Presentation Transcript

Federated Identity in Practice

Mike Beach

The Boeing Company

Federated Identity

Federated Identity allows customers, partners and end-users to use Web services without having to constantly authenticate or identify themselves to the services within their federation.

This applies both within the corporation and across the Internet.

The Boeing Environment
  • Three user communities
    • 150,000 employees, contractors
    • 80,000 partners, suppliers, customers
    • 1,000,000+ ex-employees, beneficiaries
  • Three enterprise directories
    • Comprehensive Sun ONE directory (all people of interest)
    • Microsoft Active Directory (most employees)
    • RACF (most employees – but not same employees as MS AD)
  • Many Boeing web servers
    • Apache, IPlanet, IIS, ColdFusion, Shadow, Oracle
    • Over 350 web server platform/version variations
  • Multiple versions of both Netscape and IE browsers
WSSO Objectives
  • Simple, consistent user experience
  • Improved security through centralized access management
  • Reduction in user accounts and passwords, thus reductions in account administration costs
  • Applications isolated from authentication mechanisms and authentication technology insertions
  • Applications agnostic to origin of user’s access (internal or external)
  • Single sign on across Boeing business domain, including partners, suppliers, customers…
WSSO Key Solution Differentiators
  • Web Single Sign-on (WSSO) across Boeing and external web sites
  • Common infrastructure supporting internal and external access, for internal and external users
  • No control over desktop configuration and no ability to deploy components to the desktop
  • Leverage existing Boeing infrastructure
The Deployment
  • Oblix NetPoint infrastructure with 12 Access Servers deployed across 3 geographic regions (plus sandbox, development, test, and integration environments; about 50 machines total)
  • Primarily authentication today, limited authorization
  • No Identity Management or delegated administration
  • Custom integration with 5 authentication mechanisms
    • MS Active Directory
    • RACF
    • X.509 personal certificates
    • Proximity badge
    • Customer/supplier reverse web proxy user ID and password
Major WSSO Components

  (Component diagram; labels recovered from the slide: Identity and Policy Stores, Corporate Sun ONE Directory, All People, Groups, Customers/Suppliers, Oblix Policy, Access Server, Boeing Plugin, WebGate, Login Hub, Logon W2K/RACF/Certificate, Logon PIN, AD, RACF, X.509, Customer Authenticator Service, PIN Authentication, Boeing Reverse Proxy, Remote Access Service, WSSO Proxy Services, SAML Services, Web Server Content, 3rd Party Web Server Content, Web Browser, DMZ.)

WSSO Authentication Sources
  • W2K
  • RACF
  • X.509 Personal Certificates
  • External PIN

  (Same component diagram as in "Major WSSO Components", annotated with these sources.)

WSSO Authorization Sources
  • LDAP People Branch
  • LDAP Group Authorization
  • Customer/Supplier Authorization

  (Same component diagram as in "Major WSSO Components", annotated with these sources.)

WSSO Perimeter Access Components
  • Typical customers, suppliers
  • Employees (VPN, Dial)
  • Federated customers, suppliers
  • External employees, retirees

  (Same component diagram as in "Major WSSO Components", annotated with these perimeter access paths.)

WSSO-protected Components
  • Internal Boeing
  • External third party suppliers

  (Same component diagram as in "Major WSSO Components", annotated with the protected content.)

WSSO Users
  • Internal employees
  • External employees, retirees, customers, suppliers

  (Same component diagram as in "Major WSSO Components", annotated with the user populations.)

Milestones
  • Started RFP 3/2001
  • Vendor selection 8/2001
  • Production 12/2001
  • 100,000 logins per day 2/2003
  • 100+ applications in production 4/2003
  • 3rd party web site integration 5/2003
  • External user integration 5/2003
  • SAML production 6/2003
  • Role-based access control Q3/2003
  • Complete deployment (1000+ applications) End 2004-2005
SAML Participants

The Boeing Company

A leading manufacturer of commercial airplanes, space technology, defense aircraft and systems, and communication systems.

Southwest Airlines

A major domestic airline that provides primarily short-haul, high-frequency, point-to-point, low-fare service. Southwest operates over 350 Boeing 737 aircraft in 58 cities.

Oblix Inc.

A leading developer of identity-based security solutions for e-Business networks. The company's flagship product, Oblix NetPoint, is an enterprise identity management and Web access solution that provides an identity infrastructure for dynamic e-Business environments.

SAML Deployment Objectives
  • Significantly increase the user base of MyBoeingFleet, the secure web portal that provides Boeing customers access to all of the information required to operate and maintain their fleets
  • Embed MyBoeingFleet more deeply in the airline's business process. Facilitate the deployment of MyBoeingFleet content directly to the customer maintenance hangar
  • User will authenticate to their local intranet, click on a link to MyBoeingFleet, and seamlessly access the data and services without a secondary Boeing authentication request
  • Role-based access control targeted for next year
The SAML Flow

  (Sequence diagram; labels recovered from the slide:)
  • DOMAIN A: swacorp.com: SWA User, SWA Portal, SAML Services
  • DOMAIN B: Boeing.com: DMZ: SAML Server, Reverse Proxy; INTERNAL: Access Server, Target Resource: MyBoeingFleet.com
  • Numbered steps 1, 2.0 through 2.5, 3 and 4 between these components

Web Access Management General Challenges
  • Managing
    • Executive expectation
    • User experience
    • Hundreds of applications with even more policies
  • Complexity and reliability
    • Browsers, web servers, networks, directories, libraries, versions, custom code
  • Session management
    • Existing applications typically have embedded session management
    • Anomalies arise from inconsistent session state
    • Global “logout” is problematic (hurray for SAML 2.0!)
  • Security
    • Vulnerability assessment and risk mitigation where possible is appropriate
SAML Deployment Considerations
  • Assertions may need to be constrained to a domain
    • Boeing defined the authentication mechanism to include both user identity and SAML issuer ID
  • Support for direct bookmarks
    • For each web session, prior to a SAML transfer, bookmarks and URL references may not work
    • Oblix-provided solution creates a persistent “SAML Provider” cookie and implements redirection through SAML services for unauthenticated users
    • Not a part of SAML standard.
  • SAML only provides the “introduction”
    • Boeing content resides inside the Boeing security perimeter.
    • Had to integrate ObssoCookie intelligence into perimeter before users could actually get to content.
    • Security considerations of interactions across the Internet AFTER the SAML exchange were significant
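The first consideration above, scoping an assertion to its issuer so that "jsmith" from one partner can never be confused with "jsmith" from another, is what a relying party's assertion consumer has to enforce. The following is an added example written for this page, not code from the presentation or from Oblix NetPoint. It uses SAML 2.0 element names (the deployment described was pre-2.0), assumes XML-Signature verification has already been performed by the SAML toolkit before these checks run, and the issuer ID, audience value and sample assertion are hypothetical and constructed here. It checks issuer trust, validity window, audience restriction and one-time use, and returns an identity keyed on both issuer and subject.

```python
"""Relying-party checks on an inbound SAML assertion, keyed on (issuer, subject).

Added example, not code from the presentation. Uses SAML 2.0 element names and
assumes XML-Signature verification has ALREADY been done by the SAML toolkit;
these are the checks that come after it. Issuer and audience values below are
hypothetical.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical trust table: SAML issuer ID -> short realm tag used in the local identity.
TRUSTED_ISSUERS = {
    "https://idp.swacorp.example/saml": "swa",
}
OUR_AUDIENCE = "https://myboeingfleet.example/sp"   # hypothetical entity ID of this SP
CLOCK_SKEW = timedelta(minutes=2)

# Assertion IDs already consumed, with the time after which they may be forgotten.
_seen_assertion_ids: dict[str, datetime] = {}


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime) -> str:
    """Return the local identity 'realm:subject' or raise ValueError.

    xml.etree does not expand external entities, but it is still exposed to
    entity-expansion denial of service; production code should use defusedxml.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("not a SAML assertion")

    # 1. Issuer must be one we federate with; otherwise any IdP could mint
    #    a 'jsmith' that collides with a real user.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer {issuer!r}")

    # 2. Validity window, allowing a small clock skew between IdP and SP.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    not_before = _utc(cond.get("NotBefore"))
    not_on_or_after = _utc(cond.get("NotOnOrAfter"))
    if now < not_before - CLOCK_SKEW or now >= not_on_or_after + CLOCK_SKEW:
        raise ValueError("assertion outside its validity window")

    # 3. Audience: an assertion issued for a different SP must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_AUDIENCE not in audiences:
        raise ValueError("audience restriction does not name this SP")

    # 4. One-time use: reject a replayed assertion (same ID already consumed).
    assertion_id = root.get("ID")
    if not assertion_id:
        raise ValueError("assertion has no ID")
    for old_id, expiry in list(_seen_assertion_ids.items()):
        if expiry + CLOCK_SKEW <= now:
            del _seen_assertion_ids[old_id]
    if assertion_id in _seen_assertion_ids:
        raise ValueError("replayed assertion")
    _seen_assertion_ids[assertion_id] = not_on_or_after

    # 5. Subject, scoped by issuer: the slide's point that the authentication
    #    mechanism includes both the user identity and the SAML issuer ID.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing Subject/NameID")
    return f"{TRUSTED_ISSUERS[issuer]}:{name_id}"


# Constructed sample assertion (no real data); a real one also carries ds:Signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2003-06-01T12:00:00Z">
  <saml:Issuer>https://idp.swacorp.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2003-06-01T12:00:00Z" NotOnOrAfter="2003-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://myboeingfleet.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SAMPLE_NOW = datetime(2003, 6, 1, 12, 1, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, SAMPLE_NOW))  # swa:jsmith
```

The returned "swa:jsmith" is what the relying party should map to a local account; storing the bare NameID would recreate the cross-issuer collision the slide warns about. The replay cache is in-process here; a multi-node deployment would keep it in shared storage, bounded by NotOnOrAfter as shown.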
Recommendations
  • Focus on communication and marketing
    • Manage expectations
    • Educate users
    • Thoroughly understand and plan user experience (within product capabilities)
  • Consider limiting scope
    • Integration of legacy technologies can be costly
    • Each component integrated adds to complexity and impacts overall reliability
  • Consider adjusting infrastructure to support IAM
    • Integration to existing infrastructure required significant custom code
    • Use of a virtual directory could simplify deployment, but probably with an impact to performance
Standards Wish List
  • Support for direct bookmarks
    • Bookmarks and URL references (“deep links”) should work, even prior to the initial SAML transfer.
  • Global logout
    • Provide the user with an intuitive logout facility that would ensure complete termination of all application sessions and authentication credentials.
  • Domains of federated security
    • Users have need for multiple, disconnected federated security domains. For example, separation of business and personal. (Selective logout?)
  • Security strength of public Internet technologies
    • Industry needs to deliver technology that prevents cookie vulnerabilities (hijack and replay).
  • Support for individual application session timeout settings
    • Several of our application environments consider a session timeout setting (idle time) mandatory.
  • Authentication State Visibility
    • It is important for the user to always be aware of their authentication state. Are they authenticated, and to what?
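Three items on the list above (global logout, cookie hijack and replay, per-application idle timeouts) and the session-management challenge raised under "Web Access Management General Challenges" are really one design question: where does session state live? The following is an added example written for this page, not code from the presentation or from Oblix NetPoint. It models a server-side SSO session store in which the cookie carries only a random token, each application keeps its own idle timer under a single SSO session with an absolute lifetime, and a global logout revokes everything at once so a replayed cookie fails. Application names, timeouts and the demo timeline are hypothetical.

```python
"""Server-side SSO session store: absolute SSO lifetime, per-application idle
timeout, and a global logout that ends every application session at once.

Added example, not code from the presentation or from Oblix NetPoint.
Application names and timeouts are hypothetical.
"""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

SSO_ABSOLUTE_LIFETIME = timedelta(hours=8)
# Hypothetical per-application idle limits: the slide asks for exactly this knob.
APP_IDLE_TIMEOUT = {
    "myboeingfleet": timedelta(minutes=30),
    "payroll": timedelta(minutes=10),
}


class SessionError(Exception):
    """Base for all rejections; the WebGate redirects to the Login Hub."""


class SsoExpired(SessionError):
    """SSO session unknown, revoked or past absolute lifetime: re-authenticate."""


class AppIdle(SessionError):
    """Only this application's idle timer ran out; the SSO session is still live."""


class SsoSessionStore:
    def __init__(self) -> None:
        # Keyed by SHA-256 of the cookie token, so a dump of the store
        # does not hand an attacker live cookies.
        self._sessions: dict[str, dict] = {}

    @staticmethod
    def _key(cookie: str) -> str:
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, user: str, now: datetime) -> str:
        """Create an SSO session and return the opaque cookie value."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._key(cookie)] = {
            "user": user,
            "created": now,
            "app_last_seen": {},   # application name -> time of last request
            "revoked": False,
        }
        return cookie

    def access(self, cookie: str, app: str, now: datetime) -> str:
        """Authorize one request from `app`; return the user or raise."""
        rec = self._sessions.get(self._key(cookie))
        if rec is None or rec["revoked"]:
            raise SsoExpired("no live SSO session for this cookie")
        if now - rec["created"] >= SSO_ABSOLUTE_LIFETIME:
            rec["revoked"] = True
            raise SsoExpired("SSO session past absolute lifetime")
        last = rec["app_last_seen"].get(app)
        idle_limit = APP_IDLE_TIMEOUT.get(app)
        if last is not None and idle_limit is not None and now - last >= idle_limit:
            # Per-application idle expiry: drop only this app's activity.
            del rec["app_last_seen"][app]
            raise AppIdle(f"{app} idle timeout exceeded")
        rec["app_last_seen"][app] = now
        return rec["user"]

    def global_logout(self, cookie: str) -> int:
        """Revoke the SSO session; return how many application sessions ended."""
        rec = self._sessions.get(self._key(cookie))
        if rec is None:
            return 0
        rec["revoked"] = True
        count = len(rec["app_last_seen"])
        rec["app_last_seen"].clear()
        return count

    def sso_alive(self, cookie: str, now: datetime) -> bool:
        """Authentication-state visibility: is the user still signed on at all?"""
        rec = self._sessions.get(self._key(cookie))
        return rec is not None and not rec["revoked"] and now - rec["created"] < SSO_ABSOLUTE_LIFETIME


# Constructed demo timeline (hypothetical): T0 plus a number of minutes.
T0 = datetime(2003, 6, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


if __name__ == "__main__":
    store = SsoSessionStore()
    c = store.login("jsmith", at(0))
    store.access(c, "myboeingfleet", at(0))
    store.access(c, "payroll", at(0))
    print("ended", store.global_logout(c), "application sessions")
```

When `access` raises `AppIdle` the application can be silently re-entered through the still-valid SSO session rather than prompting for a password again, which is the behaviour the "individual application session timeout" wish asks for without breaking single sign-on. The replay property comes entirely from the state living server-side: once `global_logout` has run, the cookie value is a meaningless random string.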