
Revolutionising Public Sector Administration Through Identity Management

Revolutionising Public Sector Administration Through Identity Management. Simon Perry VP Security Management EMEA. IAM Defined.



Presentation Transcript


  1. Revolutionising Public Sector Administration Through Identity Management
     • Simon Perry
     • VP Security Management EMEA

  2. IAM Defined
     • Identity and Access Management is the set of processes and the supporting infrastructure for the creation, management and use of digital identities and enforcement of business policies
     • It enables you to answer the following:

  3. IAM Components
     • Identity Management
     • Access Management
     • Auditing and Reporting
     • Security Information Management and Compliance

  4. Identity Management Maturity
     • 1 - Active Password Management
     • 2 - Efficient Consolidated Identity Management
     • 3 - Responsive Integrated Role & Entitlements Management
     • 4 - Business-Driven Federated Identity Management

  5. What is Identity Federation?
     • A mechanism that establishes a linkage or portability (across security domains) of digital identities to provide seamless application access across the Internet
     • Clearly this is largely a security issue
     • Standards must play a large role
     • Naturally dependent on identity & access management

  6. Case Study – Private Sector: Federation at Large Insurance Company
     [Diagram: end-points federating with www.Insurance.com: Corporate Credit Card Provider, Corporate Travel department, and Corporate Customers]

  7. What is Identity Federation?
     • Identity federation
       • Using standard browsers
       • Using XML documents through Web services flows
     • “Browser-federation” vs. “Identity-based Web Services”
       • Both depend on linking or porting of identities across domains
     • Browser-based federation
       • End-user visits web sites hosted by business partners
     • Web services-based federation
       • Business partners communicate through XML documents used to obtain application services that depend on identity
     • Focus on browser-based federation in this session

  8. What is Identity Federation? Identity-Based Web Services
     [Diagram: Partner A (Web Service Consumers) exchanges XML/SOAP documents across the Internet with Partner B (Web Service Container hosting Web Service B)]

  9. Why Federate? Browser-Based
     • Customer convenience
       • Improved user experience & eased application access with cross domain and cross service SSO
       • Support online delivery channel for public sector services
     • Competitive differentiation
       • Federated SSO as a differentiated feature of your service offerings
     • Reduced costs
       • Leveraging identity management practices of partner
         • Identity proofing
         • Credential issuance
         • Forgotten/lost credentials
       • Reduced password related Helpdesk costs
       • Increased usage of lower cost Web applications
       • Avoidance of federated SSO technology “one-offs”

  10. Why Federate? Browser-Based
      • Enhanced security
        • Leveraging of “stronger” regularly used & better proofed credentials
        • Credential explosion is inherently insecure
        • Identity Provider controls user credential & thus access to Service Provider application
          • Former users immediately lose access to federated applications since they must come through the IdP
        • Use of enterprise class security building blocks
          • SAML, SSL, Web access management, PKI, digital signatures…

  11. Who is Federating?
      • Government agencies worldwide for eGovernment
        • Ireland, Norway, Austria, New Zealand, USA…
        • Eased citizen access to government services
      • B->B
        • Health management, employee benefits, pension providers, travel services, web conferencing, payroll services, insurance, specific ASPs, & many others…
      • B->E (link internal portals around world)
        • Internal federation for large, geographically distributed organizations
      • B->C (consumer information services)
        • Via wireless phones & cable TV to premium content
        • Early stage projects

  12. Case Study: Norwegian eGovernment Portal
      • Expected user population of 1.5 million
      • Up to 1400 government services
      • Up to 30 million transactions per year
      [Architecture diagram: user browser over HTTPS to Minside.no and Altinn.no; SAML exchanged with a Security Server backed by several PKIs (PKI A, B, C, D); integration modules connect the web service, the archive interface and the archive]

  13. Browser-Based Federation Example
      [Diagram: www.Company.com running eTrust SiteMinder with Federation, federating over SAML 1.0, SAML 1.1, SAML 2.0 and WS-Fed with Corporate Customers #1–#3, ASP Services #1–#2 and an outsourcing partner; application labels shown: Web Training, Web Travel, Pension Manager, Employees, Business Customers]

  14. Golden Rules of Federation
      • Consider Federation opportunities inside your business
      • Federation initiatives should be business led
      • Federate with your best (or most trusted) partners first
      • Remember to address the legal & contractual issues
      • Don’t get paralysed by federation standards evolution
      • Pick a vendor with a federation pedigree and one with a commitment to support the evolving standards
      • Federation should be part of your IAM architecture & strategy
      • Connect your Web services security & IAM strategy

  15. Identity Federation Requirements
      • Define a technical framework built on industry standards
        • Data format, message structure, & protocols
        • Independent of specific technologies/implementations
      • Enable business partners to exchange user information in a secure way
      • Protect the privacy of users within a federation
        • Keep user identity information secret
      • Allow each company to manage identities of their users without relying on a centralized third-party
      • Provide way to establish trust among federation participants

  16. Business Considerations
      • New partnering model
        • SP or IdP – which role better supports the goals of the business
      • Legal & contractual
        • Trust - Relying on identity proofing & security practices of partners
        • Security audit rights
        • What attributes are in SAML assertion? – Privacy implications
      • Ensuring quality user experience across domains
      • Finding the right (first) federation partners
      • State of your current identity management systems/processes
      • Coordination of internal resources (IT, Security, Legal, Management, Business, Marketing)

  17. Technical Considerations
      • Is the current overall state of security capability a suitable foundation
      • Which standard / version to use?
      • How will federation partner be enabled?
      • Artifact or Post profile?
      • Is this a many-to-1 or 1-1 federation?
      • How to disambiguate the user?
      • How to activate/provision federated accounts?
      • Stronger authentication needed?
      • What attributes are in SAML assertion?
      • How long will SAML assertion live?
      • How to do standards version control with partners?
      • How to ensure minimum system-wide performance?
      • User volume projections?
      • Error & Fraud scenarios
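Several of the questions on this slide (assertion lifetime, which attributes are carried, error and fraud scenarios) come down to what the Service Provider checks before it turns a SAML assertion into a session. The following is an added example, not code from the presentation or from any CA product: a stdlib-only set of SP-side acceptance checks on a SAML 2.0 bearer assertion. It assumes the XML-Signature has already been cryptographically verified upstream with an XML-DSig library (here it only refuses unsigned input), and the entity IDs, URLs, timestamps and the sample assertion are all constructed values.

```python
"""SP-side acceptance checks on a SAML 2.0 bearer assertion (added example).

Signature verification proper needs an XML-DSig library and is assumed to run
before this; the code below only refuses assertions that carry no Signature.
Entity IDs, URLs and the sample assertion are constructed values.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


class AssertionRejected(Exception):
    """Carries the reason an assertion must not create a session."""


def _ts(value):
    # xs:dateTime in UTC, 'Z' form; fractional seconds are not handled here
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, audience, acs_url, seen_ids, now,
                       skew=timedelta(seconds=60)):
    """Return issuer, NameID and attributes if every condition holds, else raise."""
    # Partner XML is untrusted input: use a hardened parser (e.g. defusedxml) in production
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("root element is not saml:Assertion")
    if root.find("ds:Signature", NS) is None:
        raise AssertionRejected("assertion is not signed")
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        raise AssertionRejected("untrusted issuer %r" % issuer)
    # Replay: one assertion ID creates at most one session at this SP
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise AssertionRejected("missing or replayed assertion ID")
    # Lifetime window, with a small allowance for clock skew between partners
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions element")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not not_on_or_after or now - skew >= _ts(not_on_or_after):
        raise AssertionRejected("assertion expired or has no expiry")
    # Audience: an assertion minted for another SP must not log the user in here
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        raise AssertionRejected("audience restriction does not name this SP")
    # Bearer confirmation must be addressed to our ACS endpoint and still be fresh
    scd = None
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        raise AssertionRejected("no bearer SubjectConfirmation")
    if scd.get("Recipient") != acs_url:
        raise AssertionRejected("Recipient does not match this ACS endpoint")
    sc_expiry = scd.get("NotOnOrAfter")
    if not sc_expiry or now - skew >= _ts(sc_expiry):
        raise AssertionRejected("bearer confirmation expired")
    seen_ids.add(assertion_id)
    name_id = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": issuer, "name_id": name_id, "attributes": attrs}


# Constructed sample; the Signature element is a placeholder standing in for a verified one
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-001" Version="2.0"
  IssueInstant="2005-11-01T10:00:00Z">
 <saml:Issuer>https://idp.example-agency.gov/</saml:Issuer>
 <ds:Signature><ds:SignatureValue>PLACEHOLDER-VERIFIED-UPSTREAM</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID>pairwise-7f3a</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sp.example-service.gov/saml/acs"
     NotOnOrAfter="2005-11-01T10:05:00Z" InResponseTo="_req-42"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2005-11-01T09:59:00Z" NotOnOrAfter="2005-11-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example-service.gov/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="role">
  <saml:AttributeValue>citizen</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED = {"https://idp.example-agency.gov/"}
AUDIENCE = "https://sp.example-service.gov/"
ACS = "https://sp.example-service.gov/saml/acs"


def demo():
    """Accept the sample once, then show the replay and expiry rejections."""
    seen = set()
    now = datetime(2005, 11, 1, 10, 1, tzinfo=timezone.utc)
    outcomes = {"accepted": validate_assertion(SAMPLE_ASSERTION, TRUSTED, AUDIENCE, ACS, seen, now)}
    for label, when, ids in (("replay", now, seen), ("expired", now + timedelta(minutes=5), set())):
        try:
            validate_assertion(SAMPLE_ASSERTION, TRUSTED, AUDIENCE, ACS, ids, when)
            outcomes[label] = None
        except AssertionRejected as exc:
            outcomes[label] = str(exc)
    return outcomes
```

The short validity window and the seen-ID cache are what make "How long will SAML assertion live?" a concrete design decision: the shorter the window, the smaller the replay cache an SP must keep, but the less clock skew between partners it can tolerate. The same checks apply whichever transport profile is chosen; with the Artifact profile the SP fetches the assertion from the IdP over a back channel rather than receiving it in the browser POST, so the Recipient and InResponseTo checks bind it to the original request in either case.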

  18. Key Standards & Specifications
      • Security Assertion Markup Language (SAML)
        • Standard managed by OASIS
        • CA key contributor
        • Provides for the sharing of security information between domains
          • Using XML security tickets (assertions) & protocols
          • Protocol & ticket together enable federation
          • Cross-domain/cross-company SSO
      • Liberty Alliance
        • Alliance of many sponsor companies
          • Including CA
        • ID-FF – Portion of Liberty that enables browser-based federations
          • Leverages SAML assertion (ticket)
        • Officially merged with SAML with SAML 2.0
      • WS-Federation
        • Microsoft has plans for ADFS implementing WS-Federation in late 2005
        • CA is part of Microsoft ADFS beta program
        • ADFS support on roadmap

  19. Glossary of Terms
      • Identity Provider (IP)
        • Site that conducts authentication, re-directs user, & produces security ticket for the user session
      • Service Provider (SP)
        • Site that provides desired application(s), receives browser re-direct, & consumes security ticket to create a user session
      • Security Ticket
        • XML document that includes information about the identity provider & user
      • SAML, Liberty-Id-FF, WS-Federation
        • Key identity federation specifications/standards
      • Account-to-account linking
        • Linking of an individual user account at IP & SP
        • Accounts connected using some uniquely shared user identifier
        • Contrasts with many-to-1 federations
      • Activation/Provisioning
        • The process of enabling user account(s) to be federated
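Account-to-account linking and activation (this slide) have to be reconciled with the requirement on slide 15 to keep user identity information secret. One way to do both, shown here as an added example that is not from the presentation or from any vendor product: the Identity Provider derives a different persistent pseudonym for the same person at each Service Provider (an HMAC over the SP entity ID and the local user ID), so SPs cannot correlate users by comparing identifiers, while each SP still gets a stable key to link to its own account after a one-time activation step. The entity IDs, user names, secret and account numbers are constructed values, and the SP code assumes the caller has already authenticated the user locally before completing activation.

```python
"""Pairwise pseudonymous NameIDs and SP-side account-to-account linking.

Added example, not from the presentation. All entity IDs, users, secrets and
account numbers are constructed sample values.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Issues per-SP persistent pseudonyms for its locally authenticated users."""

    def __init__(self, entity_id: str, pairwise_secret: bytes):
        self.entity_id = entity_id
        self._secret = pairwise_secret  # long-lived; rotating it breaks every existing link

    def pairwise_name_id(self, local_user: str, sp_entity_id: str) -> str:
        # HMAC over (SP, user) is stable for that pair but unlinkable across SPs
        # without the secret; 16 bytes of output is ample for uniqueness here.
        msg = sp_entity_id.encode() + b"\x00" + local_user.encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ServiceProvider:
    """Maps (issuer, NameID) pairs to local accounts; unknown pairs need activation."""

    def __init__(self, entity_id: str, trusted_issuers: set[str]):
        self.entity_id = entity_id
        self.trusted_issuers = trusted_issuers
        self._links: dict[tuple[str, str], str] = {}
        self._activations: dict[str, tuple[str, str]] = {}  # one-time token -> pair

    def resolve(self, issuer: str, name_id: str):
        """Return the linked local account, or None if this pair was never activated."""
        if issuer not in self.trusted_issuers:
            raise ValueError("assertion from untrusted issuer %r" % issuer)
        return self._links.get((issuer, name_id))

    def start_activation(self, issuer: str, name_id: str) -> str:
        """First federated visit: issue a one-time token the user redeems after
        proving ownership of a local account (local login, invitation code, ...)."""
        if issuer not in self.trusted_issuers:
            raise ValueError("assertion from untrusted issuer %r" % issuer)
        token = secrets.token_urlsafe(16)
        self._activations[token] = (issuer, name_id)
        return token

    def complete_activation(self, token: str, local_account: str) -> bool:
        """Link the pair to the local account the user has just authenticated to.
        The caller is responsible for having verified that local authentication."""
        pair = self._activations.pop(token, None)
        if pair is None:
            return False  # unknown or already-used token
        if pair in self._links:
            return False  # never silently re-point an existing link
        self._links[pair] = local_account
        return True


def demo():
    """Walk one user through two SPs and return what each side observes."""
    idp = IdentityProvider("https://idp.example-agency.gov/", b"constructed-demo-secret")
    sp_tax = ServiceProvider("https://tax.example-service.gov/", {idp.entity_id})
    sp_health = ServiceProvider("https://health.example-service.gov/", {idp.entity_id})

    id_at_tax = idp.pairwise_name_id("alice", sp_tax.entity_id)
    id_at_health = idp.pairwise_name_id("alice", sp_health.entity_id)

    # First visit to the tax SP: no link yet, so activation is required
    before = sp_tax.resolve(idp.entity_id, id_at_tax)
    token = sp_tax.start_activation(idp.entity_id, id_at_tax)
    linked = sp_tax.complete_activation(token, "tax-account-1001")
    replayed = sp_tax.complete_activation(token, "tax-account-9999")
    after = sp_tax.resolve(idp.entity_id, id_at_tax)
    return {
        "distinct_ids_per_sp": id_at_tax != id_at_health,
        "stable": id_at_tax == idp.pairwise_name_id("alice", sp_tax.entity_id),
        "before": before, "linked": linked, "replayed": replayed, "after": after,
    }
```

The activation token is single-use and the link table refuses to overwrite an existing entry, so a second redemption of the same token, or an attempt to attach an already-linked federated identity to a different local account, fails closed rather than silently re-pointing access. A many-to-1 federation, where all users from a partner map onto one shared SP account, would replace the per-pair table with a single entry per issuer and would not need the activation step at all.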

  20. Questions?
