Process-based Identity & Access Management · 2008-04-28 · Dennis Attinger, Stuart Boardman...
Dennis Attinger, Stuart Boardman
Philips/CGI
München, 24 April 2008
Process-based Identity & Access Management
Challenges in an extended enterprise model
• Dennis Attinger (Philips)
• Stuart Boardman (CGI)
Philips/CGI, DAT/SBO, München, 24 April 2008 2
What you can expect from us
• Present the problem domain
• Compare solutions and architectural options
• Present the concept and solution approach
• Present 1st phase of pilot and experiences
• Compare with alternative solution for the concept
• Future Phases
Assumptions and Principles
• The business paradigm is Extended Enterprise
• The design paradigm is Service Oriented Architecture. No assumptions on technology.
• Objective is:
– to realize the SOA “promise of Agility”
– to have Security as an integral part of Architecture and not as an “after-thought”
[Figure: The Extended Enterprise. Business processes, directed by capabilities and delivered by services, span employees, customers, partners, suppliers and agents.]
SOA in the Real-World
• Service-Oriented Architecture as the architectural style:
– Promise of Agility:
• Mirror real-world activities
• Boundaryless Information Flow
• Re-use
– Design on Business Process level
– Implement by using Open Standards
Service-Oriented Architecture
Service:
• HW: PC cards (on a PC-bus)
• SW: code with a defined function (on an Enterprise Service Bus)
• Business: activity (as part of a process)
A service is a logical representation of a repeatable business activity that has a specified outcome.
Services are coupled with each other in an orchestrated process chain.
[Figure: example process chain: PO creation → Customer login/check → Customer approval → three Process Order steps → Release for shipping.]
Service-Oriented Architecture: getting complex along the way
[Figure: users in roles 1, 2 … n invoke processes 1 and 2, which are assembled from composites 1, 2 … n, which in turn call services 1, 2 … n; the same pattern is repeated across several domains. Source: Rob Hailstone, IDC]
Extended Enterprise and SOA: Real-World Issues for IAM
• Two requirements in tension:
– Security view:
• Controlling who is actually entitled to use what
– Compliance view:
• Ensuring traceability and legitimacy of all transactions
• Current “afterthought” approaches:
– Security as an afterthought
• Each user and its credentials must be known to each service
– Architecture as an afterthought
• Multiple access mechanisms managing the “same” entities
Problem Statement
• If security or architecture is an afterthought these issues arise:
– Services are coupled to security functionality – forget re-use
– Identities propagated to all access mechanisms – forget agility
• Complexity – performance, maintenance and governance risk – can lead to security risks
• Managing growing numbers of identities across eCommerce, SOA and legacy apps
• Why give all users access rights to those back end systems?
• We’re looking for:
– a solution that closely follows the A in SOA thinking
– a solution which is extensible (well adapted to change)
Line of Thinking
• Services are coupled with each other in an orchestrated Process chain…..
– Process view in SOA taken as conceptual starting point
– Promise of Agility largely based on a Processes focus
1. Identity propagation takes the service as the point of authorisation
2. Taking the process as the point of authorisation is the architectural approach
Process as the point of authorization
Identity flow
[Figure: the process chain from the earlier slide (PO creation → Customer login/check → Customer approval → three Process Order steps → Release for shipping), annotated with the identity flow along the chain.]
Conceptual Solution
• Agent based, PEP/PDP solution
• Two identity contexts – user and service
• Identities exist only in relevant contexts
• Access control rights driven
• No identity (or role) mapping required
• Audit compliance per transaction based on transaction characteristics
• Requires correlation across multiple logs
Service Layering
[Figure: Business Process Services sit on top of Business Services (task-oriented and entity-oriented), which sit on Application Services (utility services and component services) over the Enterprise Business Applications; Infrastructure Services run alongside. Partners, Customers, Suppliers and Agents consume from the top.]
Current Thinking: decoupled security architecture
[Figure: decoupled security architecture. The Portal passes an ID assertion through a Policy Enforcement Point to a Business Service; the Business Service passes an ID & attribute assertion through further Policy Enforcement Points to the Application Services. All Policy Enforcement Points consult one Policy Decision Point, which is fed by Identity Management and Policy Management.]
• Policies can be changed centrally and rolled out without touching business logic
• Developing standards can be rolled out centrally
• Many ready-to-use agents (policy enforcement points) available
• Move security out of service design and into deployment
Component View of Service and IAM
[Figure: component view. Partners, Customers, Suppliers and Agents enter through the Portal (Policy Enforcement Point) in the User Identity Context, where a Federation Id-Provider handles authentication, registration and authorization and issues an assertion (token, roles, claims), and User Provisioning maintains accounts. Business Process Services (BPMS) and the ESB carry the call into the Service Identity Context, where Policy Enforcement Points on the Business Services and Application Services obtain authorization and assertion insertion from the Policy Decision Point before the Enterprise Business Applications are reached. Each layer writes an Audit Log; a Correlation step joins the logs.]
Component View Solution
[Figure: component view of the solution. Web Server and Portal Server with Policy Enforcement Points in the User Identity Context; Federation and a User Provisioning Engine with its Repository; BPMS and ESB; Policy Enforcement Points on the Business Services and Application Services in the Service Identity Context, all served by a Policy Server (Policy Decision Point, Policy Administration, Repository) in front of the Enterprise Business Applications. Consumers: Partners, Customers, Suppliers, Agents.]
Component View Solution
[Figure: component view of the solution with logging. Same components as the previous slide, plus a Correlation & Reporting Engine (SIM) fed by the Log of every component. Labels on the arrows show what each hop carries: Web Server – user id / token; Portal Server and BPMS – token, process id; ESB – token, process id; Policy Enforcement Point – token, process id, service id; written to the logs – service id, process id. Policy Server: Policy Decision Point, Policy Administration, Repository; User Provisioning Engine. Consumers: Partners, Customers, Suppliers, Agents.]
The Fulfillment Process
[Figure: Order Products (BPS) calls Capture Order, Validate Order, Place Order and Manage Order (BS); Manage Order calls Order from LOB 1 and Order from LOB 2 (AS). Every call passes a Policy Enforcement Point backed by the Policy Decision Point and is logged. What flows at each hop: user id / token → token (user) → user id / token, provider (service) → token, consumer (service), provider → token, consumer, provider, order # → consumer (service) id, provider, order # → consumer (service) id, LOB order #. A Correlator ties the LOB order numbers back to the order number.]
Deployment View – Phase 1
[Figure: Phase 1 deployment. (App) Order Products on JBoss; (WS) Place Order, (WS) Validate Order and (WS) Manage Order on JBoss behind Apache Agents (PEP); BPM and ESB on JCAPS behind an Apache Agent (PEP); (WS) Order from LOB1 and (WS) Order from LOB2 on JBoss in front of the apps “SAP 1” and “SAP 2”; CA SOA Security Mgr as PDP.]
Legend: Apache HTTP Server; CA SOA Security Manager; JBOSS Application Server; Sun JCAPS 5.3; CGI Octopus BAM (Correlation); SAP.
An example log
16:16:22,750 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process started (date=1204125382750) [place_order:1204125382750:127.0.0.1]
16:16:22,881 INFO (- place_order:1204125382750:127.0.0.1 -) [PlaceOrderAction] Placing order...
16:16:22,911 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderPlacerWeb] Passing control to OrderValidator
16:16:22,931 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderValidatorWeb] Order has been validated
16:16:22,941 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderPlacerWeb] Passing control to OrderManager
16:16:23,462 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Managing order for
16:16:23,482 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Electric Shaver (1)
16:16:23,512 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Flat TV (LCD, 32") (1)
16:16:23,662 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] to be sent to Herr Joe Bloggs at Niederkasseler Lohweg 175, Düsseldorf 40549
16:16:23,662 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Passing control to LOB002
16:16:23,682 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB2Web] Placing order with SAP
16:16:23,712 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Placing order for
16:16:23,712 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Electric Shaver (1)
16:16:23,712 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] to be sent to Herr Joe Bloggs at Niederkasseler Lohweg 175, Düsseldorf 40549
16:16:23,722 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB2Web] Order successfully placed. Assigned Order No. dd9cb66d-29d2-4f17-81b8-5df84d2b2905
16:16:23,722 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Passing control to LOB001
16:16:23,732 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB1Web] Placing order with SAP
16:16:23,752 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Placing order for
16:16:23,752 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Flat TV (LCD, 32") (1)
16:16:23,752 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] to be sent to Herr Joe Bloggs at Niederkasseler Lohweg 175, Düsseldorf 40549
16:16:23,762 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB1Web] Order successfully placed. Assigned Order No. 5413d8b8-b162-4f04-ae4f-ad73dcc95b16
16:16:23,762 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Order successfully managed. Assigned Order No. 83ae304d-39c5-4783-9362-58cb8711a861
16:16:23,772 INFO (- place_order:1204125382750:127.0.0.1 -) [PlaceOrderAction] Order has been placed (Order No.:83ae304d-39c5-4783-9362-58cb8711a861)
16:16:23,772 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process terminated (date=1204125383772) [place_order:1204125382750:127.0.0.1]
Legend: lines from the portal log file, the services log file and the SAP log file.
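The log above shows what the correlation requirement of the conceptual solution rests on: the process id `place_order:1204125382750:127.0.0.1` is repeated in the context field of every line, whether it was written by the portal, the services or the SAP stub. As an added example (not the CGI Octopus correlator used in the pilot), the following Python script merges such lines from three files on that process id, collects the order numbers each component assigned, and raises two compliance findings: activity under a process id that was never started, and an SAP placement inside a process in which no order was validated. The split of the slide's lines into three files, the second process id and the finding rules are constructed for the example.

```python
"""Correlating the pilot's three log files on the process id.

Added example, not the pilot's correlation engine. The assignment of lines
to portal / services / SAP files and the finding rules are assumptions.
"""
import re
from dataclasses import dataclass, field

# Line shape used on the slide: "HH:MM:SS,mmm LEVEL (- context -) [component] message"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d,\d{3}) (?P<lvl>\w+) \(- (?P<ctx>\S+) -\) "
    r"\[(?P<comp>\w+)\] (?P<msg>.*)$")
START_RE = re.compile(r"process started .*\[(?P<pid>\S+)\]$")
END_RE = re.compile(r"process terminated .*\[(?P<pid>\S+)\]$")
ORDER_RE = re.compile(r"Assigned Order No\. (?P<no>[0-9a-f-]{36})")

# Lines copied from the slide (first process id) plus one constructed anomaly:
# a second process id that shows up only in the SAP log.
PORTAL_LOG = """\
16:16:22,750 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process started (date=1204125382750) [place_order:1204125382750:127.0.0.1]
16:16:22,881 INFO (- place_order:1204125382750:127.0.0.1 -) [PlaceOrderAction] Placing order...
16:16:23,772 INFO (- place_order:1204125382750:127.0.0.1 -) [PlaceOrderAction] Order has been placed (Order No.:83ae304d-39c5-4783-9362-58cb8711a861)
16:16:23,772 INFO (- 127.0.0.1 -) [PlaceOrderAction] place_order process terminated (date=1204125383772) [place_order:1204125382750:127.0.0.1]
"""
SERVICES_LOG = """\
16:16:22,911 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderPlacerWeb] Passing control to OrderValidator
16:16:22,931 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderValidatorWeb] Order has been validated
16:16:22,941 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderPlacerWeb] Passing control to OrderManager
16:16:23,662 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Passing control to LOB002
16:16:23,722 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB2Web] Order successfully placed. Assigned Order No. dd9cb66d-29d2-4f17-81b8-5df84d2b2905
16:16:23,722 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Passing control to LOB001
16:16:23,762 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderFromLOB1Web] Order successfully placed. Assigned Order No. 5413d8b8-b162-4f04-ae4f-ad73dcc95b16
16:16:23,762 INFO (- place_order:1204125382750:127.0.0.1 -) [OrderManagerWeb] Order successfully managed. Assigned Order No. 83ae304d-39c5-4783-9362-58cb8711a861
"""
SAP_LOG = """\
16:16:23,712 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Placing order for
16:16:23,752 INFO (- place_order:1204125382750:127.0.0.1 -) [SAP] Placing order for
16:16:40,100 INFO (- place_order:1204125400000:10.0.0.7 -) [SAP] Placing order for
"""


@dataclass
class ProcessTrace:
    pid: str
    started: bool = False
    terminated: bool = False
    steps: list = field(default_factory=list)    # (ts, source, component, message)
    orders: dict = field(default_factory=dict)   # component -> assigned order number
    findings: list = field(default_factory=list)


def parse(source, text):
    """Yield (ts, source, fields) for every well-formed line of one log file."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m["ts"], source, m.groupdict()


def correlate(logs):
    """Merge several log files on the process id carried in each line's context."""
    events = [ev for src, text in logs.items() for ev in parse(src, text)]
    events.sort(key=lambda ev: ev[0])        # assumes the hosts share a clock
    traces = {}
    for ts, source, f in events:
        ctx, msg = f["ctx"], f["msg"]
        if m := START_RE.search(msg):
            traces.setdefault(m["pid"], ProcessTrace(m["pid"])).started = True
            continue
        if m := END_RE.search(msg):
            traces.setdefault(m["pid"], ProcessTrace(m["pid"])).terminated = True
            continue
        if ":" not in ctx:                   # bare client address, not a process id
            continue
        t = traces.setdefault(ctx, ProcessTrace(ctx))
        t.steps.append((ts, source, f["comp"], msg))
        if m := ORDER_RE.search(msg):
            t.orders[f["comp"]] = m["no"]
    for t in traces.values():
        validated = any(c == "OrderValidatorWeb" and "validated" in m
                        for _, _, c, m in t.steps)
        placements = sum(1 for _, _, c, m in t.steps
                         if c == "SAP" and m.startswith("Placing order"))
        if not t.started:
            t.findings.append("activity for a process id that was never started")
        elif not t.terminated:
            t.findings.append("process started but never terminated")
        if placements and not validated:
            t.findings.append(f"{placements} SAP placement(s) without a validated order")
    return traces


def report():
    return correlate({"portal": PORTAL_LOG, "services": SERVICES_LOG, "sap": SAP_LOG})


if __name__ == "__main__":
    for t in report().values():
        print(t.pid, "orders:", t.orders, "findings:", t.findings or "none")
```

Run it directly to get one line per process id. The merge sorts on the line timestamp, so it assumes the three hosts keep synchronised clocks; a real correlation engine has to check that, or carry a sequence number in the process context instead.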
Technical aspects
• Process ID: place_order:6098504983:joebloggs
• HTTP; SOAP; WS-Security; WSDL stack
– Consumer identity in HTTP header
– Provider address in HTTP header
– Process ID in SOAP header
• PEP currently only inspects HTTP
• ESB requires proxy WSDL
• Introduction of BPEL – pros and cons
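To make the Conceptual Solution and the technical aspects above concrete, here is an added Python sketch (not the pilot's CA SOA Security Manager configuration) of a PDP that takes the process rather than the service as the point of authorization, and of a PEP agent that reads the consumer identity from an HTTP header and the process id from a SOAP header. User identity is checked once, when the process is started; inside the process only the service identity context is evaluated (which consumer may call which provider, within which process), so no identity or role mapping is needed at the service. The header names, the SOAP header namespace, the process and service names and the policy tables are assumptions. Note that the pilot's PEP inspected only HTTP; this sketch parses the SOAP header as well.

```python
"""Process as the point of authorization: a PDP/PEP sketch.

Added example; not the pilot's code. Header names, namespace and policy
tables are assumptions made for the example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PID_NS = "urn:example:process-id"      # assumed namespace of the process-id header

# Rights are granted on the process: which role may start which process.
PROCESS_RIGHTS = {
    "customer": {"place_order"},
    "sales_agent": {"place_order", "manage_order"},
}
# Which provider services an orchestration of each process may reach.
PROCESS_SERVICES = {
    "place_order": {"PlaceOrder", "ValidateOrder", "ManageOrder",
                    "OrderFromLOB1", "OrderFromLOB2"},
    "manage_order": {"ManageOrder"},
}
# Service identity context: which consumer service may call which provider.
SERVICE_CALLS = {
    "OrderProducts": {"PlaceOrder"},
    "PlaceOrder": {"ValidateOrder", "ManageOrder"},
    "ManageOrder": {"OrderFromLOB1", "OrderFromLOB2"},
}


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


class ProcessPDP:
    """User identity is evaluated once, at process start; every service call
    is then authorized on (consumer, provider, process id) only."""

    def __init__(self):
        self._started = {}               # process id -> user who started it

    def start_process(self, user, role, process_id):
        process = process_id.split(":")[0]   # "place_order:<nonce>:<user>"
        if process not in PROCESS_RIGHTS.get(role, set()):
            return Decision(False, f"role {role} may not start {process}")
        self._started[process_id] = user
        return Decision(True, f"{user} started {process_id}")

    def decide(self, consumer, provider, process_id):
        if process_id not in self._started:
            return Decision(False, "unknown or unstarted process id")
        process = process_id.split(":")[0]
        if provider not in PROCESS_SERVICES.get(process, set()):
            return Decision(False, f"{provider} is not part of {process}")
        if provider not in SERVICE_CALLS.get(consumer, set()):
            return Decision(False, f"{consumer} may not call {provider}")
        return Decision(True, "permit")


class ServicePEP:
    """Agent in front of one provider service: consumer identity from an HTTP
    header, process id from the SOAP header, verdict from the PDP."""

    def __init__(self, pdp, provider):
        self.pdp, self.provider = pdp, provider

    def enforce(self, http_headers, soap_envelope):
        consumer = http_headers.get("X-Consumer-Id")     # assumed header name
        try:
            root = ET.fromstring(soap_envelope)
        except ET.ParseError:
            return Decision(False, "malformed SOAP envelope")
        pid = root.find(f"{{{SOAP_NS}}}Header/{{{PID_NS}}}ProcessId")
        if not consumer or pid is None or not (pid.text or "").strip():
            return Decision(False, "missing consumer identity or process id")
        return self.pdp.decide(consumer, self.provider, pid.text.strip())


def soap_request(process_id, body_xml):
    """Build a SOAP 1.1 envelope carrying the process id in its header."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Header>'
            f'<p:ProcessId xmlns:p="{PID_NS}">{process_id}</p:ProcessId>'
            f'</s:Header><s:Body>{body_xml}</s:Body></s:Envelope>')


def demo():
    """Walk the fulfilment chain from the slides; returns the PEP verdicts."""
    pdp = ProcessPDP()
    pid = "place_order:6098504983:joebloggs"        # id format from the slides
    out = {"start": pdp.start_process("joebloggs", "customer", pid).permit}
    validate = ServicePEP(pdp, "ValidateOrder")
    req = soap_request(pid, "<ValidateOrder/>")
    out["valid"] = validate.enforce({"X-Consumer-Id": "PlaceOrder"}, req).permit
    out["wrong_consumer"] = validate.enforce({"X-Consumer-Id": "OrderProducts"}, req).permit
    out["unknown_pid"] = validate.enforce(
        {"X-Consumer-Id": "PlaceOrder"},
        soap_request("place_order:1:mallory", "<ValidateOrder/>")).permit
    lob1 = ServicePEP(pdp, "OrderFromLOB1")
    out["lob_from_manage"] = lob1.enforce(
        {"X-Consumer-Id": "ManageOrder"}, soap_request(pid, "<Order/>")).permit
    # A manage_order process may use ManageOrder but must not reach the LOB services.
    pid2 = "manage_order:6098504984:agent7"
    pdp.start_process("agent7", "sales_agent", pid2)
    out["outside_process"] = lob1.enforce(
        {"X-Consumer-Id": "ManageOrder"}, soap_request(pid2, "<Order/>")).permit
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'permit' if verdict else 'deny'}")
```

Two caveats a deployment has to close that the sketch leaves open: the process id is a bearer value here, so whoever learns it can present it, which is why the token should travel with it (WS-Security) and the nonce in the id must be unguessable; and the PDP's table of started processes never expires, so a terminated process should be removed when its end-of-process event is logged.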
Groenendael 30-10-2007
Another Viewpoint – Finance Sector Company
• Stricter view of user domain – stops at Business Process Service
• All user management external – identity provider created
– User management looks outward
– Possible collaboration with other enterprises
– Service to consumers
• Strongest possible Identity 2.0 approach – using InfoCard
• Company specific scenario:
– Many external parties – customers, partners, agents
– Existing federated governance
– No real Business Service layer (BPS -> AS -> legacy)
• But well adapted to changing business models
Alternative Solution (NL Finance Co.)
[Figure: alternative solution at a NL finance company. Partners, Customers, Suppliers and Agents authenticate against an external Identity Provider (with its own User Provisioning Engine and Repository) in the User Identity Context; Web Server, Portal Server and a Policy Enforcement Point sit at the edge. BPM/ESB and the Business Process Services call the Application Services directly (no Business Service layer) through a further Policy Enforcement Point, governed by a Policy Server (Policy Decision Point, Policy Administration) in the Service Identity Context, in front of the Enterprise Business Applications.]
Future Phases
• Phase 2
– Introduce real SAP applications in place of the stubbed components.
– Enhance Services to ensure sufficient and correct information passed to (and received from) SAP
– Introduce a Correlation Engine.
• Phase 3
– Implement a “real” ordering scenario with more services
– Enhance usability if necessary
– Implement BPMS
– Introduce a real portal
– Finalize configuration framework
• Phase 4
– Stress testing – scale up LDAP and transaction volume
Deployment View – Phase 2
[Figure: Phase 2 deployment. As Phase 1, with (WS) Order from LOB1 and (WS) Order from LOB2 now in front of real SAP LOB 1 and SAP LOB 2 systems and CGI Octopus added for Correlation. (App) Order Products on JBoss; (WS) Place Order, (WS) Validate Order and (WS) Manage Order on JBoss behind Apache Agents (PEP); BPM/ESB on JCAPS behind an Apache Agent (PEP); CA SOA Security Mgr as PDP.]