Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Single Sign-On: Federated Identity

Published byCeleste Summerson Modified over 10 years ago

Similar presentations

Presentation on theme: "Web Single Sign-On: Federated Identity"— Presentation transcript:

1 Web Single Sign-On: Federated Identity
Dan Houser, MBA, CISSP, CCP Security Architect Nationwide

2 Nationwide Fortune 500 company
A leading US financial company & insurer Life Insurance Automobile Insurance Property & Casualty Insurance Liability Insurance Annuities Retirement Products Investment Services Mortgages

3 Objectives How a Fortune 500 company implemented SAML for cross-company authentication (CCA) Under the covers: how artifact and signed SAML authentication works between business partners Building an extensible, enterprise architecture implementation with alpha and beta tools Lessons learned, challenges, and surprises when extending authentication and authorization to 3rd parties Identity, cryptography, and assertions, oh my! Web services authentication and authorization challenges

4 Web services Phenomenal Business acceleration since 1990
Transformation of business: From business at the club to EDI brokering From book binding to e-books to books on demand Supply chain management Rapid changes in business and trust models Outsourcing, resourcing, insourcing Hosting, co-location, managed services, ASPs Intense, cyclical Acquisition & Divestiture activity Global markets & economies

5 Web services (2) Generations of the Internet
1st Gen: Isolation Research 2nd Gen: Information Storefront 3rd Gen: Transaction eCommerce 4th Gen: Integration Web Services

6 Quick Web services primer
Uses open, lightweight protocols: Provides a direct connection to business logic and core objects through Internet protocols Instead of COM, DCOM and RPC, now invoke a Web service over HTTP HTTP XML SOAP WSDL UDDI

7 Federated identity What is federated identity?
The agreements, standards and technologies that make identity and entitlements portable across autonomous domains.§ Cross-company authentication (CCA) Authentication & authorization between organizations and companies. Essentially, same thing under the covers § Source: RSA Security,

8 Federated identity Use case 1: Travel model
Internet / Internet / B intranet intranet 3rd-party Business Logic End user HTTP Web Page HTTP XML SOAP Web Services B2B, B2C, B2E Provider A conducts business with B on behalf of end user Traditional back-office functions, but in real time Reference model: Travelocity®

9 Federated identity Use case 2: Portal model
B provides service or collaborative content for A Transparent to the end user. Reference model: MapQuest® in Yahoo!® portal HTTP B Internet / intranet Web Page End user HTTP XML SOAP B2B, B2C, B2E Internet / intranet B Business Logic 3rd-party Web Services Provider

10 Federated identity Use case 3: Single sign-on model
A redirects user to B B trusts A’s authentication “Single sign-on” (a.k.a. Cross-company authentication, federated identity.) Reference model: Private label banking HTTP XML SOAP SAML HTTP XML SOAP SAML HTTP XML SOAP SAML

11 Web services implications
Extensible access portals for legacy business logic and processes Ability to react to the market very quickly Changes to core business applications are immediately available to trading partners, vendors, customers and regulators Business velocity without roadblocks of building extensive GUI presentation layers

12 Web services introduces Cross-company authentication
For selected interfaces: Other business partners trust your authentications, and… Your organization trusts the authentications provided by others.

13 SAML provides framework for cross-company authentication
SAML: Security Assertions Markup Language Lightweight protocol to exchange security assertions & artifacts Can be signed for self-validating assertion Permits partners to exchange assertions about authentication and authorization of users

14 SAML SAML has 4 major components: Assertions
Authentication assertions Attribute assertions Authorization decision assertions Request / response protocol – SOAP over HTTP Bindings – how SAML requests maps to transport protocols (such as SOAP) Profiles – how SAML assertions are embedded or transported between parties

15 SAML (2) POST /SamlService HTTP/1.1 Host: Content-Type: text/xml Content-Length: nnn SOAPAction: <SOAP-ENV:Envelope xmlns:SOAP-ENV=” <SOAP-ENV:Body> <samlp:Request xmlns:samlp:=”…” xmlns:saml=”…” xmlns:ds=”…”> <ds:Signature> … </ds:Signature> <samlp:AuthenticationQuery> </samlp:AuthenticationQuery> </samlp:Request> </SOAP-ENV:Body> </SOAP-ENV:Envelope> Source: OASIS -

16 SAML provides transaction trust
Protocols providing trust Enterprise Line of business No existing protocol Business function Session SSL / TLS / IPsec / Kerberos Session SAML / WS-Security XML-DSig / Passport Messages / Transactions

17 Nationwide & CCA timeline
Implemented several federated identity solutions Used proprietary artifacts & communication session solutions Worked well, but…. Unique “one-off” solutions Lacked standards for standard implementation, extensive re-work

18 Nationwide & CCA timeline (2)
2002 Resolved to adopt a standards-based federated identity solution Investigated several federated identity standards SAML selected as best SSO authentication solution at the time Joined Liberty Alliance as Associate Member

19 Nationwide & CCA Timeline (3)
2002 Determined three viable directions: Web Access Mgmt (WAM) middleware Adding SAML parsing to existing application(s) Building own assertion generator & parser Investigated the market for vendor best suited to deliver SAML-based solution Established contract with WAM vendor Built first SAML implementation for SSO

20 Nationwide: First SAML cross-company SSO
Launched January, 2003 First commercial use of SAML for SSO Three business partners Nationwide provides portal, authentication & authorization for both other partners Internet / intranet Nationwide End user B2B, B2C, B2E 1 Link redirect 2 4 redirect 3 AuthN AuthZ Financial Aggregator Financial Services Company

21 Nationwide: First SAML cross-company SSO
Launched January, 2003 First commercial use of SAML for SSO Three business partners Nationwide provides portal, authentication & authorization for both other partners. Nationwide 3 4 redirect Internet / 1 intranet 6 redirect Link 2 5 End user AuthN AuthZ B2B, B2C, B2E Financial Aggregator Financial Services Company

22 Challenges Complexity Business issues Federation Weakest link
Business trust models

23 Complexity Corporate 3-tier Web architectures are already complex
Federated SSO adds significant complexity in coupling: Existing infrastructure Web Access Mgmt (WAM) middleware Web services interfaces New infrastructure Cross-company functionality

24 Complexity (2) Complexity requires technical sophistication on both sides of the relationship Developers need to understand: SAML Web services WAM Encryption Architects need to understand: Identity Management Authentication/authorization models

25 Complexity (3) Complexity extends to privacy and identity issues
Privacy policy aggregation, demarcation Need to involve CPO, General Counsel Identity management issues Legal contract & business agreement: Roles & responsibilities Vendor management Procedures for validating trust

26 Business issues The technology is moderately complex.
Trust & policies are harder. Closer to a wedding than a business relationship Nationwide’s solution: Certification & accreditation process Reference Architecture Strong 3-tier infrastructure architecture Forward-looking standards for trust governance

27 Federation Interoperability of identity frameworks
Tough to do between existing corporate legacy applications Even tougher between disparate organizations Deep dive on assumptions, standards, vetting Must scale and scope to business context

28 Weakest link Security posture differences must be determined & governed. Alignment of reference architecture Policy & standards matrix comparison Establishment of CCA standards SLA & performance weakest link If your SLA is 7x24, and your partner’s SLA is 5x10, how will you provide 7x24?

29 SAML provides transaction trust
Protocols providing trust Enterprise Line of business No existing protocol Business function Session SSL / TLS / IPsec / Kerberos Session SAML / WS-Security XML-DSig / Passport Messages / Transactions

30 Web services introduces cross-company authentication
For selected interfaces: Other business partners trust your authentications, and… Your organization trusts the authentications provided by others.

31 What now? The Interconnectedness of all things…

32 Business trust models Recognized needs: Result: CCA standards
Ongoing contractual compliance Continual determination of trustworthiness Legal implications of trust model Result: CCA standards Development of XotaSM protocol XotaSM is a service mark of Nationwide Mutual Insurance Company. Patent Pending.

33 XotaSM Combination of protocol & methodology
Permits determination of trustworthiness in real time between business partners Trust governance at the transaction level Continuous assessment of contractual and regulatory compliance Nationwide is establishing a consortium XotaSM is a service mark of Nationwide Mutual Insurance Company. Patent Pending.

34 Surprises Troubleshooting with ½ the data
Missing standards & solutions Interoperability Human factors

35 Troubleshooting SAML consists of HALF transactions:
Asserting party  Relying party Troubleshooting with only half the data! Complexity and cross-disciplinary issues Coordinated helpdesk an issue Log sharing, aggregation Time synchronization an issue

36 Missing standards & solutions
SAML has some gaps No SAML session management No support for timeout, logoff “rollup” Had to develop own session management and session timeout protocol Middleware gaps No signed SAML support in middleware Lack of 3-tier architecture support

37 Session management issues
Cookie forces session timeout – user must re-authenticate User is redirected back to Nationwide gets SAML assertion Goes through SAML authentication process again Nationwide 3 4 redirect Internet / 1 intranet 6 redirect Link 2 5 End user AuthN AuthZ B2B, B2C, B2E Financial Aggregator Financial Services Company

38 Interoperability Authentication & authorization required for both the business partners and users SAML provides user authentication No protocol support for partner connection authentication, authorization Each partner connection model unique Bleeding-edge implementation preceded Web services protocol standards

39 Human factors Communications Issues
Users unaware of SSO implementation: Sensitive to performance lag Multiple resubmits Question lack of sign-on – “Is security broken?” Deep bookmarking Users will bookmark relying party sites Persistent cookie that identifies user as CCA user?

40 Lessons learned Have a good partner relationship with WAM vendor(s)
Business issues as significant as technology issues Lightweight implementation toolkit required for smaller partners Trust modeling important consideration

41 Benefits achieved Federated identity provides flexible, adaptable solutions for SSO Ability to use infrastructure for affiliates, other contexts If you build it, they will come Federated identity works reliably Use of standards, such as SAML, pays off in 2nd, 3rd implementations

42 Q&A Questions?

43 OASIS http://xml.coverpages.org/saml.html
Further information Best resources: OASIS Liberty Alliance Contact information: Dan Houser, MBA, CISSP, CCP Security Architect Nationwide (614)

44 Thank you. Questions, comments?
Mr. Houser will not be available to answer questions at the Ask-the-Experts booth in the Exhibit Hall. Please send question to

Download ppt "Web Single Sign-On: Federated Identity"

Similar presentations

Click to edit Master title style HEALTH INFORMATION 1 Identity & Access Management Presenter: Mike Davis (760) 632-0294 January 09, 2007.

Click to edit Master title style HEALTH INFORMATION 1 Identity & Access Management Presenter: Mike Davis (760) January 09, 2007.
Identity Network Ideals – Heterogeneity & Co-existence

Identity Network Ideals – Heterogeneity & Co-existence
Page 1 Copyright © 2010 Data Access Technologies, Inc. Model Driven Solutions May 2009 Cory Casanave Architecture of Services SOA for E-Government Conference.

Page 1 Copyright © 2010 Data Access Technologies, Inc. Model Driven Solutions May 2009 Cory Casanave Architecture of Services SOA for E-Government Conference.
Interactive Financial eXchange www.IFXForum.Org XML Usage in Financial Services Mark Tiggas President, Interactive Financial eXchange Open Applications.

Interactive Financial eXchange XML Usage in Financial Services Mark Tiggas President, Interactive Financial eXchange Open Applications.
Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -

Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -
A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.

Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
SOA with Progress Philipp Walther Consultant. © 2007 Progress Software Corporation2 Agenda  SOA  Enterprise Service Bus (ESB)  The Progress SOA Portfolio.

SOA with Progress Philipp Walther Consultant. © 2007 Progress Software Corporation2 Agenda  SOA  Enterprise Service Bus (ESB)  The Progress SOA Portfolio.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
B2B e-commerce standards for document exchange In350: week 13: Nov. 19,2001 Judith A. Molka-Danielsen.

B2B e-commerce standards for document exchange In350: week 13: Nov. 19,2001 Judith A. Molka-Danielsen.
A summary of ebXML (the new World Standard for e-Business) Dave Welsh Collaborative Domain Corporation.

A summary of ebXML (the new World Standard for e-Business) Dave Welsh Collaborative Domain Corporation.
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Automates Infrastructure Outsourcing.

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Automates Infrastructure Outsourcing.

Similar presentations

Ads by Google