Web Single Sign-On: Federated Identity

Presentation transcript:

Web Single Sign-On: Federated Identity
Dan Houser, MBA, CISSP, CCP, Security Architect, Nationwide, Houserd1@nationwide.com

Nationwide
Fortune 500 company; a leading US financial company & insurer:
- Life Insurance
- Automobile Insurance
- Property & Casualty Insurance
- Liability Insurance
- Annuities
- Retirement Products
- Investment Services
- Mortgages

Objectives
- How a Fortune 500 company implemented SAML for cross-company authentication (CCA)
- Under the covers: how artifact and signed SAML authentication works between business partners
- Building an extensible, enterprise architecture implementation with alpha and beta tools
- Lessons learned, challenges, and surprises when extending authentication and authorization to 3rd parties
- Identity, cryptography, and assertions, oh my!
- Web services authentication and authorization challenges

Web services
Phenomenal business acceleration since 1990:
- Transformation of business: from business at the club to EDI brokering; from book binding to e-books to books on demand; supply chain management
- Rapid changes in business and trust models: outsourcing, resourcing, insourcing; hosting, co-location, managed services, ASPs
- Intense, cyclical acquisition & divestiture activity
- Global markets & economies

Web services (2)
Generations of the Internet:
- 1st Gen: Isolation (research)
- 2nd Gen: Information (storefront)
- 3rd Gen: Transaction (eCommerce)
- 4th Gen: Integration (Web Services)

Quick Web services primer
Uses open, lightweight protocols: HTTP, XML, SOAP, WSDL, UDDI.
- Provides a direct connection to business logic and core objects through Internet protocols
- Instead of COM, DCOM and RPC, now invoke a Web service over HTTP

Federated identity
What is federated identity? The agreements, standards and technologies that make identity and entitlements portable across autonomous domains.§
Cross-company authentication (CCA): authentication & authorization between organizations and companies. Essentially the same thing under the covers.
§ Source: RSA Security, http://www.rsasecurity.com/go/google/fed_id/redirect.html

Federated identity, use case 1: Travel model
- Provider A conducts business with B on behalf of the end user
- Traditional back-office functions, but in real time
- Reference model: Travelocity®
[Diagram: end user reaches A's web page over HTTP; A calls B, a 3rd-party web services provider with its own business logic, over HTTP / XML / SOAP across Internet / intranet; B2B, B2C, B2E]

Federated identity, use case 2: Portal model
- B provides service or collaborative content for A
- Transparent to the end user
- Reference model: MapQuest® in Yahoo!® portal
[Diagram: end user reaches A's web page over HTTP; A embeds content from B, a 3rd-party web services provider, fetched over HTTP / XML / SOAP across Internet / intranet; B2B, B2C, B2E]

Federated identity, use case 3: Single sign-on model
- A redirects user to B
- B trusts A's authentication
- "Single sign-on" (a.k.a. cross-company authentication, federated identity)
- Reference model: private label banking
[Diagram: A, B and the end user exchange HTTP / XML / SOAP / SAML messages]

Web services implications
- Extensible access portals for legacy business logic and processes
- Ability to react to the market very quickly
- Changes to core business applications are immediately available to trading partners, vendors, customers and regulators
- Business velocity without the roadblocks of building extensive GUI presentation layers

Web services introduces cross-company authentication
For selected interfaces:
- Other business partners trust your authentications, and…
- Your organization trusts the authentications provided by others.

SAML provides a framework for cross-company authentication
SAML: Security Assertion Markup Language
- Lightweight protocol to exchange security assertions & artifacts
- Can be signed for a self-validating assertion
- Permits partners to exchange assertions about authentication and authorization of users

SAML
SAML has 4 major components:
- Assertions: authentication assertions, attribute assertions, authorization decision assertions
- Request / response protocol: SOAP over HTTP
- Bindings: how SAML requests map to transport protocols (such as SOAP)
- Profiles: how SAML assertions are embedded or transported between parties

SAML (2)
Example of a SAML request carried in a SOAP message over HTTP (source: OASIS, http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-00.doc):

    POST /SamlService HTTP/1.1
    Host: www.example.com
    Content-Type: text/xml
    Content-Length: nnn
    SOAPAction: http://www.oasis-open.org/committees/security

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <samlp:Request xmlns:samlp="…" xmlns:saml="…" xmlns:ds="…">
          <ds:Signature> … </ds:Signature>
          <samlp:AuthenticationQuery> … </samlp:AuthenticationQuery>
        </samlp:Request>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
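The signed-assertion idea from the previous slides, as an added example that is not part of the original presentation: an asserting party issues a SAML 1.x-style authentication assertion and the relying party validates it before trusting the subject. The issuer, audience and secret are constructed, and a shared-secret HMAC stands in for the XML-DSig signature a real deployment would verify against the partner's certificate.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# All values below are constructed for the example.
PARTNER_SECRET = b"constructed-shared-secret"     # stands in for the XML-DSig key pair
TRUSTED_ISSUER = "https://idp.example.test"       # hypothetical asserting party
OUR_AUDIENCE = "https://sp.example.test"          # hypothetical relying party
CLOCK_SKEW = timedelta(minutes=3)                 # tolerated drift between partner clocks
NOW = datetime(2003, 1, 15, 12, 0, tzinfo=timezone.utc)


def issue_assertion(subject, now, lifetime=timedelta(minutes=5)):
    """Asserting party: build a SAML 1.x-style authentication assertion and sign it."""
    a = ET.Element("Assertion", Issuer=TRUSTED_ISSUER, IssueInstant=now.isoformat(),
                   AssertionID="_constructed-assertion-id")
    cond = ET.SubElement(a, "Conditions", NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + lifetime).isoformat())
    restr = ET.SubElement(cond, "AudienceRestrictionCondition")
    ET.SubElement(restr, "Audience").text = OUR_AUDIENCE
    stmt = ET.SubElement(a, "AuthenticationStatement")
    subj = ET.SubElement(stmt, "Subject")
    ET.SubElement(subj, "NameIdentifier").text = subject
    body = ET.tostring(a)          # the exact bytes the MAC covers
    mac = hmac.new(PARTNER_SECRET, body, hashlib.sha256).hexdigest()
    return {"assertion": body, "signature": mac}


def validate_assertion(msg, now):
    """Relying party: return the authenticated subject or raise ValueError."""
    body, sig = msg["assertion"], msg["signature"]
    # 1. Integrity and origin first, before trusting anything parsed from the XML
    expected = hmac.new(PARTNER_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("signature check failed")
    a = ET.fromstring(body)
    # 2. Only assertions from the contracted partner are accepted
    if a.get("Issuer") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    # 3. Validity window, with a small allowance for the partner's clock
    cond = a.find("Conditions")
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        raise ValueError("assertion outside its validity window")
    # 4. The assertion must be addressed to us, not to some other partner of the issuer
    if OUR_AUDIENCE not in [e.text for e in cond.iter("Audience")]:
        raise ValueError("assertion not intended for this relying party")
    return a.find("AuthenticationStatement/Subject/NameIdentifier").text


if __name__ == "__main__":
    message = issue_assertion("alice", NOW)
    print("accepted subject:", validate_assertion(message, NOW))
```

The skew allowance is what keeps the "time synchronization" surprise from a later slide from turning into spurious rejections, while an expired or altered assertion is still refused.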

SAML provides transaction trust
[Diagram: protocols providing trust, arranged by scope (enterprise, line of business, business function) and by granularity (session, messages / transactions)]
- SSL / TLS / IPsec / Kerberos: session-level trust
- SAML / WS-Security / XML-DSig / Passport: session and message / transaction-level trust
- Enterprise scope: no existing protocol

Nationwide & CCA timeline
2000-2001:
- Implemented several federated identity solutions
- Used proprietary artifacts & communication session solutions
- Worked well, but… unique "one-off" solutions
- Lacked standards for standard implementation; extensive re-work

Nationwide & CCA timeline (2)
2002:
- Resolved to adopt a standards-based federated identity solution
- Investigated several federated identity standards
- SAML selected as the best SSO authentication solution at the time
- Joined Liberty Alliance as Associate Member

Nationwide & CCA timeline (3)
2002:
- Determined three viable directions: Web Access Mgmt (WAM) middleware; adding SAML parsing to existing application(s); building own assertion generator & parser
- Investigated the market for the vendor best suited to deliver a SAML-based solution
- Established contract with WAM vendor
- Built first SAML implementation for SSO

Nationwide: First SAML cross-company SSO
- Launched January, 2003
- First commercial use of SAML for SSO
- Three business partners
- Nationwide provides portal, authentication & authorization for both other partners
[Diagram: end user, Nationwide (AuthN, AuthZ), Financial Aggregator and Financial Services Company across Internet / intranet; steps 1 link, 2 redirect, 3 AuthN / AuthZ, 4 redirect; B2B, B2C, B2E]

Nationwide: First SAML cross-company SSO (2)
- Launched January, 2003
- First commercial use of SAML for SSO
- Three business partners
- Nationwide provides portal, authentication & authorization for both other partners.
[Diagram: the same parties, now with six numbered steps: 1 link from the end user, 2 redirect to Nationwide, 3 AuthN, 4 AuthZ and redirect, 5 and 6 redirect on to the Financial Aggregator and Financial Services Company; B2B, B2C, B2E]

Challenges
- Complexity
- Business issues
- Federation
- Weakest link
- Business trust models

Complexity
- Corporate 3-tier Web architectures are already complex
- Federated SSO adds significant complexity in coupling: existing infrastructure, Web Access Mgmt (WAM) middleware, Web services interfaces, new infrastructure, cross-company functionality

Complexity (2)
Complexity requires technical sophistication on both sides of the relationship.
- Developers need to understand: SAML, Web services, WAM, encryption
- Architects need to understand: identity management, authentication/authorization models

Complexity (3)
Complexity extends to privacy and identity issues:
- Privacy policy aggregation, demarcation; need to involve CPO, General Counsel
- Identity management issues
- Legal contract & business agreement: roles & responsibilities, vendor management, procedures for validating trust

Business issues
The technology is moderately complex. Trust & policies are harder: closer to a wedding than a business relationship.
Nationwide's solution:
- Certification & accreditation process
- Reference architecture
- Strong 3-tier infrastructure architecture
- Forward-looking standards for trust governance

Federation
Interoperability of identity frameworks:
- Tough to do between existing corporate legacy applications
- Even tougher between disparate organizations
- Deep dive on assumptions, standards, vetting
- Must scale and scope to business context

Weakest link
Security posture differences must be determined & governed:
- Alignment of reference architecture
- Policy & standards matrix comparison
- Establishment of CCA standards
SLA & performance weakest link: if your SLA is 7x24, and your partner's SLA is 5x10, how will you provide 7x24?


What now? The Interconnectedness of all things…

Business trust models
Recognized needs:
- Ongoing contractual compliance
- Continual determination of trustworthiness
- Legal implications of trust model
Result: CCA standards; development of the Xota(SM) protocol.
Xota(SM) is a service mark of Nationwide Mutual Insurance Company. Patent pending.

Xota(SM)
- Combination of protocol & methodology
- Permits determination of trustworthiness in real time between business partners
- Trust governance at the transaction level
- Continuous assessment of contractual and regulatory compliance
- Nationwide is establishing a consortium
Xota(SM) is a service mark of Nationwide Mutual Insurance Company. Patent pending.

Surprises
- Troubleshooting with ½ the data
- Missing standards & solutions
- Interoperability
- Human factors

Troubleshooting
SAML consists of HALF transactions: asserting party -> relying party. Troubleshooting with only half the data!
- Complexity and cross-disciplinary issues
- Coordinated helpdesk an issue
- Log sharing, aggregation
- Time synchronization an issue

Missing standards & solutions
SAML has some gaps:
- No SAML session management
- No support for timeout, logoff "rollup"
- Had to develop own session management and session timeout protocol
Middleware gaps:
- No signed SAML support in middleware
- Lack of 3-tier architecture support

Session management issues
- Cookie forces session timeout: user must re-authenticate
- User is redirected back to Nationwide, gets SAML assertion
- Goes through SAML authentication process again
[Diagram: the six-step SSO flow again: end user, Nationwide (AuthN, AuthZ), Financial Aggregator and Financial Services Company across Internet / intranet, with link, redirects and B2B, B2C, B2E]
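The artifact flow from the SSO slides and the home-grown session timeout described on the last two slides, as an added example that is not part of the original presentation. The partner ids, artifact lifetime and session timeout are constructed; the asserting party releases the assertion only over the back channel, exactly once, and the relying party keeps its own session clock because SAML 1.x gives it none.

```python
import secrets

ARTIFACT_TTL = 60        # seconds an unresolved artifact stays valid (constructed value)
SESSION_TIMEOUT = 900    # relying-party session lifetime, enforced locally (constructed)
TRUSTED_PARTNERS = {"aggregator", "fincorp"}   # hypothetical relying-party ids


class AssertingParty:
    """Source site: authenticates the user, sends the browser on with an opaque
    artifact, and releases the assertion only over the back channel."""
    def __init__(self, clock):
        self.clock = clock              # callable returning seconds; injected for testing
        self._pending = {}              # artifact -> assertion awaiting resolution

    def create_artifact(self, subject):
        artifact = secrets.token_urlsafe(20)   # unguessable handle, not the assertion itself
        self._pending[artifact] = {"subject": subject, "issued": self.clock()}
        return artifact

    def resolve(self, artifact, partner_id):
        # Partner-connection check is application level: the slides note that SAML
        # itself does not authenticate the partner connection.
        if partner_id not in TRUSTED_PARTNERS:
            return None
        assertion = self._pending.pop(artifact, None)   # pop: an artifact resolves once
        if assertion is None or self.clock() - assertion["issued"] > ARTIFACT_TTL:
            return None
        return assertion


class RelyingParty:
    """Destination site: dereferences the artifact, then runs its own session
    timeout, the piece the slides say had to be built on top of SAML."""
    def __init__(self, partner_id, asserting_party, clock):
        self.partner_id, self.ap, self.clock = partner_id, asserting_party, clock
        self._sessions = {}             # session id -> (subject, last activity)

    def consume_redirect(self, artifact):
        assertion = self.ap.resolve(artifact, self.partner_id)
        if assertion is None:
            return None                 # bad, replayed or stale artifact: re-authenticate
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = (assertion["subject"], self.clock())
        return sid

    def current_user(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        subject, last_seen = entry
        if self.clock() - last_seen > SESSION_TIMEOUT:
            del self._sessions[sid]     # expired: caller redirects to the source site again
            return None
        self._sessions[sid] = (subject, self.clock())   # idle timeout, refreshed on use
        return subject
```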

Interoperability
- Authentication & authorization required for both the business partners and users
- SAML provides user authentication
- No protocol support for partner connection authentication, authorization
- Each partner connection model unique
- Bleeding-edge implementation preceded Web services protocol standards

Human factors
Communications issues; users unaware of SSO implementation:
- Sensitive to performance lag
- Multiple resubmits
- Question lack of sign-on: "Is security broken?"
Deep bookmarking:
- Users will bookmark relying party sites
- Persistent cookie that identifies user as CCA user?

Lessons learned
- Have a good partner relationship with WAM vendor(s)
- Business issues as significant as technology issues
- Lightweight implementation toolkit required for smaller partners
- Trust modeling an important consideration

Benefits achieved
- Federated identity provides flexible, adaptable solutions for SSO
- Ability to use infrastructure for affiliates, other contexts
- If you build it, they will come
- Federated identity works reliably
- Use of standards, such as SAML, pays off in 2nd, 3rd implementations

Q&A Questions?

Further information
Best resources:
- OASIS: http://xml.coverpages.org/saml.html
- Liberty Alliance: http://projectliberty.org
Contact information: Dan Houser, MBA, CISSP, CCP, Security Architect, Nationwide, (614) 249-6639, houserd1@nationwide.com

Thank you. Questions, comments? Mr. Houser will not be available to answer questions at the Ask-the-Experts booth in the Exhibit Hall. Please send questions to jglossner@techtarget.com.