Presentation transcript: "Web Single Sign-On: Federated Identity"
Slide 1: Web Single Sign-On: Federated Identity
Dan Houser, MBA, CISSP, CCP
Security Architect, Nationwide

Slide 2: Nationwide
Fortune 500 company. A leading US financial company & insurer:
- Life Insurance
- Automobile Insurance
- Property & Casualty Insurance
- Liability Insurance
- Annuities
- Retirement Products
- Investment Services
- Mortgages
Slide 3: Objectives
- How a Fortune 500 company implemented SAML for cross-company authentication (CCA)
- Under the covers: how artifact and signed SAML authentication works between business partners
- Building an extensible, enterprise architecture implementation with alpha and beta tools
- Lessons learned, challenges, and surprises when extending authentication and authorization to 3rd parties
- Identity, cryptography, and assertions, oh my!
- Web services authentication and authorization challenges
Slide 4: Web services
Phenomenal business acceleration since 1990.
Transformation of business:
- From business at the club to EDI brokering
- From book binding to e-books to books on demand
- Supply chain management
Rapid changes in business and trust models:
- Outsourcing, resourcing, insourcing
- Hosting, co-location, managed services, ASPs
- Intense, cyclical acquisition & divestiture activity
- Global markets & economies

Slide 5: Web services (2)
Generations of the Internet:
- 1st Gen: Isolation, research
- 2nd Gen: Information, storefront
- 3rd Gen: Transaction, eCommerce
- 4th Gen: Integration, Web services

Slide 6: Quick Web services primer
Uses open, lightweight protocols: HTTP, XML, SOAP, WSDL, UDDI.
- Provides a direct connection to business logic and core objects through Internet protocols
- Instead of COM, DCOM and RPC, now invoke a Web service over HTTP
Slide 7: Federated identity
What is federated identity? The agreements, standards and technologies that make identity and entitlements portable across autonomous domains.§
Cross-company authentication (CCA): authentication & authorization between organizations and companies. Essentially the same thing under the covers.
§ Source: RSA Security
Slide 8: Federated identity. Use case 1: Travel model
- A conducts business with B on behalf of the end user
- Traditional back-office functions, but in real time
- Reference model: Travelocity®
[Diagram: End user -> (HTTP, Web page, Internet/intranet) -> Provider A -> (Web services: HTTP, XML, SOAP; B2B, B2C, B2E; Internet/intranet) -> 3rd-party business logic B]

Slide 9: Federated identity. Use case 2: Portal model
- B provides service or collaborative content for A
- Transparent to the end user
- Reference model: MapQuest® in Yahoo!® portal
[Diagram: same layout as use case 1: End user -> (HTTP, Web page) -> Provider A -> (Web services: HTTP, XML, SOAP; B2B, B2C, B2E) -> 3rd-party business logic B]

Slide 10: Federated identity. Use case 3: Single sign-on model
- A redirects user to B
- B trusts A's authentication
- "Single sign-on" (a.k.a. cross-company authentication, federated identity)
- Reference model: private label banking
[Diagram: each hop labelled HTTP, XML, SOAP, SAML]
Slide 11: Web services implications
- Extensible access portals for legacy business logic and processes
- Ability to react to the market very quickly
- Changes to core business applications are immediately available to trading partners, vendors, customers and regulators
- Business velocity without the roadblocks of building extensive GUI presentation layers

Slide 12: Web services introduce cross-company authentication
For selected interfaces:
- Other business partners trust your authentications, and...
- Your organization trusts the authentications provided by others.

Slide 13: SAML provides a framework for cross-company authentication
- SAML: Security Assertion Markup Language
- Lightweight protocol to exchange security assertions & artifacts
- Can be signed for a self-validating assertion
- Permits partners to exchange assertions about authentication and authorization of users

Slide 14: SAML
SAML has 4 major components:
- Assertions: authentication assertions, attribute assertions, authorization decision assertions
- Request/response protocol: SOAP over HTTP
- Bindings: how SAML requests map to transport protocols (such as SOAP)
- Profiles: how SAML assertions are embedded or transported between parties
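As an added illustration of slides 13 and 14 (not code from the presentation or from Nationwide's implementation): an asserting party builds a SAML 1.x-style authentication assertion, and the relying party runs the checks a "self-validating" assertion must pass. XML Signature is replaced by an HMAC over the serialized assertion, a stand-in assumption; the element names and namespace follow SAML 1.0, while partner names, the shared key and timestamps are constructed sample values.

```python
import hmac, hashlib, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
def q(tag): return "{%s}%s" % (NS, tag)
def iso(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_assertion(issuer, subject, audience, now, lifetime_s=300):
    """Asserting party: authentication assertion with a short validity window."""
    a = ET.Element(q("Assertion"), AssertionID=secrets.token_hex(16),
                   Issuer=issuer, IssueInstant=iso(now))
    cond = ET.SubElement(a, q("Conditions"), NotBefore=iso(now),
                         NotOnOrAfter=iso(now + timedelta(seconds=lifetime_s)))
    ET.SubElement(ET.SubElement(cond, q("AudienceRestrictionCondition")), q("Audience")).text = audience
    st = ET.SubElement(a, q("AuthenticationStatement"), AuthenticationInstant=iso(now),
                       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password")
    ET.SubElement(ET.SubElement(st, q("Subject")), q("NameIdentifier")).text = subject
    return ET.tostring(a)
def sign(assertion_bytes, key):
    # Stand-in for XML Signature (assumption): HMAC-SHA256 over the serialized assertion.
    return hmac.new(key, assertion_bytes, hashlib.sha256).hexdigest()

def validate(assertion_bytes, signature, key, trusted_issuer, my_audience, now, seen_ids):
    """Relying party: checks an assertion must pass before the user is let in."""
    if not hmac.compare_digest(sign(assertion_bytes, key), signature):
        return "bad signature"            # altered in transit or wrong partner key
    root = ET.fromstring(assertion_bytes)
    if root.get("Issuer") != trusted_issuer:
        return "unknown issuer"           # only the contracted partner may assert
    cond = root.find(q("Conditions"))
    if cond is None or now < parse(cond.get("NotBefore")) or now >= parse(cond.get("NotOnOrAfter")):
        return "outside validity window"  # clock skew between partners surfaces here
    if my_audience not in [e.text for e in cond.iter(q("Audience"))]:
        return "audience mismatch"        # minted for a different relying party
    if root.get("AssertionID") in seen_ids:
        return "replayed assertion"       # one-time use; a resubmitted assertion is rejected
    seen_ids.add(root.get("AssertionID"))
    return "ok"

def demo():  # constructed round trip; sample partner names, not real identifiers
    now = datetime(2003, 1, 15, 12, 0, tzinfo=timezone.utc)
    key, seen = b"shared-partner-secret", set()   # assumption: key agreed out of band
    a = build_assertion("idp.example", "user42", "sp.example", now); s = sign(a, key)
    return [validate(a, s, key, "idp.example", "sp.example", now + timedelta(seconds=10), seen),
            validate(a, s, key, "idp.example", "sp.example", now + timedelta(seconds=10), seen),
            validate(a, s, key, "idp.example", "sp.example", now + timedelta(seconds=600), set()),
            validate(a.replace(b"user42", b"admin"), s, key, "idp.example", "sp.example", now, set())]
```

The `seen_ids` set is the relying party's replay cache; in a 3-tier deployment it has to be shared across the Web tier, which is part of the middleware gap the later slides describe.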
Slide 17: Nationwide & CCA timeline
- Implemented several federated identity solutions
- Used proprietary artifacts & communication session solutions
- Worked well, but...
- Unique "one-off" solutions
- Lacked standards for standard implementation; extensive re-work

Slide 18: Nationwide & CCA timeline (2)
2002:
- Resolved to adopt a standards-based federated identity solution
- Investigated several federated identity standards
- SAML selected as the best SSO authentication solution at the time
- Joined Liberty Alliance as Associate Member

Slide 19: Nationwide & CCA timeline (3)
2002:
- Determined three viable directions: Web Access Mgmt (WAM) middleware; adding SAML parsing to existing application(s); building own assertion generator & parser
- Investigated the market for the vendor best suited to deliver a SAML-based solution
- Established contract with WAM vendor
- Built first SAML implementation for SSO
Slide 20: Nationwide: First SAML cross-company SSO
- Launched January 2003
- First commercial use of SAML for SSO
- Three business partners
- Nationwide provides portal, authentication & authorization for both other partners
[Diagram: End user, Nationwide (AuthN, AuthZ), Financial Aggregator, Financial Services Company over Internet/intranet; numbered steps 1-4: link, redirect, redirect; B2B, B2C, B2E]

Slide 21: Nationwide: First SAML cross-company SSO (continued)
Same bullets as slide 20; the diagram extends the flow to six numbered steps (link, redirects between Nationwide, the Financial Aggregator and the Financial Services Company, AuthN/AuthZ at Nationwide).
Slide 22: Challenges
- Complexity
- Business issues
- Federation
- Weakest link
- Business trust models

Slide 23: Complexity
Corporate 3-tier Web architectures are already complex. Federated SSO adds significant complexity in coupling:
- Existing infrastructure
- Web Access Mgmt (WAM) middleware
- Web services interfaces
- New infrastructure
- Cross-company functionality

Slide 24: Complexity (2)
Complexity requires technical sophistication on both sides of the relationship.
Developers need to understand: SAML, Web services, WAM, encryption.
Architects need to understand: identity management, authentication/authorization models.

Slide 26: Business issues
The technology is moderately complex. Trust & policies are harder.
Closer to a wedding than a business relationship.
Nationwide's solution:
- Certification & accreditation process
- Reference architecture
- Strong 3-tier infrastructure architecture
- Forward-looking standards for trust governance

Slide 27: Federation
Interoperability of identity frameworks:
- Tough to do between existing corporate legacy applications
- Even tougher between disparate organizations
- Deep dive on assumptions, standards, vetting
- Must scale and scope to business context

Slide 28: Weakest link
Security posture differences must be determined & governed:
- Alignment of reference architecture
- Policy & standards matrix comparison
- Establishment of CCA standards
SLA & performance weakest link: if your SLA is 7x24 and your partner's SLA is 5x10, how will you provide 7x24?
Slide 32: Business trust models
Recognized needs:
- Ongoing contractual compliance
- Continual determination of trustworthiness
- Legal implications of trust model
Result:
- CCA standards
- Development of Xota(SM) protocol
Xota(SM) is a service mark of Nationwide Mutual Insurance Company. Patent pending.

Slide 33: Xota(SM)
Combination of protocol & methodology:
- Permits determination of trustworthiness in real time between business partners
- Trust governance at the transaction level
- Continuous assessment of contractual and regulatory compliance
- Nationwide is establishing a consortium
Xota(SM) is a service mark of Nationwide Mutual Insurance Company. Patent pending.
Slide 34: Surprises
- Troubleshooting with ½ the data
- Missing standards & solutions
- Interoperability
- Human factors

Slide 35: Troubleshooting
SAML consists of HALF transactions: asserting party and relying party. Troubleshooting with only half the data!
- Complexity and cross-disciplinary issues
- Coordinated helpdesk an issue
- Log sharing, aggregation
- Time synchronization an issue

Slide 36: Missing standards & solutions
SAML has some gaps:
- No SAML session management
- No support for timeout, logoff "rollup"
- Had to develop own session management and session timeout protocol
Middleware gaps:
- No signed SAML support in middleware
- Lack of 3-tier architecture support

Slide 37: Session management issues
- Cookie forces session timeout: user must re-authenticate
- User is redirected back to Nationwide, gets SAML assertion
- Goes through SAML authentication process again
[Diagram: same six-step flow as slide 21: End user, Nationwide (AuthN, AuthZ), Financial Aggregator, Financial Services Company; link and redirects over Internet/intranet; B2B, B2C, B2E]
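Added example, not the presentation's or Nationwide's own code, of the session management slides 36 and 37 say had to be built on top of SAML: the relying party keeps its own sessions with an idle and an absolute limit (both assumed policy values), bounces an expired user back to the asserting party's SSO endpoint (placeholder URL) with the page they wanted, and ends all of a subject's local sessions on a logoff "rollup" (my reading of that term, since the slide does not define it).

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

IDLE_TIMEOUT = timedelta(minutes=15)              # assumption: relying party's idle limit
MAX_LIFETIME = timedelta(hours=8)                 # assumption: relying party's absolute limit
ASSERTING_PARTY_SSO = "https://idp.example/sso"  # placeholder, not a real endpoint

class RelyingPartySessions:
    """Sessions the relying party keeps itself, because SAML 1.x defines none."""
    def __init__(self):
        self.sessions = {}   # session cookie value -> session record

    def create(self, cookie, subject, now):
        """Called right after a SAML assertion for `subject` has been validated."""
        self.sessions[cookie] = {"subject": subject, "started": now, "last_seen": now}

    def handle_request(self, cookie, target_url, now):
        """Return ('serve', subject) or ('redirect', url) for one incoming request."""
        s = self.sessions.get(cookie)
        if s is None or now - s["last_seen"] > IDLE_TIMEOUT or now - s["started"] > MAX_LIFETIME:
            # No session, idle too long, or past the absolute limit: drop it and send the
            # user back to the asserting party, which re-asserts (or re-authenticates) them.
            self.sessions.pop(cookie, None)
            return "redirect", ASSERTING_PARTY_SSO + "?" + urlencode({"target": target_url})
        s["last_seen"] = now
        return "serve", s["subject"]

    def logoff_rollup(self, subject):
        """End every local session for a subject when a partner reports that they logged off."""
        gone = [c for c, s in self.sessions.items() if s["subject"] == subject]
        for c in gone:
            del self.sessions[c]
        return len(gone)

def demo():
    """Constructed walk-through with fixed timestamps (sample values)."""
    rp = RelyingPartySessions()
    t0 = datetime(2003, 1, 15, 9, 0, tzinfo=timezone.utc)
    rp.create("cookie-A", "user42", t0)
    first = rp.handle_request("cookie-A", "/accounts", t0 + timedelta(minutes=5))[0]
    expired = rp.handle_request("cookie-A", "/accounts", t0 + timedelta(minutes=30))[0]
    rp.create("cookie-B", "user42", t0 + timedelta(minutes=31))
    ended = rp.logoff_rollup("user42")
    return first, expired, ended
```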
Slide 38: Interoperability
- Authentication & authorization required for both the business partners and users
- SAML provides user authentication
- No protocol support for partner connection authentication, authorization
- Each partner connection model unique
- Bleeding-edge implementation preceded Web services protocol standards

Slide 39: Human factors
Communications issues. Users unaware of SSO implementation:
- Sensitive to performance lag
- Multiple resubmits
- Question lack of sign-on: "Is security broken?"
Deep bookmarking:
- Users will bookmark relying party sites
- Persistent cookie that identifies user as CCA user?

Slide 40: Lessons learned
- Have a good partner relationship with WAM vendor(s)
- Business issues as significant as technology issues
- Lightweight implementation toolkit required for smaller partners
- Trust modeling an important consideration

Slide 41: Benefits achieved
- Federated identity provides flexible, adaptable solutions for SSO
- Ability to use infrastructure for affiliates, other contexts
- If you build it, they will come
- Federated identity works reliably
- Use of standards, such as SAML, pays off in 2nd, 3rd implementations