Introduction to Identity Management Systems
Ajay Daryanani, Middleware Engineer, RedIRIS / Red.es
Kopaonik, 13th March 2007
Outline
1. Reasons for IdM
2. IdM Roadmap
3. Definitions
4. Components and features
5. Tools and protocols
[Cartoon] Peter Steiner, The New Yorker, 5th July 1993
Outline
1. Reasons for IdM
2. IdM Roadmap
3. Definitions
4. Components and features
5. Tools and protocols
Reasons for IdM: User’s view
• Users WANT to:
- Check their reports
- Use the email
- Register for a course
- Borrow a book from the library
- Use the university’s Internet connection
- Read the documentation of a course
- …
Reasons for IdM: User’s view
• … and they WANT all this:
- Easily
- Safely
- Quickly
- In a flexible way
- Remotely
- Personalized
- Any more?
Reasons for IdM: Admin’s view
• System administrators HAVE to:
- Provide advanced services to their customers
- Safely
- Quickly
- Within the budget
- In a flexible way
- Improving the corporate image
- … and according to national laws!
Reasons for IdM: Admin’s view
• …and for this, they HAVE to:
- Manage hundreds/thousands of entries
- Manage several services
- Map users to services (1..N, 1..M)
- Use standards
- Include all possible use cases
- Understand and apply the law
- … without losing their private lives :-D
Outline
1. Reasons for IdM
2. IdM Roadmap
3. Definitions
4. Components and features
5. Tools and protocols
IdM Roadmap: First steps
• The simplest case
- Few users
- One application
- Solutions:
- DB
- Whitelist
- BasicAuth
IdM Roadmap: Childhood
• Growing up a bit
- Several users
- One/more applications
- May require different access roles (admin, student, professor)
- Solution: directories
IdM Roadmap: Maturity
• And more…
- Several users
- Several applications
- Same login for all services: Unified Login
- Avoiding re-authentication: Single Sign-On
IdM Roadmap: Going beyond
• And more… (out of scope of this workshop)
- Several users / apps
- Several domains
- Example: different universities, same country
- Solution: federations
IdM Roadmap: The last border (?)
• And even more… (far beyond this workshop)
- Several users / apps / domains
- Several federations
- Example: different countries
- Solution: “con-federations”
Outline
1. Reasons for IdM
2. IdM Roadmap
3. Definitions
4. Components and features
5. Tools and protocols
Definitions: (Digital) Identity
• Represents the digital personality of a subject
• Subject represents a user (human/machine)
• Personality is defined by means of attributes
• MUST be unique for a given domain
• MUST preserve user privacy!
• It’s your key for accessing the digital world
Definitions: (Digital) Credentials
• Identity is proved through credentials
• Examples:
- Real life: birth certificate, fingerprint
- Digital life: password, X.509 certificate
Definitions: Attribute
• Models a characteristic of the subject’s personality
• It is often viewed as a name/value(s) pair
• Valid attribute names (and values) are defined in a schema
• Used for access control, personal information, privacy, …
• Example:
- Namespace: urn:mace:terena:org:schac
- Attribute name: schacSn1
- Attribute value: Daryanani
Definitions: Authentication
• Process of proving that a subject is who he claims to be
• It verifies user identity
• Conveyed by means of credentials…
• … and obtaining authentication token(s)
• Examples of tokens:
- Real life: ID card, passport
- Digital life: cookie, Kerberos ticket
Definitions: Authorization
• Process of deciding if a user A is entitled to access service B
• 3 main profiles:
- Authentication = authorization
- Identity + attributes
- Negotiation on attributes to be exchanged
• Authorization can be simple… Profile 1: if (group = X) then accept
• Or as complex as you want
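The attribute and authorization slides above fit together in code. This is an added example, not the presenter's code: attributes are checked against a schema (the schac namespace and schacSn1 are from the slides; the other namespace, attribute names and the consumers are assumptions), the three authorization profiles become three small functions, and composable rules grow from the slide's "if (group = X) then accept" to whatever a service needs.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Constructed schema: the attribute names each namespace defines. The schac
# namespace and schacSn1 come from the slides; the other names are assumptions.
SCHEMA: Dict[str, Set[str]] = {
    "urn:mace:terena:org:schac": {"schacSn1", "schacHomeOrganization"},
    "urn:mace:dir:attribute-def": {"uid", "mail", "eduPersonAffiliation"},
}

@dataclass
class Identity:
    subject: str                      # unique within its domain; empty = not authenticated
    attributes: Dict[str, Set[str]] = field(default_factory=dict)  # name -> value(s)

Rule = Callable[[Identity], bool]

def unknown_attributes(identity: Identity, schema=SCHEMA):
    """Attribute names that no namespace in the schema defines."""
    known = set().union(*schema.values())
    return sorted(name for name in identity.attributes if name not in known)

# Profile "authentication = authorization": being authenticated is the decision.
def authenticated(identity: Identity) -> bool:
    return bool(identity.subject)

# Profile "identity + attributes": rules over attribute values, composable
# from the slide's simple "if (group = X) then accept" up to whatever is needed.
def require(attr: str, value: str) -> Rule:
    return lambda ident: value in ident.attributes.get(attr, set())

def all_of(*rules: Rule) -> Rule:
    return lambda ident: all(rule(ident) for rule in rules)

def any_of(*rules: Rule) -> Rule:
    return lambda ident: any(rule(ident) for rule in rules)

def authorize(identity: Identity, policy: Rule, schema=SCHEMA) -> bool:
    """Deny when the identity carries attributes outside the schema (they cannot be
    trusted to mean anything); otherwise require authentication and apply the policy."""
    if unknown_attributes(identity, schema):
        return False
    return authenticated(identity) and policy(identity)

# Profile "negotiation on attributes to be exchanged": the identity holder
# releases only what its release policy allows for this consumer (ARP read as
# attribute release policy) and the consumer actually asked for.
def negotiate_release(identity: Identity, requested: Set[str],
                      release_policy: Dict[str, Set[str]], consumer: str) -> Dict[str, Set[str]]:
    allowed = release_policy.get(consumer, set())
    return {name: identity.attributes[name]
            for name in requested & allowed if name in identity.attributes}

if __name__ == "__main__":
    ajay = Identity("ajay", {"schacSn1": {"Daryanani"}, "eduPersonAffiliation": {"staff"}})
    library_policy = any_of(require("eduPersonAffiliation", "student"),
                            require("eduPersonAffiliation", "staff"))
    print("library access:", authorize(ajay, library_policy))
```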
Definitions: Unified Login
• System that allows using the same identity for several services
• Does not imply unified authentication
• Example: using the same username/password for webmail and the Intranet
• Improves usability
• Eases identity management
• Targeted mainly at intra-domain services
Definitions: SSO
• Single Sign-On (SSO) is the process of authenticating once for all the accessible services
• Can also be interpreted as the mechanism for not re-authenticating:
- Between sessions on the same application
- Between different applications
• Authentication status is usually maintained through cookies (in a web environment)
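As an added example (not from the slides), here is the cookie mechanism the last bullet refers to, written the way a defender wants it: the single login mints an HMAC-signed cookie, and every application in the domain checks the signature and the age before accepting it in place of a new authentication. The key, the lifetime and the claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret: every application in the domain that honours the
# SSO cookie holds this key (assumption for the example; use a random key in practice).
SSO_KEY = b"constructed-example-key-not-for-real-use"
MAX_AGE = 8 * 3600   # SSO session lifetime in seconds; an assumed value

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(payload: str, key: bytes) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())

def issue_sso_cookie(subject: str, issued_at: int, key: bytes = SSO_KEY) -> str:
    """Minted once, at the single login: who was authenticated and when, plus a MAC
    that binds both so the browser cannot alter them."""
    claims = json.dumps({"sub": subject, "iat": issued_at}, separators=(",", ":"))
    payload = _b64(claims.encode())
    return f"{payload}.{_mac(payload, key)}"

def verify_sso_cookie(cookie: str, now: int, key: bytes = SSO_KEY, max_age: int = MAX_AGE):
    """Called by any application in the domain instead of re-authenticating.
    Returns the subject, or None whenever the cookie must not be trusted."""
    payload, sep, mac = cookie.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_mac(payload, key), mac):   # constant-time compare, before parsing
        return None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:          # bad base64 (binascii.Error), bad UTF-8 or bad JSON
        return None
    issued = claims.get("iat") if isinstance(claims, dict) else None
    if not isinstance(issued, int) or now < issued or now - issued > max_age:
        return None
    return claims.get("sub")
```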
Outline
1. Reasons for IdM
2. IdM Roadmap
3. Definitions
4. Components and features
5. Tools and protocols
Components: Simple picture
Borrowed from: JISC (UK)
Components: Complex picture
Borrowed from: JISC (UK)
Components: Identity Management Architecture
Borrowed from: Enterprise directory implementation Roadmap, NMI (US)
Components: Metadirectory
• Used to synchronize information from different data sources
• Provides unified view of records maintained at data sources
• Feeds the directory/directories
• Other features:
- Control flow of information
- Data transformation
- Data correlation
- Person identification
Components: Directory
• Centralized information repository
- Deep hierarchy
- Optimized for read access
- Can provide different views of the same information
• Directories need:
- Schema
- Attribute values
- Identifiers
Components: Data Sources
• Repositories where data is actually written
• An institution may have several sources:
- Alumni
- Payroll
- Departmental DBs
• Relational databases are an example of data sources
- Offer better write/update performance (vs. directories)
Components: Provisioning
• It’s the process of managing an identity
• Includes:
- Adding an account
- Modifying
- Suspending
- Resuming
• De-provisioning implies ending the lifecycle of an identity
• Resources can also be provisioned
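The metadirectory slide above and this provisioning slide describe one pipeline: correlate the records of the data sources into a unified view (data transformation, data correlation, person identification), then drive the identity lifecycle from the differences between that view and the directory. An added example of both steps, not the presenter's code; the two sources, their field names and the person-link table are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample records from two data sources; field names, identifiers
# and the link table are assumptions for the example.
SOURCES = {
    "payroll": [
        {"emp_no": "E100", "surname": "Daryanani", "given": "Ajay", "dept": "Middleware", "status": "active"},
        {"emp_no": "E101", "surname": "Doe", "given": "Jane", "dept": "Library", "status": "leave"},
    ],
    "students": [
        {"student_id": "S500", "last_name": "Doe", "first_name": "Jane", "programme": "CS"},
        {"student_id": "S501", "last_name": "Roe", "first_name": "Rick", "programme": "Law"},
    ],
}
SOURCE_KEY = {"payroll": "emp_no", "students": "student_id"}
# Person identification: which source identifiers belong to the same person.
# A metadirectory would derive this from a shared identifier or a matching rule.
PERSON_LINKS = {("payroll", "E100"): "p1", ("payroll", "E101"): "p2",
                ("students", "S500"): "p2", ("students", "S501"): "p3"}

def transform(source: str, rec: dict) -> dict:
    """Data transformation: map each source's fields onto directory attribute names."""
    if source == "payroll":
        return {"sn": rec["surname"], "givenName": rec["given"], "ou": rec["dept"],
                "affiliation": "staff", "active": rec["status"] == "active"}
    return {"sn": rec["last_name"], "givenName": rec["first_name"], "ou": rec["programme"],
            "affiliation": "student", "active": True}

def unified_view(sources=SOURCES, links=PERSON_LINKS) -> Dict[str, dict]:
    """Data correlation: one merged entry per person across all sources.
    Multi-valued attributes are collected; a person is active if any source says so."""
    unified: Dict[str, dict] = {}
    for source, records in sources.items():
        for rec in records:
            pid = links[(source, rec[SOURCE_KEY[source]])]
            entry = unified.setdefault(pid, {"uid": pid, "ou": set(), "affiliation": set(), "active": False})
            attrs = transform(source, rec)
            entry["ou"].add(attrs["ou"])
            entry["affiliation"].add(attrs["affiliation"])
            entry["active"] = entry["active"] or attrs["active"]
            entry["sn"], entry["givenName"] = attrs["sn"], attrs["givenName"]
    return unified

def provisioning_actions(directory: Dict[str, dict], unified: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Diff the directory against the unified view and emit identity lifecycle actions."""
    actions = []
    for pid, entry in unified.items():
        current = directory.get(pid)
        if current is None:
            actions.append(("add", pid))
        elif current["active"] and not entry["active"]:
            actions.append(("suspend", pid))
        elif not current["active"] and entry["active"]:
            actions.append(("resume", pid))
        elif current != entry:
            actions.append(("modify", pid))
    for pid in directory:
        if pid not in unified:          # gone from every source: end the lifecycle
            actions.append(("deprovision", pid))
    return sorted(actions)
```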
Components: Trust
• Do not trust anyone…
• … until it proves to be trustworthy!
• Should be maintained between a user and his identity holder
• But also between your identity holder and identity consumers
• Implies:
- Dependence on the trusted party
- Reliability of the trusted party
- Risk!!!
Components: Management Interfaces
• Administrators also have needs!
• Provide means for information homogenization
- Components from different parties are not always meant to cooperate with others
- Administrators may need tailored functionality
- IdM can be overwhelming :-D
• Allow users to manage (partially) their data => self-service
Components: Diagnostics
• What if something fails?
• IdM comprises different data sources and the interactions between them
• Useful mechanisms for diagnostics are auditing and logging
• IdMs lack features on diagnostics
- Although some proprietary solutions include diagnostic tools
• Recommendations:
- Log, log, log!!!
- Create custom management interfaces
- Do a good design
Components: Security and usability
• IdMs enhance security
- For identities: ARPs, data protection rules
- For applications: trust, cryptography
• De-provision
• But users are humans (and make mistakes: phishing!)
• IdMs improve user experience and satisfaction
Components: AAIs
• Authentication and Authorization Infrastructures (AAIs)
• All we have seen up to now is now viewed as an IdP (Identity Provider) …
• … as opposed to an SP (Service Provider)
• New actor: Attribute Authorities
• AAIs include communication protocols and profiles to connect these components
- Usually include SSO, federation capabilities…
Components: AAIs
• No user registration and user data maintenance needed at the resource
• Single login process for the users
• Enlarged user communities for resources
• Efficient implementation of inter-institutional access
Outline
1. Reasons for IdM
2. IdM Roadmap
3. Definitions
4. Components and features
5. Tools and protocols
Tools and protocols: Provisioning
• Resource provisioning is the provisioning of identities to the systems and services the identity has access to
• SPML
- Open standard protocol for the integration and interoperation of service provisioning requests
- It’s an OASIS standard
- http://www.oasis-open.org/
- http://www.openspml.org/
Tools and protocols: Trust
• Public Key Infrastructures (PKIs)
• Certificates are based on public keys
• Enables a digital certificate identifying an individual or an organization to be:
- Issued
- Revoked
- Validated
• Composed of:
- Root CA
- Certificate Authority (CA)
- Registration Authority (RA)
- Directory to store user certificates
- Certificate revocation lists (CRLs)
Tools and protocols: Feds and more
• Software for building federations:
- Shibboleth: http://shibboleth.internet2.edu/
- PAPI: http://papi.rediris.es
- A-Select: http://a-select.surfnet.nl
- Liberty Alliance protocols: http://www.projectliberty.org/
• Federation interoperability software:
- eduGAIN: http://www.terena.nl/activities/eurocamp/april06/slides/day2/eduGAIN.ppt
Tools and protocols: IdM suites
• Sun Microsystems: http://www.sun.com/software/products/identity/offerings.jsp
• Oracle: http://www.oracle.com/products/middleware/identity-management/identity-management.html
• IBM: http://www-306.ibm.com/software/sw-bycategory/
• Novell: http://www.novell.com/solutions/securityandidentity/
IdM References
• The Open Group: Identity Management: http://www.opengroup.org/projects/idm/uploads/40/9784/idm_wp.pdf
• Identifiers, Authentication, and Directories: Best Practices for Higher Education: http://middleware.internet2.edu/internet2-mi-best-practices-00.html
• Wikipedia: http://en.wikipedia.org/wiki/Identity_management
• … and Google, of course
Edificio Bronce, Plaza Manuel Gómez Moreno s/n, 28020 Madrid, Spain
Tel.: 91 212 76 20 / 25, Fax: 91 212 76 35
www.red.es