Abstract of the Core Concepts of S.A.F.E.: Standards for Federated Identity Management
Subject: Secure Access to Federated E-Justice/E-Government
Responsible: Federal and State Authorities Commission for Data Processing and Rationalization in German Justice
Version.Release: 1.1
State: in process / submitted / ready
Number of Pages: 16
Authors: Birger Streckel (Dataport)
Filename: _SAFE_Abstact_V1-1.doc

Abstract: Short summary of S.A.F.E. S.A.F.E. defines a technical framework for the interoperable and secure use of digital identities across administrative borders (Trust Domains) and is built on the Web Service protocol stack (WS-*) of OASIS and W3C. The selected standards are profiled for the sake of interoperability.

Contact: Working Group IT-Standards in Justice
Jürgen Ehrmann, Ministry of Justice of the state of Baden-Württemberg, ehrmann@jum.bwl.de
Meinhard Wöhrmann, Higher Regional Court in Düsseldorf, meinhard.woehrmann@olg-duesseldorf.nrw.de
Contents

1 Starting point and goals
1.1 Functional requirements
1.2 Design goals
2 Identity Management
2.1 Identity Management in E-Government/E-Justice
2.2 Identity Management standards
    SAML 2.0, Liberty Alliance
    WS-Trust, WS-Federation
    Usage of standards in S.A.F.E.
3 The S.A.F.E. Concept
3.1 Architectural overview
    Attribute Service (AS)
    Provisioning Service (PS)
    Identity Provider (IdP)
3.2 Conceptual features
4 Literature
1 Starting point and goals

The conference of justice ministers initiated the Deutschland-Online project "Einheitliche Verfahren für den elektronischen Rechtsverkehr" (standardized procedures for electronic legal communication), which was finally adopted by the conference of prime ministers. The intention of this initiative is the advancement of the electronic communication infrastructure in justice, with the goal of defining open, interoperable and internationally standardized interfaces that allow the participants secure access to communication services as well as secure and reliable electronic communication.

The S.A.F.E. concept aims at the secure registration, authentication and authorisation of communication participants as well as the secure storage of their identity data. Since these aims are of common interest for most E-Government services, also beyond communication and beyond E-Justice, S.A.F.E. was developed as a concept consisting of two main documents.

The first document, Architecture and Interfaces for Federated Identity Management [1], defines a common standard for user management and registration for general E-Government services. It defines a Web Service based Identity Management infrastructure which can be used as a common standard for securing access to E-Government services. The standard is open and expandable to allow interoperability between different E-Government services and to provide Single-Sign-On (SSO) solutions for accessing different services with the same digital identity.

The second document, S.A.F.E. detailed technical concept [2], further specialises the general concept for its use in the concrete E-Justice communication scenario. While preserving the general concept, further specialisations and extensions are made to meet the demands of the concrete E-Justice application. The base concept can be customised by other E-Government applications in the same way. This generates an expanding pool of interoperable E-Government services with a common registration and authentication interface.

1.1 Functional requirements

The main goals of the general concept for identity management are to provide an open and highly scalable architecture for Federated Identity Management (FIM) in E-Justice and E-Government. The primary objectives are:
- Create a concept for medium-size identity management solutions, with the possibility of using federation techniques to expand these to large-scale Federated Identity Management (FIM) enterprises
- Use Identity Management to provide secure access to E-Government services
- Define base services for a complete Identity Management framework, including authorisation, authentication and provisioning, that are reusable by all kinds of E-Government applications
- Define minimum standards for security and information that must be met by all services that are part of a S.A.F.E. federation
- Be open to all kinds of registration and authentication procedures
- Support role and rights concepts based on the security of registration and authentication
- Provide an address-book service that can be queried for lists of the managed identities

The requirements regarding the detailed technical concept for identity management in an electronic justice communication scenario are much more application-driven:

- Maintain an identity store for the identities of legal practitioners, notaries, courts, ministries of justice, business companies, etc.
- Selective querying of the identity store with support for rights and role management
- Self-provisioning and administrative provisioning of these identities
- Secure access to E-Justice communication services
- Minimal effort in migrating the existing user database to the new identity management infrastructure

1.2 Design goals

From the functional requirements the following design goals were derived:

To be open to a variety of E-Government services, the concept only defines interfaces and communication protocols between the different services and modules of the described framework, in order to guarantee interoperability. Realisation of the interfaces and concrete development of the services are left to the implementer.

To minimise the implementation effort, and with it raise acceptance, S.A.F.E. is based on open international standards, preferably standards for which implementations are already available.

To provide interoperability between all applications implementing the S.A.F.E. concept, a minimum set of standard services and their communication interfaces are defined. These have to be implemented by every partner in a S.A.F.E. federation.
To provide common security standards for all S.A.F.E. services, guidelines for the administration, management and life cycle of digital identities (provisioning) are defined. Rules are established for authenticating an identity and for proving the correct authentication to service providers. A method is set that allows an individual to securely prove its verified identity.

To provide common security standards for the identity data, rules and interfaces for accessing and storing identity information and attributes are defined.

Further conceptual goals are:

- Platform independence on client and server side
- High scalability, to support large-scale solutions as well
- Usage of open, vendor-independent standards
- Possibility to integrate existing Identity Management infrastructure
- Secure message exchange with Web Services
- Possibility to decentralise identity data for functional or spatial reasons, with the opportunity of future cooperation (federation)
- Support of active, Web Service oriented client-server communication in service-oriented architectures (SOAs)
- Possibility to integrate passive browser clients for Single-Sign-On scenarios

2 Identity Management

Identity Management is a concept for managing identities. Identities can be individuals, legal persons or IT components. An identity consists of information about the described individual. Each identity has a unique ID and descriptive attributes, such as addresses and certificates. Identity Management is used to identify individuals in a system and to control their access to resources within that system by associating user rights and restrictions, based on the identity's attributes, with the established identity.

Identity Management covers:

- Handling of identities and their attributes
- Authentication of identities by trustworthy entities
- Authorisation of identities to use (web) resources
- Secure message transmission in the identity-managed enterprise
- Provisioning of identities and management of identity life cycles, with registration, change and deletion of identities and attributes
- Management of roles and access rights
- Management of attribute access and visibility
2.1 Identity Management in E-Government/E-Justice

For the task of secure E-Justice communication it is necessary to provide user management. This must at least include registration, provisioning and authentication of the communication users. Secure access to the communication services is needed, and also some role management specifying the possible communication partners, to prevent events like spamming or mass mailing. These requirements have to be met by a flexible, expandable system completely based on open, international and vendor-independent standards. This guarantees the interoperability and expandability of the enterprise solution and ensures a seamless integration of components developed by different vendors.

Identity Management is the discipline that meets all these requirements and leads to an open standard for user management and registration for general E-Government services, also beyond E-Justice. By using the S.A.F.E. standard, identities for different E-Government applications become exchangeable. SSO solutions are possible, where the identities are provided by local organisations and could be used to gain access to a wide range of different E-Government services.

2.2 Identity Management standards

Several international standards exist in the field of digital identity management. The two main standard families covering the necessary features for the described scenario are SAML 2.0/Liberty Alliance and WS-Trust/WS-Federation. Both are vendor-independent, open and international standards and at least partially OASIS-ratified. Unfortunately the two standard families partially overlap and are incompatible with each other.

SAML 2.0, Liberty Alliance

The SAML standard, which has been in place for several years, with its current version 2.0 [11], provides all necessary features for simple Identity Management solutions. While its main focus is browser-oriented passive federation, it also allows federation of Web Services. Open-source implementations exist, though again with the main focus on browser SSO. In this field it has achieved quite some reputation over the last few years. The SAML standard is supplemented by several Liberty Alliance standards (the ID-WSF standard family). These extend SAML by advanced features for federation of Web Services. In contrast to the SAML standard, ID-WSF is not so widely accepted.
WS-Trust, WS-Federation

WS-Trust [7] and WS-Federation [8] are based on the stack of WS-* standards, which define Web Services interoperability and are almost without alternative when implementing Web Service functionality. WS-Trust and WS-Federation are the logical continuation of the WS-* standard family and thus have their clear focus on Identity Management using Web Services. Quite some acceptance is noticeable and implementations of the standards exist. WS-Federation also provides a solution for browser-oriented passive federation, but is stronger in the field of Web Services.

Usage of standards in S.A.F.E.

So far it is unknown which of the two standard families will have the greater acceptance in the future. From today's point of view both standards will coexist. Instead of creating facts by deciding for one or the other standard family, one main design goal was to use the elements of the WS-* standards family in a way that makes it possible to support the SAML/Liberty Alliance standards family as well. Identity Management can be understood in an abstract way, and the components building the Identity Management system could support both standards. Such a cross-protocol solution is called an Identity Meta-System and is a realistic goal for future development. Supporting both standard families in an initial implementation might be realistic but not cost-effective. Since the given E-Justice communication scenario was clearly Web Service based and we had to support rich client applications, we chose the standards having the greater acceptance in Web Service based Identity Management.

We decided to use the following standards for the S.A.F.E. concept, focusing on the E-Justice communication scenario:

SOAP 1.2 [3]: Web Service communication
WSDL 2.0 [4]: Web Service description
WS-Security 1.1 [5]: securing SOAP messages on the message layer
WS-Policy 1.2 [6]: specification of the security concept
WS-Trust 1.3 [7]: communication with the Identity Provider (IdP, see below)
WS-Federation 1.1 [8]: federation of independent Trust Domains (TD, see below)
WS-SecureConversation 1.3 [9]: speeding up secure message exchange
SPML 2.0 [10]: communication with the Attribute Service (AS, see below) and the Provisioning Service (PS, see below)
SAML 2.0 (Assertion) [11]: issued by the IdP to confirm an individual's identity
Liberty ID-SIS-PP [12]: serialising identity information to XML

Table 1: Standards used in the S.A.F.E. concept

3 The S.A.F.E. Concept

As described earlier, the S.A.F.E. concept is based on the WS-* stack of standards, particularly on WS-Trust [7] and WS-Federation [8]. The S.A.F.E. standard is developed by profiling these standards. This means S.A.F.E. constrains, extends and tailors these standards and hence remains fully conformant to the original standards. The goal is to cut back these standards for easier interoperability, and thus lower implementation costs, while preserving enough flexibility to allow Federated Identity Management (FIM) for various E-Government services. High flexibility is also achieved by the extensibility deliberately built into the S.A.F.E. base standard [1]. Every application implemented in conformance with S.A.F.E. should in turn profile the S.A.F.E. base standard [1] in a similar way to that described in document [2]. This concept is shown schematically in Figure 1.

The S.A.F.E. base document Architecture and Interfaces for Federated Identity Management [1] profiles the WS-* stack of standards, shown at the bottom of Figure 1, to create a common Identity Management infrastructure for E-Government services. An implementation of this core FIM infrastructure can be developed in .NET or Java. Then only small changes are necessary to migrate the core FIM infrastructure to a concrete application. These steps are described in the S.A.F.E. extension document S.A.F.E. detailed technical concept [2] for the application of E-Justice communication.
Other application scenarios like GovernmentGateway or Bürgerportale could develop their own slim concepts adapting the FIM infrastructure to their own application needs. All FIM implementations based on the core FIM infrastructure can be made interoperable and can be merged into a large-scale federation with Single-Sign-On for the different E-Government applications at hand.
[Figure 1: S.A.F.E.-Trust-Domain with Services and Identity-Store. Layered diagram, bottom to top: the standards (Messaging: SOAP, WS-Addressing, XML; Metadata: WS-Policy, WS-SecurityPolicy; WS-Security, WS-Trust, WS-SecureConversation, WS-Federation) are profiled into the FIM specification, SAFE-Concept (Document [1]) "Architecture and Interfaces for Federated Identity Management"; this is implemented as FIM infrastructures (Open Source/Java, .NET); these are further profiled into application concepts (SAFE detailed technical concept (Document [2]), SAFE-Concept for GovernmentGateway, ...); integration and migration yield application solutions (SAFE for E-Justice communication, SAFE for GovernmentGateway, SAFE for ...), which are interoperable with each other.]
3.1 Architectural overview

The S.A.F.E. federation is organised in Trust Domains (TD). All S.A.F.E. TDs have a similar structure and have to provide identical services. The service interfaces are defined in the S.A.F.E. concept. All subsystems and services in a Trust Domain maintain a trust relationship, which means that the services trust each other's requests. A S.A.F.E. TD is divided into three subsystems, each providing external interfaces: Attribute Service (AS), Provisioning Service (PS) and Identity Provider (IdP). An additional internal subsystem is the identity database or Identity Store, which is used by the other three subsystems but provides no external interfaces and is thus encapsulated. In Figure 2 the Trust Domain and its services are depicted schematically.

[Figure 2: S.A.F.E.-Trust-Domain with Services and Identity-Store. A Requestor interacts with the Trust Domain's Identity Provider, Service Provider, Attribute Service and Provisioning Service; the Identity Store holds each identity with its attributes (attribute x, attribute y, attribute z, ...) and credential.]

Attribute Service (AS)

The Attribute Service provides information about identities and their attributes. It can be queried for single identities or a group of identities. It can also be queried using search criteria, to provide a kind of address-book functionality. The AS provides read-only access to the identities; no modification of identity or attribute data is possible.
The Attribute Service is a realisation of the Attribute Service that WS-Federation [8] describes only conceptually. Its interface is a profiled version of the SPML standard [10] (Service Provisioning Markup Language) and provides the SPML operations lookup and search. Identity data is transferred using the ID-SIS-PP standard [12], which defines syntax and semantics for serialising an identity with all its attributes into a defined XML representation.

If more than one TD has to combine and federate its identity data, a Virtual Attribute Service can be implemented. The Virtual AS queries the Attribute Services of the TDs and combines the identity data. The Virtual AS is transparent, that is, it has an SPML interface identical to the interface of a TD-AS; it queries the TD Attribute Services by simply passing on the user query.

The WS-Security [5] binding is used to secure the message exchange between client application and AS. Security is established by a symmetric key that is issued by the IdP.

Provisioning Service (PS)

The Provisioning Service provides a consistent interface for data administration. It allows administrators or users to add, modify or delete identity data. The interface implements the SPML standard [10] and provides the SPML operations add, modify and delete. While administrators should have general rights to modify the data, users are only able to modify attributes which were not checked in the registration process. Again a WS-Security [5] binding is used to protect the PS from fraud and to provide secure authentication and authorisation via the IdP.

Identity Provider (IdP)

The Identity Provider is the central instance for authentication in each TD. Registered users can use the IdP to prove their identity. The IdP confirms the correct authentication of the user by issuing a security token. These security tokens contain information about the identity and the attributes of the user. The user can use the token to claim his identity against a service. Because of the trust relationship between service and IdP, the service can be sure of the user's identity. Every service that belongs to a Trust Domain has to implement authentication via a security token, in particular also AS and PS.
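The following added example (not code from the S.A.F.E. documents) shows how a service inside a Trust Domain could evaluate such a token on the receiving side: it reads the identity descriptor, role, registration method and authentication method that the profiled SAML 2.0 token carries, maps the two methods to the security levels of Tables 2 and 3, and grants or refuses access against the service's own minimum levels. The SAML 2.0 namespace is the real OASIS one; the attribute names (safe:IdentityId and so on), the method identifiers and the sample tokens are constructed assumptions, and the WS-Security signature of the token is assumed to have been verified before the claims are read.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # real SAML 2.0 assertion namespace
NS = {"saml": SAML_NS}

# Security levels, ordered from weakest to strongest.
LEVELS = {"low": 0, "normal": 1, "high": 2}

# Table 2 of the abstract: registration method -> security level.
# The method identifiers (keys) are constructed for this example.
REGISTRATION_LEVEL = {
    "online-self-registration": "low",  # no attribute check
    "postident": "high",
    "civil-servant-in-presence": "high",
    "epass": "normal",                  # electronic reading of an ePass
}

# Table 3 of the abstract: authentication method -> security level.
AUTHENTICATION_LEVEL = {
    "username-password": "normal",
    "software-certificate": "normal",
    "smartcard-certificate-pin": "high",
    "cardspace": "high",
    "openid": "normal",
}

# ASSUMED attribute names for the profiled claims; S.A.F.E. defines its own
# syntax for them, which the abstract does not reproduce.
ATTR_ID, ATTR_ROLE = "safe:IdentityId", "safe:Role"
ATTR_REG, ATTR_AUTH = "safe:RegistrationMethod", "safe:AuthenticationMethod"

@dataclass
class TokenClaims:
    identity_id: str
    roles: list
    registration_method: str
    authentication_method: str

def parse_token(xml_text: str) -> TokenClaims:
    """Extract the profiled claims from a SAML 2.0 assertion whose WS-Security
    signature the caller has ALREADY verified against the IdP's key."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    try:  # every required claim must be present, otherwise the token is rejected
        return TokenClaims(
            identity_id=attrs[ATTR_ID][0],
            roles=attrs.get(ATTR_ROLE, []),
            registration_method=attrs[ATTR_REG][0],
            authentication_method=attrs[ATTR_AUTH][0],
        )
    except (KeyError, IndexError) as exc:
        raise ValueError(f"token lacks required claim: {exc}") from exc

def access_decision(claims: TokenClaims, min_registration: str,
                    min_authentication: str, allowed_roles: set) -> tuple:
    """Service-side policy check; returns (granted, reason). A method the
    service does not know maps to no level and is refused, never accepted."""
    reg = REGISTRATION_LEVEL.get(claims.registration_method)
    auth = AUTHENTICATION_LEVEL.get(claims.authentication_method)
    if reg is None or auth is None:
        return False, "unknown registration or authentication method"
    if LEVELS[reg] < LEVELS[min_registration]:
        return False, f"registration level {reg} below required {min_registration}"
    if LEVELS[auth] < LEVELS[min_authentication]:
        return False, f"authentication level {auth} below required {min_authentication}"
    if not set(claims.roles) & allowed_roles:
        return False, "role not permitted for this service"
    return True, "access granted"

def make_token(identity_id: str, role: str, reg: str, auth: str) -> str:
    """Build a CONSTRUCTED, unsigned sample assertion for the demonstration."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
                '</saml:AttributeValue></saml:Attribute>')
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_demo">'
            '<saml:AttributeStatement>'
            + attr(ATTR_ID, identity_id) + attr(ATTR_ROLE, role)
            + attr(ATTR_REG, reg) + attr(ATTR_AUTH, auth)
            + '</saml:AttributeStatement></saml:Assertion>')

def demo() -> dict:
    """Two constructed tokens against a service demanding high registration and
    high authentication security and a lawyer or court role."""
    policy = dict(min_registration="high", min_authentication="high",
                  allowed_roles={"lawyer", "court"})
    strong = parse_token(make_token("id-1001", "lawyer", "postident",
                                    "smartcard-certificate-pin"))
    weak = parse_token(make_token("id-1002", "lawyer", "online-self-registration",
                                  "username-password"))
    return {"strong": access_decision(strong, **policy),  # -> granted
            "weak": access_decision(weak, **policy)}      # -> refused
```

The weak token is refused on the registration level alone: a self-registered identity is "low" security in Table 2, regardless of how it authenticated.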
The S.A.F.E. IdP confirms authentication by issuing SAML 2.0 [11] assertions as security tokens. These SAML tokens are profiled to contain the following information about the user:

- The unique identity descriptor
- Attributes, especially a role attribute
- Information about the registration procedure
- Information about the authentication procedure

It is also defined how this information is syntactically represented in the SAML token. The implementation of the IdP strictly follows the WS-Trust standard [7].

3.2 Conceptual features

The described architecture was designed to meet specific conceptual features, especially the following:

Platform independence - The described services can be implemented on different platforms like .NET or Java.

Interface-centric design - S.A.F.E. primarily defines interfaces on the basis of open international standards. This leaves a lot of freedom to the developer for the design of specific components, but achieves the interoperability of components from different vendors.

Scalability - Because S.A.F.E. is an open concept and not restricted to a particular application or subject, high scalability is absolutely necessary. By structuring Identity Management in Trust Domains it is possible to realise large-scale scenarios as well. Distributed data ownership can also be supported by grouping the identities according to functional or spatial aspects.

Consistent naming conventions for attributes - To maintain a federation it is necessary that all federation partners have the same understanding of the syntax and semantics of attributes. All federation partners therefore have to use the S.A.F.E. naming conventions. Attribute representations are defined both for the attributes in a SAML token and for the ID-SIS-PP provisioning objects used by AS and PS. Instructions show how the set of attributes can be extended by new ones.

OSCI 2.0 conformity - S.A.F.E. is compatible with the forthcoming transport standard OSCI 2.0, and it extends OSCI by Identity Management aspects.
Open for various registration methods - In many Identity Management scenarios there is a strong focus on the possible registration methods for applying for a digital identity and assuring the correctness of the attributes. Surely many different registration methods are possible, all of which provide different security and integrity (correctness of the data). The S.A.F.E. base concept however does not set any guidelines for the registration process; anything is allowed. Establishing a new registration process in a derived application concept leads inevitably to the question of the security of the registration process. This security level of the registration process has to be put into the SAML token, so that every service can decide whether the registration provides enough security for a possible access. Concrete registration methods are described in the derived concept [2], where the concrete services are defined and their demand for security can be evaluated. Registration methods could be:

Online self-registration without attribute check: low security
Registration via PostIdent: high security
Registration by a civil servant in the presence of the individual: high security
Registration by electronically reading an ePass: normal security

Table 2: Examples of registration methods

Open for various authentication methods - Like registration methods, there are also different authentication methods that provide variable security. Passwords can be guessed, software certificates can be stolen, certificates stored on a smartcard provide higher security. Again, concrete authentication methods are described in document [2]. Authentication methods could be:

Username/password: normal security
Software certificates: normal security
Smartcard certificate with PIN: high security
CardSpace: high security
OpenID: normal security

Table 3: Examples of authentication methods

Confirmation of registration and authentication process - To be able to judge and to trust the information that the IdP confirms in the issued token, it is also necessary to know details about the registration and authentication processes of an identity. The IdP thus has to provide information about these processes. By evaluating this information the accessed service can get an idea of how sure it can be that the information provided by the IdP is correct.

Open design, expandability - With the division of the S.A.F.E. concept into two parts, it is possible and desirable that other concepts for E-Government applications are built on top of the S.A.F.E. base concept, so that first federable and later full FIM scenarios evolve in the whole German governmental sector.

4 Literature

[1] S.A.F.E.-Feinkonzept - Dokument 1: System- und Schnittstellenspezifikation Föderiertes Identity-Management (Architecture and Interfaces for Federated Identity Management)
[2] S.A.F.E.-Feinkonzept - Dokument 2: IT-Feinkonzept (S.A.F.E. detailed technical concept)
[3] W3C, SOAP Version 1.2, 27 Apr
[4] W3C, Web Services Description Language (WSDL) Version 2.0, 26 Jun
[5] OASIS, SOAP Message Security 1.1 (WS-Security 2004), 1 Feb
[6] W3C, Web Services Policy Framework (WS-Policy), 25 Apr
[7] OASIS, WS-Trust 1.3, 19 Mar
[8] Various, Web Services Federation Language 1.1 (WS-Federation), Dec
[9] OASIS, WS-SecureConversation 1.3, 1 Mar
[10] OASIS, Service Provisioning Markup Language (SPML) Version 2, 1 Apr
[11] OASIS, Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, 15 Mar
[12] Liberty Alliance Project, Liberty ID-SIS Personal Profile Service Specification V1.1
More informationNew Generation of Liberty. for Enterprise. Fulup Ar Foll, Sun Microsystems Fulup@sun.com
New Generation of Liberty TEG Federated Progress Architecture Update for Enterprise Fulup Ar Foll, Sun Microsystems fulup@sun.com 1 Identity Framework Problematic User Seamless (nothing is too simple)
More informationPrivacy in Cloud Computing Through Identity Management
Privacy in Cloud Computing Through Identity Management Bharat Bhargava 1, Noopur Singh 2, Asher Sinclair 3 1 Computer Science, Purdue University 2 Electrical and Computer Engineering, Purdue University
More informationWeb Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.
Web Services Security: OpenSSO and Access Management for SOA Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.com 1 Agenda Need for Identity-based Web services security Single Sign-On
More informationService Virtualization: Managing Change in a Service-Oriented Architecture
Service Virtualization: Managing Change in a Service-Oriented Architecture Abstract Load balancers, name servers (for example, Domain Name System [DNS]), and stock brokerage services are examples of virtual
More informationDistributed Identity Management Model for Digital Ecosystems
International Conference on Emerging Security Information, Systems and Technologies Distributed Identity Management Model for Digital Ecosystems Hristo Koshutanski Computer Science Department University
More informationBiometric Single Sign-on using SAML Architecture & Design Strategies
Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan Java Technology Architect Sun Microsystems Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand
More informationOIO SAML Profile for Identity Tokens
> OIO SAML Profile for Identity Tokens Version 1.0 IT- & Telestyrelsen October 2009 Content > Document History 3 Introduction 4 Related profiles 4 Profile Requirements 6 Requirements 6
More informationHMA AWG Meeting Proposal for a Security Token Service - 29. September 2009 Marko Reiprecht con terra GmbH, Germany
HMA AWG Meeting Proposal for a Security Token Service - 29. September 2009 Marko Reiprecht con terra GmbH, Germany Goal Show the differences of two alternative federated user management specifications
More informationNationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance
Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Christina Stephan, MD Co-Chair Liberty Alliance ehealth SIG National Library of Medicine
More informationIVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0
International Virtual Observatory Alliance IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0 IVOA Proposed Recommendation 20151029 Working group http://www.ivoa.net/twiki/bin/view/ivoa/ivoagridandwebservices
More informationSAML and OAUTH comparison
SAML and OAUTH comparison DevConf 2014, Brno JBoss by Red Hat Peter Škopek, pskopek@redhat.com, twitter: @pskopek Feb 7, 2014 Abstract SAML and OAuth are one of the most used protocols/standards for single
More informationLes technologies de gestion de l identité
Commission Identité Numérique Groupe de travail Gestion des identités Les technologies de gestion de l identité ATELIER 1 Paul TREVITHICK, CEO de Parity Responsable projet Higgins Président Fondation Infocard
More informationSOA, case Google. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901.
Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901 SOA, case Google Written by: Sampo Syrjäläinen, 0337918 Jukka Hilvonen, 0337840 1 Contents 1.
More informationIntroduction to Service-Oriented Architecture for Business Analysts
Introduction to Service-Oriented Architecture for Business Analysts This course will provide each participant with a high-level comprehensive overview of the Service- Oriented Architecture (SOA), emphasizing
More informationGuiding Principles for Technical Architecture
This document is a statement of the principles that will guide the technical development of the Kuali Student system. It will serve as a reference throughout the full lifecycle of the project. While these
More informationDeveloping a business model for Identity Management. Dr. Hellmuth Broda, VP Business Development, First Ondemand Spokesperson, Liberty Alliance
Developing a business model for Identity Management Dr. Hellmuth Broda, VP Business Development, First Ondemand Spokesperson, Liberty Alliance Life With An Identity Mess A typical intensive IT user has
More informationSAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog
SAML, The Liberty Alliance, and Federation* Eve Maler eve.maler@sun.com http://www.xmlgrrl.com/blog IIWb, Mountain View, CA, 4 December 2006 1 When you distribute identity tasks and information in the
More informationPrinciples and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)
Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards) Michael P. Papazoglou (INFOLAB/CRISM, Tilburg University, The Netherlands)
More informationIdentity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH
Identity opens the participation age Open Web Single Sign- On und föderierte SSO Dr. Rainer Eschrich Program Manager Identity Management Sun Microsystems GmbH Agenda The Identity is the Network Driving
More informationA Service Oriented Security Reference Architecture
International Journal of Advanced Computer Science and Information Technology (IJACSIT) Vol. 1, No.1, October 2012, Page: 25-31, ISSN: 2296-1739 Helvetic Editions LTD, Switzerland www.elvedit.com A Service
More informationSPML (Service Provisioning Markup Language) and the Importance of it within the Security Infrastructure Framework for ebusiness
Interoperability Summit 2002 SPML (Service Provisioning Markup Language) and the Importance of it within the Security Infrastructure Framework for ebusiness Gavenraj Sodhi Senior Technology Analyst Provisioning
More informationInteroperate in Cloud with Federation
Interoperate in Cloud with Federation - Leveraging federation standards can accelerate Cloud computing adoption by resolving vendor lock-in issues and facilitate On Demand business requirements Neha Mehrotra
More informationA Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems
Volume 1, Number 2, December 2014 JOURNAL OF COMPUTER SCIENCE AND SOFTWARE APPLICATION A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems Satish Kumar*,
More informationServer based signature service. Overview
1(11) Server based signature service Overview Based on federated identity Swedish e-identification infrastructure 2(11) Table of contents 1 INTRODUCTION... 3 2 FUNCTIONAL... 4 3 SIGN SUPPORT SERVICE...
More informationIdentity Management im Liberty Alliance Project
Rheinisch-Westfälische Technische Hochschule Aachen Lehrstuhl für Informatik IV Prof. Dr. rer. nat. Otto Spaniol Identity Management im Liberty Alliance Project Seminar: Datenkommunikation und verteilte
More informationExtending DigiD to the Private Sector (DigiD-2)
TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science MASTER S THESIS Extending DigiD to the Private Sector (DigiD-2) By Giorgi Moniava Supervisors: Eric Verheul (RU, PwC) L.A.M.
More informationIBM WebSphere Application Server
IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application
More informationWebLogic Server 7.0 Single Sign-On: An Overview
WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of
More informationWeb Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008
Web Services Security: What s Required To Secure A Service-Oriented Architecture An Oracle White Paper January 2008 Web Services Security: What s Required To Secure A Service-Oriented Architecture. INTRODUCTION
More informationJava Security Web Services Security (Overview) Lecture 9
Java Security Web Services Security (Overview) Lecture 9 Java 2 Cryptography Java provides API + SPI for crypto functions Java Cryptography Architecture Security related core classes Access control and
More informationThe Top 5 Federated Single Sign-On Scenarios
The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3
More informationWhy Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)
Why Identity Management Identity Management Claudiu Duma Identity crisis Privacy concerns Identity theft Terrorist threat Department of Computer and Information Science cladu@ida.liu.se What We Cover Digital
More informationSAML 101. Executive Overview WHITE PAPER
SAML 101 Executive Overview Today s enterprise employees use an ever-increasing number of applications, both enterprise hosted and in the Cloud, to do their jobs. What s more, they are accessing those
More informationOracle Application Server 10g Web Services Frequently Asked Questions Oct, 2006
Oracle Application Server 10g Web Services Frequently Asked Questions Oct, 2006 This FAQ addresses frequently asked questions relating to Oracle Application Server 10g Release 3 (10.1.3.1) Web Services
More informationSecure Semantic Web Service Using SAML
Secure Semantic Web Service Using SAML JOO-YOUNG LEE and KI-YOUNG MOON Information Security Department Electronics and Telecommunications Research Institute 161 Gajeong-dong, Yuseong-gu, Daejeon KOREA
More informationFederated Identity Management. Willem Elbers (MPI-TLA) EUDAT training
Federated Identity Management Willem Elbers (MPI-TLA) EUDAT training Date: 26 June 2012 Outline FIM and introduction to components Federation and metadata National Identity federations and inter federations
More informationA Privacy-Preserving eid based Single Sign-On Solution
A Privacy-Preserving eid based Single Sign-On Solution Bernd Zwattendorfer, Arne Tauber, Thomas Zefferer E-Government Innovation Center Graz, Austria {Bernd.Zwattendorfer, Arne.Tauber, Thomas.Zefferer}@egiz.gv.at
More informationIAM Application Integration Guide
IAM Application Integration Guide Date 03/02/2015 Version 0.1 DOCUMENT INFORMATIE Document Title IAM Application Integration Guide File Name IAM_Application_Integration_Guide_v0.1_SBO.docx Subject Document
More informationSCUR203 Why Do We Need Security Standards?
SCUR203 Why Do We Need Security Standards? Cristina Buchholz Product Security, SAP Learning Objectives As a result of this workshop, you will be able to: Recognize the need for standardization Understand
More informationResolution Database Privacy preserving based Single-Signon
Resolution Database Privacy preserving based Single-Signon Solution S.S Dhanvantri Divi 1, T.Swapna 2, K.J.Sharma 3 1 Student, TRR ENGINEERING COLLEGE, PATANCHERU, HYDERABAD 2 Associate Professor, TRR
More informationInternet Single Sign-On Systems
Internet Single Sign-On Systems Radovan SEMANČÍK nlight, s.r.o. Súľovská 34, 812 05 Bratislava, Slovak Republic semancik@nlight.sk Abstract. This document describes the requirements and general principles
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More informationIdentity Management. Audun Jøsang University of Oslo. NIS 2010 Summer School. September 2010. http://persons.unik.no/josang/
Identity Management Audun Jøsang University of Oslo NIS 2010 Summer School September 2010 http://persons.unik.no/josang/ Outline Identity and identity management concepts Identity management models User-centric
More informationAn Open Policy Framework for Cross-vendor Integrated Governance
An Open Policy Framework for Cross-vendor Integrated Governance White Paper Intel SOA Expressway An Open Policy Framework for Cross-vendor Integrated Governance Intel SOA Expressway delivers a pluggable
More informationIdentity Management for the Cloud
Identity Management for the Cloud New answers to old questions 10. Anwenderkonferenz Softwarequalität, Test und Innovationen 6. und 7. September 2012 Alpen-Adria-Universität Klagenfurt Dr. Horst Walther,
More informationUsing WS-Federation and WS-Security for Identity Management in Virtual Organisations
Using WS-Federation and WS-Security for Identity Management in Virtual Organisations Demchenko, Yu. , Universiteit van Amsterdam Abstracts The paper provides insight into one of key
More informationIdentity Management Challenges for Intercloud Applications
Identity Management Challenges for Intercloud Applications David Núñez 1, Isaac Agudo 1, Prokopios Drogkaris 2 and Stefanos Gritzalis 2 1 Department of Computer Science, E.T.S. de Ingeniería Informática,
More informationManisha R. Patil. Keywords Cloud service provider, Identity Provider, Enhanced Client Profile, Identity Management, Privacy, Trust Manager.
Volume 4, Issue 7, July 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Privacy and Dynamic
More informationSecuring Web Services Using Microsoft Web Services Enhancements 1.0. Petr PALAS PortSight Software Architect petrp@portsight.com www.portsight.
Securing Web Services Using Microsoft Web Services Enhancements 1.0 Petr PALAS PortSight Software Architect petrp@portsight.com www.portsight.com Agenda What is WSE and Its Relationship to GXA Standards
More information<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008
Oracle Security Developer Tools (OSDT) August 2008 Items Introduction OSDT 10g Architecture Business Benefits Oracle Products Currently Using OSDT 10g OSDT 10g APIs Description OSDT
More informationEnabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver
Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver SAP Product Management, SAP NetWeaver Identity Management
More informationAn Efficient Windows Cardspace identity Management Technique in Cloud Computing
IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 3, Ver. VII (May-Jun. 2014), PP 61-66 An Efficient Windows Cardspace identity Management Technique
More informationAn Oracle White Paper Dec 2013. Oracle Access Management Security Token Service
An Oracle White Paper Dec 2013 Oracle Access Management Security Token Service Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,
More informationUser-centric Mobile Identity Management Services 1
User-centric Mobile Identity Management Services 1 Tewfiq El Maliki and Jean-Marc Seigneur Abstract. Digital identity is the ground necessary to guarantee that the Internet infrastructure is strong enough
More informationSecurity Architecture for Open Collaborative Environment
Security Architecture for Open Collaborative Environment Yuri Demchenko¹, Leon Gommans¹, Cees de Laat¹, Bas Oudenaarde¹, Andrew Tokmakoff², Martin Snijders², Rene van Buuren² ¹ Universiteit van Amsterdam,
More informationMicrosoft and Novell - A Case Study in Identity Federation
Boosting interoperability and collaboration across mixedtechnology environments Standards-based identity federation solutions from Microsoft and Novell May 2009 Executive summary Despite remarkable gains
More informationSecuring Enterprise: Employability and HR
1 Securing Enterprise: Employability and HR Federation and XACML as Security and Access Control Layer Open Standards Forum 2 Employability and HR Vertical Multiple Players - Excellent case for federation
More informationTrusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents
Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents Farrukh Najmi and Eve Maler farrukh.najmi@sun.com, eve.maler@sun.com Sun Microsystems, Inc. Goals for today's
More informationAttribute Aggregation in Federated Identity Management
Attribute Aggregation in Federated Identity Management David W Chadwick and George Inman, University of Kent Abstract We describe how in today s federated identity management (FIM) systems, such as CardSpace
More informationMONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard
MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY ASR 2006/2007 Final Project Supervisers: Maryline Maknavicius-Laurent, Guy Bernard Federated Identity Project topic Superviser: Maryline Maknavicius
More informationOpen Source egovernment Reference Architecture Osera.modeldriven.org. Copyright 2006 Data Access Technologies, Inc. Slide 1
Open Source egovernment Reference Architecture Osera.modeldriven.org Slide 1 Caveat OsEra and the Semantic Core is work in progress, not a ready to use capability Slide 2 OsEra What we will cover OsEra
More informationFTP-Stream Integrating Active Directory Federation Services
FTP-Stream Integrating Active Directory Federation Services 1 Overview Active Directory Federation Services (ADFS) is a standards-based service that allows the secure sharing of identity information between
More informationRun-time Service Oriented Architecture (SOA) V 0.1
Run-time Service Oriented Architecture (SOA) V 0.1 July 2005 Table of Contents 1.0 INTRODUCTION... 1 2.0 PRINCIPLES... 1 3.0 FERA REFERENCE ARCHITECTURE... 2 4.0 SOA RUN-TIME ARCHITECTURE...4 4.1 FEDERATES...
More informationSecure Identity in Cloud Computing
Secure Identity in Cloud Computing Michelle Carter The Aerospace Corporation March 20, 2013 The Aerospace Corporation 2013 All trademarks, service marks, and trade names are the property of their respective
More informationOracle SOA Reference Architecture
http://oraclearchworld.wordpress.com/ Oracle SOA Reference Architecture By Kathiravan Udayakumar Introduction to SOA Service Oriented Architecture is a buzz word in IT industry for few years now. What
More informationNetworkingPS Federated Identity Solution Solutions Overview
NetworkingPS Federated Identity Solution Solutions Overview OVERVIEW As the global marketplace continues to expand, new and innovating ways of conducting business are becoming a necessity in order for
More informationGlossary of Key Terms
and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which
More informationSOA GOVERNANCE MODEL
SOA GOVERNANCE MODEL Matjaz B. Juric University of Ljubljana, Slovenia matjaz.juric@fri.uni-lj.si Eva Zupancic University of Ljubljana, Slovenia Abstract: Service Oriented Architecture (SOA) has become
More information