SESAM - Federation Services for the Automotive Industry (slide transcript, 28 April 2008)
EIC 2008, Wolfgang Jodl, BMW Group, Page 1
SESAM – Services Standards for the Automotive: Federation Services.
Business Scenarios Leveraging Federation Services Standards
for the Automotive Industry.
Wolfgang Jodl
SESAM. Agenda.
The BMW Group
Challenges for the Automotive Industry
Business scenarios using Federation Services
Technical aspects and influences of Federation Services
Classification of federation scenarios – federation patterns
Discussion
BMW Group. Premium Brands BMW, MINI and Rolls-Royce.
BMW Group. Company Information.

                                        2007        2006        2005
BMW Group workforce                  107,539     106,575     105,798
BMW Group revenues (in € million)     56,018      48,999      46,656
BMW Group car deliveries           1,500,678   1,373,970   1,327,992
BMW Group profit (in € million)        3,873       4,124       3,287
BMW Group. IT Community.

Facts:
3 GDCs (Americas/Asia/EMEA)
13 locations on all continents
Approx. 3,000 employees
80,000 clients, 40% notebooks
More than 6,000 servers
3 mainframe installations
Thousands of (web) applications
3 main portals (B2B, B2D, B2E)
Several federated/trusted local portal solutions
SESAM. Challenges.

Business processes and relationships are changing fast:

Trend towards cooperations
  Enormous effort for developing new components (e.g. engines)
  Trend towards component-based assembly and development
  Flexible usage of on-demand capacities
Fast integration of mergers and acquisitions
  Time-to: fast integration into the existing infrastructure and processes
  In the past this was mainly about integrating infrastructures; now it is a question of process integration (as it should be).
Flexibility and cost reduction
  Fast service integration is a major topic
  SaaS promises flexibility without too tight an integration
SESAM. Challenges & Consequences.

IT must be flexible and adaptive towards new business needs.
  User-centric process chain integration with external partners, online services or SaaS providers
  Trend towards SaaS (Software-as-a-Service) models
All of these challenges result in process-oriented integration of various systems across different companies:
  Collaborative engineering, design, development and manufacturing
  X-as-a-Service models
  Flexible customer services
  …
Federation can help solve the user-centric process and application integration challenge.
SESAM. Federation Business Scenarios.

[Diagram: a chain of process steps alternating between BMW and an external partner, linked by Federated SSO. Caption: User-centric process integration for joint ventures and cooperations.]
SESAM. Federation Business Scenarios.

[Diagram: BMW Federation Services (a federation server inside the BMW corporate network) in a FEDERATION TRUST with the federation server of an external service provider that hosts services and applications (e.g. SaaS). B2X users from the Internet log in with a c-Account, B2X users from the Intranet with a q-Account (labelled LAAS). The WS-Federation token carries Group Claims, an Identity Claim and Custom Claims, which the service provider maps against its user/role store. Caption: Hosted Services & Applications (e.g. SaaS).]
SESAM. Federation Business Scenarios.

[Diagram: inside the BMW corporate network, a FEDERATION TRUST links the B2X user store (LDAP) to Active Directory; the B2X user is mapped to a Windows user. Caption: Internal Federation Gateways.]
SESAM. Federation Business Scenarios.

[Diagram: a BMW customer uses BMW Customer Online Services and BMW Vehicle Online Services; Applications 1 to 4 are hosted partly by BMW and partly by a third-party service provider and connected through Federated SSO. Caption: Hosted Customer and Vehicle Online Services.]
SESAM. "Federation Services" in Everyday Life.
EIC 2008, Tobias Frech, iC Consult, Page 13

SESAM. Speaker Change.

TOBIAS FRECH
iC Consult GmbH, Keltenring 14, 82041 Oberhaching
SESAM. Federation Services.

[Diagram: an employee of Company A authenticates at Company A's Identity Provider (IdP), backed by its Identity Management; a FEDERATION TRUST links the IdP to Company B's Service Provider (SP), which receives a Federation Token (SAML 1.x, SAML 2.0 or WS-Federation) and performs authentication and authorization for the Application.]
SESAM. Federation Deployment Scenarios.

Single IdP to single SP
  Cooperation, joint ventures
  SSO integration of different security infrastructures
Many IdPs to single SP
  Collaboration platforms
  SaaS platforms
Single IdP to many SPs
  Portal integration of external services
  Externally hosted applications
Real-life deployments
  Mixed infrastructures with different federation products and protocols
[Diagram: the four topologies drawn with Identity Provider and Service Provider boxes; the last one shows Companies A, B and C each running their own Identity Providers and Service Providers.]
SESAM. Requirements and Federation Protocols.

[Diagram: the three protocols SAML 1.x, SAML 2.0 and WS-Federation positioned against the labels "Microsoft compatible (SharePoint, Outlook Web Access)", "Open Source", "Widely distributed", "Most common", "Enhanced security", "Metadata support" and "Enhanced features".]

Different federation protocols for different requirements.
What are the requirements? What fits best for your needs?
What protocols are supported by the partner?
SESAM. Impact on IdM & Supporting Processes.

Efficient federation deployments require standardization of federation integration for:
Identity Management
Application Integration
Permission Management
User Helpdesk
Incident Management
Auditing
…
SESAM. Federation Patterns.

Standardization with patterns:
[Diagram: Identity Provider and Service Provider, each with its own Permission Management box; the two variants are labelled "IdP managed Permissions" and "SP managed Permissions".]
SESAM. IdP managed Permissions.

[Diagram: on the Identity Provider side, Identity Management, Permission Management and a Directory; the Federation Token carries an Identity Claim, Attributes 1, 2, … and Permissions 1, 2, …; on the Service Provider side the token feeds Authorization for the Application.]
SESAM. IdP managed Permissions.

Permissions are transferred with the federation token.
Impact on IdP side:
  Permission management for SP applications
Impact on SP side:
  No external accounts needed
  Requires a strong trust relationship to the IdP
  The EAM infrastructure must handle federated user sessions
Typical scenario: externally hosted applications
SESAM. SP managed Permissions.

[Diagram: on the Identity Provider side, Identity Management and a Directory; the Federation Token carries only an Identity Claim; on the Service Provider side, User Mapping links the claim to a Directory with Shadow Accounts, and the SP's own Identity Management and Permission Management drive Authorization for the Application.]
SESAM. SP managed Permissions.

Permissions are attached to shadow accounts on the SP side.
Impact on IdP side:
  Only the identity claim is transferred with the federation token
Impact on SP side:
  Requires a shadow account on the SP side
  Permission management at the shadow account
  The identity claim is mapped to the shadow account
  How to map identities: account mapping, account linking, pseudonym linking, …
Typical scenario: confidential collaboration platforms
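The two patterns (IdP-managed permissions carried in the token; SP-managed permissions attached to a shadow account that the identity claim is linked to) and the claims-to-role-store mapping of the hosted-services scenario, as one SP-side example in Python. This is an added example, not code from the slides, from BMW, from iC Consult or from the SESAM project. The entity IDs, permission names, the shadow account and the shared secrets are constructed, and a JSON payload with an HMAC-SHA256 signature stands in for a real SAML or WS-Federation token, which would carry an XML signature checked against the IdP's certificate; the trust checks (issuer, signature, audience, validity window, replay) are the same ones an SP performs on the real token.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed trust configuration of one SP. Entity IDs, keys and claim names are illustrative
# assumptions, not values from BMW, iC Consult or the SESAM project.
SP_ENTITY_ID = "https://sp.example.com/app"
TRUSTED_IDPS = {
    # Pattern 1, IdP-managed permissions: permissions travel in the token; the SP accepts only
    # the ones it has agreed this IdP may assert.
    "https://idp.partner-a.example": {
        "key": b"partner-a-signing-secret",  # HMAC stands in for the IdP's signing key
        "pattern": "idp-managed",
        "allowed_permissions": {"cad:read", "cad:write", "bom:read"},
    },
    # Pattern 2, SP-managed permissions: only an identity claim travels; the SP links it to a
    # shadow account that carries the permissions.
    "https://idp.partner-b.example": {"key": b"partner-b-signing-secret", "pattern": "sp-managed"},
}
# Shadow accounts at the SP, keyed by (issuer, identity claim). The claim may be a pseudonym chosen
# by the IdP: the SP never learns the real account name, it only links the pseudonym.
SHADOW_ACCOUNTS = {
    ("https://idp.partner-b.example", "pseudo-7f3a"): {"local_account": "ext-b-0042",
                                                        "permissions": {"cad:read"}},
}
CLOCK_SKEW = 60             # seconds of tolerated clock difference between IdP and SP
SEEN_ASSERTION_IDS = set()  # replay protection: assertion IDs already consumed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer: str, key: bytes, subject: str, extra: dict, now: float) -> str:
    """IdP side: compact federation token, JSON payload plus HMAC-SHA256 signature."""
    payload = {"id": str(uuid.uuid4()), "iss": issuer, "aud": SP_ENTITY_ID, "sub": subject,
               "nbf": int(now) - 5, "exp": int(now) + 300, **extra}
    body = json.dumps(payload, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def verify_token(token: str, now: float) -> dict:
    """SP side: issuer trust, signature, audience, validity window, replay, in that order."""
    body_b64, sig_b64 = token.split(".")
    body = _unb64(body_b64)
    claims = json.loads(body)  # parsed only to find the issuer; trusted after the signature check
    idp = TRUSTED_IDPS.get(claims.get("iss"))
    if idp is None:
        raise PermissionError("untrusted issuer")
    expected = hmac.new(idp["key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise PermissionError("bad signature")
    if claims.get("aud") != SP_ENTITY_ID:
        raise PermissionError("token not addressed to this SP")
    if not claims["nbf"] - CLOCK_SKEW <= now <= claims["exp"] + CLOCK_SKEW:
        raise PermissionError("token outside its validity window")
    if claims["id"] in SEEN_ASSERTION_IDS:
        raise PermissionError("replayed assertion")
    SEEN_ASSERTION_IDS.add(claims["id"])
    return claims

def authorize(claims: dict) -> dict:
    """Effective permissions according to the pattern agreed with the issuing IdP."""
    idp = TRUSTED_IDPS[claims["iss"]]
    if idp["pattern"] == "idp-managed":
        # Strong trust in the IdP, but not blind trust: anything outside the agreed set is dropped.
        granted = set(claims.get("permissions", [])) & idp["allowed_permissions"]
        return {"subject": claims["sub"], "local_account": None, "permissions": sorted(granted)}
    shadow = SHADOW_ACCOUNTS.get((claims["iss"], claims["sub"]))
    if shadow is None:
        raise PermissionError("no shadow account linked to this identity claim")
    return {"subject": claims["sub"], "local_account": shadow["local_account"],
            "permissions": sorted(shadow["permissions"])}

def demo(now: float) -> dict:
    """Both patterns plus two failure modes; returns the outcomes instead of printing them."""
    idp_a, idp_b = "https://idp.partner-a.example", "https://idp.partner-b.example"
    tok_a = issue_token(idp_a, TRUSTED_IDPS[idp_a]["key"], "alice@partner-a",
                        {"permissions": ["cad:read", "admin:all"]}, now)
    tok_b = issue_token(idp_b, TRUSTED_IDPS[idp_b]["key"], "pseudo-7f3a", {}, now)
    tok_x = issue_token(idp_b, TRUSTED_IDPS[idp_b]["key"], "pseudo-unknown", {}, now)
    out = {"idp_managed": authorize(verify_token(tok_a, now)),
           "sp_managed": authorize(verify_token(tok_b, now))}
    for name, tok in (("replay", tok_a), ("unlinked", tok_x)):
        try:
            authorize(verify_token(tok, now))
            out[name] = "accepted"
        except PermissionError as err:
            out[name] = str(err)
    return out

if __name__ == "__main__":
    print(json.dumps(demo(time.time()), indent=2))
```

The point of the whitelist in the IdP-managed branch is the "strong trust relationship" the slide asks for: the partner's IdP is trusted to assert permissions, but only the ones written into the federation agreement, so a compromised or misconfigured IdP cannot mint "admin:all" for its users. In the SP-managed branch an identity claim without a linked shadow account is refused rather than auto-provisioned, which is what makes the pattern suitable for confidential collaboration platforms.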
SESAM. Other Federation Challenges.

Legal issues and requirements
  Service quality contracts
  Security policies
Organizational issues
  Support responsibilities and incident management
  Monitoring of federation services
  How to organize incident management in federation deployments? Different SLAs, time zones, …
Technical issues
  How to transport the authentication type/level (e.g. strong authentication)?
  Session handling (SSO, SLO, timeouts)
  How to ensure privacy? (Pseudonyms, encryption)
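Three of the technical issues listed above, as an added Python example that is not from the slides or from BMW, iC Consult or the SESAM project: carrying the authentication level as a SAML 2.0 AuthnContext class reference and demanding a minimum level per application, deriving a persistent per-SP pseudonym at the IdP, and an SP session store with idle and absolute timeouts that honours single logout by the IdP's session index. The numeric level ranking, the application names and the timeout values are assumptions.

```python
import hashlib
import hmac

# (1) Authentication level. The URIs are standard SAML 2.0 AuthnContext class references (the same
# information travels as an authentication-method claim in WS-Federation); the numeric ranking is an
# SP policy assumption, not part of either standard.
AUTHN_LEVEL = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}
# Minimum level each (constructed) SP application demands.
APP_REQUIRED_LEVEL = {"cad-viewer": 2, "supplier-contracts": 3}


def authn_level(context_class: str) -> int:
    """Unknown or missing context classes rank as 0: the SP never rounds an unknown method upward."""
    return AUTHN_LEVEL.get(context_class, 0)


def access_decision(app: str, context_class: str) -> str:
    """'allow', or 'step-up' when the IdP has to re-authenticate the user more strongly first."""
    return "allow" if authn_level(context_class) >= APP_REQUIRED_LEVEL[app] else "step-up"


# (2) Privacy. A persistent pseudonym per (user, SP) pair, derived at the IdP under a secret key: each
# SP gets a stable identifier it can link to a shadow account, two SPs cannot correlate their users,
# and nobody without the key can recover the real user id from the pseudonym.
def pairwise_pseudonym(idp_secret: bytes, user_id: str, sp_entity_id: str) -> str:
    msg = f"{sp_entity_id}\x00{user_id}".encode()  # NUL separator so "a"+"bc" and "ab"+"c" differ
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()[:32]


# (3) Session handling. Idle and absolute timeouts, plus single logout keyed by the IdP's session
# index so one LogoutRequest ends every application session that login produced.
class FederatedSessionStore:
    def __init__(self, idle_timeout: int, max_lifetime: int):
        self.idle_timeout, self.max_lifetime = idle_timeout, max_lifetime
        self._sessions = {}  # local session id -> {"index", "subject", "created", "last_seen"}

    def create(self, local_id: str, session_index: str, subject: str, now: float) -> None:
        self._sessions[local_id] = {"index": session_index, "subject": subject,
                                    "created": now, "last_seen": now}

    def is_active(self, local_id: str, now: float) -> bool:
        """Refreshes the idle timer on success; drops the session on either expiry."""
        s = self._sessions.get(local_id)
        if s is None:
            return False
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.max_lifetime:
            del self._sessions[local_id]
            return False
        s["last_seen"] = now
        return True

    def single_logout(self, session_index: str) -> list:
        """Handle the IdP's LogoutRequest: terminate every local session spawned by that IdP login."""
        doomed = sorted(k for k, s in self._sessions.items() if s["index"] == session_index)
        for k in doomed:
            del self._sessions[k]
        return doomed

    def active_count(self) -> int:
        return len(self._sessions)
```

Two design choices worth noting: the level comparison is done by the SP, because the IdP can only state how the user authenticated, not whether that is enough for a given application; and the pseudonym is keyed by the SP's entity ID, so the same user appears under different, stable names at each partner, which is exactly what the "pseudonym linking" mapping option on the SP-managed permissions slide needs.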
EIC 2008, Wolfgang Jodl, BMW Group, Page 24

SESAM. BMW Federation Engagements & Projects.

SESAM is also an official project at Odette (www.odette.org). SESAM is about:
  making Federation Services useful for the automotive industry,
  agreeing on names, trust, and organisational and legal best practices.
VTS "Virtual Team Spaces":
  Integrating internal portals with different security infrastructures and different identity stores.
Externally Hosted Dealer Applications:
  Integrating external applications into the existing dealer portal without tight application integration.
SESAM. Contact.

Wolfgang Jodl (e-mail address not preserved in the transcript), +49-(0)89-382-31997
Daniel [surname and e-mail address not preserved in the transcript], +49-(0)89-382-34954
Thank you for your attention.
Imprint:
Editor
BMW Group
Communication BMW Group IT
80788 München
Reproduction, even in parts, must be approved by
Bayerische Motorenwerke Aktiengesellschaft, München.
Patents may be pending on some concepts.
©2008 Bayerische Motorenwerke Aktiengesellschaft