
Slide 1 (CS 6204, Spring 2005)

Federated Identity Concept

Muhammad Abu-Saqer

Some definitions and images are taken from:

1. Workshop slides by Tony Nadalin (IBM) and Chris Kaler (Microsoft)

2. http://msdn.microsoft.com/

3. http://www.cs.virginia.edu/~acw/security/

Slide 2 (CS 6204, Spring 2005)

Paper Overview

♦ The paper describes the issues around federated identity management and presents a comprehensive solution.

Slide 3 (CS 6204, Spring 2005)

Federation terminology

♦ Federation
  – A collection of realms/domains that have established trust. The level of trust may vary, but typically includes authentication and may include authorization.
  – The technology and business arrangements necessary to interconnect users, applications, and systems. Federated systems can interoperate across organizational and technical boundaries (i.e., various operating systems or security platforms).

♦ Trust
  – The characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or make a set of assertions about subjects and/or scopes.

♦ Single Sign On
  – An optimization of the authentication sequence to remove the burden of repeated actions placed on the end user.

Slide 4 (CS 6204, Spring 2005)

Federated ATM Network

[Figure: labels read "Account Number and PIN", "Home Bank Network", "Visiting Bank Network", "Funds" and "Network of Trust".]

Slide 5 (CS 6204, Spring 2005)

The Federation Model

♦ The appeal of federation is that it is intended to allow a user to seamlessly traverse different sites within a given federation.

♦ Once trust relationships are established between the federation participants, one participant is able to authenticate a user and then act as an issuing party.

♦ The other federation participants become relying parties.

Slide 6 (CS 6204, Spring 2005)

What is the federated identity management problem?

♦ There is no single entity or company that can centrally manage or control identity information.

♦ In some cases businesses would like to outsource some security functions to parties that manage identity, but they cannot because:
  1. There are no third-party identity providers serving the market.
  2. There is no business liability model that makes it safe to rely on them.

♦ Other businesses want to leverage the identity information they maintain to enable additional business interactions, but:
  – Establishing the trust mechanism that allows entities to be federated across businesses is difficult.
  – They are afraid of the risk of damaging their reputation if any security penetration occurred.

Slide 7 (CS 6204, Spring 2005)

Who has the federated identity management problem?

♦ Medium and large organizations that use identity information to provide services to customers, e.g. a university offering online services such as ordering a transcript.

♦ Medium and large organizations that do business with one another and need to exchange information about individuals' identities (e.g. an airline and a rental car agency, or a hospital and a health insurance provider).

♦ Organizations that need to integrate business applications across the enterprise and its chain of suppliers and customers (and need to authorize employees to conduct transactions on behalf of the organization).

Slide 8 (CS 6204, Spring 2005)

The Problem

Slide 9 (CS 6204, Spring 2005)

The primary goals of a federated identity service are:

♦ Reduce the cost of identity management by reducing duplication of effort.

♦ Leverage the work existing identity managers have already done by giving other parties access to the relevant identity information.

♦ Preserve the autonomy of all parties, so that an identity manager's choice of operating system, network protocols, etc. does not impose the same choice on its partners.

♦ Respect businesses' pre-existing trust structures and contracts.

♦ Protect individuals' privacy by giving the user control over which attributes other parties in the federation may access.

♦ Build an open standard to enable secure, reliable transactions.

Slide 10 (CS 6204, Spring 2005)

Advantages of the federation model

♦ Flexibility: companies can easily build new services to deliver innovative business models or link their value-chain network to partners.

♦ Convenient navigation: allows end-users and partners to navigate easily between websites without constantly authenticating themselves.

♦ Less administration: there is no need to administer a large and rapidly changing base of identities that are not under the control of the company.

♦ Safely satisfies the needs of businesses that are unwilling to give their customers' information to a business partner.

Slide 11 (CS 6204, Spring 2005)

Three components enable the federation

♦ Identity provider: simply the entity that provides identity (defined precisely later).

♦ Attribute service: provides a way to federate access to authorized attributes for federated identities.
  – The attribute owner has full control to decide which of his attributes may be exposed to other parties in the federation.

♦ Pseudonym service: provides a mapping mechanism that can be used to facilitate the mapping of trusted identities across federations, to protect privacy and identity.

Slide 12 (CS 6204, Spring 2005)

WS-Federation Terms

♦ Authorities
  – Security Token Service (STS): a Web service that issues security tokens; it makes assertions based on evidence that it trusts, to whoever trusts it.
  – Identity Provider (IP): an entity that acts as an authentication service to end requestors (an extension of a basic STS).

♦ Principals
  – Requestor
  – Resource
  – Other Services

Slide 13 (CS 6204, Spring 2005)

Direct Trust Token Exchange

[Figure: boxes labelled Requestor, IP/STS and Resource; arrows labelled "Trust", 1 "Get identity token", 2 "Get access token" and 3.]
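Added example, not from the slides or from the WS-Federation specification: a Python sketch of the three-step direct-trust exchange in the figure above, read as an IP/STS in the requestor's realm plus an STS in the resource's realm that trusts it directly (that reading, the realm names ip.home.example and sts.resource.example, the user store and the HMAC keys are all assumptions of this example; a real deployment signs tokens with certificates rather than shared HMAC keys). The point it shows is that each party verifies only against the issuer it has a trust relationship with, and the resource never sees the user's password.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: one HMAC key per token issuer.
IP_STS_KEY = b"home-realm-ip-sts-key"
RESOURCE_STS_KEY = b"resource-realm-sts-key"

# Constructed credential store behind the requestor's IP/STS.
USERS = {"fred": "correct horse battery staple"}

# Direct trust: the resource realm's STS holds the keys of the issuers it
# trusts. A token from any other issuer is rejected before it is parsed further.
TRUSTED_ISSUERS = {"ip.home.example": IP_STS_KEY}

RESOURCE_STS_NAME = "sts.resource.example"
TOKEN_LIFETIME_S = 300


def sign_token(claims: dict, key: bytes) -> str:
    """Encode the claims and append an HMAC-SHA256 tag (format: body.tag)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes, audience: str) -> dict:
    """Check tag, expiry and audience before believing any claim in the token."""
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature check failed")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    if claims["aud"] != audience:
        raise ValueError("token not addressed to this party")
    return claims


def issue_identity_token(user: str, password: str) -> str:
    """Step 1: the home IP/STS authenticates the requestor and issues an
    identity token addressed to the resource realm's STS."""
    if not hmac.compare_digest(USERS.get(user, ""), password):
        raise PermissionError("authentication failed")
    claims = {"iss": "ip.home.example", "sub": user,
              "aud": RESOURCE_STS_NAME, "exp": time.time() + TOKEN_LIFETIME_S}
    return sign_token(claims, IP_STS_KEY)


def exchange_for_access_token(identity_token: str, resource: str) -> str:
    """Step 2: the resource realm's STS accepts the identity token only from a
    trusted issuer and, if it verifies, issues an access token for one resource."""
    body, _ = identity_token.rsplit(".", 1)
    # The issuer claim is read unverified only to select the verification key;
    # nothing else is trusted until verify_token() has passed.
    issuer = json.loads(base64.urlsafe_b64decode(body)).get("iss")
    if issuer not in TRUSTED_ISSUERS:
        raise PermissionError(f"no trust relationship with issuer {issuer!r}")
    claims = verify_token(identity_token, TRUSTED_ISSUERS[issuer], RESOURCE_STS_NAME)
    access = {"iss": RESOURCE_STS_NAME, "sub": claims["sub"], "aud": resource,
              "exp": time.time() + TOKEN_LIFETIME_S}
    return sign_token(access, RESOURCE_STS_KEY)


def resource_accepts(access_token: str, resource: str) -> str:
    """Step 3: the resource trusts only its own realm's STS; returns the subject."""
    return verify_token(access_token, RESOURCE_STS_KEY, resource)["sub"]


def run_exchange(user: str, password: str, resource: str) -> str:
    """Steps 1-3 end to end; returns the subject the resource accepted."""
    id_tok = issue_identity_token(user, password)
    acc_tok = exchange_for_access_token(id_tok, resource)
    return resource_accepts(acc_tok, resource)


if __name__ == "__main__":
    print(run_exchange("fred", "correct horse battery staple", "weather-report"))
```

Presenting the identity token straight to the resource fails (wrong key and wrong audience), as does an identity token from an issuer the resource STS has no trust relationship with; those two checks are what the "Trust" arrow in the figure stands for.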

Slide 14 (CS 6204, Spring 2005)

Attribute Service

♦ Scenario: suppose you visit a weather site for the current weather; it provides a personalized response because it knows your zip code.

♦ Why it worked:
  – Policy indicated an attribute service
  – Identity information was used to find the zip code
  – The weather service was authorized to access the zip code

♦ The specification defines the concept of an attribute service but not a specific interface.

Slide 15 (CS 6204, Spring 2005)

Attribute Service Example

♦ Attributes may have associated authorization rules (scope).

♦ Each attribute may have its own access control and privacy policy.

Slide 16 (CS 6204, Spring 2005)

Attribute Scoping

[Figure: one person's attributes as held under three realm labels, fabrikam123.com, business456.com and example.com. The attribute groups appear to be: Zip: 12309, FN: Fred, ID: 3442, Nick: Freddo; ID: FJ454, Nick: Fredster; ID: 3-55-34, …]

Model allows for attributes to be scoped.
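Added example, not from the slides or from the specification (which defines no attribute-service interface): a Python attribute service that implements the weather scenario of slide 14 and the per-attribute policy of slides 15 and 16. The store is constructed from the figure's values; the realm names weather.example and the reader sets on each attribute are assumptions of this example. Each attribute carries its own reader policy, so a requesting realm receives only what the owner scoped to it, and anything else is reported as denied rather than leaked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopedAttribute:
    """An attribute value plus the set of realms its owner allows to read it."""
    value: str
    readers: frozenset


# Constructed store modelled on the scoping figure: the same person holds
# different attributes under different realm-specific IDs, and every attribute
# has its own access policy (the reader sets are assumptions of this example).
ATTRIBUTE_STORE = {
    ("fabrikam123.com", "3442"): {
        "FN": ScopedAttribute("Fred", frozenset({"fabrikam123.com", "business456.com"})),
        "Zip": ScopedAttribute("12309", frozenset({"fabrikam123.com", "weather.example"})),
        "Nick": ScopedAttribute("Freddo", frozenset({"fabrikam123.com"})),
    },
    ("business456.com", "FJ454"): {
        "Nick": ScopedAttribute("Fredster", frozenset({"business456.com"})),
    },
}


def get_attributes(realm, subject_id, requesting_realm, requested):
    """Return (granted, denied) for one request.

    Only attributes whose policy lists the requesting realm are released.
    Unknown attribute names are treated exactly like unauthorized ones, so a
    requester cannot probe which attributes exist."""
    try:
        attrs = ATTRIBUTE_STORE[(realm, subject_id)]
    except KeyError:
        raise LookupError("unknown subject") from None
    granted, denied = {}, []
    for name in requested:
        attr = attrs.get(name)
        if attr is not None and requesting_realm in attr.readers:
            granted[name] = attr.value
        else:
            denied.append(name)
    return granted, denied


def set_policy(realm, subject_id, name, readers):
    """Owner-side control from slide 11: replace the reader set of one attribute."""
    attrs = ATTRIBUTE_STORE[(realm, subject_id)]
    attrs[name] = ScopedAttribute(attrs[name].value, frozenset(readers))


if __name__ == "__main__":
    # The weather site asks for more than it is allowed to see and gets only the zip code.
    print(get_attributes("fabrikam123.com", "3442", "weather.example", ["Zip", "FN", "Nick"]))
```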

Slide 17 (CS 6204, Spring 2005)

Pseudonym Service

♦ This service provides a mechanism for associating alternate identities.

♦ Pseudonyms represent alternate identities:
  – Depends on the scope of the request
  – Subject to authorization control
  – Can be integrated with the IP/STS

Slide 18 (CS 6204, Spring 2005)

Pseudonym Example

[Figure: Requestor, IP, B456.com Pseudonym Service and B456.com Resource, with a "Trust" relationship and numbered steps 1, 2 and 3. Identity labels: "Fred", an address at F123.com and an address at B456.com (the local parts of the e-mail addresses are obfuscated in the source).]
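Added example, not from the slides or the specification: a Python pseudonym service of the kind slides 17 and 18 describe. It is an assumption of this example that the service sits with the IP of the home realm (here F123.com), that the user must authorize each target realm before a pseudonym is issued, and that pseudonyms are derived with a keyed HMAC so they are stable for one realm but unlinkable across realms; the key and realm names are constructed.

```python
import hashlib
import hmac


class PseudonymService:
    """Maps one trusted identity to a different opaque pseudonym per target
    realm, so two relying realms cannot link their views of the same person."""

    def __init__(self, home_realm: str, key: bytes):
        self.home_realm = home_realm
        self._key = key          # constructed secret; never leaves the service
        self._consent = set()    # (identity, target_realm) pairs the user authorized
        self._reverse = {}       # (target_realm, pseudonym) -> identity

    def authorize(self, identity: str, target_realm: str) -> None:
        """Authorization control: the subject opts in to being known at one realm."""
        self._consent.add((identity, target_realm))

    def revoke(self, identity: str, target_realm: str) -> None:
        self._consent.discard((identity, target_realm))

    def pseudonym_for(self, identity: str, target_realm: str) -> str:
        """Scope-dependent alternate identity: same input, same pseudonym, but a
        different (and unrelated) pseudonym for every other target realm."""
        if (identity, target_realm) not in self._consent:
            raise PermissionError("subject has not authorized a pseudonym for this realm")
        msg = f"{identity}|{target_realm}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        pseudonym = f"{digest[:12]}@{target_realm}"   # local part reveals nothing about 'identity'
        self._reverse[(target_realm, pseudonym)] = identity
        return pseudonym

    def resolve(self, target_realm: str, pseudonym: str) -> str:
        """Only the IP side can map a pseudonym back, and only while consent stands."""
        identity = self._reverse[(target_realm, pseudonym)]
        if (identity, target_realm) not in self._consent:
            raise PermissionError("authorization for this realm was revoked")
        return identity


if __name__ == "__main__":
    svc = PseudonymService("F123.com", b"constructed-pseudonym-key")
    svc.authorize("Fred", "B456.com")
    print(svc.pseudonym_for("Fred", "B456.com"))
```

Because the local part is an HMAC output, B456.com learns a usable, stable handle for "Fred" without learning the name itself, and a third realm given its own pseudonym cannot correlate it with B456.com's.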

Slide 19 (CS 6204, Spring 2005)

References

♦ White paper titled "Federation of Identities in a Web Services World"
  – http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-federation-strategy.asp

♦ WS-Federation Feedback Workshop
  – http://www-106.ibm.com/developerworks/offers/WS-Specworkshops/ws-fed200311.html

♦ Federation of Identities in a Web Services World
  – http://msdn.microsoft.com/ws-federation/