Slide 1: Federating Identity Management: Standards, Technologies and Industry Trends
Daniel Blum, Senior VP, Research Director, Burton Group
November 20, 2003
All Contents © 2003 Burton Group. All rights reserved.

Slide 2: Federated Identity Management Thesis
- What? Parallel efforts from OASIS, the Liberty Alliance, Web access management vendors, and platform vendors are gaining momentum and will ultimately converge, perhaps not without some pain. "Identity networks" are needed to scale to ubiquitous operation.
- Why? By meeting business requirements for loosely coupled security between autonomous domains, federated identity extends identity management.
- When? Now. Federated identity has many early adopters across multiple industries; products and tools are available; ROI and competitive advantage are in sight.

Slide 3: Identity Management and Federation: Agenda
- Federated Identity Concepts
- Industry Trends
- Recommendations

Slide 4: Agenda, part 1: Federated Identity Concepts

Slide 5: Federated Identity Concepts: The challenge: managing many identities
(Diagram, described.) The enterprise's internal systems and data sit at the centre. Employees use tightly coupled or loosely coupled, integrated or federated interior systems. Customers and less-known partners or xSPs reach in through loosely coupled, federated exterior systems. Beyond them lie unknown parties on extranets and the Internet.

Slide 6: Federated Identity Concepts: What is federated identity management?
Agreements, standards, and technologies that make identity and entitlements portable across autonomous domains:
- Authentication assertions (federated sign-on)
- Authorization assertions
- Attribute assertions
- Identity linking procedures
- Trust relationships
- Business and legal agreements

Slide 7: Federated Identity Concepts: Federated authentication between domains
(Diagram, described as steps.) Company A runs an identity provider (IdP) access point backed by its identity repository; Company B runs a service provider (SP) access point in front of its resource. The user reaches both over the Internet.
1) The user authenticates at Company A's IdP access point.
2) The IdP checks the user's id/credential against Company A's identity repository.
3) The user requests a resource at Company B's SP access point.
4) The SP checks policy.
5) Company B requests an identity assertion for the user from Company A.
6) Company A sends the identity assertion.
7) The user gets access to the Company B resource.

Slide 8: Federated Identity Concepts: Federation concepts
- Federated sign-on: authentication requests and assertions; session management
- Federated identity mapping: account linking; privacy protections; link account to role (or persistent policy)
- Federated identity information: attribute requests and assertions; privacy protections
- Federated authorization: authorization requests and assertions
- Management: business and legal agreements; trust relationships; audit services

Slide 9: Federated Identity Concepts: Risks
Federated identity creates new risks:
- Relying on an external party for identity assertions
- Forensics and record retention must span boundaries
- Slippery slope of transitive trust: trust failures could propagate, and cross-over attacks are possible
...but reduces other risks:
- Pushes IdM and accountability to the most responsible party
- High-security domains can be autonomous, but still interoperate
- Lessens reliance on a large-scale, centralized security infrastructure (shifts complexity)
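The slide 7 exchange together with the SP-side checks that address the slide 9 risks, as an added example that is not part of the Burton Group deck. It assumes a SAML 1.1-style assertion built with Python's standard library, constructed issuer and SP names, and an HMAC over the serialized assertion standing in for the XML Signature a real assertion carries (XML-DSig verification needs a canonicalization-aware library and is out of scope here). Reading "cross-over attack" as an assertion issued for one SP being presented to another is this example's interpretation of the slide.

```python
"""Added example, not from the Burton Group deck: the slide 7 exchange with the
SP-side checks that address the slide 9 risks. Issuer names, keys, the subject
and the HMAC standing in for XML Signature are all constructed here."""
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"      # SAML 1.x assertion namespace
ET.register_namespace("saml", SAML)
q = lambda tag: "{%s}%s" % (SAML, tag)               # qualified tag name
utc = lambda ts: ts.strftime("%Y-%m-%dT%H:%M:%SZ")
parse_utc = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed IdPs. Each key stands in for the IdP's signing certificate and is
# shared out-of-band with the SPs that have agreed to trust that IdP.
IDP_KEYS = {"https://idp.company-a.example": secrets.token_bytes(32),
            "https://idp.company-d.example": secrets.token_bytes(32)}

def issue_assertion(issuer, subject, audience, now, lifetime_s=300):
    """IdP side (slide 7, step 6): a short-lived assertion bound to one audience."""
    a = ET.Element(q("Assertion"), {"AssertionID": "_" + secrets.token_hex(16),
                   "Issuer": issuer, "IssueInstant": utc(now), "MajorVersion": "1", "MinorVersion": "1"})
    cond = ET.SubElement(a, q("Conditions"), {"NotBefore": utc(now),
                         "NotOnOrAfter": utc(now + timedelta(seconds=lifetime_s))})
    arc = ET.SubElement(cond, q("AudienceRestrictionCondition"))
    ET.SubElement(arc, q("Audience")).text = audience
    stmt = ET.SubElement(a, q("AuthenticationStatement"), {"AuthenticationInstant": utc(now),
                         "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password"})
    ET.SubElement(ET.SubElement(stmt, q("Subject")), q("NameIdentifier")).text = subject
    body = ET.tostring(a)
    sig = hmac.new(IDP_KEYS[issuer], body, hashlib.sha256).digest()   # stand-in signature
    return body, base64.b64encode(sig).decode()

class ServiceProvider:
    """SP side (slide 7, steps 4-7). Trust is direct and per issuer: nothing transitive."""
    def __init__(self, entity_id, trusted_issuers):
        self.entity_id = entity_id
        self.trusted = dict(trusted_issuers)   # issuer -> verification key
        self.seen_ids = set()                  # replay cache; in practice expire with NotOnOrAfter

    def accept(self, body, sig_b64, now):
        """Return the asserted subject or raise ValueError naming the failed check."""
        if len(body) > 64 * 1024:   # bytes are attacker-controlled until the signature is
            raise ValueError("assertion too large")   # checked; production: defusedxml
        root = ET.fromstring(body)
        key = self.trusted.get(root.get("Issuer")) if root.tag == q("Assertion") else None
        if key is None:
            raise ValueError("untrusted issuer")
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(),
                                   base64.b64decode(sig_b64)):
            raise ValueError("bad signature")
        cond = root.find(q("Conditions"))
        if cond is None:
            raise ValueError("no Conditions")
        if now < parse_utc(cond.get("NotBefore")) or now >= parse_utc(cond.get("NotOnOrAfter")):
            raise ValueError("outside validity window")
        if self.entity_id not in [e.text for e in cond.iter(q("Audience"))]:
            raise ValueError("not addressed to this SP")     # stops cross-over use at another SP
        aid = root.get("AssertionID")
        if aid in self.seen_ids:
            raise ValueError("replayed assertion")
        self.seen_ids.add(aid)
        subject = root.findtext(".//" + q("NameIdentifier"))
        if not subject:
            raise ValueError("no subject")
        return subject

def demo():
    """Happy path plus the failure modes; returns {case: outcome} for inspection."""
    now = datetime(2003, 11, 20, 12, 0, tzinfo=timezone.utc)
    idp_a, idp_d = "https://idp.company-a.example", "https://idp.company-d.example"
    sp_b = ServiceProvider("https://sp.company-b.example", {idp_a: IDP_KEYS[idp_a]})
    sp_c = ServiceProvider("https://sp.company-c.example", {k: IDP_KEYS[k] for k in (idp_a, idp_d)})
    body, sig = issue_assertion(idp_a, "alice@company-a.example", sp_b.entity_id, now)
    body_d, sig_d = issue_assertion(idp_d, "mallory@company-d.example", sp_b.entity_id, now)
    out = {"first use at SP B": "accepted: " + sp_b.accept(body, sig, now)}
    cases = {"replay at SP B": lambda: sp_b.accept(body, sig, now),
             "cross-over to SP C": lambda: sp_c.accept(body, sig, now),
             "after expiry": lambda: sp_b.accept(body, sig, now + timedelta(minutes=10)),
             "tampered subject": lambda: sp_b.accept(body.replace(b"alice", b"admin"), sig, now),
             "IdP D trusted by C, not B": lambda: sp_b.accept(body_d, sig_d, now)}
    for label, attempt in cases.items():
        try:
            out[label] = "accepted: " + attempt()
        except ValueError as err:
            out[label] = "rejected: " + str(err)
    return out

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} {outcome}")
```

The check order matters: the issuer named in the unverified bytes is used only to pick a key, and nothing else from the assertion is acted on until the signature holds. The audience restriction is what keeps an assertion minted for Company B from being replayed at Company C, and the per-SP issuer list is what keeps Company B from inheriting Company C's trust in a fourth party; the replay cache only has to hold assertion IDs until their NotOnOrAfter has passed.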

Slide 10: Agenda, part 2: Industry Trends

Slide 11: Industry Trends: What infrastructure is needed for federated identity?
(Layered diagram, described.)
- Identity networks (public identity services, or other communities): PingID, .NET Passport, Verified by Visa, Shibboleth, others
- Federated identity standards (used between or within products/domains): SAML, Liberty, WS-Security, WS-Federation, XACML, others
- Base security capabilities (mostly used within domains): Kerberos, X.509, LDAP, ID/password, tokens, others

Slide 12: Industry Trends: Security Assertion Markup Language (SAML)
- SAML provides authentication, authorization, and attribute assertions between loosely coupled domains
- Meant to be complemented by XACML and other specs
- SAML 2.0 will converge with the donated Liberty Alliance Phase 1 work, add user-to-role mapping and better session management, and perhaps credentials collection

Slide 13: Industry Trends: Liberty Alliance
- Consortium of over 160 organizations: enterprises, service providers, and vendors
- In 2002, developed the Identity Federation Framework (ID-FF), using opt-in account linking on top of SAML
- In 2003, developing the Identity Web Services Framework (ID-WSF): permission-based attribute sharing and additional capabilities
(Diagram, described.) Within a Circle of Trust, the user holds a linked account at Domain A (IdP) and a linked account at Domain B (SP); a SAML assertion passes from A to B by browser redirect or Web service call.
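Opt-in account linking with a separate opaque handle per user-and-SP pair, as an added example that is not part of the deck: it is the privacy mechanism behind the "account linking / privacy protections" items on slide 8 and the ID-FF federation on slide 13. ID-FF calls for an opaque, pseudorandom name identifier per provider pair but leaves its derivation to the IdP; the HMAC derivation below, the consent flag, the entity names and the users are this example's constructions.

```python
"""Added example, not from the deck: opt-in account linking with a distinct opaque
handle per (user, SP) pair, the privacy mechanism behind Liberty ID-FF federation.
The HMAC derivation, the consent flag, the entity names and users are constructed."""
import base64, hashlib, hmac, secrets

class IdentityProvider:
    def __init__(self):
        self._pairwise_key = secrets.token_bytes(32)   # never leaves the IdP
        self.federations = {}                           # (local_user, sp) -> handle

    def federate(self, local_user, sp_entity_id, user_consented):
        """Return the handle for this user at this SP, creating it only with consent."""
        if not user_consented:
            raise PermissionError("user declined to link accounts")
        pair = (local_user, sp_entity_id)
        if pair not in self.federations:
            # Keyed per (SP, user): stable for one SP, unlinkable across SPs, and not
            # reversible to the local user name without the IdP's key.
            mac = hmac.new(self._pairwise_key, f"{sp_entity_id}\0{local_user}".encode(),
                           hashlib.sha256).digest()
            self.federations[pair] = base64.urlsafe_b64encode(mac[:20]).decode().rstrip("=")
        return self.federations[pair]

    def defederate(self, local_user, sp_entity_id):
        """Drop the IdP side of the link. The SP keeps its own mapping until told;
        ID-FF has a federation termination notification for exactly that."""
        return self.federations.pop((local_user, sp_entity_id), None) is not None

class ServiceProvider:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.links = {}            # handle -> local account, written at link time

    def link(self, handle, local_account):
        self.links[handle] = local_account

    def resolve(self, handle):
        return self.links.get(handle)

def correlatable(sp1, sp2):
    """Handles two colluding SPs could match between their link tables; should be empty."""
    return set(sp1.links) & set(sp2.links)

def demo():
    """Exercise linking for constructed users at two constructed SPs; returns checks."""
    idp = IdentityProvider()
    travel = ServiceProvider("https://travel.example")
    bank = ServiceProvider("https://bank.example")
    h_alice_travel = idp.federate("alice", travel.entity_id, True)
    h_alice_bank = idp.federate("alice", bank.entity_id, True)
    h_bob_travel = idp.federate("bob", travel.entity_id, True)
    travel.link(h_alice_travel, "travel-acct-1001")
    travel.link(h_bob_travel, "travel-acct-1002")
    bank.link(h_alice_bank, "bank-cust-77")
    try:
        idp.federate("carol", bank.entity_id, False)
        consent_enforced = False
    except PermissionError:
        consent_enforced = True
    return {
        "stable per SP": idp.federate("alice", travel.entity_id, True) == h_alice_travel,
        "distinct across SPs": h_alice_travel != h_alice_bank,
        "no cross-SP correlation": not correlatable(travel, bank),
        "sp resolves own link": travel.resolve(h_alice_travel) == "travel-acct-1001",
        "consent enforced": consent_enforced,
        "idp defederates, sp still linked": (idp.defederate("alice", bank.entity_id),
                                             bank.resolve(h_alice_bank) is not None),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:34s} {result}")
```

Because the handle is keyed per SP, two SPs comparing their link tables find nothing in common, which is the property that lets a user link accounts without the SPs being able to build a cross-site profile. The last check shows why termination must be a protocol message and not just an IdP-side deletion: the SP's mapping outlives the IdP's unless the SP is notified.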

Slide 14: Industry Trends: Federated identity products and adoption
SAML early adoption is gaining momentum:
- Multiple Web access management and other security products in various stages of release or development
- Open source solutions and toolkits available
- Growing customer adoption across multiple industries
Liberty is entering early adoption:
- Head start gained by encouraging end-user membership, adopting SAML, and putting Liberty Phase 1 into OASIS
- Products and early implementations underway
- But some Web access management vendors are not yet implementing Liberty standards

Slide 15: Industry Trends: Federated identity: a growing stack of converging standards with common foundations
(Layered diagram, described. Its key distinguishes: OASIS published; OASIS new work; Liberty Alliance Phase 1 (ID-FF); Liberty Alliance Phase 2 (ID-WSF, ID-SIS); Microsoft, IBM, et al. published; Microsoft, IBM, et al. unpublished.)
- Federated sign-on: SAML; Liberty ID-FF (Phase 1); WS-Federation
- Permission-based attribute sharing: Liberty Phase 2 (ID-WSF, ID-SIS)
- WS-* layers: WS-Policy, WS-Trust, WS-SecureConversation; WS-Authorization and WS-Privacy (unpublished)
- Related: SPML, XrML, XACML
- Message security: WS-Security, over XML Signature, XML Encryption, and XML Key Management Services (XKMS)
- Foundation Web standards: WSDL, SOAP, XML, HTTP, HTML

Slide 16: Industry Trends: SAML, Liberty Alliance, and WS-*
Where they agree:
- WS-Security and WS-* carry SAML and Liberty assertions
- OASIS and the Liberty Alliance are developing WS-Security bindings
- Microsoft says it will support SAML in Authorization Manager; IBM supports SAML and says it will support Liberty
- WAM vendors will support both
Where they disagree:
- Microsoft and IBM won't join the Liberty Alliance
- WS-Federation has a different profile for browser-based users than SAML and Liberty
- Microsoft is promoting XrML, not SAML and XACML

Slide 17: Industry Trends: SAML, Liberty Alliance, and WS-*: What to expect
A standards race of "The Tortoise and the Hare":
- SAML and/or Liberty, the "hare", are racing ahead with federated-identity-specific initiatives, well into early adoption
- WS-*, the "tortoise", will need a few years to be fully standardized, built, and broadly deployed
- But Microsoft, IBM, and partners can push a lot of software into the channel
- SAML and the Liberty Alliance are likely to converge with WS-* over the next 5 years for a relatively comfortable coexistence

Slide 18: Industry Trends: Technology availability and adoption waves
(Timeline diagram, described.) Successive adoption waves, in order: SAML; Liberty ID-FF; WS-Security; then WS-*, the new Liberty specs, and SAML 2.0. Components and timing are variable, subject to standardization and convergence.

Slide 19: Industry Trends: Identity networks today
- Centralized: .NET Passport and AOL Screen Name Service
- Industry-based, proprietary: SecuritiesHub, Verified by Visa, others
- SAML-powered: Shibboleth, multiple corporate networks
- Liberty-powered: corporate B2E projects underway
- PingID and Neustar (eRX Land Records Exchange Network)
- Financial networks (SecuritiesHub, others)
- Mobile communications networks

Slide 20: Identity Networks: Federation implies a poly-centric environment
- Many islands will emerge
- Industry-specific solutions are likely
- How will they converge? Identity networks could emerge to link the islands
- Identity networks may be centralized (like Passport), member-owned (as in the ATM and credit-card worlds), provide common governance and policy frameworks, or follow other models
(Diagram, described.) Identity domains cluster into Identity Network A and Identity Network B, with identity peering between the two networks.

Slide 21: Identity Networks: Federated identity and Web services network types
- Pair-wise, internal federation
- Trusted-third-party-enabled federation
- Communities (hub optional)
- Identity networks

Slide 22: Agenda, part 3: Recommendations

Slide 23: Recommendations: Early adopter lessons learned
- If you build it, they will come
- Partner interest cascades...
- Return on investment (ROI) is out there
- Federated identity is flexible, it works, and it's reliable
But:
- You have to pay to play
- The SAML protocol has some gaps
- Browsing issues and performance bottlenecks arise
- The infrastructure must be secure
- Users will always surprise you

Slide 24: Recommendations: Lessons learned from early deployments
Technical issues are not so difficult:
- Web developers prefer a standards-based SAML or Liberty approach to point integration solutions
- Some enterprises have written their own XML-based federation layer
- Others are purchasing Web access management (WAM) support for IdP operations, and a WAM product or toolkit to accept assertions as the SP
Business issues are more complicated than technical ones:
- Build in time to get business application owners on board, and work through arrangements with partners
- Some enterprises are mandating federated IdM for suppliers
- Create "workbooks" or other collateral that helps early partners understand federated IdM (trading "hubs" can drive adoption)
- Leverage existing industry associations and identity networks

Slide 25: Recommendations
- Today: implement SAML, Liberty, and conventional IdM at the appropriate architecture tiers
- Future: integrate federated identity with secure Web services

Slide 26: Recommendations: Deployment considerations
- Use consolidation and integration to build a base camp to federate from (continue cleaning the identity house)
- Consider SAML and/or Liberty for current projects, augmenting conventional IdM
- Monitor WS-* for future opportunities to deploy secure Web services solutions; seek convergent solutions
- Prepare for breaches on either side of your federations by adding business agreements for cooperative risk management and dispute resolution
- Brief the purchasing, security, and legal departments to get their buy-off

Slide 27: Conclusion
- Federated identity management is a strategic capability that will solve real problems
- SAML and Liberty provide federated identity to the current generation of Web-enabled computing
- The next generation of Web services computing is taking shape and will include federated identity
- In the long run, federated identity will converge across both generations of computing
- Identity networks will link partners: internal and external, large and small