1 / 15

SOA Federated Identity Management

SOA Federated Identity Management. How much do you really need? Andrew S. Townley Founder and Managing Director Archistry Limited. Agenda. Definitions Business drivers for federated identity Approaches to providing federated identity Technical considerations Questions. Definitions.

alva
Download Presentation

SOA Federated Identity Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing Director Archistry Limited

  2. Agenda • Definitions • Business drivers for federated identity • Approaches to providing federated identity • Technical considerations • Questions

  3. Definitions • Federated system – integrates existing, possibly heterogeneous systems while preserving their autonomy • Association autonomy– the ability of a component system to decide whether and how to share its operations and resources with other systems • Federated identity– a shared name identifier agreed between partner services in order to share information about the user across organizational boundaries

  4. Business Drivers • What are you trying to do? • Provide single sign-on (SSO)? • Support dynamic collaboration? • Provide a central point of access to distributed services? • Who are the other participants? • Services controlled by a single organization? • Services provided by trading partners? • Parties with whom you have no formal relationship?

  5. Additional Considerations • Privacy and consent • Will the users use the system? • How will their privacy be protected? • How will you respond to a right to access request? • Accountability • What mechanisms will be used for identity proofing? • What mechanisms will ensure non-repudiation of authentication? • How will you respond to claims of fraudulent access?

  6. Approaches • Don’t federate • Federated identity • Chain of trust • Federated authorization

  7. Federated Identities • Leverages the identification/authentication of a trusted member of the federation (e.g. SAML IdP) • May or may not require local accounts at all service providers • Requires out-of-band business agreements between members of the federation • Does nothing more than assert a claim as to the identity of a user or request within a given context

  8. Example: US Government E-Authentication Framework

  9. Chain of Trust • Each participant responsible for authenticating only the members directly communicating with it • Information integrity must be assured by the information producer • Requires out-of-band business agreements between members of the federation • Each member of the chain is authenticated to the next—any other credential information is opaque • Ensures a sequence of participants can exchange information, but does not directly authenticate (or may not even identify) the original information producer

  10. Example: Irish Government’s Reach Project

  11. Federated Authorization • Federation defines the semantics of a particular set of profile attributes • Service provider association and access control is based on the presence of one or more attributes • Can be used in conjunction with federated identities or without them for dynamic collaboration • Still requires out-of-band business agreements between members of the federation • Can be used for more flexible and dynamic collaborations, but attribute negotiation may have privacy implications

  12. Example: EU Driving License Regulations

  13. Technical Considerations • How will the business agreements be managed electronically (Proprietary XML, SAML, XACML, WS-Policy or something else)? • Are the services provided asynchronously or synchronously? • What is the temporal coupling between the services? • Are the services provided to interactive users or automated agents? • How much information is necessary to identify the user to the local service? • Will the local services also support authentication and management of their own user identities? • Which is most important: the identity of the principal making the request or the identity of the principal to which the request refers? • Who (or what) is actually making the request?

  14. References • US E-Government Authentication Framework and Programs, IT Professional, May/June 2003, http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/it/&toc=comp/mags/it/2003/03/f3toc.xml&DOI=10.1109/MITP.2003.1202230 • Technical Approach for the Authentication Service Component, Version 1.0.0, GSA (2004), http://www.cio.gov/eauthentication/documents/TechApproach.pdf • SAML V2.0 Technical Overview, Working Draft 10, http://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf • Liberty ID-WSF Web Services Framework Overview, Version 2.0, http://www.projectliberty.org/liberty/content/download/889/6243/file/liberty-idwsf-overview-v2.0.pdf • Access Control Management in a Distributed Environment Supporting Dynamic Collaboration, Shafiq, B. et al (2005), http://portal.acm.org/citation.cfm?id=1102503 • Implementing a Federated Architecture to Support Supply Chains, Chadha, B. (2003), http://www.coensys.com/files/federation%20white%20paper%2003.PDF • A Distributed Trust Model, Abdul-Rahman, A., S. Hailes (1997), http://portal.acm.org/citation.cfm?id=283739 • Access Control in Federated Systems, De Capitani di Vimercati, S. and Samarati, P. (1996), http://portal.acm.org/citation.cfm?id=304871

  15. Archistry Limited 33 Pearse Street Suite 115 Dublin 2, Ireland www.archistry.com Phone +353 86 996 2490 Fax +353 865 996 2490 Email info@archistry.com Turning innovation into business value TM

More Related