such a good idea at the time... 4

Multiplication of Network Services Document Management HR Web Site Email Username Password Departmental File and Print 5 password policies 5 Username Password Username Password Username Password Username Password 5 accounts External Instant Messaging System 5 administrators

Boundaries and Identity Management Identity Vault Synch Identity Provider HR Web Site Email Access Manager 6 Access Manager External Instant Messaging System Departmental File and Print 2 password policies Redirect Document Management 2 accounts 3 synced accounts

Obsolete and Evolving Services Identity Vault Synch Identity Provider HR Web Site Email Access Manager Access Manager External Instant Messaging System Departmental File and Print 4 password policies Redirect Document Management 4 accounts 3 synced accounts Username Password Obsolute Point of Sale System 7 Departmental Wiki Departmental Blog

Changing Boundaries, Dissolving Perimeters Mega HR Mergers and Acquisitions Identity Vault Synch New Email Email System Identity Provider HR Web Site Access Manager Redirect Document Management Access Manager Renegade Department? Home Access Departmental File and Print? 6 password policies Obsolute Point of Sale System 7 accounts 2 synced accounts Username Password Also, need to add compliance reporting 8 External Instant Messaging System Information Card Open ID Departmental Wiki Departmental Blog

It's Not So Simple Anymore Mega HR Mergers and Acquisitions Synch New Email Email System We are here HR Web Site Access Manager Redirect Document Management Access Manager External Instant Messaging System Departmental File and Print? Unknown accounts, lost track Unknown password policies Reset password every time Authorization unpredictable compliance reporting difficult 6 password policies 7 accounts 2 synced accounts Username Password Obsolute Point of Sale System 9 Identity Provider Renegade Department? Home Access Identity Vault Information Card Open ID Departmental Wiki Departmental Blog

The Problem with Identity Systems Internet identity systems won't be widely used until they are simple enough for grandma, and she will only remember one username and password. Statement from panel discussion at EIC 2008 (as best as I can remember it) I could not disagree more. 10

Granny Needs a Richer Identity System We don't need to dumb it down for her. She can easily handle complex forms like politeness. She can handle context, courtesy, respect relationships. Politeness is calibrated to the level of the threat to the hearer's face. The threat level in turn depends on the size of the imposition, the social distance from the hearer (the lack of intimacy or solidarity), and the power gap between them. The Stuff of Thought Language as a Window into Human Nature, by Steven Pinker 11

The Real Problem for Identity Systems 12 The problem is not to make is simple enough as in one username and password for granny. The problem is that it needs to be intuitive, contextual, and nuanced enough for granny to express the subtleties and richness of her relationships. These issues exist in employee and customer relationships as much as they do for granny. Granny manages it all just fine in real life better than most technologists.

Trends to Help Granny and the Rest of Us

Multi-domain Identity Systems and the Identity Provider Model 14 In the picture of the current mess, most problems are related to one user account per online service. The Identity Provider model separates (frees) the user account, authentication, and identity information from the online service. Federation and user-centric approaches all follow the model, e.g. SAML, WS-Fed, OpenID, Information Cards, OAuth. The identity provider model is just as useful within an enterprise (across departmental boundaries) as it is for consumer Internet services (multiple service providers). This is good timing since the enterprise walls are coming down. Cloud computing services are accelerating the collapse.

Less Identification More Authorization We are moving to less identification by a service. Instead access is granted due to token contents rather than authentication. Authentication is external to application or service, only to Identity Providers. 15 The anonymous student health clinic story The difficulty is that it involves a paradigm shift for programmers who are used to asking who is this and what can they do (authentication then authorization).

Token Transformation & Combination Many identity information transactions involve more than 2 identities. The identity provider(s) who assert the information The user(s) who release the information The service that uses the information Token and document transformation/combination rather than connection/credential. 16 Token based (e.g. SAML) rather than connection (LDAP) For example, consider the grade school field trip permission system.

Progress, Overlaps, and Gaps

Progress in Internet Identity Systems Last year this stuff (OpenID, information cards, user-centric, federation) was a hot topic, now... However, progress has been steady and fast: Before the dawn of time there were Directory Services which begat LDAP. Shortly thereafter the Liberty Alliance begat federation... 2006: Protocol consolidation and open implementation issues resolved (Open Specification Promise, OpenID 2.0 started, and, um, federation kept going). 2007: Dozens of interoperable implementations developed and demonstrated. 2008: Vendor supported products developed and early adopters deploy. 2009: Started with shipping products (insert shameless Novell plug here), government deployments scheduled, even identity conference usage (like EIC). 18 Don't hear much about it anymore... Not much traction... So... how's that identity metasystem coming? What's next? It should be real world deployments.

Are Overlaps Bad? 19 The world runs on a financial services model that is similar to the identity provider model Checks similar to OpenID: easy to implement, but spoofable. Information cards similar to credit/debit/business cards: useful for many things, but more difficult to implement. Electronic transfers between linked accounts are like federation: difficult to set up trust relationship, but essential. All are useful for some scenarios.

Some Overlaps are Not Useful 20 Overlap of browser plugins and client agents between protocol families are counter-productive. Perceived protocol wars in the press are distracting. Semantic clashes (impedance mismatches) between protocol families are an insidious problem. For example, there are various approaches and meaning as to how to transfer a SAML token via OpenID. Syntax and protocol are easy for specific use cases. Synchronizing schema and semantics of a general (and good) underlying identity model is hard. But that's what we should do.

Gaps 1 Terms and conditions should be attached to claims User-agent string pollution Some identity selectors are advertising themselves in inappropriate ways. The user agent string is for diagnostic messages, not client capabilities. Show some respect to granny. Offending vendors, you know who you are. Multiple information card support 21 If your service asks for identity information, make it clear to the user (and attach it to the data) the terms and conditions to which the user agreed, e.g. did you promise not to sell it to spammers? Many real-word information card use cases involve multiple sources of identity information (or cards), yet the user interface does not support this.

Gaps 2 22 Auditing instrumentation, standards, tools Who did what, when? Appears to be surprisingly little interest from vendors and implementors However, XDAS is active and viable. Receipts When granny buys something (a transaction involving a more powerful entity) she gets a receipt. Allows her recourse in case of a dispute Allows her to mercilessly harangue the unfortunate kid at the returns counter

Questions? For me: Dale Olds <dolds@novell.com> For Granny: Are you sure you want to ask? If so send them to me, I will relay them. 23

Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback