Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Houser, MBA, CISSP, CCP Security Architect Nationwide Web Single Sign-On: Federated Identity.

Similar presentations


Presentation on theme: "Dan Houser, MBA, CISSP, CCP Security Architect Nationwide Web Single Sign-On: Federated Identity."— Presentation transcript:

1 Dan Houser, MBA, CISSP, CCP Security Architect Nationwide Web Single Sign-On: Federated Identity

2 Nationwide Fortune 500 company A leading US financial company & insurer Life Insurance Automobile Insurance Property & Casualty Insurance Liability Insurance Annuities Retirement Products Investment Services Mortgages

3 Objectives How a Fortune 500 company implemented SAML for cross-company authentication (CCA) Under the covers: how artifact and signed SAML authentication works between business partners Building an extensible, enterprise architecture implementation with alpha and beta tools Lessons learned, challenges, and surprises when extending authentication and authorization to 3rd parties Identity, cryptography, and assertions, oh my! Web services authentication and authorization challenges

4 Web services Phenomenal Business acceleration since 1990 Transformation of business: From business at the club to EDI brokering From book binding to e-books to books on demand Supply chain management Rapid changes in business and trust models Outsourcing, resourcing, insourcing Hosting, co-location, managed services, ASPs Intense, cyclical Acquisition & Divestiture activity Global markets & economies

5 Web services (2) Generations of the Internet 1 st Gen:IsolationResearch 2 nd Gen:InformationStorefront 3 rd Gen:TransactioneCommerce 4 th Gen:IntegrationWeb Services

6 Quick Web services primer Web Services Uses open, lightweight protocols: Provides a direct connection to business logic and core objects through Internet protocols Instead of COM, DCOM and RPC, now invoke a Web service over HTTP HTTPXMLSOAP WSDLUDDI

7 Federated identity What is federated identity? The agreements, standards and technologies that make identity and entitlements portable across autonomous domains. § Cross-company authentication (CCA) Authentication & authorization between organizations and companies. Essentially, same thing under the covers § Source: RSA Security,

8 A Federated identity Use case 1: Travel model A conducts business with B on behalf of end user Traditional back-office functions, but in real time Reference model: Travelocity ® Internet / intranet End user B2B, B2C, B2E Web Page Internet / intranet B 3rd-party Web Services Provider Business Logic HTTP XML SOAP HTTP

9 Federated identity Use case 2: Portal model B provides service or collaborative content for A Transparent to the end user. Reference model: MapQuest ® in Yahoo! ® portal Business Logic HTTP XML SOAP End user B2B, B2C, B2E Internet / intranet A Web Page B 3rd-party Web Services Provider B Internet / intranet

10 Federated identity Use case 3: Single sign-on model A redirects user to B B trusts As authentication Single sign-on (a.k.a. Cross-company authentication, federated identity.) Reference model: Private label banking HTTP XML SOAP SAML HTTP XML SOAP SAML HTTP XML SOAP SAML

11 Web services implications Extensible access portals for legacy business logic and processes Ability to react to the market very quickly Changes to core business applications are immediately available to trading partners, vendors, customers and regulators Business velocity without roadblocks of building extensive GUI presentation layers

12 Web services introduces Cross-company authentication For selected interfaces: Other business partners trust your authentications, and… Your organization trusts the authentications provided by others.

13 SAML provides framework for cross-company authentication SAML: Security Assertions Markup Language Lightweight protocol to exchange security assertions & artifacts Can be signed for self-validating assertion Permits partners to exchange assertions about authentication and authorization of users

14 SAML SAML has 4 major components: 1.Assertions Authentication assertions Attribute assertions Authorization decision assertions 2.Request / response protocol – SOAP over HTTP 3.Bindings – how SAML requests maps to transport protocols (such as SOAP) 4.Profiles – how SAML assertions are embedded or transported between parties

15 SAML (2) POST /SamlService HTTP/1.1 Host: Content-Type: text/xml Content-Length: nnn SOAPAction: … … Source: OASIS -

16 SAML provides transaction trust Messages / Transactions Session Business function Line of business Enterprise Session No existing protocol Protocols providing trust SSL / TLS / IPsec / Kerberos SAML / WS-Security XML-DSig / Passport

17 Nationwide & CCA timeline Implemented several federated identity solutions Used proprietary artifacts & communication session solutions Worked well, but…. Unique one-off solutions Lacked standards for standard implementation, extensive re-work

18 Nationwide & CCA timeline (2) 2002 Resolved to adopt a standards-based federated identity solution Investigated several federated identity standards SAML selected as best SSO authentication solution at the time Joined Liberty Alliance as Associate Member

19 Nationwide & CCA Timeline (3) 2002 Determined three viable directions: Web Access Mgmt (WAM) middleware Adding SAML parsing to existing application(s) Building own assertion generator & parser Investigated the market for vendor best suited to deliver SAML-based solution Established contract with WAM vendor Built first SAML implementation for SSO

20 Nationwide AuthN AuthZ Nationwide: First SAML cross-company SSO End user B2B, B2C, B2E Financial Aggregator Launched January, 2003 First commercial use of SAML for SSO Three business partners Nationwide provides portal, authentication & authorization for both other partners Internet / intranet redirect Financial Services Company Link

21 Nationwide: First SAML cross-company SSO End user B2B, B2C, B2E Internet / intranet Nationwide Financial Aggregator Financial Services Company redirect Link redirect 5 AuthN AuthZ 6 Launched January, 2003 First commercial use of SAML for SSO Three business partners Nationwide provides portal, authentication & authorization for both other partners.

22 Challenges Complexity Business issues Federation Weakest link Business trust models

23 Complexity Corporate 3-tier Web architectures are already complex Federated SSO adds significant complexity in coupling: Existing infrastructure Web Access Mgmt (WAM) middleware Web services interfaces New infrastructure Cross-company functionality

24 Complexity (2) Complexity requires technical sophistication on both sides of the relationship Developers need to understand: SAML Web services WAM Encryption Architects need to understand: Identity Management Authentication/authorization models

25 Complexity (3) Complexity extends to privacy and identity issues Privacy policy aggregation, demarcation Need to involve CPO, General Counsel Identity management issues Legal contract & business agreement: Roles & responsibilities Vendor management Procedures for validating trust

26 The technology is moderately complex. Trust & policies are harder. Closer to a wedding than a business relationship Nationwides solution: Certification & accreditation process Reference Architecture Strong 3-tier infrastructure architecture Forward-looking standards for trust governance Business issues

27 Federation Interoperability of identity frameworks Tough to do between existing corporate legacy applications Even tougher between disparate organizations Deep dive on assumptions, standards, vetting Must scale and scope to business context

28 Weakest link Security posture differences must be determined & governed. Alignment of reference architecture Policy & standards matrix comparison Establishment of CCA standards SLA & performance weakest link If your SLA is 7x24, and your partners SLA is 5x10, how will you provide 7x24?

29 SAML provides transaction trust Messages / Transactions Session Business function Line of business Enterprise Session No existing protocol Protocols providing trust SSL / TLS / IPsec / Kerberos SAML / WS-Security XML-DSig / Passport

30 Web services introduces cross-company authentication For selected interfaces: Other business partners trust your authentications, and… Your organization trusts the authentications provided by others.

31 What now? The Interconnectedness of all things…

32 Business trust models Recognized needs: Ongoing contractual compliance Continual determination of trustworthiness Legal implications of trust model Result: CCA standards Development of Xota SM protocol Xota SM is a service mark of Nationwide Mutual Insurance Company. Patent Pending.

33 Xota SM Combination of protocol & methodology Permits determination of trustworthiness in real time between business partners Trust governance at the transaction level Continuous assessment of contractual and regulatory compliance Nationwide is establishing a consortium Xota SM is a service mark of Nationwide Mutual Insurance Company. Patent Pending.

34 Surprises Troubleshooting with ½ the data Missing standards & solutions Interoperability Human factors

35 Troubleshooting SAML consists of HALF transactions: Asserting party Relying party Troubleshooting with only half the data! Complexity and cross-disciplinary issues Coordinated helpdesk an issue Log sharing, aggregation Time synchronization an issue

36 Missing standards & solutions SAML has some gaps No SAML session management No support for timeout, logoff rollup Had to develop own session management and session timeout protocol Middleware gaps No signed SAML support in middleware Lack of 3-tier architecture support

37 Session management issues End user B2B, B2C, B2E Internet / intranet Nationwide Financial Aggregator Financial Services Company redirect Link redirect 5 AuthN AuthZ 6 Cookie forces session timeout – user must re- authenticate User is redirected back to Nationwide gets SAML assertion Goes through SAML authentication process again

38 Interoperability Authentication & authorization required for both the business partners and users SAML provides user authentication No protocol support for partner connection authentication, authorization Each partner connection model unique Bleeding-edge implementation preceded Web services protocol standards

39 Human factors Communications Issues Users unaware of SSO implementation: Sensitive to performance lag Multiple resubmits Question lack of sign-on – Is security broken? Deep bookmarking Users will bookmark relying party sites Persistent cookie that identifies user as CCA user?

40 Lessons learned Have a good partner relationship with WAM vendor(s) Business issues as significant as technology issues Lightweight implementation toolkit required for smaller partners Trust modeling important consideration

41 Benefits achieved Federated identity provides flexible, adaptable solutions for SSO Ability to use infrastructure for affiliates, other contexts If you build it, they will come Federated identity works reliably Use of standards, such as SAML, pays off in 2 nd, 3 rd implementations

42 Q&A Questions?

43 Further information Contact information: Dan Houser, MBA, CISSP, CCP Security Architect Nationwide (614) Best resources: OASIShttp://xml.coverpages.org/saml.html Liberty Alliancehttp://projectliberty.org

44 Thank you. Questions, comments? Mr. Houser will not be available to answer questions at the Ask-the-Experts booth in the Exhibit Hall. Please send question to


Download ppt "Dan Houser, MBA, CISSP, CCP Security Architect Nationwide Web Single Sign-On: Federated Identity."

Similar presentations


Ads by Google