1 / 15

Liberty ID Federation Framework Web Services Framework

This document explores the concept of identity federation, highlighting its role in enabling organizations to cooperate for mutual business benefit. It discusses issues related to user privacy and protocols for exchanging information within the federation. The goals of identity federation, including single sign-on, decentralized authentication, and user-controlled information sharing are explained. Additionally, parameters for trust communities, stakeholder perspectives, and functional requirements for frameworks like Liberty ID are presented to provide a comprehensive overview of identity federation in modern web services.

tavita
Download Presentation

Liberty ID Federation Framework Web Services Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Liberty IDFederation FrameworkWeb Services Framework Kailash Bhoopalam Dept. of Computer Science Old Dominion University

  2. Some Concepts • What is a federation? A union of organizations (M-W), that co-operate for the sole purpose of maximizing their business. • E.g., Airlines cooperate with hotels and rental cars to maximize revenues or distribute risk. • Issues • User information privacy • Protocol to exchange user information in the federation

  3. An Example Federation. ID Provider (VeriSign) Jimmy

  4. Liberty ID - Goals • Enable consumers (a.k.a. web users) to protect privacy and manage their network identity • Enables businesses to provide(or) advertise more value based services by leveraging the customer’s behavior in a trust community • Provides a single sign-on standard to include decentralized authentication and authorization • Create a controlled network-identity sharing mechanism that would be supported and would support current and emerging network access devices (use SSL, XML, X.509)

  5. Premise for the Goals • Id of the user is fractured in the WWW across a number of service providers(sp) (banks, utlities, entertainment, etc) • No Process Policy or Technology Standard that informs the user about the following • To which sp’s is the identity shared • What information is being shared • Policy practices of identity providers(who ever they are) • WWW attributes become cumbersome when user attributes change • When partnerships between service providers exist, it is harder to maximize the utility of services • Provide anonymity to users when using certain services

  6. Stakeholders views of liberty Views • Business (Service Provider) View • Framework to form circles of trust based on common interests • Allows for the registration of services • Support for anonymous services, usage directives • Support for gathering consent from the user. • User Views • Control over privacy information • Probable better service from service providers • Less fractured identity information

  7. Trust Community! Circle of trust! why? why? why? • By logical reasoning and some empirical evidence its has been agreed that a GUIDs, do not work when used in large numbers! • GUIDs (A unique certificate for every person) • Verification is expensive in large hierarchies. • Certificate revocation is difficult to communicate. • An IBM employee working in USA gets a discount at Vodofone and Harrods! • If the US govt was the authority on the principal’s ID, would harrod’s or the british govt always believe in it? • It makes more sense to have IBM, vodofone and harrods form a trust circle by exchanging keys, CPS, and IDS endpoints.

  8. Liberty ID Specifications • Federation Framework (FF) • Communication of identity information • Authentication • Single Sign On • Global logout • Web Services Framework (WSF) • Service registration • Service Discovery • Gathering user consent • Usage Directives

  9. Functional Requirements (FF) • Protocols for Identity Federation • Provide user notice of id federation and defederation • SPs and IDS providers notify each other of id-federation • Notification of ID providers to SPs about account termination • User awareness of federated id’s • Temporary identity/ Anonymity for services • Authentication • Authentication of IDS Providers • Mutual Authentication of IDS, SP and Principal. • Confidentiality and Integrity of information • Support for multiple authentication methods. • Exchange of Authentication status, instant, method, pseudonym. • Re-authentication/ Multi-level authentication • Transitive authentication • Single Sign On, Global Logout

  10. Architecture (FF) • Delegated Authentication/Authorization using Web Redirection • HTTP based redirection to ID providers • Limits of URL size • Content of URL (cleartext vs. encrypted) • Storing Authentication information state • Usage of session cookies if necessary (but not often)

  11. Architecture (FF) contd. • Single Sign-On • Id federation and defederation • 1 ID and many SPs • 1 SP and many Ids • Linking of IDSs to enable re-authentication. • Metadata and Schema • Id as opaque handle (linked – UIs) • Multiple authentication mechanisms • Allow for apriori exchange of X509 certs, service endpoint information, CPSs etc.

  12. Functional Requirements (WSF) • Service Discovery • Mechanism for SPs to query discovery services for relevant providers of services or attribute classes within a service for a particular principal • User prompt by the discovery service during registration • Registration of Service • Allows service providers to register( deregister) with discovery service a list of services and service attributes

  13. Functional Requirements (WSF) contd. • Support for Gathering Consent • Mechanisms for SPs to utilize LECP communications channel for querying and obtaining principal consent and response. • Mechanism to share (after user consent) a subset of principal’s attributes with other providers • Mechanism to partially fulfill requests for attributes if consent not given for all requested attributes.

  14. Functional Requirements (WSF) contd. • Support for Anonymous Services • Ability for an SP to make anonymous attribute requests and receive anonymous attribute responses • Ability to share attributes without disclosing identity. • Mechanism to prevent pseudonyms with Principal Ids • Usage Directives • Communicate intended usage of attributes • Communicate agreed upon usage of attributes • Mechanism that allows an RP SP to list the usage directives to an authorizing SP if required

  15. References • Liberty Alliance http://www.projectliberty.org/specs/index.html • Advanced Web Services Framework http://www-106.ibm.com/developerworks/webservices/library/ws-secure/ (WS Security) http://www-106.ibm.com/developerworks/webservices/library/ws-fed/ (WS Federation) http://www-106.ibm.com/developerworks/library/ws-polfram/ (WS Policy) http://www-106.ibm.com/developerworks/library/ws-trust/ (WS Trust)

More Related