Transcript of SOA Federated Identity Management

Page 1: SOA Federated Identity Management

Copyright 2006 Archistry Limited. All Rights Reserved.

SOA Federated Identity Management

How much do you really need?

Andrew S. Townley, Founder and Managing Director, Archistry Limited

Page 2: SOA Federated Identity Management


Agenda

Definitions
Business drivers for federated identity
Approaches to providing federated identity
Technical considerations
Questions

Page 3: SOA Federated Identity Management


Definitions

Federated system – integrates existing, possibly heterogeneous systems while preserving their autonomy

Association autonomy – the ability of a component system to decide whether and how to share its operations and resources with other systems

Federated identity – a shared name identifier agreed between partner services in order to share information about the user across organizational boundaries

Page 4: SOA Federated Identity Management


Business Drivers

What are you trying to do?
• Provide single sign-on (SSO)?
• Support dynamic collaboration?
• Provide a central point of access to distributed services?

Who are the other participants?
• Services controlled by a single organization?
• Services provided by trading partners?
• Parties with whom you have no formal relationship?

Page 5: SOA Federated Identity Management


Additional Considerations

Privacy and consent
• Will the users use the system?
• How will their privacy be protected?
• How will you respond to a right to access request?

Accountability
• What mechanisms will be used for identity proofing?
• What mechanisms will ensure non-repudiation of authentication?
• How will you respond to claims of fraudulent access?

Page 6: SOA Federated Identity Management


Approaches

Don’t federate

Federated identity

Chain of trust

Federated authorization

Page 7: SOA Federated Identity Management


Federated Identities

Leverages the identification/authentication performed by a trusted member of the federation (e.g. a SAML identity provider, IdP)

May or may not require local accounts at all service providers

Requires out-of-band business agreements between members of the federation

Does nothing more than assert a claim as to the identity of a user or request within a given context (issuer, intended audience, validity window); it says nothing about what that identity is allowed to do
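Added example, not from the original slides: a service provider consuming a federated identity assertion, written to show the four checks the bullets above imply. The federation trust table stands in for the out-of-band business agreement; an HMAC over a JSON body with a pre-shared key replaces the XML Signature a SAML IdP would produce, so the code runs without a crypto library. Entity IDs, the name identifier, the key and the local account mapping are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed federation metadata. In a real deployment this is the electronic form
# of the out-of-band agreement: which identity providers this service provider (SP)
# trusts, how to verify their assertions (an X.509 certificate for XML Signature in
# SAML; a pre-shared HMAC key here so the example is self-contained), and the agreed
# name identifier format. All entity IDs and keys are hypothetical.
SP_ENTITY_ID = "https://sp.example.com"
FEDERATION_TRUST = {
    "https://idp.partner.example": {
        "key": b"key-agreed-out-of-band-with-partner",
        "name_id_format": "persistent-pseudonym",
    },
}
CLOCK_SKEW_SECONDS = 60


class InvalidAssertion(Exception):
    """Raised when an assertion must not be accepted."""


def issue_assertion(issuer, key, name_id, audience, now, lifetime=300):
    """IdP side: assert 'name_id' to 'audience' for a short window.

    The assertion carries only the identity claim and its context (issuer,
    audience, validity window); authorization is deliberately not its job.
    """
    body = {
        "issuer": issuer,
        "subject": name_id,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + lifetime,
    }
    payload = json.dumps(body, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_assertion(assertion, now):
    """SP side: accept the assertion only if every check passes."""
    payload = assertion["payload"]
    body = json.loads(payload)

    # 1. The issuer must be a federation member we have an agreement with.
    member = FEDERATION_TRUST.get(body.get("issuer"))
    if member is None:
        raise InvalidAssertion("issuer is not a trusted federation member")

    # 2. The assertion must be intact. The verification key comes from our own
    #    trust table for that issuer, never from anything inside the assertion.
    expected = hmac.new(member["key"], payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("mac", "")):
        raise InvalidAssertion("integrity check failed")

    # 3. The claim is only meaningful in its context: it must be addressed to us.
    if body.get("audience") != SP_ENTITY_ID:
        raise InvalidAssertion("assertion was issued for a different audience")

    # 4. And only within the agreed window, allowing for clock skew between members.
    if now + CLOCK_SKEW_SECONDS < body["not_before"]:
        raise InvalidAssertion("assertion not yet valid")
    if now - CLOCK_SKEW_SECONDS >= body["not_on_or_after"]:
        raise InvalidAssertion("assertion expired")

    return body["issuer"], body["subject"]


def check_assertion(assertion, now):
    """Wrapper returning (accepted, reason) so callers can log why something was refused."""
    try:
        issuer, subject = verify_assertion(assertion, now)
    except InvalidAssertion as exc:
        return False, str(exc)
    return True, f"{issuer}:{subject}"


# Local accounts are optional. The SP can key its own records on (issuer, name id)
# and never create a local account; one constructed mapping exists for illustration.
LOCAL_ACCOUNTS = {("https://idp.partner.example", "pseud-8f3a"): "alice"}


def resolve_local_account(issuer, name_id):
    """Return the SP's local account for a federated identity, or None if it has none."""
    return LOCAL_ACCOUNTS.get((issuer, name_id))
```

The order of checks matters: the issuer is looked up first because the verification key depends on it, but nothing in the body is acted on until the integrity check has passed. A subject that resolves to no local account is still a valid federated identity; whether the SP can serve it without a local record is a business decision, not a protocol one.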

Page 8: SOA Federated Identity Management


Example: US Government E-Authentication Framework

Page 9: SOA Federated Identity Management


Chain of Trust

Each participant is responsible for authenticating only the members that communicate with it directly

Information integrity must be assured by the information producer

Requires out-of-band business agreements between members of the federation

Each member of the chain is authenticated to the next—any other credential information is opaque

Ensures a sequence of participants can exchange information, but does not directly authenticate (or may not even identify) the original information producer
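Added example, not from the original slides: a three-party chain (producer, broker, consumer) in Python that makes the last two bullets concrete. Each hop is authenticated with a key shared only by that pair, standing in for mutual TLS or WS-Security between neighbours, and the producer separately protects its payload end to end. HMAC is used throughout so the example needs no crypto library; the participant names, keys and payload are constructed.

```python
import hashlib
import hmac
import json

# Constructed keys. Each adjacent pair in the chain shares one link key, standing in
# for the mutual authentication between neighbours. The producer's key stands in for
# the signing key it would use for an XML Signature over its payload; because this
# example uses HMAC, every verifier holds the same key and could forge, which is why a
# real deployment must use a public-key signature for the end-to-end check.
LINK_KEYS = {
    ("producer", "broker"): b"link-key-producer-broker",
    ("broker", "consumer"): b"link-key-broker-consumer",
}
PRODUCER_KEY = b"producer-end-to-end-key"


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def canonical(obj):
    return json.dumps(obj, sort_keys=True).encode()


def producer_sign(payload):
    """Information producer asserts integrity over its own payload, end to end."""
    return {"payload": payload, "producer_sig": mac(PRODUCER_KEY, canonical(payload))}


def producer_sig_valid(message):
    expected = mac(PRODUCER_KEY, canonical(message["payload"]))
    return hmac.compare_digest(expected, message["producer_sig"])


def send_hop(sender, receiver, message):
    """Wrap a message for one hop. Only this (sender, receiver) pair can check hop_mac."""
    body = canonical(message)
    return {
        "from": sender,
        "body": body.decode(),
        "hop_mac": mac(LINK_KEYS[(sender, receiver)], body),
    }


def receive_hop(receiver, envelope):
    """Authenticate the neighbour that sent this envelope and unwrap the message.

    Nothing inside 'body' is inspected here: whatever credential or signature the
    message carries from earlier in the chain is opaque to the hop-level check.
    """
    key = LINK_KEYS.get((envelope["from"], receiver))
    if key is None:
        raise ValueError(f"{receiver}: no agreement with {envelope['from']}")
    body = envelope["body"].encode()
    if not hmac.compare_digest(mac(key, body), envelope["hop_mac"]):
        raise ValueError(f"{receiver}: hop authentication from {envelope['from']} failed")
    return json.loads(body)


def run_chain(broker_modifies=False):
    """producer -> broker -> consumer. Returns what the consumer can conclude."""
    # Constructed payload: a status the producer vouches for.
    message = producer_sign({"record": "R-42", "status": "eligible"})

    hop1 = send_hop("producer", "broker", message)
    at_broker = receive_hop("broker", hop1)            # broker authenticated the producer
    if broker_modifies:
        at_broker["payload"]["status"] = "ineligible"  # a misbehaving intermediary

    hop2 = send_hop("broker", "consumer", at_broker)
    at_consumer = receive_hop("consumer", hop2)        # consumer authenticated only the broker

    return {
        "neighbour_authenticated": True,               # receive_hop did not raise
        "producer_integrity": producer_sig_valid(at_consumer),
        "status_seen": at_consumer["payload"]["status"],
    }
```

With `broker_modifies=True` the consumer's hop check still succeeds, because the broker really did send the envelope; only the producer's own integrity protection reveals that the payload is no longer what the producer asserted. That is the sense in which the chain ensures exchange between neighbours but not the authenticity of the original producer.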

Page 10: SOA Federated Identity Management


Example: Irish Government’s Reach Project

Page 11: SOA Federated Identity Management


Federated Authorization

Federation defines the semantics of a particular set of profile attributes

Service provider association and access control are based on the presence (and values) of one or more attributes, not on who the user is

Can be used in conjunction with federated identities or without them for dynamic collaboration

Still requires out-of-band business agreements between members of the federation

Can be used for more flexible and dynamic collaborations, but attribute negotiation may have privacy implications
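Added example, not from the original slides: attribute-based authorization across a federation in Python, with an attribute release policy on the attribute authority side to make the privacy point explicit. The vocabulary (licence categories, licence validity, an age predicate) is constructed in the spirit of the driving licence example that follows; the profile, entity IDs and release policy are likewise constructed. Nothing here is a SAML attribute profile or XACML policy; it shows the decision logic those would encode.

```python
from datetime import date

# Federation-defined attribute vocabulary (constructed; stands in for the attribute
# profile the members agree on). Each name has exactly one meaning for every member.
FEDERATION_ATTRIBUTES = {
    "licence.categories": "vehicle categories the holder may drive",
    "licence.valid": "licence is current and not suspended",
    "person.over_21": "holder is at least 21 years old",
}

# Attribute authority side. The raw profile is never shared; only federation
# attributes derived from it are, and only those the agreement with a given
# service provider (SP) permits. Name, dates and entity IDs are constructed.
PROFILE = {
    "name": "A. Example",
    "date_of_birth": date(1990, 5, 1),
    "address": "1 Example Road",
    "licence": {"categories": {"A1", "B"}, "expires": date(2030, 1, 1), "suspended": False},
}
RELEASE_POLICY = {
    "https://rental.example": {"licence.categories", "licence.valid", "person.over_21"},
    "https://newsletter.example": set(),  # a member, but entitled to nothing
}


def derive_attributes(profile, today):
    """Map raw profile data onto the federation vocabulary (predicates, not raw values)."""
    dob = profile["date_of_birth"]
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    lic = profile["licence"]
    return {
        "licence.categories": sorted(lic["categories"]),
        "licence.valid": (not lic["suspended"]) and lic["expires"] > today,
        "person.over_21": age >= 21,
    }


def release_attributes(sp_entity_id, requested, profile, today):
    """Release only attributes that are requested, permitted for this SP, and defined.

    Returns (released, withheld). The withheld list is what the SP asked for but does
    not get: raw data such as a date of birth is never in the vocabulary at all.
    """
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    derived = derive_attributes(profile, today)
    released = {a: derived[a] for a in requested if a in allowed and a in derived}
    withheld = sorted(set(requested) - set(released))
    return released, withheld


# SP side: access depends on attributes, not on the identity behind them. Each
# requirement is (attribute name, predicate over its value).
SP_POLICY = {
    "rent_car": [
        ("licence.valid", lambda v: v is True),
        ("person.over_21", lambda v: v is True),
        ("licence.categories", lambda v: "B" in v),
    ],
}


def authorize(action, attributes):
    """Grant only if every required attribute is present and satisfies its predicate."""
    for name, satisfied in SP_POLICY[action]:
        if name not in attributes or not satisfied(attributes[name]):
            return False, f"missing or unsatisfied: {name}"
    return True, "granted"
```

Even with minimal disclosure the negotiation itself leaks: the attribute authority learns which SP the user is visiting and what it asked for, and the SP learns the values it was given. Releasing predicates ("over 21") rather than source data (date of birth) limits the second leak; the first is inherent to this approach and is the privacy implication the slide refers to.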

Page 12: SOA Federated Identity Management


Example: EU Driving License Regulations

Page 13: SOA Federated Identity Management


Technical Considerations

How will the business agreements be managed electronically (proprietary XML, SAML, XACML, WS-Policy or something else)?

Are the services provided asynchronously or synchronously? What is the temporal coupling between the services?

Are the services provided to interactive users or automated agents?

How much information is necessary to identify the user to the local service?

Will the local services also support authentication and management of their own user identities?

Which is most important: the identity of the principal making the request, or the identity of the principal to which the request refers?

Who (or what) is actually making the request?

Page 14: SOA Federated Identity Management


References

US E-Government Authentication Framework and Programs, IT Professional, May/June 2003, http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/it/&toc=comp/mags/it/2003/03/f3toc.xml&DOI=10.1109/MITP.2003.1202230

Technical Approach for the Authentication Service Component, Version 1.0.0, GSA (2004), http://www.cio.gov/eauthentication/documents/TechApproach.pdf

SAML V2.0 Technical Overview, Working Draft 10, http://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf

Liberty ID-WSF Web Services Framework Overview, Version 2.0, http://www.projectliberty.org/liberty/content/download/889/6243/file/liberty-idwsf-overview-v2.0.pdf

Access Control Management in a Distributed Environment Supporting Dynamic Collaboration, Shafiq, B. et al (2005), http://portal.acm.org/citation.cfm?id=1102503

Implementing a Federated Architecture to Support Supply Chains, Chadha, B. (2003), http://www.coensys.com/files/federation%20white%20paper%2003.PDF

A Distributed Trust Model, Abdul-Rahman, A., S. Hailes (1997), http://portal.acm.org/citation.cfm?id=283739

Access Control in Federated Systems, De Capitani di Vimercati, S. and Samarati, P. (1996), http://portal.acm.org/citation.cfm?id=304871

Page 15: SOA Federated Identity Management


Turning innovation into business value™

Archistry Limited, 33 Pearse Street, Suite 115, Dublin 2, Ireland
www.archistry.com

Phone +353 86 996 2490
Fax +353 865 996 2490
Email [email protected]