Identity Management Technology

1
Identity Management Technology

• Version 1.0

Dr. Horst Walther, SiG Software Integration GmbH,
2004-10-20 Lefkosia / Cyprus
2
Technology

• Evolution how did we get here?
• Directory services
• Metadirectory services
• Virtual directory services
• Provisioning systems
• Web Access Tools
• Standards

3
Evolution of Identity Management.

• Historically 3 independent streams ...
• The idea of a public key infrastructure (PKI) for
  a certificate base strong authentication can be
  tracked back to 1976,
• The CCITT1 today ITU-T2 published its 1st
  specification of a X.500- directory service in
  1988.
• Today common directory services are influenced by
  this development.
• 5 years later the NIST3 startet its work on
  role based access control (RBAC)4.
• Later mechanisms for role based access are based
  on these works.
• 1 Comite Consultatif Internationale de
  Télégraphie et Téléphonie
• 2 International Telecommunications
  Union-Telecommunication
• 3 National Institute of Standards Technology
• 4 RABC Role Based Access Control

• Independent sources

1988 X.500
1993 RBAC
1996 PKI
2001 IDM

• Components show a considerable functional overlap
  and cant easily be combined to form a full
  function Identity Management Infrastructure.

4
An Identity Management Architecture

5
The need for integration

• The typical Fortune 500 company reports that it
  maintains over 180 directories, like address
  repositories, phonebooks ... (Source Forrester
  Research).
• Many Applications and Systems maintain their own
  Identity-stores ...
• Operating systems Windows NT, 2003, XP, ...
• Database management systems ORACLE, DB2, ..
• Mail-Systems Outlook, Lotus NOTES, ...
• Service-Systems RACF, Firewalls, ...
• E-business-Systems Internet-Portals,
  e-Banking-Systems, ...
• Home-grown business applications.

6
Specialisations of database systems

• OLTP- database systems
• Transaction processing
• frequent Updates,
• short records,
• OLAP-database systems
• Analysis of pre-consolidated, redundant bulk data
  
• Directory Services,
• frequent read accesses,
• Special-DBMS optimised to (short) single record
  look-up.

• Despite all confusion on what directory services
  really are They are just specialised Database
  systems.

7
Integration via directory services

• A directory service offers a unified view on
  Identity Information

• The directory ...
• Used by many applications
• Enables the maintenance of Information at a
  single point.
• Offers a universal, easily usableinterface for
  access.
• Is the backbone of Intranet applications.

• Many systems maintain their own directory
• SAP HR, User management, accounts payable,
  accounts receivable, etc.
• RACF administration of privileges, Identities
  and Roles.
• Windows Active Directory / MS Exchange
• Lotus Notes Notes name and address book, ACLs
  per Notes-DB..

8
Evolution of directory services

• Triggers for further development ...
• In early times the Implementation was too
  demanding for the existing Hardware.
• Result Lightweight-DAP (X.500-access protocol),
  LDAP.
• Later war Hardware became less a bottleneck.
• A large amount of the identity information was
  stored in non-LDAP-Repositories already.
• Chance for virtual directory services ...
• Deliberately skipping the read optimisation.
• The directory access is simulated only
• The original data sources are accessed instead
• Increasing bandwidth of public networks led to a
  decreasing relevance of X.500-Protocols like DSP
  or DISP.
• Today XML-Dialects may turn out as an competitors
  to LDAP.

• Most Directory services originate from auf the
  X.500-Standards.

9
X.500 and LDAP How did it happen?

• LDAP offers
• 90 of the DAP-functionality at
• 10 of the Costs
• LDAP advantages over X.500-DAP are
• Runs directly over TCP eliminating the overhead
  of the OSI session and presentation layers
  required by DAP.
• Simplifies the X.500 functional model ,
• Uses string encoding rather than the ASN.1
  notation
• Frees clients from the burden of chasing
  referrals .
• LDAP hence offers
• A unifies access and
• A unified communication with directory services

10
X.500 vs. LDAP

• X.500 ...
• The first standard - published in 1993.
• Is a ISO- (International Standards Organisation)
  und ITU- (International Telecommunications Union)
  Standard.
• Defines how global directories should be
  structured.
• Follows a hierarchical organisation e.g.
  country, city, organisational unit, ...
• Supports X.400 Systems.
• Is the result of a long-winded work in the
  standardisation boards of the national Telecoms.
  
• (top-down-approach)

• LDAP ...
• The pragmatic approach of the Internet-community
  towards X.500.
• Stands for Lightweight Directory Access Protocol
  .
• Replaces X.500 / DAP.
• Was developed to enable access to X.500 to lean
  Clients (PCs).
• Skips X.500s communication basis, the (mighty)
  OSI-Protocol
• Uses the widely used TCP/IP.
• Is taken care by the Internet Engineering Task
  Force (IETF).
• They communicate via RFPs.
• (Bottom-Up- approach)

• The all encompassing standard -- vs. -- The easy
  access

11
X.500 - The Standards-Series

• X.500 11/93 Overview over Concepts, Models and
  Services
• X.501 11/93 Models
• X.509 11/93 Authentication-Framework
• X.511 11/93 Abstract Service Definition
• X.518 11/93 Services for distributed processing
• X.519 11/93 Protocol Specification
• X.520 11/93 Selected Attribute Types
• X.521 11/93 Selected Object Classes
• X.525 11/93 Replication
• X.581 11/95 Directory-Access Protocol
• X.582 11/95 Directory-System Protocol
• Source http//www.itu.ch/itudoc/itu-t/rec/x/x50
  0up.html

In use outside theX.500-world too.
Auch außerhalb von
12
Evolution of the Standards
RFC2251 LDAPv3RFC2252 Attribute Syntax
DefinitionRFC2253 UTF-8 String Representation of
DNRFC2254 String Representation for Search
FiltersRFC2255 URL FormatRFC2256 X.500 User
Schema for use with LDAPv3
X.500 Concepts, Models and ServicesX.501
ModelsX.509 Authentication-FrameworkX.511
Services DefinitionX.518 Distributed
ProcessingX.519 Protocol SpecificationX.520
Attribute TypesX.521 Object ClassesX.525
Replication
RFC2164 X.500/LDAP MIXER address
mappingRFC2247 Domains in X.500/LDAP DN
RFC2307 LDAP as Network Information Service
RFC2559 X.509 - LDAPv2
DRAFT LDIF inetOrgPerson
X.530 Access Protocol
RFC1487 X.500 LDAP v1RFC1488 String
Representation
Working Group LDUP
RFC1777 LDAP v2RFC1788 String Representation for
AttributesRFC 1779 String Representation for DN
Working Group LDAPext
RFC1823 LDAP API
RFC1959 LDAP URLRFC1960 String Representation
for Search Filters
1995
1996
1997
1998
1994
1993
1999
2000
13
Data and Directory Integration

• The Data and Directory Integration solution also
  serves as the foundation for security
  applications, such as
• Single Sign-On
• Password Management
• PKI Digital Certificate Services
• User Provisioning
• The consolidation of user data stores could
  result in increases in consistency by 44,
  accuracy by 36 and actual security by 33.META
  Group

14
Synchronisation of directory services (1)
HorizontalCoordination
No automated synchronisation amongDirectories(ef
fort rises exponential)
Non coordinatedSchemas
z.B.SunOne
Tivoli,TME10
LotusNotes
IBMRACFSec.Way
SAPR/3
MSADS
C/S
Host
Unix
Netw./SystemManagement
15
Synchronisation of directory services(2)
HorizontalCoordination
mutual synchronisation amongDirectories (effort
rises quadratically)
CommonSchema
. . .
CommonSchema plus.system specificExtensions
z.B.SunOne
Tivoli,TME10
LotusNotes
IBMRACFSec.Way
SAPR/3
MSADS
C/S
Unix
Host
Netw./SystemManagement
16
Synchronisation of directory services(3)
HorizontalCoordination
Synchronisation viaMeta-Directory
CommonSchema
CommonSchema plussystem specificExtensions
z.B.SunOne
Tivoli,TME10
LotusNotes
IBMRACFSec.Way
SAPR/3
MSADS
C/S
Unix
Host
Netw./SystemManagement
17
Architecture of an Identity Management System
Human Resource
Superior
Employee
applicants
Application workflow
Role Administration
central store for identities, groups, roles and
policies
ID Administration
Provisioning workflow
Audit Reconciliation
Target Systems
18
Integration via Federation

• Central-Model
• Network-Identity and user information in a single
  store,
• Centralised control,
• Single point of failure,
• Connects uniform Systems.

• Federated Model
• Network-Identity und user information in
  different stores
• No central Control
• No Single point of failure
• Connects uniform and non-uniform Systems

19
Federated Identity

• Managing and brokering trust relationships across
  multiple organizations with support for federated
  identities
• Federated scenarios
• Consumer convenience
• Related industry groupings
• Self-contained, highly
  distributed organizations
• Strategic B-to-B
  relationships

• Via opt-in to heterogeneous single sign on
  federation provides the link.

20
Questions, Suggestions, Hints?
Thank You !!
21
Stop, Appendix
From here on the back-up-slides follow ...