Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.

Published byBuck Burke Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing."— Presentation transcript:

1 Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing Director Archistry Limited

2 Public Information 2 Copyright 2006 Archistry Limited. All Rights Reserved. Agenda  Definitions  Business drivers for federated identity  Approaches to providing federated identity  Technical considerations  Questions

3 Public Information 3 Copyright 2006 Archistry Limited. All Rights Reserved. Definitions  Federated system – integrates existing, possibly heterogeneous systems while preserving their autonomy  Association autonomy – the ability of a component system to decide whether and how to share its operations and resources with other systems  Federated identity – a shared name identifier agreed between partner services in order to share information about the user across organizational boundaries

4 Public Information 4 Copyright 2006 Archistry Limited. All Rights Reserved. Business Drivers  What are you trying to do? Provide single sign-on (SSO)? Support dynamic collaboration? Provide a central point of access to distributed services?  Who are the other participants? Services controlled by a single organization? Services provided by trading partners? Parties with whom you have no formal relationship?

5 Public Information 5 Copyright 2006 Archistry Limited. All Rights Reserved. Additional Considerations  Privacy and consent Will the users use the system? How will their privacy be protected? How will you respond to a right to access request?  Accountability What mechanisms will be used for identity proofing? What mechanisms will ensure non- repudiation of authentication? How will you respond to claims of fraudulent access?

6 Public Information 6 Copyright 2006 Archistry Limited. All Rights Reserved. Approaches  Don’t federate  Federated identity  Chain of trust  Federated authorization

7 Public Information 7 Copyright 2006 Archistry Limited. All Rights Reserved. Federated Identities  Leverages the identification/authentication of a trusted member of the federation (e.g. SAML IdP)  May or may not require local accounts at all service providers  Requires out-of-band business agreements between members of the federation  Does nothing more than assert a claim as to the identity of a user or request within a given context

8 Public Information 8 Copyright 2006 Archistry Limited. All Rights Reserved. Example: US Government E-Authentication Framework

9 Public Information 9 Copyright 2006 Archistry Limited. All Rights Reserved. Chain of Trust  Each participant responsible for authenticating only the members directly communicating with it  Information integrity must be assured by the information producer  Requires out-of-band business agreements between members of the federation  Each member of the chain is authenticated to the next— any other credential information is opaque  Ensures a sequence of participants can exchange information, but does not directly authenticate (or may not even identify) the original information producer

10 Public Information 10 Copyright 2006 Archistry Limited. All Rights Reserved. Example: Irish Government’s Reach Project

11 Public Information 11 Copyright 2006 Archistry Limited. All Rights Reserved. Federated Authorization  Federation defines the semantics of a particular set of profile attributes  Service provider association and access control is based on the presence of one or more attributes  Can be used in conjunction with federated identities or without them for dynamic collaboration  Still requires out-of-band business agreements between members of the federation  Can be used for more flexible and dynamic collaborations, but attribute negotiation may have privacy implications

12 Public Information 12 Copyright 2006 Archistry Limited. All Rights Reserved. Example: EU Driving License Regulations

13 Public Information 13 Copyright 2006 Archistry Limited. All Rights Reserved. Technical Considerations  How will the business agreements be managed electronically (Proprietary XML, SAML, XACML, WS-Policy or something else)?  Are the services provided asynchronously or synchronously?  What is the temporal coupling between the services?  Are the services provided to interactive users or automated agents?  How much information is necessary to identify the user to the local service?  Will the local services also support authentication and management of their own user identities?  Which is most important: the identity of the principal making the request or the identity of the principal to which the request refers?  Who (or what) is actually making the request?

14 Public Information 14 Copyright 2006 Archistry Limited. All Rights Reserved. References  US E-Government Authentication Framework and Programs, IT Professional, May/June 2003, http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/it/&toc=comp/mags/it/2003 /03/f3toc.xml&DOI=10.1109/MITP.2003.1202230 http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/it/&toc=comp/mags/it/2003 /03/f3toc.xml&DOI=10.1109/MITP.2003.1202230  Technical Approach for the Authentication Service Component, Version 1.0.0, GSA (2004), http://www.cio.gov/eauthentication/documents/TechApproach.pdf http://www.cio.gov/eauthentication/documents/TechApproach.pdf  SAML V2.0 Technical Overview, Working Draft 10, http://www.oasis- open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdfhttp://www.oasis- open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf  Liberty ID-WSF Web Services Framework Overview, Version 2.0, http://www.projectliberty.org/liberty/content/download/889/6243/file/liberty-idwsf-overview-v2.0.pdf http://www.projectliberty.org/liberty/content/download/889/6243/file/liberty-idwsf-overview-v2.0.pdf  Access Control Management in a Distributed Environment Supporting Dynamic Collaboration, Shafiq, B. et al (2005), http://portal.acm.org/citation.cfm?id=1102503http://portal.acm.org/citation.cfm?id=1102503  Implementing a Federated Architecture to Support Supply Chains, Chadha, B. (2003), http://www.coensys.com/files/federation%20white%20paper%2003.PDF http://www.coensys.com/files/federation%20white%20paper%2003.PDF  A Distributed Trust Model, Abdul-Rahman, A., S. Hailes (1997), http://portal.acm.org/citation.cfm?id=283739 http://portal.acm.org/citation.cfm?id=283739  Access Control in Federated Systems, De Capitani di Vimercati, S. and Samarati, P. (1996), http://portal.acm.org/citation.cfm?id=304871 http://portal.acm.org/citation.cfm?id=304871

15 Public Information 15 Copyright 2006 Archistry Limited. All Rights Reserved. Turning innovation into business value TM Archistry Limited 33 Pearse Street Suite 115 Dublin 2, Ireland www.archistry.com Phone +353 86 996 2490 Fax +353 865 996 2490 Email info@archistry.com

Download ppt "Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
DRAGOLJUB NESIC 08/12/2013 DOES IDENTITY MANAGENT REALLY HAVE TO BE DIFFICULT?

DRAGOLJUB NESIC 08/12/2013 DOES IDENTITY MANAGENT REALLY HAVE TO BE DIFFICULT?
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
ECHO: NASA’s E os C learing HO use Integrating Access to Data Services Michael Burnett Blueprint Technologies, 7799 Leesburg.

ECHO: NASA’s E os C learing HO use Integrating Access to Data Services Michael Burnett Blueprint Technologies, 7799 Leesburg.
U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.

U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,

Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
The Need for Trusted Credentials Information Assurance in Cyberspace Judith Spencer Chair, Federal PKI Steering Committee www.cio.gov/fpkisc.

The Need for Trusted Credentials Information Assurance in Cyberspace Judith Spencer Chair, Federal PKI Steering Committee
1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.

1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Similar presentations

Ads by Google