Liberty Alliance Project Building an Open Standard for Network Identity Business Possibilities and T - PowerPoint PPT Presentation

About This Presentation
Slides: 50
Provided by: robro3
Transcript and Presenter's Notes

1
Liberty Alliance Project
Building an Open Standard for Network Identity
Business Possibilities and Technical Considerations
2
Your Presenters
Jason Rouault
Senior Architect, Hewlett-Packard SGBU CTO Office
Vice Chair, Liberty Technology
Liberty Bindings and Profiles Specification Editor
John Beatty
Lead Architect, Liberty Alliance Technology, Sun Microsystems
Liberty Protocols and Schema Specification Editor
3
  • Brief Intro to Liberty Alliance
  • Business Needs and Uses
  • Demo
  • Technical Overview
  • Q&A
4
What is Network Identity?
  • A Network Identity is a user's overall global set of attributes
    constituting their various accounts

5
What is the Problem with Network Identity?
Multiple, disconnected identities scattered across isolated Internet
sites
  • Inconvenient and frustrating for users
  • Distributed identity-services are not possible
  • Continual re-authentication to disparate systems
Identity data scattered across those sites includes:
  • User Name: John Smith
  • Email: jsmith2@freemail.com
  • PIN: js@abc.com
  • Credit card number
  • Social security number
  • Driver's license
  • Passport
  • Entertainment preferences
  • Notification preferences
  • Employee authorization
  • Business calendar
  • Dining preferences
  • Education history
  • Medical history
  • Financial assets

6
Why is the Liberty Alliance the Solution?
  • Increase consumer confidence and usage in electronic transactions
    • Easier and more convenient to use
    • Available via any digital device
    • As secure as possible
    • Targeted and more personalized
    • Enable offerings that allow consumers to maintain control over
      their information
  • Simplify B2B e-commerce offerings
    • Simplify the ability for businesses to collaborate online
    • Make it easier to offer new services to customers
    • Allow organizations to maintain ownership of their customer bases
      and to maintain operational autonomy
  • Simplify and expand employee use of enterprise Intranets
    • Enable employees to move seamlessly from one application to
      another
  • Facilitate interoperability
    • With existing systems, standards, and protocols

7
A Business Consortium Solving A Business Problem
Over 130 for-profit, not-for-profit and government organizations,
representing a billion customers, are currently Alliance members
(only a sample of Liberty members is shown)
8
Management Structure
Management Board
  • Consists of 16 founding sponsors
  • Responsible for overall governance and maintenance
  • Final voting authority for specifications and other output
Public Policy Expert Group
  • Advise on privacy, security, and other public policy issues
  • Liaison to privacy groups and government agencies
Technology Expert Group
  • Develops technical architecture and engineering requirements
  • Develops technical specifications
Marketing Expert Group
  • Develops marketing requirements and use cases
  • Responsible for membership, press relations, and marketing
    communications

9
"Liberty's commercial investment in network identity and the
collaboration of its diverse array of member companies can bring a lot
to this space. The group's combined experience, their collective
ability to drive usage and the fact that they're not trying to promote
a product but a solution to a problem will help in their success."
Dan Blum, Burton Group
10
Mission of the Liberty Alliance
Establish an open standard for federated network
identity through open technical specifications
that will
  • Support a broad range of identity-based products and services
  • Allow for consumer choice of identity provider(s)
    and the ability to link accounts through account
    federation
  • Provide the convenience of simplified sign-on,
    when using any network of connected services and
    devices
  • Enable organizations to realize new revenue and
    cost saving opportunities
  • Allow organizations to economically leverage
    relationships with customers, business partners,
    and employees
  • Improve ease of use for e-commerce

11
  • Brief Intro to Liberty Alliance
  • Business Needs and Uses
  • Demo
  • Technical Overview
  • Q&A
12
Why is Federated Important?
Centralized Model
  • Network identity and user information in single repository
  • Centralized control
  • Single point of failure
  • Links similar systems
Open Federated Model
  • Network identity and user information in various locations
  • No centralized control
  • No single point of failure
  • Links similar and disparate systems

13
Solution Analogous to ATM Networks
Separate Cards with Each Bank
Linked Cards within Bank Networks
Seamless Access Across all Networks
14
Examples of Trust Domains
15
Specifications: A Phased Approach
Approach Drivers
  • Support rapid acceptance and deployment
  • Phases build on each other
  • Easy incremental adoption

Version 1.0 (Released 07/15/02)
  • Federated network identity
  • Opt-in account linking and simplified sign-on
    within an authentication domain created by
    business agreements
  • Security built across all the features and
    specifications

16
Business Benefits for Version 1.0 Specifications
  • Enhance Affinity Relationships
  • More Easily Offer Value Add Services to Customers
  • Simplify Customer Experience
  • Improve Customer Confidence
  • Enhance Intra-Enterprise Relationships
  • Offers Accelerated Time to Market for Identity Based Services

17
  • Brief Intro to Liberty Alliance
  • Business Needs and Uses
  • Demo
  • Technical Overview
  • Q&A
18
Enterprise Use Case
  • Many enterprises outsource various business functions, e.g.
    • Corporate intranet
    • 401(k) management
    • Stock option management
    • Others (expense vouching, payroll statements, etc.)
  • Liberty facilitates better integration of the outsourced services
    to decrease administration cost and enhance user experience
  • A Liberty-enabled enterprise will play the role of a Liberty
    Identity Provider, managing the identities and authentication of
    its employees, who will access their accounts on the outsourced
    Liberty Service Providers without additional prompts for
    authentication
  • Enterprise-issued identities will cross application, division and
    corporate boundaries

19
  • Brief Intro to Liberty Alliance
  • Business Needs and Uses
  • Demo
  • Technical Overview
  • Q&A
20
Enabling the Federated Identity
  • Liberty Alliance
    • Defines protocol specifications for federated identity, built
      on SAML to provide additional privacy and security
    • Liberty is not an identity network or authentication
      authority -- it defines specs that can be used to create
      identity networks
  • Security Assertion Markup Language (SAML)
    • An XML-based framework for exchanging security information
      (e.g. authentication)
    • A committee specification in the OASIS Security Services
      Technical Committee

21
SAML in a Nutshell
  • An XML-based framework for exchanging security
    information
  • XML schema and definition for security assertions
  • XML schema and definition for a request/response
    protocol
  • Rules on using assertions with standard transport and messaging
    frameworks (SOAP, Web Browsers): Bindings and Profiles
  • An emerging OASIS standard
  • Vendors and users are both involved
  • Codifies current system outputs rather than
    inventing new technology
  • Excellent traction in the marketplace

22
XML Related Security Standards Work
  • XML Signature
    • SAML uses this for signing assertions
  • XML Encryption
    • Important for flexibly managing security and privacy risks,
      e.g., encrypting just the credit card number
  • Other
    • XKMS can be used for key management
    • XACML can be used for an access control policy language

23
SAML Assertions
  • An assertion is a declaration of fact, according
    to some authority
  • Assertions are produced by an asserting party
    (aka authority) and consumed by a relying party
  • An assertion contains a set of statements about a subject (human
    or program)
    • Authentication statement
    • Attribute statement
    • Authorization decision statement
  • An assertion can be digitally signed by the
    asserting party
  • You can extend SAML to make your own kinds of
    assertions and statements

24
SAML Assertions and Statements
Assertion: IssuerID, IssueInstant, AssertionID, Advice, Signature
  • Authentication Statement
  • Authorization Statement
  • Attribute Statement



25
SAML Producer/Consumer Model
26
SAML is Cafeteria Style
  • SAML can be used à la carte; it's a composable architecture,
    making it very flexible.
  • In practice, multiple kinds of authorities may
    reside in a single system
  • The arrows may not reflect information flow in
    real life
  • The order of assertion types is insignificant
  • Information can be pulled or pushed
  • Not all assertions are always produced
  • Not all potential consumers (clients) are shown
  • SAML must be profiled to specify actual usage
    (e.g. browser-based single-sign-on)

27
Browser-based SSO
Excite.com (Authentication Authority): Login
Pets.com (Relying Party): Be recognized
28-33
SAML Browser-based SSO (built up one step per slide)
Excite.com: Authentication Authority; Pets.com: Relying Party
1. Relying Party uses HTTP redirect or Form Post to Authentication
   Authority
2. User redirected to Authentication Authority and logs in
3. User is authenticated
4. Redirect back to Relying Party with a nonce embedded in the URI
5. Relying Party receives nonce in the redirect process
6. Relying Party invokes SAML-based web service to obtain an
   Authentication Assertion
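The six-step flow above, as an added example that is not from the presentation: the authentication authority hands the browser only a one-time nonce bound to the relying party, and the assertion itself travels over the back channel. Class and field names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class AuthenticationAssertion:
    assertion_id: str
    issuer: str
    issue_instant: float
    subject: str
    auth_method: str   # authentication statement: how the user logged in
    audience: str      # the relying party this assertion was issued for


class AuthenticationAuthority:
    """Excite.com in the slides: logs the user in and hands out nonces."""

    def __init__(self, issuer, nonce_ttl=60):
        self.issuer = issuer
        self.nonce_ttl = nonce_ttl
        self._pending = {}   # nonce -> (assertion, expiry time)

    def login_and_redirect(self, user, auth_method, relying_party):
        # Steps 2-4: after login, mint an unguessable one-time nonce, bind it
        # to the relying party server-side and put only the nonce in the URI.
        nonce = secrets.token_urlsafe(16)
        assertion = AuthenticationAssertion(
            secrets.token_hex(8), self.issuer, time.time(),
            user, auth_method, relying_party)
        self._pending[nonce] = (assertion, time.time() + self.nonce_ttl)
        return f"https://{relying_party}/sso/consume?nonce={nonce}"

    def resolve(self, nonce, caller):
        # Step 6: the back-channel web service. pop() makes the nonce single
        # use; expired nonces and callers other than the relying party the
        # nonce was issued for get nothing back.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return None
        assertion, expiry = entry
        if time.time() > expiry or assertion.audience != caller:
            return None
        return assertion


class RelyingParty:
    """Pets.com in the slides: extracts the nonce and redeems it."""

    def __init__(self, name, authority):
        self.name = name
        self.authority = authority

    def consume(self, redirect_url):
        # Step 5: only the nonce arrived via the browser; fetch the assertion.
        params = parse_qs(urlparse(redirect_url).query)
        return self.authority.resolve(params.get("nonce", [""])[0], self.name)
```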
34
Version 1.0 Specifications
  • Builds on top of SAML to provide additional privacy and
    functionality
  • Opt-in account linking: Users can link their accounts with
    different service providers within circles of trust
  • Enhanced single sign-on for linked accounts: Once users' accounts
    are federated, they log in and authenticate at one linked account
    and navigate to another linked account without having to log in
    again
  • Authentication context: Companies linking accounts communicate the
    type of authentication that should be used when the user logs in
  • Global log-out: Users can be automatically logged out of all sites
    with which they have active sessions
  • Liberty Alliance client feature: Implemented on client solutions
    in fixed and wireless devices to facilitate use of the Liberty
    version 1.0 specification
  • Multiple client support: browser, mobile device, and proxy

35
Liberty Federation/Account Linking
Pre-existing accounts at various sites can be linked:
  • Pets.com (Service Provider): JoeSmith
  • Excite.com (Identity Provider): Joe123
  • Books.com (Service Provider): Joe
36
Liberty Federation/Account Linking
Upon linking those accounts, the sites need to be able to have a frame
of reference for the user:
  • Pets.com (Service Provider): JoeSmith
  • Excite.com (Identity Provider): Joe123
  • Books.com (Service Provider): Joe
37
Liberty Federation/Account Linking
If account names are exchanged, sites can talk to each other without
the user's approval:
  • Pets.com (Service Provider): JoeSmith, holding Joe123@excite.com
  • Excite.com (Identity Provider): Joe123, holding JoeSmith@pets.com
    and Joe@books.com
  • Books.com (Service Provider): Joe, holding Joe123@excite.com
38
Liberty Federation/Account Linking
Instead, unique opaque handles resolvable only by the issuer should be
exchanged:
  • Pets.com (Service Provider): JoeSmith, holding
    SecurityDomain="excite.com" Name="mr3tTJ340ImN2ED"
  • Excite.com (Identity Provider): Joe123, holding
    SecurityDomain="….com" Name="dTvIiRcMlpCqV6xX" and
    SecurityDomain="Books.com" Name="pfk9uzUN9JcWmk4RF"
  • Books.com (Service Provider): Joe, holding
    SecurityDomain="excite.com" Name="xyrVdSxg0/pzSgx"
39
Enhanced SSO
  • Extends an authentication assertion to include the context
    • How did the user log in? Password? Smartcard? Etc.
    • When should the user be re-authenticated?
    • How did account registration occur? (in person, via web page)
  • Extends the authentication request to allow for requesting a
    strength of authentication
  • Necessary for real-world scenarios: not all services require the
    same level of authentication.

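The authentication-context checks on this slide, as an added example that is not from the presentation: an identity provider compares the strength requested by the relying party, and the age of the existing login, against the context of the current session before deciding whether to re-authenticate. The strength ranking and all names are assumptions.

```python
import time

# Stronger methods rank higher; this ordering is an assumption for the example.
STRENGTH = {"password": 1, "smartcard": 2, "smartcard+pin": 3}


class AuthenticationContext:
    """What the enhanced assertion carries about the user's login."""

    def __init__(self, method, authenticated_at, registration):
        self.method = method                      # how did the user log in?
        self.authenticated_at = authenticated_at  # when, in epoch seconds
        self.registration = registration          # "in person" or "via web page"


def satisfies(context, requested_method, max_age_seconds, now=None):
    """True if the existing login meets what the relying party asked for."""
    now = time.time() if now is None else now
    if STRENGTH.get(context.method, 0) < STRENGTH[requested_method]:
        return False   # weaker method than requested: re-authenticate
    if now - context.authenticated_at > max_age_seconds:
        return False   # login too old for this service: re-authenticate
    return True


def handle_authn_request(session_context, requested_method, max_age_seconds,
                         now=None):
    """Identity provider decision: reuse the session or demand a fresh login."""
    if session_context is not None and satisfies(
            session_context, requested_method, max_age_seconds, now):
        return ("reuse", session_context)
    return ("reauthenticate", requested_method)
```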
40
Additional Features
  • Simple session management
    • Provides single-logout functionality
  • Identity federation management
    • Ability to terminate the federation
    • Ability to modify the opaque handle shared between
      authentication authority and relying party
  • Identity network support
    • Specifies a protocol by which a website can discover what
      Identity Provider a user is using

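The opaque handles of slides 37-38 together with the terminate and modify operations of slide 40, as an added example that is not from the presentation: the identity provider issues a different random handle for every (account, service provider) pair and keeps the only mapping back, so two service providers cannot correlate the same user and a handle can be rotated or withdrawn for one partner without touching the others. All names are assumptions.

```python
import secrets


class IdentityProvider:
    """Excite.com in the slides: the only party that can resolve its handles."""

    def __init__(self, domain):
        self.domain = domain
        self._by_handle = {}   # handle -> (local user, service provider)
        self._by_pair = {}     # (local user, service provider) -> handle

    def _issue(self, key):
        handle = secrets.token_urlsafe(12)   # random: carries no account data
        self._by_pair[key] = handle
        self._by_handle[handle] = key

    def federate(self, local_user, service_provider):
        """Link the local account with one SP and return the handle to share."""
        key = (local_user, service_provider)
        if key not in self._by_pair:
            self._issue(key)
        return {"SecurityDomain": self.domain, "Name": self._by_pair[key]}

    def resolve(self, handle, service_provider):
        """Map a handle back to the account, only for the SP it was issued to."""
        entry = self._by_handle.get(handle)
        if entry is None or entry[1] != service_provider:
            return None
        return entry[0]

    def rotate(self, local_user, service_provider):
        """Modify the handle shared with one SP; the old one stops resolving."""
        key = (local_user, service_provider)
        old = self._by_pair.pop(key, None)
        if old is None:
            return None
        del self._by_handle[old]
        self._issue(key)
        return self._by_pair[key]

    def terminate(self, local_user, service_provider):
        """End the federation with one SP; returns False if none existed."""
        key = (local_user, service_provider)
        handle = self._by_pair.pop(key, None)
        if handle is None:
            return False
        del self._by_handle[handle]
        return True
```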
41
Liberty Enabled-Products Coming Soon!
42
Liberty Version 2.0
  • Permissions-Based Attribute Sharing
    • Enable businesses to share a principal's attributes according
      to their corporate policies, business agreements and local
      regulations, all while adhering to the principal's preferences
      and permissions
  • Interoperability Specs for Core Identity Profile Service
    • Enables users to obtain secure, personalized services that are
      interoperable across different service providers
  • Federation of Authentication Domains
    • Enables users to conveniently navigate and use SSO and share
      attributes with service providers who may be in different
      authentication domains.
  • Version 2.0 specifications expected early 2003

43
Possible Interactions
ActionWatch.com (Service Provider), Excite.com (Identity Provider),
PacBell.com (Service Provider)
1. User registers to watch an auction
2. Service provider requests SMS ticket
3. Service provider sends SMS message to mobile operator
4. Mobile operator sends SMS message to user
Identity Provider doesn't see message text
44
Policy Enforcement Concepts
User's data is only released with the user's consent and based on the
user-defined policies
Excite.com (Identity Provider), Pets.com (Service Provider)
1. Service provider requests user attributes from identity provider
2. Attributes released per user's policies and preferences
3. User accepts or rejects exceptions to existing policies and
   preferences
45
Liberty / Passport 1.0 Comparison
How do Liberty Alliance and Microsoft Passport 1.0 contrast and
compare?
  • Microsoft Passport is a product/service supported by one company
    • Uses a global PUID (Passport User ID) for authentication
    • Limited flexibility in authentication methods (i.e. user
      name/password)
    • Microsoft has committed to Kerberos and to support SAML
  • Liberty Alliance is providing specifications supported by many
    companies
    • Offers a non-repeating unique identifier for authentication
    • Does not dictate authentication method (e.g. biometrics,
      smartcard, etc.)
    • Liberty Alliance has committed to use SAML, and can also support
      Kerberos

46
Passport / Liberty Co-existence
Scenario 1
1. User attempts to access Service.com
2. User redirected to Liberty IDP Identity.com
3. User redirected to Passport.com for log-in
Identity.com sits in both Passport and Liberty communities and acts as
a bridge
47
Passport / Liberty Co-existence
Scenario 1 (continued)
4. After Passport log-in, User gets redirected to Identity.com, which
   issues a Liberty SAML assertion
5. SAML assertion delivered to Service.com, which grants access to
   User
Identity.com sits in both Passport and Liberty communities and acts as
a bridge
48
Passport / Liberty Co-existence
Scenario 2
1. User attempts to access Service.com
2. Service.com determines to which SSO infrastructure to redirect
   User based on transaction
3a. User redirected to Identity.com requesting strong authentication
    for high-value transaction
3b. User redirected to Passport.com for log-in for low-value
    transactions
Service.com sits in both Passport and Liberty communities and uses
them appropriately
49
  • Brief Intro to Liberty Alliance
  • Business Needs and Uses
  • Demo
  • Technical Overview
  • Q&A