
All Contents © 2003 Burton Group. All rights reserved. Federating Identity Management: Standards, Technologies and Industry Trends. November 20, 2003, Daniel Blum.


Slide 1: Federating Identity Management: Standards, Technologies and Industry Trends
November 20, 2003
Daniel Blum, Senior VP, Research Director
dblum@burtongroup.com, www.burtongroup.com
All Contents © 2003 Burton Group. All rights reserved.

Slide 2: Federated Identity Management Thesis
- What? Parallel efforts from OASIS, Liberty Alliance, Web access management vendors, and platform vendors are gaining momentum and will ultimately converge (perhaps not without some pain). "Identity networks" are needed to scale ubiquitous operation.
- Why? By meeting business requirements for loosely coupled security between autonomous domains, federated identity extends identity management.
- When? Now. Federated identity has many early adopters across multiple industries; products and tools are available; ROI and competitive advantage are in sight.

Slide 3: Identity Management and Federation: Agenda
- Federated Identity Concepts
- Industry Trends
- Recommendations


Slide 5: Federated Identity Concepts: The challenge: Managing many identities
[Diagram. Populations: Employees, Customers, Less-known Partner or xSP, Unknown. Systems: Internal Systems & Data; tightly-coupled or loosely coupled, integrated or federated interior systems; loosely-coupled, federated exterior systems; Extranets; The Internet.]

Slide 6: Federated Identity Concepts: What is federated identity management?
Agreements, standards, and technologies that make identity and entitlements portable across autonomous domains:
- Authentication assertions (federated sign on)
- Authorization assertions
- Attribute assertions
- Identity linking procedures
- Trust relationships
- Business, legal agreements

Slide 7: Federated Identity Concepts: Federated authentication between domains
[Diagram. Company A is the Identity Provider (IDP) with an access point and an identity repository; Company B is the Service Provider (SP) with an access point and a resource; the User reaches both over the Internet.]
1) User authenticates (at Company A's IDP access point)
2) Company A checks the User's id/credential against its identity repository
3) User requests resource (at Company B's SP access point)
4) Company B checks policy
5) Co. B requests identity assertion for User
6) Co. A sends identity assertion
7) User gets access!
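A constructed walk-through of these seven steps, added here and not part of the Burton Group deck: an HMAC-signed JSON token stands in for a SAML assertion, and the SP side shows the checks (trusted issuer, signature, audience, expiry) that keep the "transitive trust" risk named on slide 9 contained. All company names, users and keys are constructed.

```python
import hmac, hashlib, json, time

# Constructed example: one shared HMAC key per IDP/SP trust relationship stands in
# for the XML Signature a real SAML assertion would carry. This is the SP's trust list.
TRUST_KEYS = {"company-a-idp": b"constructed-shared-secret-A"}

def idp_authenticate(users, user, password):
    """Steps 1-2: Company A checks the user's id/credential against its repository."""
    return users.get(user) == password

def idp_issue_assertion(issuer, key, subject, audience, ttl=300):
    """Step 6: Company A signs an identity assertion scoped to one SP (audience)."""
    body = {"issuer": issuer, "subject": subject, "audience": audience,
            "expires": int(time.time()) + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def sp_accept_assertion(assertion, expected_audience, now=None):
    """Steps 5-7: Company B verifies before granting access. Returns (ok, reason_or_subject)."""
    now = time.time() if now is None else now
    body = json.loads(assertion["payload"])
    key = TRUST_KEYS.get(body.get("issuer"))
    if key is None:
        return False, "untrusted issuer"      # no transitive trust: only listed IDPs count
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"         # payload altered in transit
    if body["audience"] != expected_audience:
        return False, "wrong audience"        # assertion minted for a different SP
    if body["expires"] < now:
        return False, "expired"
    return True, body["subject"]

def federated_login(user, password):
    """Steps 3-4 happen at Company B; here its policy is simply 'requires an assertion'."""
    users = {"alice": "pw-constructed"}       # Company A's identity repository (constructed)
    if not idp_authenticate(users, user, password):
        return False, "idp rejected credential"
    a = idp_issue_assertion("company-a-idp", TRUST_KEYS["company-a-idp"], user, "company-b-sp")
    return sp_accept_assertion(a, "company-b-sp")
```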

Slide 8: Federated Identity Concepts: Federation concepts
- Federated sign on: authentication requests, assertions; session management
- Federated identity mapping: account linking; privacy protections; link account to role (or persistent policy)
- Federated identity information: attribute requests, assertions; privacy protections
- Federated authorization: authorization requests, assertions
- Management: business, legal agreements; trust relationships; audit services

Slide 9: Federated Identity Concepts: Risks
Federated identity creates new risks:
- Relying on an external party for identity assertions
- Forensics and record retention must span boundaries
- Slippery slope of transitive trust: trust failures could propagate, cross-over attacks are possible
...but reduces other risks:
- Pushes IdM and accountability to the most responsible party
- High security domains can be autonomous, but still interoperate
- Lessens reliance on a large scale, centralized security infrastructure (shifts complexity)


Slide 11: Industry Trends: What infrastructure is needed for federated identity?
[Diagram, three layers:]
- Identity Networks (public identity services, or other communities): Ping ID, .NET Passport, Verified By Visa, Shibboleth, others
- Federated Identity Standards (used between or within products/domains): SAML, Liberty, WS-Security, WS-Federation, XACML, others
- Base Security Capabilities ((mostly) used within domains): Kerberos, X.509, LDAP, ID/Pwd, Token, others

Slide 12: Industry Trends: Security Assertion Markup Language (SAML)
- SAML provides authentication, authorization, and attribute assertions between loosely coupled domains
- Meant to be complemented by XACML and other specs
- SAML 2.0 will converge with donated Liberty Alliance Phase I work, add user-to-role mapping, better session management, perhaps credentials collection

Slide 13: Industry Trends: Liberty Alliance
- Consortium of over 160 organizations: enterprises, service providers, and vendors
- In 2002, developed Identity Federation Framework (ID-FF) using opt-in account linking on top of SAML
- In 2003, developing Identity Web Services Framework (ID-WSF), permission-based attribute sharing and additional capabilities
[Diagram: within a Circle of Trust, the User holds linked accounts at Domain A (IDP) and Domain B (SP); a SAML assertion passes between them by browser redirect or Web service.]

Slide 14: Industry Trends: Federated identity products and adoption
- SAML early adoption gaining momentum: multiple Web access management and other security products in various stages of release or development; open source solutions and toolkits available; growing customer adoption across multiple industries
- Liberty entering early adoption: head start by encouraging end user membership, adopting SAML, and putting Liberty Phase I into OASIS; products and early implementations underway; but some Web access management vendors are not yet implementing Liberty standards

Slide 15: Industry Trends: Federated identity: A growing stack of converging standards with common foundations
[Diagram. Layers, bottom to top:]
- Foundation Web Standards: WSDL, SOAP, XML, HTTP, HTML
- XML Signature, XML Encryption, XML Key Management Services (XKMS); SPML, XrML, XACML
- WS-Security
- SAML; Liberty ID-FF (Liberty Alliance Phase 1): Federated Sign on; Liberty Alliance Phase 2 (ID-WSF, ID-SIS): Permission based attribute sharing
- WS-Policy, WS-Trust, WS-SecureConversation, WS-Federation; WS-Authorization, WS-Privacy
Key (colour coding of the original slide, not recoverable here): Microsoft, IBM, etc. unpublished; Microsoft, IBM, etc. published; OASIS published; OASIS new work; Liberty Alliance.

Slide 16: Industry Trends: SAML, Liberty Alliance, and WS-*
Where they agree:
- WS-Security and WS-* carry SAML and Liberty assertions
- OASIS, Liberty Alliance developing WS-Security bindings
- Microsoft says it will support SAML in Authorization Manager; IBM supports SAML, says it will support Liberty
- WAM vendors will support both
Where they disagree:
- Microsoft, IBM won't join Liberty Alliance
- WS-Federation has a different profile for browser-based users than SAML and Liberty
- Microsoft promoting XrML, not SAML and XACML

Slide 17: Industry Trends: SAML, Liberty Alliance, and WS-*: What to expect
A standards race of "The Tortoise and the Hare":
- SAML and/or Liberty "hare" racing ahead with federated identity specific initiatives, well into early adoption
- WS-* "tortoise" will need a few years to be fully standardized, built, and broadly deployed; but Microsoft, IBM and partners can push a lot of software into the channel
- SAML and Liberty Alliance likely to converge with WS-* over the next 5 years for a relatively comfortable coexistence

Slide 18: Industry Trends: Technology availability and adoption waves
[Timeline 2003-2007, in order of arrival: SAML; Liberty ID-FF; WS-Security; WS-*, new Liberty specs, SAML 2.0. Components and timing variable, subject to standardization and convergence.]

Slide 19: Industry Trends: Identity networks today
- Centralized: .NET Passport and AOL Screen Name Service
- Industry-based, proprietary: SecuritiesHub, Verified by Visa, others
- SAML-powered: Shibboleth, multiple corporate networks
- Liberty-powered: corporate B2E projects underway
- PingID and Neustar (eRX Land Records Exchange Network)
- Financial networks (SecuritiesHub, others)
- Mobile communications networks

Slide 20: Identity Networks
- Federation implies a poly-centric environment: many islands will emerge; industry-specific solutions are likely
- How will they converge? Identity networks could emerge to link the islands
- Identity networks may be centralized (like Passport), member-owned (as in the ATM, credit-card worlds), provide common governance and policy frameworks, or other models
[Diagram: Identity Network A and Identity Network B, each containing identity domains, connected by identity peering.]

Slide 21: Identity Networks: Federated Identity and Web services network types
[Timeline 2003-2007, in order of arrival: pair-wise, internal federation; trusted third party enabled federation; communities (hub optional); identity networks.]


Slide 23: Recommendations: Early adopter lessons learned
- If you build it, they will come: partner interest cascades...
- Return on investment (ROI) is out there
- Federated identity is flexible, it works, and it's reliable
But:
- You have to pay to play
- SAML protocol has some gaps
- Browsing issues and performance bottlenecks arise
- The infrastructure must be secure
- Users will always surprise you

Slide 24: Recommendations: Lessons learned from early deployments
Technical issues not so difficult:
- Web developers prefer standards-based SAML or Liberty approach to point integration solutions
- Some enterprises have written their own XML-based federation layer
- Others purchasing Web access management (WAM) support for IDP operations, WAM or toolkit to accept assertions as SP
Business issues more complicated than technical ones:
- Build in time to get business application owners on board, and work through arrangements with partners
- Some enterprises mandating federated IdM for suppliers
- Create "workbooks" or other collaterals that help early partners understand federated IdM (trading "hubs" can drive adoption)
- Leverage existing industry associations, identity networks

Slide 25: Recommendations
- Today: Implement SAML, Liberty, and conventional IdM at appropriate architecture tiers
- Future: Integrate federated identity with secure Web services

Slide 26: Recommendations: Deployment considerations
- Use consolidation and integration to build a base camp to federate from (continue cleaning the identity house)
- Consider SAML and/or Liberty for current projects, augmenting conventional IdM
- Monitor WS-* for future opportunity to deploy secure Web services solutions; seek convergent solutions
- Prepare for breaches on either side of your federations by adding business agreements for cooperative risk management and dispute resolution
- Brief the purchasing department, security department, and legal department to get their buy-off

Slide 27: Conclusion
- Federated identity management is a strategic capability that will solve real problems
- SAML and Liberty provide federated identity to the current generation of Web-enabled computing
- Next generation of Web services computing taking shape, will include federated identity
- In the long run, federated identity will converge across both generations of computing
- Identity networks will link partners: internal and external, large and small
