Federated Identity in Practice - PowerPoint PPT Presentation

Loading...

PPT – Federated Identity in Practice PowerPoint presentation | free to view - id: 1d8ce9-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Federated Identity in Practice

Description:

Southwest Airlines. A major domestic airline that provides primarily shorthaul, high-frequency, ... Southwest operates over 350 Boeing 737 aircraft in 58 cities. ... – PowerPoint PPT presentation

Number of Views:25
Avg rating:3.0/5.0
Slides: 21
Provided by: mikeb107
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Federated Identity in Practice


1
Federated Identity in Practice
  • Mike Beach
  • The Boeing Company

2
Federated Identity
  • Federated Identity allows customers, partners and
    end-users to use Web services without having to
    constantly authenticate or identify themselves to
    the services within their federation.
  • This applies both within the corporation and
    across the Internet.

3
The Boeing Environment
  • Three user communities
  • 150,000 employees, contractors
  • 80,000 partners, suppliers, customers
  • 1,000,000 ex-employees, beneficiaries
  • Three enterprise directories
  • Comprehensive Sun ONE directory (all people of
    interest)
  • Microsoft Active Directory (most employees)
  • RACF (most employees but not same employees as
    MS AD)
  • Many Boeing web servers
  • Apache, IPlanet, IIS, ColdFusion, Shadow, Oracle
  • Over 350 web server platform/version variations
  • Multiple versions of both Netscape and IE
    browsers

4
WSSO Objectives
  • Simple, consistent user experience
  • Improved security through centralized access
    management
  • Reduction in user accounts and passwords, thus
    reductions in account administration costs
  • Applications isolated from authentication
    mechanisms and authentication technology
    insertions
  • Applications agnostic to origin of users access
    (internal or external)
  • Single sign on across Boeing business domain,
    including partners, suppliers, customers

5
WSSO Key Solution Differentiators
  • Web Single Sign-on (WSSO) across Boeing and
    external web sites
  • Common infrastructure supporting internal and
    external access, for internal and external users
  • No control over desktop configuration and no
    ability to deploy components to the desktop
  • Leverage existing Boeing infrastructure

6
The Deployment
  • Oblix Netpoint infrastructure with 12 Access
    Servers deployed across 3 geographic regions
    (plus sand box, development, test, and
    integration environments about 50 machines
    total)
  • Primarily authentication today, limited
    authorization
  • No Identity Management or delegated
    administration
  • Custom integration with 5 authentication
    mechanisms
  • MS Active Directory
  • RACF
  • X.509 personal certificates
  • Proximity badge
  • Customer/supplier reverse web proxy user ID and
    password

7
Major WSSO Components
Identity And Policy Stores
WebGate
Login Hub
Boeing Reverse Proxy
Web Browser
Logon W2K RACF Certificate
AD
Remote Access Service
RACF
WebGate
Web Server Content
Web Browser
X.509
SAML Services
Corporate Sun ONE Directory
Access Server
Boeing Plugin
3rd Party Web Server Content
WSSO Proxy Services
Login Hub
All People
Boeing Plugin
Logon PIN
Oblix Policy
Groups
Customers, Suppliers
Customer Authenticator Service
PIN Authentication
DMZ
8
WSSO Authentication Sources
Identity And Policy Stores
WebGate
Login Hub
Boeing Reverse Proxy
Web Browser
Logon W2K RACF Certificate
AD
Remote Access Service
RACF
WebGate
Web Server Content
Web Browser
X.509
SAML Services
Corporate Sun ONE Directory
Access Server
Boeing Plugin
WSSO Proxy Services
3rd Party Web Server Content
Login Hub
All People
Boeing Plugin
Logon PIN
Oblix Policy
Groups
Customers, Suppliers
Customer Authenticator Service
PIN Authentication
DMZ
9
WSSO Authorization Sources
Identity And Policy Stores
WebGate
Login Hub
Boeing Reverse Proxy
Web Browser
Logon W2K RACF Certificate
AD
Remote Access Service
RACF
WebGate
Web Server Content
Web Browser
X.509
SAML Services
Corporate Sun ONE Directory
Access Server
Boeing Plugin
WSSO Proxy Services
3rd Party Web Server Content
Login Hub
All People
Boeing Plugin
Logon PIN
Oblix Policy
Groups
Customers, Suppliers
Customer Authenticator Service
PIN Authentication
DMZ
10
WSSO Perimeter Access Components
Identity And Policy Stores
WebGate
Login Hub
Boeing Reverse Proxy
Web Browser
Logon W2K RACF Certificate
AD
Remote Access Service
RACF
WebGate
Web Server Content
Web Browser
X.509
SAML Services
Corporate Sun ONE Directory
Access Server
Boeing Plugin
3rd Party Web Server Content
WSSO Proxy Services
Login Hub
Login Hub
All People
Boeing Plugin
Logon PIN
Logon PIN
Oblix Policy
Groups
Customers, Suppliers
Customer Authenticator Service
PIN Authentication
DMZ
11
WSSO-protected Components
Identity And Policy Stores
WebGate
Login Hub
Boeing Reverse Proxy
Web Browser
Logon W2K MyInfo Certificate
AD
Remote Access Service
RACF
WebGate
Web Server Content
Web Server Content
Web Browser
X.509
SAML Services
Corporate Sun ONE Directory
Access Server
Boeing Plugin
WSSO Proxy Services
3rd Party Web Server Content
Login Hub
All People
Boeing Plugin
Logon PIN
Oblix Policy
Groups
Customers, Suppliers
Customer Authenticator Service
PIN Authentication
DMZ
12
WSSO Users
Identity And Policy Stores
WebGate
Login Hub
Boeing Reverse Proxy
Web Browser
Logon W2K MyInfo Certificate
AD
Remote Access Service
RACF
WebGate
Web Server Content
Web Browser
Web Browser
X.509
SAML Services
Corporate Sun ONE Directory
Access Server
Boeing Plugin
WSSO Proxy Services
3rd Party Web Server Content
Login Hub
All People
Boeing Plugin
Logon PIN
Oblix Policy
Groups
Customers, Suppliers
Customer Authenticator Service
PIN Authentication
DMZ
13
Milestones
  • Started RFP 3/2001
  • Vendor selection 8/2001
  • Production 12/2001
  • 100,000 logins per day 2/2003
  • 100 applications in production 4/2003
  • 3rd party web site integration 5/2003
  • External user integration 5/2003
  • SAML production 6/2003
  • Role-based access control Q3/2003
  • Complete deployment (1000 applications) End
    2004-2005

14
SAML Participants
  • The Boeing Company
  • A leading manufacturer of commercial airplanes,
    space technology, defense aircraft and systems,
    and communication systems.
  • Southwest Airlines
  • A major domestic airline that provides primarily
    shorthaul, high-frequency, point-to-point,
    low-fare service. Southwest operates over 350
    Boeing 737 aircraft in 58 cities.
  • Oblix Inc.
  • A leading developer of identity-based security
    solutions for e-Business networks. The company's
    flagship product, Oblix NetPoint, is an
    enterprise identity management and Web access
    solution that provides an identity infrastructure
    for dynamic e-Business environments.

15
SAML Deployment Objectives
  • Significantly increase the user base of
    MyBoeingFleet, the secure web portal that
    provides Boeing customers access to all of the
    information required to operate and maintain
    their fleets
  • Embed MyBoeingFleet more deeply in Airlines
    business process. Facilitate the deployment of
    MyBoeingFleet content directly to the customer
    maintenance hanger
  • User will authenticate to their local intranet,
    click on a link to MyBoeingFleet, and seamlessly
    access the data and services without a secondary
    Boeing authentication request
  • Role-based access control targeted for next year

16
The SAML Flow
DOMAIN A swacorp.com
2.0
1
2.1
2.1
2.2
SAML Services
SWA User
SWA Portal
2.3
3
DOMAIN B Boeing.com
DMZ
DMZ
SAML Server
Reverse Proxy
4
2.5
INTERNAL
INTERNAL
Target Resource MyBoeingFleet.com
Access Server
17
Web Access Management General Challenges
  • Managing
  • Executive expectation
  • User experience
  • Hundreds of applications with even more policies
  • Complexity and reliability
  • Browsers, web servers, networks, directories,
    libraries, versions, custom code
  • Session management
  • Existing applications typically have imbedded
    session management
  • Anomalies arise from inconsistent session state
  • Global logout is problematic (hurray for SAML
    2.0!)
  • Security
  • Vulnerability assessment and risk mitigation
    where possible is appropriate

18
SAML Deployment Considerations
  • Assertions may need to be constrained to a domain
  • Boeing defined the authentication mechanism to
    include both user identity and SAML issuer ID
  • Support for direct bookmarks
  • For each web session, prior to a SAML transfer,
    bookmarks and URL references may not work
  • Oblix-provided solution creates a persistent
    SAML Provider cookie and implements redirection
    through SAML services for unauthenticated users
  • Not a part of SAML standard.
  • SAML only provides the introduction
  • Boeing content resides inside the Boeing security
    perimeter.
  • Had to integrate ObssoCookie intelligence into
    perimeter before users could actually get to
    content.
  • Security considerations of interactions across
    the Internet AFTER the SAML exchange were
    significant

19
Recommendations
  • Focus on communication and marketing
  • Manage expectations
  • Educate users
  • Thoroughly understand and plan user experience
    (within product capabilities)
  • Consider limiting scope
  • Integration of legacy technologies can be costly
  • Each component integrated adds to complexity and
    impacts overall reliability
  • Consider adjusting infrastructure to support IAM
  • Integration to existing infrastructure required
    significant custom code
  • Use of a virtual directory could simplify
    deployment, but probably with an impact to
    performance

20
Standards Wish List
  • Support for direct bookmarks
  • Bookmarks and URL references (deep links)
    should work, even prior to the initial SAML
    transfer.
  • Global logout
  • Provide the user with an intuitive logout
    facility that would ensure complete termination
    of all application sessions and authentication
    credentials.
  • Domains of federated security
  • Users have need for multiple, disconnected
    federated security domains. For example,
    separation of business and personal. (Selective
    logout?)
  • Security strength of public Internet technologies
  • Industry needs to deliver technology that
    prevents cookie vulnerabilities (hijack and
    replay).
  • Support for individual application session
    timeout settings
  • Several of our application environments consider
    a session timeout setting (idle time) mandatory.
  • Authentication State Visibility
  • It is important for the user to always be aware
    of their authentication state. Are they
    authenticated, and to what?
About PowerShow.com