SOA Federated Identity Management: How much do you really need? Andrew S. Townley, Founder and Managing Director, Archistry Limited. Copyright 2006 Archistry Limited. All Rights Reserved.

Presentation transcript:

Slide 1: SOA Federated Identity Management. How much do you really need? Andrew S. Townley, Founder and Managing Director, Archistry Limited

Slide 2: Agenda (Public Information)
- Definitions
- Business drivers for federated identity
- Approaches to providing federated identity
- Technical considerations
- Questions

Slide 3: Definitions
- Federated system: integrates existing, possibly heterogeneous systems while preserving their autonomy
- Association autonomy: the ability of a component system to decide whether and how to share its operations and resources with other systems
- Federated identity: a shared name identifier agreed between partner services in order to share information about the user across organizational boundaries

Slide 4: Business Drivers
- What are you trying to do?
  - Provide single sign-on (SSO)?
  - Support dynamic collaboration?
  - Provide a central point of access to distributed services?
- Who are the other participants?
  - Services controlled by a single organization?
  - Services provided by trading partners?
  - Parties with whom you have no formal relationship?

Slide 5: Additional Considerations
- Privacy and consent
  - Will the users use the system?
  - How will their privacy be protected?
  - How will you respond to a right-to-access request?
- Accountability
  - What mechanisms will be used for identity proofing?
  - What mechanisms will ensure non-repudiation of authentication?
  - How will you respond to claims of fraudulent access?

Slide 6: Approaches
- Don't federate
- Federated identity
- Chain of trust
- Federated authorization

Slide 7: Federated Identities
- Leverages the identification/authentication of a trusted member of the federation (e.g. a SAML IdP)
- May or may not require local accounts at all service providers
- Requires out-of-band business agreements between members of the federation
- Does nothing more than assert a claim as to the identity of a user or request within a given context

Slide 8: Example: US Government E-Authentication Framework

Slide 9: Chain of Trust
- Each participant is responsible for authenticating only the members directly communicating with it
- Information integrity must be assured by the information producer
- Requires out-of-band business agreements between members of the federation
- Each member of the chain is authenticated to the next; any other credential information is opaque
- Ensures a sequence of participants can exchange information, but does not directly authenticate (or may not even identify) the original information producer

Slide 10: Example: Irish Government's Reach Project

Slide 11: Federated Authorization
- The federation defines the semantics of a particular set of profile attributes
- Service provider association and access control are based on the presence of one or more attributes
- Can be used in conjunction with federated identities, or without them for dynamic collaboration
- Still requires out-of-band business agreements between members of the federation
- Can be used for more flexible and dynamic collaborations, but attribute negotiation may have privacy implications

Slide 12: Example: EU Driving License Regulations

Slide 13: Technical Considerations
- How will the business agreements be managed electronically (proprietary XML, SAML, XACML, WS-Policy or something else)?
- Are the services provided asynchronously or synchronously?
- What is the temporal coupling between the services?
- Are the services provided to interactive users or automated agents?
- How much information is necessary to identify the user to the local service?
- Will the local services also support authentication and management of their own user identities?
- Which is most important: the identity of the principal making the request or the identity of the principal to which the request refers?
- Who (or what) is actually making the request?
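The checks a service provider would apply to an incoming assertion, tying together slides 7 (identity asserted by a trusted IdP), 11 (access decided by a federation-defined attribute) and 13 (temporal coupling, which principal the request refers to). This is an added example, not code from the slides or from Archistry; the entity IDs, the attribute name and the sample assertion are constructed, and XML signature verification is assumed to have been done by the SAML library before this step.

```python
# Added example, not from the original slides: how a service provider (SP) in a
# federation can evaluate a SAML 2.0 assertion it has received. It covers
# federated identity (a NameID from a trusted IdP), federated authorization
# (access decided by a federation-defined attribute) and temporal coupling
# (validity window, audience). Signature verification is assumed done upstream.
from datetime import datetime
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed federation agreement (hypothetical entity IDs and attribute name).
TRUSTED_IDPS = {"https://idp.example.org/idp"}
OUR_ENTITY_ID = "https://sp.example.com/sp"
REQUIRED_ATTR = "urn:example:federation:attribute:licence-class"

def _ts(value):
    # SAML timestamps are UTC with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate_assertion(xml_text, now_iso, required_value):
    """Return (granted, reason, name_id); fails closed when anything is missing."""
    root, now = ET.fromstring(xml_text), _ts(now_iso)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_IDPS:
        return False, "issuer is not a federation member", None
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "no validity window", None
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window", None
    if OUR_ENTITY_ID not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        return False, "assertion not addressed to this service provider", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    # Federated authorization: the decision rests on the attribute, not the name.
    if required_value in attrs.get(REQUIRED_ATTR, []):
        return True, "required attribute present", name_id
    return False, "required attribute missing", name_id

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
 <saml:Subject><saml:NameID>user-7f3a@idp.example.org</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2006-06-01T09:00:00Z" NotOnOrAfter="2006-06-01T09:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:example:federation:attribute:licence-class">
   <saml:AttributeValue>B</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""
```

Each rejection reason maps to one of the slides' questions: the issuer check is the out-of-band agreement, the window and audience checks are the temporal coupling, and the attribute check is the federated-authorization decision that still works when no local account exists for the NameID.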

Slide 14: References
- US E-Government Authentication Framework and Programs, IT Professional, May/June 2003 (URL as extracted: /03/f3toc.xml&DOI= /MITP)
- Technical Approach for the Authentication Service Component, Version 1.0.0, GSA (2004)
- SAML V2.0 Technical Overview, Working Draft 10 (URL as extracted: open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf)
- Liberty ID-WSF Web Services Framework Overview, Version 2.0
- Access Control Management in a Distributed Environment Supporting Dynamic Collaboration, Shafiq, B. et al. (2005)
- Implementing a Federated Architecture to Support Supply Chains, Chadha, B. (2003)
- A Distributed Trust Model, Abdul-Rahman, A. and Hailes, S. (1997)
- Access Control in Federated Systems, De Capitani di Vimercati, S. and Samarati, P. (1996)

Slide 15: Turning innovation into business value (TM). Archistry Limited, 33 Pearse Street, Suite 115, Dublin 2, Ireland.