Liberty Alliance Project Setting the Standard for Federated Network Identity



Similar documents
Liberty Alliance Project Presented at itapa 2003 Dr. Hellmuth Broda Sun Microsystems CTO EMEA and Liberty Alliance Management Board Delegate

Liberty Specs Tutorial

Network Identity. 1. Introduction. Kai Kang Helsinki University of Technology Networking Laboratory

Identity opens the participation age. Dr. Rainer Eschrich. Program Manager Identity Management Sun Microsystems GmbH

Federated Identity in the Enterprise

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance

A secure and auditable Federated Identity and Access Management Infrastructure. Serge Bertini Director, Security Canada

Federated Identity Management Solutions

Developing a business model for Identity Management. Dr. Hellmuth Broda, VP Business Development, First Ondemand Spokesperson, Liberty Alliance

The Primer: Nuts and Bolts of Federated Identity Management

Authentication Privacy Principles Working Group

SAML, The Liberty Alliance, and Federation* Eve Maler

The Primer: Nuts and Bolts of Federated Identity Management

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

SAML Federated Identity at OASIS

Identity Management im Liberty Alliance Project

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

IDDY. Case Study: Rearden Commerce Delivers SaaS Via Federation WINNER

Software Requirement Specification Web Services Security

SCUR203 Why Do We Need Security Standards?

Les technologies de gestion de l identité

OIO SAML Profile for Identity Tokens

SAML:The Cross-Domain SSO Use Case

Interoperable Provisioning in a Distributed World

Federated Identity Architectures

Dr. rer. nat. Hellmuth Broda

Liberty Alliance. What's After Federation. Fulup Ar Foll Master Architect Sun Microsystems

Executive Overview of the Security Assertions Markup Language (SAML) v2.0

This way, Bluewin will be able to offer single sign-on for service providers within the circle.

Seizing Business Opportunities by Sharing Trusted Electronic Identities

Internet Single Sign-On Systems

Case Study: SSO for All: SSOCircle Makes Single Sign-On Available to Everyone

Managing Trust in e-health with Federated Identity Management

New Generation of Liberty. for Enterprise. Fulup Ar Foll, Sun Microsystems

Software Design Document SAMLv2 IDP Proxying

Secure the Web: OpenSSO

Privacy, Security, and Trust with Federated Identity Management

An Oracle White Paper August Oracle OpenSSO Fedlet

Extending DigiD to the Private Sector (DigiD-2)

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

New Zealand Sets the Pace for SAML 2.0 Deployments

On A-Select and Federated Identity Management Systems

An Oracle White Paper Dec Oracle Access Management Security Token Service

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

RSA Solution Brief. Federated Identity Manager RSA. A Technical Overview. RSA Solution Brief

OIO Web SSO Profile V2.0.5

Liberty ID-WSF 2.0 Marketing Requirements Document

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Flexible Identity Federation

The Top 5 Federated Single Sign-On Scenarios

Biometric Single Sign-on using SAML

SAML SSO Configuration

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

Interoperable, Federated Identity Management Frameworks Across Enterprise Architectures. We can do this.

FEDERATED IDENTITY MANAGEMENT:

The Emerging Infrastructure for Identity and Access Management

Securing Web Services With SAML

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

COPYRIGHTED MATERIAL. Chapter 1: Introduction

Federation Proxy for Cross Domain Identity Federation

Case Study: EIfEL Makes E-Learning and Resume Sharing Secure with Liberty Standards

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Interoperate in Cloud with Federation

IBM WebSphere Application Server

The OMA Perspective On SOA in Telecoms

Liberty ID-WSF Security and Privacy Overview

Connected Data. Connected Data requirements for SSO

Identity Management. Critical Systems Laboratory

Research and Implementation of Single Sign-On Mechanism for ASP Pattern *

Biometric Single Sign-on using SAML Architecture & Design Strategies

Implementing Identity Provider on Mobile Phone

EduTech Deploys Federated Identity for Maximum Impact

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Privacy and Security Best Practices

DIGIPASS as a Service. Google Apps Integration

LIBERTY ALLIANCE. Case Study: Aetna Enhances Secure Provider Portal with SSO and SAML 2.0. The Company. Key Objectives

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications

SAML Authentication Quick Start Guide

Open Source Identity Integration with OpenSSO

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On

ELM Manages Identities of 4 Million Government Program Users with. Identity Server

Enabling SAML for Dynamic Identity Federation Management

NIST s Guide to Secure Web Services

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

User-centric Mobile Identity Management Services 1

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

SAML basics A technical introduction to the Security Assertion Markup Language

Configuring Salesforce

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

A Federated Authorization and Authentication Infrastructure for Unified Single Sign On

Web Services Security with SOAP Security Proxies

The Role of Federation in Identity Management

Network Identity and the Liberty Alliance Project

Identity Management for Converged Networks

Leveraging SAML for Federated Single Sign-on:

Transcription:

Liberty Alliance Project Setting the Standard for Network Identity Privacy, Identity Management and Services using Liberty technologies in Mobile Environment. Identity Management Rise of electronic networks: Need stronger or relevant (business related) use of identity verification and authorization Company extranets Online trading Identity fraud (#1 consumer complaint): Worldwide monetary losses from identity theft were approximately $8.75 billion in 2002, and are expected to triple to roughly $24 billion in 2003* Timo Skyttä Nokia Mobile Software Strategic Architecture 1 Importance of Identity Management crosses industries and sections: It is required in any B2C, B2B or B2E transaction whether the entities are private businesses or governmental organizations * Aberdeen research 2 Identity & Identity Management Federation reflects how relationships are kept in the real-world Not all identity information is held in one place No centralized single point of failure Opportunity for any trusted business to become a trusted identity provider More than single sign-on What is the Liberty Alliance? A business alliance, formed in Sept 2001 with the goal of establishing an open standard for federated identity management Global membership consists of consumer-facing companies and technology vendors as well as policy and government organizations The only open organization working to address the technology and business issues of federated identity management It s how personal information is authenticated, shared and managed 3 4 1

Some current challenges for Mobile Industry (related to Identity Management) Tightening privacy legislation in EU use of MSISDN (phone number) as an identifier automatically attached to outgoing HTPP-requests becomes questionable Number portability makes it difficult to associate a phone number to a certain provider of services needs to invent a new reference mechanism Many of the mechanisms used in Fixed internet, based on HTTP redirect, cause too many round trips and delays in mobile environment Consumer awareness and concern over generic privacy and misuse use of personal information is growing, need for a trusted environment A mass market phone doesn t have full keyboard, and is not likel y to have one in the foreseeable future -> data entry difficulties -> service adoption problems User s want personalized services to get quicker access to the content they want, mobile phone screen is small, can present only a limited amount of information personalization is key, do not compromise user s privacy unnecessarily when doing this To solve Identity Management, including personalized service access, do not create a mobile specific, but a mobile aware solution. This drives adoption both in Mobile and Fixed internet 5 Make the life of user and service provider easy, but trusted and secure Nokia architecture - Identity Manager as the outermost Personal Security & Privacy tool towards services Service User Interface (browsing/messaging/java app s) Services without All other services any need to invoke Identity know anything Manager at login, about the user, when using a form, i.e. NO login, installing/using an NO on-line forms, ID mechanism or NO hidden ID when initiating a mechanisms transaction NOR transactions Services Identity Manager User Interface (invoked if needed) Secure user authentication Identity Manager User Profile Authentication & Authorizations Privacy & Identity Secure storage 6 Before Liberty Use Case After Liberty Use Case Timo must log-in to portal with an ID and password After selecting a TV site he must log-in again Log-in s like above can require 80+ clicks and more than 30 seconds of time on a typical mobile phone keypad Users often give up in frustration, limiting use of mobile data services 7 Timo has chosen to link his three favorite sites When Timo logs into the portal, the mobile operator automatically authenticates him Timo clicks on the TV and is automatically signed-on Timo goes to his bookmarks and instantly logs-on to his email 8 2

Thank You Additional material Questions? 9 10 Liberty Alliance Vision Mission: To serve as the premier open Alliance for federated network identity management & services by ensuring interoperability, supporting privacy and promoting adoption of its specifications, guidelines and best practices. Goals: Provide open standard and business guidelines for federated identity management spanning all network devices Provide open and secure standard for SSO with decentralized authentication and open authorization Allow consumers/businesses to maintain personal information more securely, and on their terms 11 Liberty Alliance IS IS a member community delivering technical specifications, business and privacy best practices IS providing a venue for testing interoperability and identifying business requirements IS developing an open, federated identity standard that can be built into other companies branded products and services IS driving convergence of open standards Defining Liberty Liberty Alliance IS NOT IS NOT a consumer-facing product or service IS NOT developed and supported by one company IS NOT based on a centralized model 12 3

Privacy, Liaison Privacy 16 Responsible Final How does Liberty work? Management Board Business Marketing Expert Group Requirements and use cases Responsible for evangelism and public relations Business templates and guidelines Accelerates market creation founding sponsors for overall governance, legal, finances, and operations voting authority for specifications Public Policy Expert Group security, and global public policy issues to privacy groups and government agencies guidelines and best practices for publication Technology Expert Group Technical architecture & specifications Services Expert Group Service marketing requirements Technical specifications Defines service interoperability & conformance programs Conformance Expert Group Technical req. Licensing req. Monitor Logo usage Manage Conformance testing program for Core specifications The Business Case The Role of Identity in Web Services All members provide feedback on early drafts 13 14 The Problem Today Identity Management is a strategic capability that will solve real business problems Burton Group, July 2003 Companies need solutions How to leverage new trends to generate revenue How to lower lower costs And still address customer worries about privacy & security Companies are spending billions of dollars on Web Service projects (figures vary by analyst) Very few enterprises have completed projects 15 Current barriers to wide-scale adoption Lack of technical standards for managing identity Lack of interoperability between products and services Lack of a federated model Lack of privacy and security best practices Lack of business best practices 16 4

Identity problems exploding: No common method to approach identity Fragmentation of customers identities across different many different sources Growing privacy / regulatory pressures Increasing potential and risk of identity theft Convergence of internet and mobile world Desire to provide higher value-add services to customers Industries Ready for Identity Wireless Number Portability Act enabling customers to retain their mobile phone number when changing carriers Emerging privacy legislation makes use of phone number as an identifier towards services quite difficult Limited data entry capabilities (small screens, small keypads) Users want immediate access to personalized services Exploitation of data services and m-commerce Finance - State and national legislation driving need to protect privacy and identity - Increasing opportunity to drive new partnerships and initiatives dependent upon identity initiatives Healthcare HIPAA legislation organizations are responsible for ensuring identifiable information is protected while stored or in transit 17 Government Increasing incentives for e-filing and online tax returns Bush administration s eauthentication mandate (led by GSA) 18 Recent Accomplishments January 2002 Liberty begins specification development July 2002 Liberty releases Phase 1 specifications Liberty Progress & Momentum April 2003 Liberty releases Phase 2 specification drafts; demonstrates interoperability among 20 products; donates Phase 1 specifications to OASIS (SAML) June 2003 Liberty releases first business guidelines; releases Phase 1 Japanese specifications 19 20 5

Increasingly Diverse Involvement Growth in government, non-profit and education sector involvement GSA, DoD, Canada Post, Hong Kong Post, Royal Mail, TRUSTe, Universitat-Hamburg, U. of Chicago, ISTPA More than 150 member organizations globally Liberty Alliance Members Driven by end-users, government orgs and vendors Led by Technology, Business and Public Policy Expert Groups Close relationships with other standards groups OMA, OASIS, The Open Group, Internet2 Increasing global involvement 25% of members are headquartered in Europe/APAC 21 22 Liberty-enabled products & services Sample Download Statistics Communicator (available) Computer Associates (Q4*) DataKey (available) DigiGan (Q3*) Ericsson (Q4) Entrust (Q1 2004) France Telecom (Q4 2003) Fujitsu Invia (available) Gemplus (TBD) HP (available) July Systems (available) Netegrity (2004) NeuStar (available) Nokia (2004) Novell (available) NTT (TBD) NTT Software (available) Oblix (2004) PeopleSoft (available) Phaos Technology (available) Ping Identity (available) PostX (available) RSA (Q4) Salesforce.com (TBD) Sigaba (available) Sun Microsystems (available) Trustgenix (available) Ubisecure (available) Verisign (Q4*) Vodafone (2004) WaveSet (available) SourceID enables Liberty federation and SSO and is a good indicator of Liberty interest. Download statistics below* More than 1,000 downloads in 100 days Majority of downloads are by global 1000 corporations 72.85% are from companies *not* members of the Alliance 22.8% of the downloads are from governmental or academic institutions Telecommunications/wireless, financial services and manufacturing sectors have highest number of downloads Immediate interest in Liberty s Phase 2 specifications Approximately 5,000 downloads of specification-related documents from Liberty s website three weeks following launch 800 downloads of Liberty s Privacy Best Practices document from Liberty s website three weeks following launch *Delivery dates being confirmed 23 *SourceID sponsored by Liberty member Ping Identity Corporation 24 6

Circle of Trust Concepts & Liberty Architecture 25 Identity Management Concepts What is (digital) identity? App, Site, or Profiles Consumer Profiles Common Profile Info Credentials Unique Identifier Credentials Address, etc. Employer Profiles App, Site, or Profiles Represents principals (users, apps, etc.) Name, number, other identifier, Unique in some scope Persistent, long-lived or one-time May be anonymous, pseudonym or true name May have multiple credentials Different strengths, different apps Can change w/more frequency Attributes, entitlements, policies More transient, fluid information Often specific to apps or sites 26 Circle of Trust Concept Circle of Trust Model H G F A Network Identity Network Identity Network Hub Provider Identity Hub Provider Hub Provider E B C D 27 H G F A Network Identity Network Identity Network Hub Provider Identity Hub Provider Hub Provider E B C D Identity Service Provider (s) (IdP) (e.g. Financial Institution, HR) Trusted entity Authentication infrastructure Maintains Core Identity attributes Offers value-added services (optional) Affiliated Service Providers Maintain additional user attributes Offers complimentary service Don't (necessarily) invest in authentication infrastructure 28 7

Liberty Identity Federation Framework (ID-FF) Enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management The Complete Liberty Architecture Liberty Identity Services Interface Specifications (ID-SIS) Enables interoperable identity services such as personal identity profile service, alert service, calendar service, wallet service, contacts service, geo-location service, presence service and so on. Liberty Identity Web Services Framework (ID-WSF) Provides the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery, and the associated security profiles ID-FF ID-FF Architectural Overview 1.2 ID-FF Implementation Guidelines 1.2 ID-FF Static Conformance Req. 1.2 ID-FF Protocols and Schemas 1.2 ID-FF Bindings and Profiles 1.2 Liberty Specification Map Liberty Glossary Liberty Trust Model Guidelines Identity Services Templates Core Identity Services Protocols Web Services Bindings & Profiles ID-Personal Profile Imp.. Guidelines 1.0 ID-Personal Profile 1.0 ID-Personal Profile SCR. 1.0 ID-WSF Architectural Overview 1.0 ID-WSF Static Conformance Req. 1.0 ID-WSF Data Services Template 1.0 ID-WSF Discovery Service 1.0 ID-WSF Security Mechanisms 1.0 IDĒmployee Profile l Imp Guidelines 1.0 ID-Employee Profile 1.0 ID-Employee Profile SCR 1.0 ID -WSF Security & Privacy Overview 1.0 ID-WSF Interaction Service 1.0 ID-WSF SOAP Binding 1.0 ID -WSF Impl. Guidelines 1.0 ID-SIS ID-WSF ID-WSF Client Profiles 1.0 Liberty Authentication Privacy & Security Liberty SASL -based Liberty Reverse HTTP Liberty specifications build on existing standards Context 1.2 Best Practises SOAP AuthN 1.0 Binding 1.0 (SAML, SOAP, WSS, XML, etc.) 29 Liberty Meta Data 1.2 Normative Non-Normative 30 Where does Liberty Fit? OASIS SAML Liberty Alliance Spin-offs (e.g., Meta Data spec) Other enabling standards OASIS WS security SOAP, XML, WSDL, HTTP, HTML Liberty Alliance: a diverse industry consortium that is developing specifications for federated network identity, simplified sign-on, and authorization among diverse network and applications domains Other enabling standards: SPML (Service Provisioning Markup Language) XML Access Control Markup Language (XACML) XML Key Management Specification (XKMS) XML Digital Signature WS-security: mechanisms implemented in SOAP headers designed to enhance SOAP messaging providing a quality of protection through message integrity, message confidentiality, and single message authentication SAML 1.1 (Security Assertion MarkUp Language): a set of XML and SOAP-based services, protocols, and formats for exchanging authentication and authorization information ** See archived Liberty Webinar for more SAML information 31 What Should You Do Now? 32 8

Liberty Alliance solves the identity crisis The only global body working to define and drive open technology standards and guidelines for federated identity Addresses business, policy and technical issues associated with federated identity Alliance of global organizations working together to enable the deployment of identity-based web services Consider joining the Alliance Additional Information Learn more about the technical aspects of Liberty Alliance Free webinar from HP Identity www.presentationselect.com/hpinvent/archives.asp See the specifications and white papers at http://www.projectliberty.org 33 34 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information