Federated Identity Management

Presentation Transcript


  1. Federated Identity Management: Business and Technical Overview

  2. Identity Crisis
  (Slide graphic: a mock “Joe’s Fish Market.Com” site selling tropical, fresh water, shellfish, lobster, frogs, whales, seals, clams.)
  Too many passwords, too few uses…

  3. More Identity Crisis…
  • Recent Headlines:
    • “Huge credit card data theft found – MasterCard: 40 million accounts at risk” -- San Jose Mercury News, Jun 18, 2005
    • “Info on 3.9M Citigroup customers lost” -- CNN, June 6, 2005
    • “Identity Theft is an epidemic” – Equifax CEO
  • Multiplicity of sensitive data is a key cause of identity theft
  • “Identity Federation is a killer app for Authentication” – Forrester
  • “Federation is a key component of an Identity Management architecture” – Burton Group

  4. Growing Complexity of User Identity
  (Chart: number of digital IDs over time. Pre-1980s: mainframe; 1980s: client/server; 1990s: Internet; 2000s: mobility. Drivers: business automation, customers (B2C), company (B2E), partners (B2B).)

  5. The Identity Management Paradox
  • Many enterprises have deployed centralized identity management throughout their enterprises
    • Though users still have multiple passwords and user IDs!
  • If I’m an employee, I have many more external passwords than internal
  • If I’m a partner / customer employee or a consumer, I have many IDs and passwords at many sites
  • Net Result – Single sign-on is not achieved in any circumstance!
  • Fidelity Study* shows enterprise users have on average 20 accounts!
    • 5 internal and 15 external
    • Even after enterprises have deployed Identity Management!
  *Presented at the Digital ID World Conference 2003

  6. Identity Management Components
  • Web Access Management
  • Identity Management / Provisioning
  • Virtual Directories
  • Federated Identity Management

  7. Web Access Management
  • Centralized policy server with agents protecting web-sites
  • Agents authenticate users against central policy server
  • Agents share session tokens for single sign-on
  Source: Computer Associates

  8. Identity Management / Provisioning
  • Ensuring application stores have user information before users log on
  • Enable “reduced sign-on” (RSO)
  • Extend to mainframe and client-server applications

  9. Virtual Directories
  • Aggregate view of information based on disparate stores
  • Typically an LDAP view
  • Connectors / adapters to all data sources / sinks
  • Can be used to enable provisioning
  • Provide password synchronization

  10. Federated Identity Management
  • The evolution of identity and access management (IAM)
  • Agreements, standards and technologies that make identity and entitlements portable across autonomous domains.
  • Seamless access to independent web-resources without a centralized repository
  • Standards based
    • Liberty Alliance
    • SAML
    • WS-Federation / WS-Trust
  Source: Aberdeen Group

  11. SAML position relative to the Gartner Hype Cycle
  (Chart; SAML 2.0 is marked as enabling.)

  12. Why Federated Identity Standards
  • Federation is all about communication between independent enterprises / organizations
  • Proprietary approaches have failed in the past
    • Microsoft Passport
    • Proprietary WAM solutions
  • Interoperability is of paramount importance
    • Technical Interoperability
    • Business and Process Interoperability
  • Open reviews and a non-discriminatory IP policy drive security

  13. Standards in Federated Identity
  “I love standards – there are so many to choose from!”
  • SAML from OASIS SSTC
    • Oldest, most prevalent standard
    • Foundational mechanisms in SAML 1.0 and 1.1 (Liberty ID-FF is based on SAML 1.1)
    • SAML 2.0 has more features (e.g. global logout)
  • Liberty Alliance: a body of over 150 companies
    • Many technology users on the management board
  • Microsoft and IBM: behind WS-Federation
    • Microsoft incorporating it into Windows Server 2003 R2

  14. Key Concepts and Terminology - Universal to the “Standards”
  • Identity
  • Circle of Trust / Trusted Sites
  • Principal Identity
  • Identity Provider (IdP)
  • Service Provider (SP)
  • Liberty-Enabled Client or Proxy (LECP)
  • Federation and De-federation – initial linkage or final disconnect
  • Single Sign-On and Authentication
  • Single Logout / Global Logout
  • Network Identity / Federated Identity – Federated Network
  • Pseudonyms & Anonymity (Opaque Identifiers)
  • Authentication Assertions

  15. Federated Identity Management – Value Proposition
  • Each domain manages attributes and credentials for their own user community.
  • Deployments focus on reduced administrative costs and improved user convenience, but there is more value to be gained.
  • Administrative authorities can react faster to status changes of their own employees.
    • Instead of relying on delegated administration or synchronization.
  • User Attributes are shared on a limited basis or for specific purposes
    • Improving implied and effective privacy.
  • Federation supports and simplifies compliance initiatives.
  • Federation separates Session Management from the User Management and Provisioning infrastructure.

  16. Federated Identity Management – Typical Scenario
  • A large organization must provide access to internal applications for thousands of partners (each having thousands of potential users).
  • External users are co-mingled with employees in a corporate directory.
  • A combination of delegated administration and synchronization is used to manage these entries.
  • Often this is coupled with other processes to maintain the directory.
  • Identity Federation provides relief for this situation.

  17. Simplified Sign-On
  (Diagram: John performs his initial authentication (login: John, password: xxx) at the Identity Provider, Airline.inc, inside the shared authentication domain “Fly Right, Airline Group”; he then accesses federated services at the Service Provider, CarRental.inc, which greets him as John12: “You’re signed on.”)
  No longer need to provide username and password for each service. Once a user has authenticated she can use the other services directly and securely.
  Source: Liberty Alliance

  18. Simplified Sign-On (Contd.)
  (Diagram: one IdP account, John123@idp, federated with three separate SP accounts: John_s@sp1, js0072@sp2 and jj-com@sp3.)
  Even with different usernames and passwords at each service provider, the initial authentication provides secure and simplified access to federated services.
  Source: Liberty Alliance

  19. Federated Identity Management – Enhancing Privacy
  (Slide graphic: “Who are you?”)
  • Federation reduces (if not eliminates) the capture and storage of identity data across domains.
    • Fewer organizations hold user information
    • Easily accommodate regional, cultural or legal differences in privacy regulations
  • Make users anonymous where appropriate.
    • A partner may only need to know the originating domain (and rely on that domain’s user authentication), not specific information about the specific user.
  • Implement pseudonyms for audit tracking.
    • Home domain holds the mapping from user to pseudonym.
  • Permission-based attribute sharing.
    • Puts the user in control of the attributes being shared
    • Application can prompt the user to release information
    • A user can control what information is released and when
    • Effectively ties into the “Emerging User Centric Business Model”.
  • Simplify infrastructure for global enterprises
    • Privacy concerns are delaying or stopping deployments due to regional issues
    • Federation provides a viable alternative
    • Reduced need to consolidate all attributes in a single location
    • Provides an opt-in model
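The concepts of slides 14 and 17 to 19 (initial authentication at the IdP, an authentication assertion carried to the SP, federation as the initial linkage to a pre-existing local account, and per-SP opaque identifiers whose mapping only the home domain holds) worked through as an added example; this is not code from the presentation or from the Liberty Alliance. It assumes a simplified assertion format: a JSON document signed with HMAC-SHA256 under a key the IdP shares with every SP in its circle of trust, standing in for the XML assertion and XML-DSig public-key signature SAML 2.0 actually uses. The entity IDs, the hotel SP and the rejection reasons are constructed; the account names John_s@sp1 and js0072@sp2 and the password “xxx” come from the slides.

```python
"""Minimal federated SSO round trip (added example, not code from the slides):
the IdP authenticates John once, then issues a signed assertion whose subject is
a per-SP opaque identifier; each SP verifies the assertion and maps that
identifier to its own local account.  Assumption: assertions are JSON signed
with HMAC-SHA256 under a key shared across the circle of trust, standing in for
the XML-DSig signature SAML 2.0 uses; the checks the SP performs are the real ones."""
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    def __init__(self, entity_id, users):
        self.entity_id = entity_id
        self.users = users          # user_id -> password (constructed sample data)
        self.signing_key = secrets.token_bytes(32)
        self.federations = {}       # (user_id, sp) -> pseudonym; only the home domain holds this

    def authenticate(self, user_id, password):
        stored = self.users.get(user_id)
        return stored is not None and hmac.compare_digest(stored, password)

    def pseudonym_for(self, user_id, sp):
        # Random opaque identifier, different per SP, so SPs cannot correlate John across sites.
        return self.federations.setdefault((user_id, sp), secrets.token_urlsafe(16))

    def issue_assertion(self, user_id, sp, authn_context, ttl=300):
        now = int(time.time())
        body = {
            "id": "_" + secrets.token_hex(16),  # unique per assertion; lets the SP detect replay
            "issuer": self.entity_id,
            "subject": self.pseudonym_for(user_id, sp),
            "audience": sp,                     # the only SP allowed to accept this assertion
            "issue_instant": now,
            "not_on_or_after": now + ttl,
            "authn_context": authn_context,     # how the user proved identity at the IdP
        }
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        return {"assertion": body, "signature": sig}


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id = entity_id
        self.idp = idp_entity_id
        self.idp_key = idp_key
        self.accounts = {}          # pseudonym -> local account name
        self.seen_ids = set()

    def link(self, pseudonym, local_account):
        self.accounts[pseudonym] = local_account   # the "federation" (initial linkage) step

    def consume(self, msg, now=None):
        """Return (local_account, authn_context), or (None, reason) when rejected."""
        now = int(time.time()) if now is None else now
        body = msg["assertion"]
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["signature"]):
            return None, "bad signature"
        if body["issuer"] != self.idp:
            return None, "untrusted issuer"
        if body["audience"] != self.entity_id:
            return None, "wrong audience"
        if not body["issue_instant"] <= now < body["not_on_or_after"]:
            return None, "outside validity window"
        if body["id"] in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(body["id"])
        account = self.accounts.get(body["subject"])
        if account is None:
            return None, "subject not federated"
        return account, body["authn_context"]


def demo():
    """Run the slides' scenario plus several rejections; returns a dict of outcomes."""
    idp = IdentityProvider("https://idp.airline.example", {"john": "xxx"})
    sp1 = ServiceProvider("https://sp1.carrental.example", idp.entity_id, idp.signing_key)
    sp2 = ServiceProvider("https://sp2.hotel.example", idp.entity_id, idp.signing_key)
    if not idp.authenticate("john", "xxx"):
        raise RuntimeError("initial authentication failed")
    sp1.link(idp.pseudonym_for("john", sp1.entity_id), "John_s@sp1")
    sp2.link(idp.pseudonym_for("john", sp2.entity_id), "js0072@sp2")
    ctx = "PasswordProtectedTransport"
    first = idp.issue_assertion("john", sp1.entity_id, ctx)
    r = {}
    r["sp1"] = sp1.consume(first)            # ('John_s@sp1', ctx)
    r["replay"] = sp1.consume(first)         # same assertion id presented twice
    r["sp2"] = sp2.consume(idp.issue_assertion("john", sp2.entity_id, ctx))
    r["cross_audience"] = sp2.consume(idp.issue_assertion("john", sp1.entity_id, ctx))
    r["expired"] = sp1.consume(idp.issue_assertion("john", sp1.entity_id, ctx),
                               now=int(time.time()) + 3600)
    tampered = idp.issue_assertion("john", sp1.entity_id, ctx)
    tampered["assertion"]["subject"] = "someone-else"
    r["tampered"] = sp1.consume(tampered)
    r["unlinkable"] = idp.pseudonym_for("john", sp1.entity_id) != idp.pseudonym_for("john", sp2.entity_id)
    return r
```

Two points the slides state but do not spell out are visible here: the SP never learns John’s IdP username, only a pseudonym that differs per SP, and the IdP’s `federations` table is the sole place that can tie a pseudonym back to a person, which is what makes pseudonymous audit trails possible. A production SP would also allow a few minutes of clock skew on the validity window and keep the replay cache only until `not_on_or_after`.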

  20. Federated Identity Management – Improves Security
  Reduce Burden on Security Administrators
  • Enable them to focus on internal users
  • Let partners / customers manage their own users
  • Reduce or eliminate the need to mix external identities in internal user repositories
    • Best practices say that you should separate internal users from other user communities.
    • This reduces your exposure to vulnerability and outside attack.

  21. Federated Identity Management – Improves Security
  Federation Provides More Access Control Options
  • Access control checking at originating site, destination site, or both
  • Ability to map external users to internal groups, roles or local system records
  • Eliminate the need to provision credentials and access control to partner systems.
  • Consistently enforce policy throughout a transaction chain.
  • More granular access control than most VPN connection options.

  22. Federated Identity Management – Improves Security
  Fewer Passwords for Users to Remember
  • Passwords are weak authenticators
  • Users can rely on fewer, yet stronger authentication credentials
  • Enterprises have more flexibility to implement stronger authentication where appropriate.
  • Enterprises can convey that stronger authentication in a federated network.
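Slides 21 and 22 together describe what the destination site does with a verified assertion: map the external user onto internal roles, and act on the authentication strength the IdP conveyed. The following is an added example of that SP-side policy, not code from the presentation. Group claims are translated to local roles scoped by issuer, so a partner IdP cannot assert an internal group, and each resource demands a minimum authentication context, mirroring the SAML 2.0 AuthnContext `comparison="minimum"` request. The issuer URLs, group and role names, resources, and the strength ordering are constructed; the context class names echo SAML 2.0 AuthnContext classes but the ordering is this example’s own policy.

```python
# Added example (not from the slides): SP-side authorization over a federated assertion's claims.
# Issuer URLs, groups, roles, resources and the strength ordering are constructed.

# Authentication strength, weakest first. The IdP conveys which class it used;
# the names echo SAML 2.0 AuthnContext classes, the ordering is this example's policy.
AUTHN_STRENGTH = ["Password", "PasswordProtectedTransport", "TLSClient",
                  "Smartcard", "SmartcardPKI"]

# Which issuer may claim which groups, and which local roles each group grants.
# Anything not listed is denied, so a partner IdP cannot assert an internal group.
ROLE_MAP = {
    "https://idp.internal.example":  {"po-approvers": {"po_read", "po_approve"},
                                      "staff": {"po_read"}},
    "https://idp.partner-a.example": {"buyers": {"po_read", "po_submit"},
                                      "auditors": {"po_read"}},
    "https://idp.partner-b.example": {"buyers": {"po_read"}},
}

# Resource -> (required local role, minimum authentication context).
RESOURCE_POLICY = {
    "/catalog":                 ("po_read",    "Password"),
    "/purchase-orders/submit":  ("po_submit",  "PasswordProtectedTransport"),
    "/purchase-orders/approve": ("po_approve", "Smartcard"),
}


def local_roles(issuer, groups):
    """Translate a partner's group claims into local roles, scoped by issuer."""
    mapping = ROLE_MAP.get(issuer, {})
    roles = set()
    for group in groups:
        roles |= mapping.get(group, set())
    return roles


def strong_enough(actual, minimum):
    """True when the conveyed context is at least the required one (comparison='minimum')."""
    if actual not in AUTHN_STRENGTH or minimum not in AUTHN_STRENGTH:
        return False                      # unknown context class: never accept
    return AUTHN_STRENGTH.index(actual) >= AUTHN_STRENGTH.index(minimum)


def authorize(assertion, resource):
    """Return (allowed, role_or_reason) for the claims of an already-verified assertion."""
    if resource not in RESOURCE_POLICY:
        return False, "unknown resource"
    role, minimum = RESOURCE_POLICY[resource]
    if role not in local_roles(assertion["issuer"], assertion.get("groups", ())):
        return False, "no mapped role"
    if not strong_enough(assertion["authn_context"], minimum):
        return False, "step-up authentication required"
    return True, role


# Constructed claims, as an SP would extract them from assertions whose signature,
# issuer, audience and validity window have already been checked.
PARTNER_BUYER = {"issuer": "https://idp.partner-a.example", "groups": ["buyers"],
                 "authn_context": "PasswordProtectedTransport"}
INTERNAL_APPROVER = {"issuer": "https://idp.internal.example", "groups": ["po-approvers"],
                     "authn_context": "Smartcard"}
```

The “step-up authentication required” outcome is the hook for the flexibility slide 22 describes: the SP can send the user back to their IdP with a request for a stronger context rather than rejecting them outright, and the IdP decides how to satisfy it.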

  23. Federated Identity Management – Demonstrates Compliance
  Holding Authoritative Parties Accountable
  • Federation places user registration and credential management with the most responsible party.
  • Federation reduces duplicate administrative steps which could introduce errors or inconsistencies.
  • Policies and procedures for user management can be included in the “Federation Agreement” to be clear about responsibility and liability
  Makes it Easier to Audit the Environment
  • Streamline the audit process to clearly separate internal employees from external parties and easily demonstrate the environment is properly partitioned.
  • Reduces the amount of data that is collected and stored, thus relieving administrative burdens as well as custodial responsibility (liability)
  • Reduces compliance interdependencies between partners.

  24. Federated Identity Management – Simplifies IdM Infrastructure
  Separates User Deployment from User Management
  • Expands effective user session management quickly to all resources (internal and external).
  • Allows for quick adoption of various standards depending on choices of all participants, without major management systems upgrades.
  • Provides simplified method to expose or integrate web resources (web services, applications, partners, customers) to user communities.
  • Delivers total platform integration flexibility (Open systems, Windows, Mainframe).

  25. Web Services Security – Impact of Federated Identity Management
  • Web-services typically extend key enterprise resources
    • Not having to trust apps simplifies development and adds flexibility
  • Web-services may also be exposed to partners
  • Usual security concerns
    • Authentication, privacy, integrity, non-repudiation
    • But at at least two levels:
      • Between a web-service and an app using it
      • Between the web-service and the end-user using the app
  • Lack direct user-sessions
  • Proprietary technology works within one identity domain
  • Standards solve the problem effectively

  26. Identity Based Web Services
  • Effectively provides security between the web-service, consuming applications and the end-user
  • Security Mechanisms
    • Service discovery
    • Service invocation
    • Interaction with users
  • Standard service interfaces
  • Common services (e.g. user profile information)

  27. Web Services Architecture
  (Diagram, “Typical Web Service Architecture”: a browser in a partner enterprise holds an authenticated session with web service applications, which in turn call HR, Sales and Purchasing web services. Each downstream service needs to know: Who is the user? Which region is the user in? What is the user’s purchasing privilege?)

  28. Benefits of Federated Identity Management
  • Delivers on the promise of single sign-on and application access control
    • Can provide seamless, relevant access to all websites, applications, web services
  • Dramatic reduction in help desk (user administration) costs
    • Enterprises no longer required to manage their partners’ or customers’ users
    • Password resets, authentication enforcement.
  • Better Security
    • No stale accounts or sessions
    • Is the user still there?
  • Ensures Privacy
  • Places liability for user actions at the authenticating party
  • Enables more valuable extranet transactions
  • Complements and enhances compliance requirements
  • Creates monetization (Revenue Growth) opportunities.
    • Seamless access to independent partner websites
    • Seamless access from customer domains
    • Ensures user visibility and loyalty
