Presentation on theme: "OASIS SAMLv2.0 and Liberty WSFv2.0 Deployment Notes circa Mid-2006."— Presentation transcript:
OASIS SAMLv2.0 and Liberty WSFv2.0 Deployment Notes circa Mid-2006
OASIS SAMLv2.0 and Liberty WSFv2.0 Deployment Notes More that 1 Billion Identities Likely you use it for: –Banking –University –Government (DoD) –Mobile data (esp. Asia, Europe)
Certified Implementations, through U.S. Government, Ping Identity, or Liberty Alliance Programs Over 60 products have received certification or been otherwise validated for conformance or interoperability. These include SAML and Liberty ID-FF and ID-WSF products from the largest, and some smaller, identity management vendors. One consequence is that a significant majority of enterprises around the world already have the potential to run such services, through plug-ins and such to existing systems.
Adoption in other standards and recommendations This family of technologies have been adopted in a wide-ranging variety of technologies, from mobile services, to digital television broadcasting, and in healthcare. It is part of the trusted mobile platform, and is incorporated in ebXML Registry and the Globus Toolkit (OGSA). Notably, Microsoft and Sun have created an interoperability profile to bridge technologies. In addition, Microsoft has adopted SAMLv2.0 in its forthcoming InfoCard system.
Open Source or Developer Tools Several open source implementations are available, and range from deployment domains that are platform-focused to those that are global in scope. One such is the Shibboleth implementations of SAMLv1.1, with SAMLv2.0 imminent. Several of these are certified for interoperability
Wide-ranging Deployments General applications range from network devices to mobile handsets, and include consumer services and hardened smart cards. Several of these are deployments in the 10s of millions. Infrastructure and embedded systems implementations Education, Government, Defence, eHealth and Regulatory domains Financial services, both for consumers, through corporates, and within the banking and payment infrastructures Airlines and related businesses, ranging from maintenance to travel services Supply chain management, and ERP and HR systems
Protocol gateways and bridging systems These represent an important step in interoperability, and they also signify an increasing maturity in the marketplace
Implementations Certified for SAMLv1.0 Artifact Profile in U.S. eGov E-Authentication Program Entegrity, Entrust, Hewlett-Packard, IBM, CA/Netegrity, Novell, Oblix (Oracle), RSA Security, Sun Microsystems, Trustgenix (HP), DataPower (IBM)
Conformance-Tested Implementations of SAMLv2 (for various web single sign-on and SOAP profiles) Electronics and Telecommunications Research Institute (ETRI), Ericsson, Hewlett-Packard, IBM, NEC, NTT, Novell, Oracle, Reactivity, RSA Security, Sun Microsystems, Symlabs, Trustgenix (HP)
Conformance-Tested Implementations of ID-WSF1.0 and ID-WSF1.1 Hewlett-Packard, Nokia, Novell, NTT, Sun Microsystems, Symlabs, Trustgenix (HP)
Adoption in other standards and recommendations ID-WSF1.1 in OMA (Open Mobile Alliance) in Web Services Enabler Releases, TV-Anytime Forum for AdvEPG (and therefore by the DVB Project) in Europe, Asia and Americas (possibly U.S.); Liberty ID-FF1.2 in SAMLv2.0 SAMLv2.0 in ebXML Registry v3.0, in WS-Security SAML Token Profile 1.1 (to be proposed), HIMSS IHE XUA for XDS (Global healthcare interoperability specification, cross-domain authentication including extended profiles), and in Liberty ID-WSF2.0 SAMLv1.1 in Trusted Mobile Platform Microsoft and Sun Microsystem’s convergence profile of ID-FF1.2 (therefore SAMLv1.1) and WS-Federation in Web SSO Interop Profile and WS-MetadataExchange in Web SSO MEX Microsoft InfoCard (use of SAMLv2.0, now in demonstration, forthcoming in Vista, 4Q06) Globus Tookit for Grid Security Infrastructure (use of SAMLv1.1 in OGSA; and GridShib Shib-to-glob attribute gateway)
Open Source or Developer Tools Entr’Overt Lasso (ID-FF1.2) for eGovernment; OpenSAML (SAMLv1.1, soon SAMLv2.0) PingIdentity (SAML and ID-FF, and toolkit) Sun Microsystems (ID-FF, and toolkit) Shibboleth (SAMLv1.1, SAMLv2.0 imminent) Oracle (toolkit) NTT for vendor integration; Guanxi and Samuel (SAML1.1 and Shibboleth)
ID-WSF Deployments including discovery and interaction services AOL Axalto, Hewlett- Packard, Nokia (including in retail handsets), Novell, NTT, Sun Microsystems, Juniper Networks (embedded in VPN appliances), Symlabs, Trustgenix (HP)
Infrastructure and Embedded Implementations Ericsson, Alcatel, Elios, Nokia, Trustgenix (HP), France Telecom/Orange, IBM, Sun Microsystems, NEC, NTT, NTT DoCoMo, Vodafone, Turkcell
Education, Government, eHealth and Regulatory U.S. Government eGov E-Authentication (SAMLv1.0) for 14 major government agencies (The Danish Government have adopted this program, in SAMLv2.0); BIPAC (ID-FF1.2) for regulatory-compliant employee participation in government independent of employer; EduMart (ID-WSF1.1) in Japan for 98 public schools and 24 content providers; HAKA Federation (Shibboleth) of Finnish universities, polytechnics, and research institutions; Juniper Networks application at Catholic Health Systems in New York, NY; InCommon (Shibboleth) 18 higher institutions of higher- education throughout the US, including the University of California, Cornell, Ohio State, University of Chicago, and several content providers, such as Elsevier ScienceDirect, as well as products such as Blackboard, WebCT, WebAssign, EBSCO, JSTOR, and SFX; InQueue (Shibboleth) over 100 institutions across the Americas, Europe, and Asia in trial; Joint Warrior Interoperability Demonstration (JWID) 2003 with Canada, Australia, New Zealand, United States, United Kingdom, and Norway using ID-FF1.1; SDSS (Shibboleth Development and Support Services) for Edima at Edinburgh University Data Liberty for a large collection of UK academic online resources (Shibboleth); SWITCH Swiss education and Research Network (Shibboleth); U.S. Department of Labor Mine Safety and Health Administration (likely SAMLv1.0)
Financial Services and related Fidelity Investments, in a corporate setting 401(k) management application, uses Liberty ID-FF, with identity services discovery techniques, and Liberty Identity Services Personal Profiles, to isolate corporate from personal persona; Communicator’s SecuritiesHub (Citigroup, Credit Suisse First Boston, Goldman Sachs, JPMorgan Case & Co, Lehman Brothers, Merrill Lynch, Morgan Stanley, UBS Warburg) for over 24,000 institutional investors in 60 countries co- mingling 800 analysts results; ACS Electronic Land Records Exchange (eRX) electronic recordation; Nationwide Insurance throughout the producer channel; Niteo, for the Financial Services Technology Consortium (FSTC), JPMorgan Chase, Wachovia, and Bank of America; Workscape Inc. and Sun Microsystems providing General Motors’ 401(k) services portal; XConnect’s partnership with eBIZ.mobility Federated Payment for fixed and mobile payments; Other financial services companies thought to be active at some stage (Wells Fargo, AmericanExpress)
Airlines and related Star Alliance (Lufthansa, United Airlines, SAS Scandinavian Airlines, Thai Airways International, Air Canada and 10 more), for authentication and resources, with Novell; JAL Online (travel planning, check-in, expenses and reimbursement to credit cards) with NTT Data; Boeing in two applications, one for 500,000 former employees and beneficiaries, another for MyBoeingFleet for customer access to fleet operation and maintenance information
Supply Chain Management Proctor & Gamble (also an employee gateway); Covisint (using RSA Security FIM, for Ford, DaimlerChrysler, Delphi, Visteon, Freightliner, Metaldyne, Mitsubishi); ??Oracle implies PeopleSoft and Siebel; ??SAP’s wide use of
Protocol gateways and bridging Trustgenix (HP), PingIdentity, Sun Microsystem, BMC Software
Other Siemens HiPath DirX Access Federation (SAMLv1.0 and SAMLv1.1); BEA, a SAMLv1.1 gateway on WebLogic Server; Adobe in LiveCycle, SAMLv1.x, might be SAMLv2; Evidian, with Deutsche Post on SAMLv1.1? (c. 2003) and Liberty id- ff1.2?.