Trend of Federated Identity Management for Web Services

Transcription

1 30 Trend of Federated Identity Management for Web Services Chulung Kim, Sangyong Han Abstract While Web service providers offer different approaches to implementing security, users of Web services demand simple access as if the services were provided from a single system as well as enhanced security levels. Moreover, as corporate mergers, acquisitions and alliances become increasingly prevalent, companies must respond actively to the changing environment by providing easy access and high levels of security to its employees and external associates at low costs. In order to do so, companies are deploying federated identity management technologies such as SML, OpenID and CardSpace. This paper takes a look at these technologies, examines the issues regarding the current status and developments from the perspectives of standardization, technology and market and provides an outlook for the future. Index Terms Web Services, security, federated identity management I. INTRODUCTION s corporate organizations become larger and more A complex, the numbers of people and web services related to organizations naturally increase. From the user perspective, as the numbers of ids and web services they access increase, there are demands for efficient id management and easy access to web services. At the same time, companies need to improve management efficiency for their web services, increase security levels and save costs by enhancing work efficiency for their employees as well as outside associates. One of the solutions widely used for these purposes has been single sign-on(sso), which involves central management of various web services within a company to increase id management efficiency for internal and external users and facilitate access to the services. In addition, as corporations become globalized and mergers, acquisitions and strategic alliances become increasingly frequent, system integration must be implemented at low costs to facilitate management and access to Web services for Manuscript received June 4, (Write the date on which you submitted your paper for review.) This research is supported in parts by (a) a grant(cr070019) from Seoul R&BD Program funded by the Seoul Development Institute of Korean government, (b) by the Ministry of Knowledge Economy, Korea, under the HNRC(Home Network Research Center) ITRC(Information Technology Research Center) support program supervised by the Institute of Information Technology Assessment. Chulung Kim is with INITEH co.,ltd, Seoul, Korea ( chulung.kim@ initech.com). Sangyong Han is with the Computer Science and Engineering Department, ChungAng University, Seoul, Korea, ( hansy@cau.ac.kr) employees, external associates and Web service customers. As an application provided by a particular solution vendor, SSO features proprietary functions and management mechanisms that call for prohibitive costs to implement integration, and in some cases make integration difficult in practice due to different characteristics of existing systems at various organizations. A technology currently being offered to resolve such problems is federated identity management (FIM). This paper aims to examine FIM technologies that are currently available, their mechanisms, standardization, technological status, market trends, and provide an outlook for FIM's future. The remainder of this paper is constructed as follows. Chapter 2 discusses current FIM technologies including SAML, OpenID and CardSpace. Chapter 3 examines standardization of the technologies as well as their technological and market trends. FIM's future outlook is presented in Chapter 4 and Chapter 5 provides the conclusion of the study. II. TECHNOLOGIES OF FIM FIM refers to a system that allows users to access multiple corporate networks with a single set of ID and password. Generally speaking, a company in an FIM system must trust its partners to guarantee their users. Each system participating in FIM creates a message stating that "this user has been authenticated and should be allowed to access the Web service," and a standardized algorithm is required to transmit the message [4]. This chapter introduces SAML, a standard proposed by OASIS(Organization for the Advancement of Structured Information Standards), OpenID from the Open Source group and CardSpace by Microsoft. A. SAML(Security Assertion Markup Language) SAML is an XML standard designed for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider. Starting with its initial v1.0, v2.0 was finalized in The basic concept of SAML is displayed in Figure 1.

2 31 Figure 1 Basic SAML Concept [5] A SAML assertion is a declaration of facts regarding a subject such as a user and contains three types including security-related authentication, attribute and authorization decision. A SAML protocol describes how SAML elements including SAML assertions are packaged in SAML requests and responses and defines the procedures SAML entities follow. A SAML binding defines mapping between SAML protocol messages and communication protocols. Figure 2 displays a use case, and specific procedures are as follows. 1) The user agent makes a request for a target resource to the SP(service provider). (SAML 2.0 only) 2) The SP responds to the user agent with an XHTML form. (SAML 2.0 only) 3) The user agent makes a request for an SSO service to the IdP(identity provider). (SAML 2.0 only) 4) The IdP responds to the user agent with an XHTML form. 5) The user agent makes a request for an assertion consumer service to the SP. 6) The SP redirects the user agent to the target resource. 7) The user agent makes another request for the target resource to the SP. [4] Figure 2 Example of SAML [4] B. OpenID OpenID is an open, distributed and free framework for user-oriented digital identity that takes advantages of existing Internet technologies (URI, HTTP, SSL, Diffie-Hellman). One of the IDs for existing URIs can be converted to an ID that can be used to log into the sites that support OpenID. The general OpenID protocol is as follows. 1) The end user initiates authentication (Initiation) by presenting a User-Supplied Identifier to the Relying Party via their User-Agent. 2) After normalizing (Normalization) the User-Supplied Identifier, the Relying Party performs discovery (Discovery) on it and establishes the OP(OpenID Provider) Endpoint URL that the end user uses for authentication. 3) (optional) The Relying Party and the OP establish an association (Establishing Associations) -- a shared secret established using Diffie-Hellman Key Exchange. 4) The Relying Party redirects the end user's User-Agent to the OP with an OpenID Authentication request (Requesting Authentication). 5) The OP establishes whether the end user is authorized to perform OpenID Authentication and wishes to do so. 6) The OP redirects the end user's User-Agent back to the Relying Party with either an assertion that authentication is approved (Positive Assertions) or a message that authentication failed (Negative Assertions). 7) The Relying Party verifies (Verifying Assertions) the information received from the OP [9] C. Cardspace CardSpace is an application included in Microsoft's Windows Vista OS as a default program. It provides users with a set of personal digital identities in the form of a visual "Information Card". The card can be easier to use than passwords and employ strong cryptography, offering more

3 32 security than traditional web-based password solutions. Participants of a CardSpace system include identity providers that issue digital identities, relaying parties that provide services and users who obtain IDs from identity providers and use them to access services provided by relaying parties. Figure 3 illustrates an intuitive user screen of CardSpace containing an information card. Figure 4 CardSpace Process Flow [12] Figure 3 Example of CardSpace User Screen [12] Figure 4 depicts CardSpace's processing flow, which consists of the following three stages. 1) First, the application gets the security token requirements of the relying party that the user wishes to access. This information is contained in the relying party's policy, and it includes things such as what security token formats the relying party will accept, and exactly what claims those tokens must contain. 2) Once it has the details of the security token this relying party requires, the application passes this information to CardSpace, asking it to request a token from an appropriate identity provider. 3) Once this security token has been received, CardSpace gives it to the application, which passes it on to the relying party. The relying party can then use this token to authenticate the user or for some other purpose. [12] III. TREND OF FIM This chapter examines FIM trends in terms of technology, standardization and market. A. Trend of Technology FIM technology can be categorized into company-controlled FIM, user-controlled FIM and a moderate FIM between the two types. In addition, more appropriate technologies are being used according to the layers shown in Figure 5. It is believed that SAML technology is the optimal solution for the company-controlled environment such as enterprise's internal systems(layer 0) and close business partners(layer 1), OpenID for the user-controlled environment designed to provide easy access to open Web services such as customers(layer 3) and potential customer(layer 4), and CardSpace for the moderate type of FIM. Figure 5 Identity Landscape 2008 [13]

4 33 Figure 6 Identity Mashup [14] Figure 8 Hype Cycle for Information Security B. Trend of Standardization OASIS accepted WS-Security proposed by WS-I, led by Microsoft and IBM, and established it as WSS. OASIS also released SAML v1 in 2002, accepted Liberty Alliance's suggestions regarding extensions and declared SAML v2 a standard in Figure 7 SAML Standardization Trend [15] C. Trends of Market Figure 8 illustrates the "hype cycle for information security" released by the global market survey organization Gartner Group. The graphic indicates that FIM has passed the peak of expectations, is actually needed in the market and there are solutions and services that use the technology. In reality, major Web service providers such as Google and Yahoo are in the process of implementing OpenID for their customers, an increasing number of services are dedicated to OpenID, and existing and new small and medium Web services are allowing their customers to use OpenID to access their sites. IV. OUTLOOK FOR FIM This chapter looks into the changing Web service and corporate environments to provide an outlook for the future of FIM. A. Response to User-Oriented Demands Currently being discussed with "participation" as the keyword, Web v2 is expected to meet an increasing demand for personalization through easy access to various services. OpenID is capable of satisfying such demand, and there will be more services that offer OpenID as the default means of access. Moreover, continued supply and expansion of Windows Vista will naturally increase use requirements and services for CardSpace, prompting a transition to the FIM-based Web service environment. B. Advent of Identity Risk Management Solution Increasing usage and interest in Web services bring about enhanced awareness about information protection. FIM is an identity-related information protection technology developed based on the considerations of key security issues such as 3A(authentication, authorization, availability) and secrecy. However, as FIM's scope of application expands and more users access the technology, the demand for identity risk management solution is expected to increase as legal and policy regulations regarding personal information protection are intensified. C. FIM with PKI for secure E-Commerce Since the goal of OpenID is to provide convenient user-oriented services, users can create and use IDs without providing any form of identification. However, since this approach is not appropriate for safe e-commerce services, OpenID is expected to be linked with PKI.

5 34 V. CONCLUSIONS This paper examined FIM technologies such as SAML, OpenID and CardSpace that provide convenient and safe access to various Web services. The study also surveyed the current status and trends in terms of technology, international standard and market. Finally, based on the findings, an outlook for FIM was presented regarding the response to user-oriented demands, increasing demands for identity risk management solutions and stronger links with PKI for safe e-commerce transactions. and the Ph.D. degree in From 1984 to 1995, he worked at Poughkeepsie Lab. And Watson Research Center in IBM, USA. His research interests include Web Technologies, Web Services, Semantic Web, Information Retrieval and Multimedia. ACKNOWLEDGMENT This research is supported in parts by (a) a grant(cr070019) from Seoul R&BD Program funded by the Seoul Development Institute of Korean government, (b) by the Ministry of Knowledge Economy, Korea, under the HNRC(Home Network Research Center) ITRC(Information Technology Research Center) support program supervised by the Institute of Information Technology Assessment. REFERENCES [1] "Federated identity", [2] "What is Federated Identity Management", ement/, E-Week Company. [3] "Federated Identity Management and Web Service", Zdnet Company. [4] "Security Assertion Markup Language", [5] "Security Assertion Markup Language (SAML) V2.0 Technical Overview", ech-overview-2%200-draft-13.pdf, OASIS. [6] "WS-Federation", [7] "Understanding WS-Federation", WS-FederationSpec pdf?S_TACT=105AGX04&S_CMP=LP, IBM. [8] "WS-Federation 1.1 Specification", WS-Federation-V1-1B.pdf?S_TACT=105AGX04&S_CMP=LP, IBM [9] What is OpenID, OpenID Org. [10] "OpenID", [11] "CardSpace", [12] "Windows CardSpace", Microsoft [13] "The Identity Landscape of 2008", The Perfect Stome Identity Mashup, [14] Andredurand Company [15] Liberty Technology Tutorials, Liberty Alliance [16] Hype Curve for Information Security, Gartner Group [17] "Identity 2.0 tops 2008 trends in identity management", e= Chulung Kim is a Security R&D Team Leader at INITECH co, Ltd in Korea. He received Master degree of Computer Science and Engineering in College of Engineering from ChungAng University in His research interests include Identity Management, Data Loss Prevention, Network Access Control, Data base Security and Web Security. Sangyong Han is a professor of the school of computer science and engineering, ChungAng University, Seoul, Korea. He received Bachelor of Engineering in College of Engineering from Seoul National University in 1975,