Identity Management Standards - PowerPoint PPT Presentation

1
Identity Management Standards
  • Conor P. Cahill
  • Principal Engineer
  • Intel Corporation

2
Agenda
  • SSO and Federation
  • Web Services
  • Advanced Clients

3
SSO and Federation
  • Introduction
  • SAML
  • WS-Federation
  • OpenID

4
Single Sign On
  • User browses to a Service Provider (SP)
  • The SP determines who the Identity Provider (IdP)
    for Jane is and sends an authentication request to
    the IdP
  • Optionally, the IdP interacts with Jane to
    authenticate her (not necessary if she's already
    authenticated)
  • IdP responds with a token for the user at GE

5
Federation Pseudonymity
(Diagram: Jane, known to the IdP IdentityIsMe as JaneJones, carries a different local identifier at each service provider: 123 at PuppiesRUs, 456 at AuctionsRUs, 789 at BooksRUs. A provider asking "What did Jane do there?" shares no identifier with the others.)
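The SSO steps of the previous slide and the pseudonymity picture on this one, as an added Python model that is not code from the presentation: the IdP (IdentityIsMe) authenticates Jane once, answers each SP's request with a token whose subject is a per-SP pseudonym, and the SP checks signature and audience before accepting it. The credential store, the HMAC standing in for the token signature, the pseudonym derivation and the 8-character identifiers are assumptions.

```python
import hashlib, hmac, json, secrets

IDP_KEY = secrets.token_bytes(32)         # constructed: IdP signing key (an HMAC stands in for the XML signature)
PSEUDONYM_SALT = secrets.token_bytes(32)  # constructed: IdP-private secret behind the per-SP pseudonyms

class IdentityProvider:
    """IdentityIsMe: authenticates Jane once, then names her differently to every SP."""
    def __init__(self):
        self.users = {"JaneJones": "jane-pw"}   # constructed credential store
        self.sessions = {}                       # browser session id -> user
    def login(self, user, password):            # slide 4 step 3, only needed when no session exists yet
        if self.users.get(user) != password: raise PermissionError("bad credential")
        sid = secrets.token_hex(8); self.sessions[sid] = user; return sid
    def pseudonym(self, user, sp):
        # pairwise identifier: stable for the same user at the same SP, unrelated across SPs
        return hmac.new(PSEUDONYM_SALT, f"{user}|{sp}".encode(), hashlib.sha256).hexdigest()[:8]
    def authn_response(self, sid, sp):          # slide 4 step 4: token for the user *at this SP*
        if sid not in self.sessions: raise PermissionError("not authenticated; login first")
        body = json.dumps({"subject": self.pseudonym(self.sessions[sid], sp),
                           "audience": sp, "issuer": "IdentityIsMe"})
        return body, hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    def __init__(self, name): self.name, self.logins = name, {}
    def consume(self, body, sig):               # SP side of slide 4 step 4
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected): raise PermissionError("bad signature")
        token = json.loads(body)
        if token["audience"] != self.name: raise PermissionError("token was issued for another SP")
        self.logins[token["subject"]] = self.logins.get(token["subject"], 0) + 1
        return token["subject"]                 # the SP's local id for Jane, like "123" on slide 5

def sso_session():
    """Jane logs in once at the IdP and then reaches two SPs; returns her id at each."""
    idp, puppies, auctions = IdentityProvider(), ServiceProvider("PuppiesRUs"), ServiceProvider("AuctionsRUs")
    sid = idp.login("JaneJones", "jane-pw")
    at_puppies = puppies.consume(*idp.authn_response(sid, "PuppiesRUs"))
    at_auctions = auctions.consume(*idp.authn_response(sid, "AuctionsRUs"))  # no second login needed
    return at_puppies, at_auctions
```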
6
SAML 2.0
  • OASIS Standard 2005
  • Single Sign On
    • Browser & ECP Profile
    • Authentication Context
    • IDP Discovery
    • Active & Passive
  • Pseudonymity
  • Single Log Out
  • Federation
    • Establishment
    • Management
  • Metadata
  • Implementations
    • Many, especially in enterprise

7
WS-Federation
  • Part of the WS-* suite from MS & IBM
  • Built atop WS-Trust
  • Passive and Active Profiles
  • Currently in the standardization process in OASIS
  • Implementations
    • Microsoft Active Directory (older version)

8
OpenID
  • Created to reduce blog SPAM (2006)
  • Easy to implement, minimal solution
  • Open source available
  • Lots of press and lots of buzz
  • AOL added OpenID for all users
  • MS agreed to support in the future
  • Working on extensions to add missing features
  • Implementations
    • Numerous, especially in blogosphere

9
SSO/Federation Timeline
  • Liberty ID-FF 1.0: Jul 2002
  • WS-Fed Draft 1: Jul 2002
  • SAML 1.0: Nov 2002
  • Liberty ID-FF 1.1: Jan 2003
  • Shibboleth OpenSAML 1.0: Jun 2003
  • Shibboleth OpenSAML 1.1: Aug 2003
  • SAML 1.1: Sept 2003
  • Liberty ID-FF 1.2: Oct 2003
  • SAML 2.0: March 2005
  • OpenID 1.0: May 2006
  • WS-Fed Draft 2: Dec 2006
  • WS-Fed: In Progress
  • OpenID 2.0: In Progress
  • Concordia: Just Starting
10
Identity-based Web Services
  • Liberty ID-WSF
  • WS-*

11
SSO & Web Services
(Diagram: the two flows side by side, with participants SP/WSC, IdP, DS and two WSPs; the browser asserts "It's Jane".)
  • SAML: The SP interacts with the IdP through
    Jane's browser to obtain the identity credential
    for Jane.
  • ID-WSF: The SP (acting as a WSC) interacts with
    the DS and Jane's WSPs in order to invoke
    services at the WSPs on Jane's behalf.
12
Sample ID-WSF Invocation Session
(Diagram: the session spans four services: Authentication, Discovery, Authorization and the Radio Service. The following slides number the messages between them.)
13
Radio Application Authentication
  • The Radio Client (RC) contacts the Authentication
    Service (AS) to authenticate the user Jim
  • The RC and AS exchange a series of messages to
    authenticate the user, depending upon the
    authentication algorithm being used (e.g. PLAIN,
    CRAM-MD5)
  • The AS validates the credential, locates the
    user's identity at the AS (LUID 123), generates a
    security token (T1) for the session and provides
    the client with both the token and information on
    how to get to the Discovery Service (DS). The
    security token includes:
    • User Identity at AS (LUID 123)
    • Issuer: AS
    • Issued for: AS
    • Issued to: (null)

14
Radio Application Discovery
  • The RC submits a discovery request for the Radio
    Service (RS) to the DS, including the security
    token (T1) obtained from the AS.
  • The DS looks up the user's RS and submits a
    request to the AS for a security token that the
    client can use to invoke the RS, including the
    security token (T1) provided by the RC.
  • The AS looks up the LUID for the user at the RS,
    generates a security token for the RS and
    returns it to the DS. The security token
    includes:
    • User Identity of the user at the RS
    • Issuer: AS
    • Issued for: RS
    • Issued to: (null)
  • The DS returns the token (T2) plus the
    information needed for the RC to access the RS.

15
Radio Application Service Invocation
  • The RC submits a radio service call to the RS,
    including the security token (T2) obtained from
    the DS.
  • The RS sends a discovery request to the DS for
    the Authorization Service (AZS), including the
    security token (T2) it received from the RC.
  • The DS looks up the user's AZS and submits a
    request to the AS for a security token that the
    RS can use to invoke the AZS, including the
    security token (T2) provided by the RS.
  • The AS looks up the user's LUID at the AZS,
    generates a security token (T3) for the AZS and
    returns it to the DS. The security token
    includes:
    • User Identity at AZS (LUID 789)
    • Issuer: AS
    • Issued for: AZS
    • Issued to: RS
  • The DS returns the token (T3) plus the
    information needed for the RS to access the AZS.
  • The RS invokes the AZS using the information and
    security token (T3) returned by the DS.
  • The AZS returns an authorization book (AB) to the RS
  • The RS processes the AB, figures out the appropriate
    response for the RC and returns the results
    for the query as well as a replacement security token
    (T4) to be used on subsequent calls

16
Radio Application Subsequent Invocation
  • The RC submits another radio service call to the
    RS including the replacement security token (T4)
    obtained from the RS.
  • The RS sees that it already has current
    authorization information, processes the request
    and sends a response back to the RC.
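As an added example (not code from the presentation), the following Python models the token chain of slides 13 to 16: the AS mints each token with the four fields listed on the slides, every service checks "Issued for" and "Issued to" before acting, and the RS serves a second call from its replacement token T4 without another AZS round trip. Service names, step numbers and LUIDs 123 and 789 follow the slides; the credential, the LUID 456 at the RS, the RS's cache and the "play" query are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    luid: str                  # user's identity at the service named in issued_for
    issuer: str                # who minted it: "AS", or "RS" for the replacement token T4
    issued_for: str            # the only service that may accept the token
    issued_to: "str | None"    # caller the token is bound to; None means any caller

LUIDS = {"AS": "123", "RS": "456", "AZS": "789"}  # constructed: Jim's LUID at each service
def accept(token, me, caller):  # the check every service applies before acting on a token
    return token.issued_for == me and token.issued_to in (None, caller)

class AS:  # Authentication Service: authenticates Jim and mints T1..T3
    def __init__(self): self.issued = set()
    def mint(self, svc, issued_to):
        t = Token(LUIDS[svc], "AS", svc, issued_to); self.issued.add(t); return t
    def authenticate(self, password):  # steps 1-3; PLAIN-style check on a constructed credential
        if password != "jim-secret": raise PermissionError("authentication failed")
        return self.mint("AS", None)   # T1: issued for AS, issued to (null)
    def token_for(self, presented, target, issued_to):  # steps 5 and 10: the DS presents T1 or T2
        if presented not in self.issued: raise PermissionError("token not issued by AS")
        return self.mint(target, issued_to)  # the LUID switches to the user's identity at target

def ds_discover(as_, target, presented, issued_to):  # Discovery Service (steps 4-6 and 9-11)
    return as_.token_for(presented, target, issued_to)

class AZS:  # Authorization Service (steps 12-13)
    def authorize(self, token):
        if not accept(token, "AZS", "RS"): raise PermissionError("AZS rejects token")
        return {"luid": token.luid, "allowed": ["play"]}  # the authorization book (AB)

class RS:  # Radio Service (steps 8-15, then the subsequent invocation of slide 16)
    def __init__(self, as_, azs): self.as_, self.azs, self.sessions, self.azs_calls = as_, azs, {}, 0
    def call(self, token, query):
        if token in self.sessions:  # replacement token T4: authorization already held, no AZS trip
            return f"{query}:ok", token
        if not accept(token, "RS", "RC"): raise PermissionError("RS rejects token")
        self.t3 = ds_discover(self.as_, "AZS", token, issued_to="RS")  # T3 is bound to the RS
        ab = self.azs.authorize(self.t3); self.azs_calls += 1
        if query not in ab["allowed"]: raise PermissionError("not authorized")
        t4 = Token(token.luid, "RS", "RS", "RC"); self.sessions[t4] = ab
        return f"{query}:ok", t4

def run_session():  # drives the session of slides 13-16; returns every token and the AZS call count
    as_ = AS(); rs = RS(as_, AZS())
    t1 = as_.authenticate("jim-secret")
    t2 = ds_discover(as_, "RS", t1, issued_to=None)
    _, t4 = rs.call(t2, "play"); _, t4b = rs.call(t4, "play")
    return {"t1": t1, "t2": t2, "t3": rs.t3, "t4": t4, "t4b": t4b, "azs_calls": rs.azs_calls}
```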

17
WS-*
  • Collection of composable standards driven by
    Microsoft & IBM
  • Developed internally, then submitted to a standards
    body
  • W3C: WS-Addressing, WS-Policy
  • OASIS: WS-Security, WS-Federation, WS-Trust,
    WS-SecureConversation, WS-SecurityPolicy, etc.

18
Liberty and WS-*
19
Liberty & WS-* futures
  • Liberty uses standardized specs
    • WS-Security
    • WS-Addressing
  • Concordia
    • Liberty initiated & supported
    • Cross-industry (not just Liberty) membership
    • Use case agreement
    • Drive/support industry convergence where
      appropriate

20
The Advanced Client
21
Evolution of Liberty-related Clients
  • Phase 1: Liberty Enabled Client/Proxy (LECP)
  • Phase 2: Active Client
  • Phase 3: Advanced Client (aka Intelligent Client)
  • Phase 4: Robust Client

22
Evolution: LECP
  • Liberty Enabled Client/Proxy
  • Facilitate SSO and Federation operations
    • Especially IDP Discovery
    • Authentication Request Direction
  • Browser plug-in and/or Proxy server
  • Incorporated into SAML 2.0 as ECP

23
Evolution: Active Client
  • AKA LUAD
  • Local Web Services Consumer (WSC)
    • Radio Service client
    • Calendar Service client
  • Liberty ID-WSF Authentication Service
    • SOAP profile of SASL
    • Supports any authentication protocol
  • Enabled SSO into Web Services

24
In Progress: Advanced Client
  • The client as an extension of the IdP
  • Off-line and privacy enabling modes
  • Strong local authentication
  • Locally hosted/managed services
  • Reporting

25
Intel's Identity Capable Platform
  • An Intel Research Project
  • Examining how use of Advanced Client technologies
    can improve both security and usability

26
The Identity Capable Platform
(Diagram: a Device/Computer whose Operating System hosts the Browser and App(s), alongside a Secure Partition hosting the Identity Capable Platform: an Identity Manager holding several iMIDs.)
27
Provisioning an Identity in the ICP
  • The Identity Provider registers the Identity to
    be provisioned at the Provisioning Service
  • The Identity Provider sends a reference to the
    identity to the browser with instructions to send
    the reference to the Identity Manager.
  • The browser submits the identity reference to the
    Identity Manager
  • The Identity Manager dereferences the identity at
    the Provisioning Service and gets back the
    Identity
  • The Identity Manager instantiates the Identity
    within the ICP.
(Diagram: the five steps drawn over the platform of the previous slide: Device/Computer, Operating System, Browser, App(s), Secure Partition, Identity Capable Platform, Identity Manager, iMID.)
28
More Information
  • Liberty: http://www.projectliberty.org
  • OpenID: http://openid.net
  • My blog: http://conorcahill.blogspot.com
  • Email: Conor.P.Cahill at - intel.com