Federation Fiction FUD and Reality - PowerPoint PPT Presentation

1 / 42

About This Presentation

Title:

Federation Fiction FUD and Reality

Description:

Facilitate account federation and de-federation. Bulk provisioning / de ... Define reference for countdown: a given service-session or the overall-session? ... – PowerPoint PPT presentation

Number of Views:23

Avg rating:3.0/5.0

Slides: 43

Provided by: Ca77

Category:

more less

Transcript and Presenter's Notes

Title: Federation Fiction FUD and Reality

1
Federation Fiction FUD and Reality
CA Blue R0 G132 B201
CA Green R51 G158 B53
CA Gray R106 G105 B100
CA Dark Blue R0 G132 B201
CA Dark Green R51 G158 B53
CA Tint Gray 30 R218 G218 B203
CA Light Blue R0 G132 B201
CA Light Green R51 G158 B53
CA Tint Gray 10 R246 G246 B246

Raoon Kundi
Sr. Principal Consultant
North American TSO
Friday, May 02, 2008

2
Agenda

Introduction
What is Identity Federation
Federation Best Practices
Selecting a Commercial Solution
Discussion / Q A

3
What is Identity Federation?
CA Blue R0 G132 B201
CA Green R51 G158 B53
CA Gray R106 G105 B100
CA Dark Blue R0 G132 B201
CA Dark Green R51 G158 B53
CA Tint Gray 30 R218 G218 B203
CA Light Blue R0 G132 B201
CA Light Green R51 G158 B53
CA Tint Gray 10 R246 G246 B246
4
FederationPortable Identity

Enables portability of identity information
Across autonomous security domains
Without redundant user administration
Across these participating domains, you may
Seamlessly single sign-on
Manage sessions
Provision user accounts
Manage entitlements
Exchange user attributes

5
Key Drivers(1)Cross-domain User Profile Transfer

Reduce proliferation of profile data
Facilitates asserting domains control over
User attributes
User entitlements
Facilitate relying domains access to such data
Provides account mapping
Facilitate account federation and de-federation
Bulk provisioning / de-provisioning
Event-driven processes
Self-service

6
Key Drivers(2)User Experience Management

Facilitate control over the transfer
Inter-site transfer hooks at
Asserting domain
Relying domain
Policy, exception, and/or condition-based routing
Facilitate management of user experience
User experience session management
Enables personalization
Enables session timeouts
Single Sign-On
Single Log-Out

7
Key Drivers(3)Interoperability

Frameworks provided by various standards bodies
Encourage uniform world view of federation
Enable Interoperability b/w partners using same
framework
On-the-wire compatibility
Standardized security tokens
Leverages common and best-of-breed underlying
technologies
Encryption / Signing
Transports
Protocols
Well reviewed (and hence more secure)
Not an exhaustive list

8
Success Criteria Things to do!

Salient features of good implementations
Beyond SSO user-experience
Avoid architecting just for SSO
Correctly implement federation infrastructure
Standards Driven
Technical Standards
SAML
WS-Federation
Liberty Alliance
Other de facto Standards
eAuth
Dont stretch / misinterpret the standards
Scalable and Sustainable

9
Federation Best Practices
CA Blue R0 G132 B201
CA Green R51 G158 B53
CA Gray R106 G105 B100
CA Dark Blue R0 G132 B201
CA Dark Green R51 G158 B53
CA Tint Gray 30 R218 G218 B203
CA Light Blue R0 G132 B201
CA Light Green R51 G158 B53
CA Tint Gray 10 R246 G246 B246
10
Federation Best Practices

Technical
Compliance
Legal
Operational

11
Federation Best PracticesTECHNICAL
CA Blue R0 G132 B201
CA Green R51 G158 B53
CA Gray R106 G105 B100
CA Dark Blue R0 G132 B201
CA Dark Green R51 G158 B53
CA Tint Gray 30 R218 G218 B203
CA Light Blue R0 G132 B201
CA Light Green R51 G158 B53
CA Tint Gray 10 R246 G246 B246
12
Federation Best PracticesTechnical(1)

Stick to the standards
Standards / specifications play a large role in
Federation(comprehensive browser based
federation standards with some interdependency)
SAML (1.0, 1.1 2.0)
Liberty ID-FF (1.1, 1.2)
WS-Federation PRP (1.0, 1.1, 1.2)
Map your needs to these standards
Identify standards used by your partners
Identify the feature set that you require
Be willing to adopt multiple standards

13
Federation Best PracticesTechnical(2)

Stick to the standards (continued)
Key Standards and Specifications
Security Assertion Markup Language (SAML)
Standard managed by OASIS
SAML 1.0, 1.1, 2.0
Liberty Alliance has adopted SAML 2.0 as well
Provides for sharing of security information b/w
domains
Comprises of
Security Tokens (Assertions)
Protocols (Request/Response Pairs)
Bindings (Request/response pairs mapped onto
standard messaging or communication protocols)
Profiles (Use of all of the above for a use-case)

14
Federation Best PracticesTechnical(3)

Stick to the standards (continued)
Key Standards and Specifications (continued)
Liberty ID-FF
Liberty is an alliance of many sponsor companies
Enables browser-based federations
ID-FF is officially merged with SAML 2.0
WS-Federation PRP
Portion of WS- series of standards that covers
browser federation
WS-Federation covers both browser federation and
web-services
Passive Requestor Profile (PRP) is relevant here

15
Federation Best PracticesTechnical(4)

Stick to the standards (continued)

16
Federation Best PracticesTechnical(5)

Logistics around attributes / data maps
Identify applicable attributes
Required attributes
Metadata or Schema/Namespace for attributes
Negotiate attribute security mechanisms
Secure Access Define rules for access to each
attribute
Secure Storage Define storage / protection
requirements
Identify account mapping mechanisms
Identify what attributes you need
Clearly define how you will use them
Identify security implications for roles/rules
mapping
Identify levels of assurance to be mapped against
roles/rules?

17
Federation Best PracticesTechnical(6)

Authentication approach
Negotiate acceptable forms of authentication for
federation (and acceptable policies for
maintenance)
2-Factor or stronger?
Password policy, certificate/key strength and
rotation policy
Negotiate acceptable levels of assurance
Standards have addressed this, map yours needs to
the standard you are adopting
Negotiate duration of validity for
tokens/assertions
Negotiate propagation of authentication to
downstream partners mapping of levels b/w
partners
When/how of up/down-grade a users authentication

18
Federation Best PracticesTechnical(7)

Data Security
Establish PKI key/cert management policies
procedures
Establish your and know your partner
Be proactive federations fail when certificates
expire!
Ensure transport-level infrastructure support
Federation leverages SSL/TLS extensively
Ensure message-level encryption signing support
Leverages XML Encryption and Signing
Require associated keys/certificates etc.
Make sure that data is secure end-to-end
Data transactions connected with but outside
standardized federation profiles need to be
audited for data security.

19
Federation Best PracticesTechnical(8)

Access Policy Management (an optional /
Forward-Looking consideration)
Negotiate policy artifacts
Decide a syntax for policy expression
Agree upon handling of policy exception
Reject a request
Refer to asserting/relying party
Routing into defined responses per the adopted
standard

20
Federation Best PracticesTechnical(9)

Consider Session Policy Management
Have a definite policy around session management
Discuss and develop with each partner
Session timeout criteria
Define reference for countdown a given
service-session or the overall-session?
Define allowed inactivity periods
Define allowed total session length
Whether to digitally sign session termination
requests/responses.
Logout Policy
Is SLO (Single Log-Out) preferred?

21
Federation Best PracticesCOMPLIANCE
CA Blue R0 G132 B201
CA Green R51 G158 B53
CA Gray R106 G105 B100
CA Dark Blue R0 G132 B201
CA Dark Green R51 G158 B53
CA Tint Gray 30 R218 G218 B203
CA Light Blue R0 G132 B201
CA Light Green R51 G158 B53
CA Tint Gray 10 R246 G246 B246
22
Federation Best PracticesCompliance(1)

Regulatory policies may be specified for
federation
Federating partners would want to
Specify processes for compliance checking
Specify remedies in the event of non-compliance

23
Federation Best PracticesCompliance(2)

Enumerate specific conditions to be checked
Conditions regarding specific interactions
Conditions regarding applicable regulations
Identify sources for compliance monitoring
Real-time monitoring facilities
Log files monitoring

24
Federation Best PracticesCompliance(3)

Define a common criteria for compliance checking
Agree on acceptable audits with partners
Which? (if adopting a standardized audit)
What? (if defining own audit)
Enumerate (document / formalize your audit)
Maintain traceability (living document)
When? (how often)
Who? (who will do the compliance checking)

25
Federation Best PracticesCompliance(4)

Compliance responsibility is shared b/w the
parties
Each party should identify their compliance
people
Who performs compliance checking / audits?
Who evaluates the reports and trigger actions, if
needed?

26
Federation Best PracticesCompliance(5)

Define processes for exception handling
Exception reporting procedures
Exception escalation procedures
Handling for each type of exception
Define criteria to triage multiple exceptions
Know your risks and impacts

27
Federation Best PracticesLEGAL
CA Blue R0 G132 B201
CA Green R51 G158 B53
CA Gray R106 G105 B100
CA Dark Blue R0 G132 B201
CA Dark Green R51 G158 B53
CA Tint Gray 30 R218 G218 B203
CA Light Blue R0 G132 B201
CA Light Green R51 G158 B53
CA Tint Gray 10 R246 G246 B246
28
Federation Best PracticesLegal(1)

Privacy Policy Guidelines
Disclosure and consent
Weave this into the federation provisioning
flow(user sees an I agree page before being
federated)
Ensure ongoing updates and communication to the
user
Document and track technical measure to ensure
enforcement.

29
Federation Best PracticesLegal(2)

Liability between partners
Understand (in the context of federation)
Basic liability
Downstream liability
Pre-determine how liability will be assigned
Document how liability gets assigned for an
incidence
Liability Limits

30
Federation Best PracticesLegal(3)

Standardize Your Agreements
End-user Agreements
Inter-partner Agreements

31
Federation Best PracticesOPERATIONAL
CA Blue R0 G132 B201
CA Green R51 G158 B53
CA Gray R106 G105 B100
CA Dark Blue R0 G132 B201
CA Dark Green R51 G158 B53
CA Tint Gray 30 R218 G218 B203
CA Light Blue R0 G132 B201
CA Light Green R51 G158 B53
CA Tint Gray 10 R246 G246 B246
32
Federation Best PracticesOperational(1)

Standardized set of documents for each partner
Use-cases
Technical details
Assertion / Authentication Token details
Attribute mappings
Etc.

33
Federation Best PracticesOperational(2)

Maintain list of contacts for each partnership(a
roster for each federation partner)
Planning business decision makers
Administrative staff
Troubleshooters
Dispute resolution contacts

34
Federation Best PracticesOperational(3)

Maintain incident handling procedures for each
partner

35
Federation Best PracticesOperational(4)

Maintain disaster recovery procedures for each
partner

36
Selecting a Commercial Solution
CA Blue R0 G132 B201
CA Green R51 G158 B53
CA Gray R106 G105 B100
CA Dark Blue R0 G132 B201
CA Dark Green R51 G158 B53
CA Tint Gray 30 R218 G218 B203
CA Light Blue R0 G132 B201
CA Light Green R51 G158 B53
CA Tint Gray 10 R246 G246 B246
37
Selecting a Commercial Solution (1)

Standards compliance
Breadth (number of standards supported)
Popular standards, again
SAML (1.X, 2.0)
Liberty ID-FF (1.1, 1.2)
WS-Federation (1.0, 1.1, 1.2)
Depth (coverage for each standard)(Some standard
bodies do help with level of depth)
SAML 2.0 defines
IdP Lite SP Lite
IdP Full SP Full
Or evaluate feature-by-feature

38
Selecting a Commercial Solution (2)