Post on 05-Jan-2016
description
Copyright 2006 Archistry Limited. All Rights Reserved.
SOA Federated Identity Management
How much do you really need?
Andrew S. TownleyFounder and Managing DirectorArchistry Limited
Public Information2 Copyright 2006 Archistry Limited. All Rights Reserved.
Agenda
DefinitionsBusiness drivers for federated identityApproaches to providing federated identityTechnical considerationsQuestions
Public Information3 Copyright 2006 Archistry Limited. All Rights Reserved.
Definitions
Federated system – integrates existing, possibly heterogeneous systems while preserving their autonomy
Association autonomy – the ability of a component system to decide whether and how to share its operations and resources with other systems
Federated identity – a shared name identifier agreed between partner services in order to share information about the user across organizational boundaries
Public Information4 Copyright 2006 Archistry Limited. All Rights Reserved.
Business Drivers
What are you trying to do?• Provide single sign-on (SSO)?• Support dynamic collaboration?• Provide a central point of access to
distributed services?
Who are the other participants?• Services controlled by a single
organization?• Services provided by trading
partners?• Parties with whom you have no
formal relationship?
Public Information5 Copyright 2006 Archistry Limited. All Rights Reserved.
Additional Considerations
Privacy and consent• Will the users use the system?• How will their privacy be protected?• How will you respond to a right to
access request?
Accountability• What mechanisms will be used for
identity proofing?• What mechanisms will ensure non-
repudiation of authentication?• How will you respond to claims of
fraudulent access?
Public Information6 Copyright 2006 Archistry Limited. All Rights Reserved.
Approaches
Don’t federate
Federated identity
Chain of trust
Federated authorization
Public Information7 Copyright 2006 Archistry Limited. All Rights Reserved.
Federated Identities
Leverages the identification/authentication of a trusted member of the federation (e.g. SAML IdP)
May or may not require local accounts at all service providers
Requires out-of-band business agreements between members of the federation
Does nothing more than assert a claim as to the identity of a user or request within a given context
Public Information8 Copyright 2006 Archistry Limited. All Rights Reserved.
Example: US Government E-Authentication Framework
Public Information9 Copyright 2006 Archistry Limited. All Rights Reserved.
Chain of Trust
Each participant responsible for authenticating only the members directly communicating with it
Information integrity must be assured by the information producer
Requires out-of-band business agreements between members of the federation
Each member of the chain is authenticated to the next—any other credential information is opaque
Ensures a sequence of participants can exchange information, but does not directly authenticate (or may not even identify) the original information producer
Public Information10 Copyright 2006 Archistry Limited. All Rights Reserved.
Example: Irish Government’s Reach Project
Public Information11 Copyright 2006 Archistry Limited. All Rights Reserved.
Federated Authorization
Federation defines the semantics of a particular set of profile attributes
Service provider association and access control is based on the presence of one or more attributes
Can be used in conjunction with federated identities or without them for dynamic collaboration
Still requires out-of-band business agreements between members of the federation
Can be used for more flexible and dynamic collaborations, but attribute negotiation may have privacy implications
Public Information12 Copyright 2006 Archistry Limited. All Rights Reserved.
Example: EU Driving License Regulations
Public Information13 Copyright 2006 Archistry Limited. All Rights Reserved.
Technical Considerations
How will the business agreements be managed electronically (Proprietary XML, SAML, XACML, WS-Policy or something else)?
Are the services provided asynchronously or synchronously? What is the temporal coupling between the services? Are the services provided to interactive users or automated
agents? How much information is necessary to identify the user to the
local service? Will the local services also support authentication and
management of their own user identities? Which is most important: the identity of the principal making
the request or the identity of the principal to which the request refers?
Who (or what) is actually making the request?
Public Information14 Copyright 2006 Archistry Limited. All Rights Reserved.
References
US E-Government Authentication Framework and Programs, IT Professional, May/June 2003, http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/it/&toc=comp/mags/it/2003/03/f3toc.xml&DOI=10.1109/MITP.2003.1202230
Technical Approach for the Authentication Service Component, Version 1.0.0, GSA (2004), http://www.cio.gov/eauthentication/documents/TechApproach.pdf
SAML V2.0 Technical Overview, Working Draft 10, http://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf
Liberty ID-WSF Web Services Framework Overview, Version 2.0, http://www.projectliberty.org/liberty/content/download/889/6243/file/liberty-idwsf-overview-v2.0.pdf
Access Control Management in a Distributed Environment Supporting Dynamic Collaboration, Shafiq, B. et al (2005), http://portal.acm.org/citation.cfm?id=1102503
Implementing a Federated Architecture to Support Supply Chains, Chadha, B. (2003), http://www.coensys.com/files/federation%20white%20paper%2003.PDF
A Distributed Trust Model, Abdul-Rahman, A., S. Hailes (1997), http://portal.acm.org/citation.cfm?id=283739
Access Control in Federated Systems, De Capitani di Vimercati, S. and Samarati, P. (1996), http://portal.acm.org/citation.cfm?id=304871
Public Information15 Copyright 2006 Archistry Limited. All Rights Reserved.
Turning innovation into business valueTM
Archistry Limited33 Pearse StreetSuite 115Dublin 2, Irelandwww.archistry.com
Phone +353 86 996 2490Fax +353 865 996 2490Email info@archistry.com