Presentation is loading. Please wait.

Presentation is loading. Please wait.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Similar presentations


Presentation on theme: "Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved."— Presentation transcript:

1 Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

2 2 Copyright © 2006, Quebec Inc. Proprietary and Confidential Overview Integration into enterprise I&AM Identity & Access Management Frameworks Liberty Alliance ID-FF / SAML 2.0 Liberty Alliance ID-WSF Microsoft InfoCard Open Standards SAML 2.0 XML Signature WS-Security WS-Trust Authentication Credentica implementations

3 3 Copyright © 2006, Quebec Inc. Proprietary and Confidential Integration into enterprise I&AM

4 4 Copyright © 2006, Quebec Inc. Proprietary and Confidential DC-enabling a legacy I&AM application WWWWWW AS IdS Internal RPs External RPs Federated RPs Credentica servers CIPS CIVSCAAS Token validation module Client Component X.509 Kerberos LDAP

5 5 Copyright © 2006, Quebec Inc. Proprietary and Confidential Identity & Access Management Frameworks

6 6 Copyright © 2006, Quebec Inc. Proprietary and Confidential Liberty Alliance ID-FF / SAML 2.0 DC used only to authenticate with IdP DC used for proactive SSO with SPs DC used for unlinkable authentication with IdP SPaSPb IdP User

7 7 Copyright © 2006, Quebec Inc. Proprietary and Confidential Liberty Alliance ID-WSF DC-based security mechanism for all message exchanges LUAD can manage authentication and attribute delivery “Certified” Data Service Authority issues DCs to Data Service during Create/Update Data Service uses DCs to prove Query results to requestors Data Service may be hosted on User device Note: we are addressing requirements together with Liberty Alliance TEG (we are a member)

8 8 Copyright © 2006, Quebec Inc. Proprietary and Confidential Microsoft “InfoCard” IC Issuer provides ic:InfoCard and DCs to User User device proves required claims to Relying Parties IC Issuer is out of the loop Note: we are currently exploring tight integration into InfoCard with Microsoft

9 9 Copyright © 2006, Quebec Inc. Proprietary and Confidential Open Standards

10 10 Copyright © 2006, Quebec Inc. Proprietary and Confidential SAML 2.0 Profiles of usage patterns involving multiple parties Bindings of their messages to specific communications mechanisms Protocols that define the messages themselves An Assertion format that conveys Statements about a Subject from an Issuer

11 11 Copyright © 2006, Quebec Inc. Proprietary and Confidential SAML Assertion May contain any number of Statements relating to An authentication event Some attributes An authorization decision Or any other app-specific information May contain usage Conditions and Advice May be signed by its issuer...which may create a digital wake

12 12 Copyright © 2006, Quebec Inc. Proprietary and Confidential DC-based SAML Assertion Subject can construct a SAML Assertion with: Statements derived from certified attributes Digital Credential public key Issuer's signature DC proof of Statements Relying party verifies DC proof No more digital wake

13 13 Copyright © 2006, Quebec Inc. Proprietary and Confidential XML Signature Holds a SignatureValue made using a key described by KeyInfo and computed using some SignatureMethod over a canonicalized SignedInfo holding one or more Reference elements that refer to...and hold digests of any data

14 14 Copyright © 2006, Quebec Inc. Proprietary and Confidential DC-based XML Signature KeyInfo can contain or refer to a DC public key New SignatureMethod Algorithm URI for DC-based signature

15 15 Copyright © 2006, Quebec Inc. Proprietary and Confidential WS-Security Provides security services for SOAP "Security tokens" in SOAP headers provide Message integrity Message confidentiality Digital Credential integrity protection using: DC-based SAML Assertion security token DC-based XML Signature over message

16 16 Copyright © 2006, Quebec Inc. Proprietary and Confidential WS-Trust Defines a Security Token Service Exchanges one kind of token for another Issuance binding to issue Digital Credentials Validation binding to verify DC showings

17 17 Copyright © 2006, Quebec Inc. Proprietary and Confidential Authentication

18 18 Copyright © 2006, Quebec Inc. Proprietary and Confidential Authentication at different layers Network Layer No changes required for applications DC used by VPN clients ISAKMP for IPsec Transport Layer May require changes to applications, but only to plumbing DC used by application clients TLS cert_type hello extension Application Layer Requires localized changes to applications SPKM for GSS-API – Integration into CORBAsec, GSS-API users, and SASL users Liberty Alliance SAEG TMa spec (“iClient” originating from Intel)

19 19 Copyright © 2006, Quebec Inc. Proprietary and Confidential Credentica implementations

20 20 Copyright © 2006, Quebec Inc. Proprietary and Confidential Implementations Now: Java Servlets for DC issuance and verification Nokia S60 Browser “filter” for DC issuance and use Java Applet for DC issuance and use Mozilla Firefox Extension (experimental) Future Possibilities: Internet Explorer Browser Helper Object Windows SSP/AP for local and network logon Authentication Modules for major I&AM suites – Sun Java System Access Manager – HP OpenView Select Access – Etc…


Download ppt "Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved."

Similar presentations


Ads by Google