from usecases to specifications
play

From UseCases to Specifications Fulup Ar Foll Liberty Technical - PowerPoint PPT Presentation

From UseCases to Specifications Fulup Ar Foll Liberty Technical Expert Group Master Architect, Global Software Practice Sun Microsystems Why Identity Related Services ? Identity-enabling: Exposes identity details to other services


  1. From UseCases to Specifications Fulup Ar Foll Liberty Technical Expert Group Master Architect, Global Software Practice Sun Microsystems

  2. Why Identity Related Services ? • Identity-enabling: Exposes identity details to other services • Identity-enabled: Offers personalization when given access to identity details • Basic: Performed without regard to who’s doing the asking or using the results Liberty Paris Workshop 23:23:20 2

  3. What's About Federation • Federation of providers (CoT) , a group of entities providing services who signed agreement, in order to make life of shared customers/users (Principal) more simple . accept Principal identity authentication to be done once per session (SSO) ✗ and by a shared authority (IDP) Accept to provide service knowing only an “avatar” of principal identity ✗ (Opaque Handle/Federation Key). This non significant pointer on principal identity allowing service provider (SP) to know that “it is him” without knowing “who he is”. • Federation: a weak link that allow to map a principal avatar identity used by a service provider to the effective principal identity know only from the authority of authentication (IDP). • Federated Identity: The data/attributes at the service provider attached to a principal identity avatar. Liberty Paris Workshop 23:23:20 3

  4. OASIS SAML v2 Overview: The Road to Convergence July 2002 January 2003 November 2003 April 2005 Liberty SAML v.2.0 Phase 1 ID-FF v.1.1 ID-FF v.1.2 Alliance use/testing OASIS Contribution OASIS SAML v.1.0 SAML v.1.1 SAML v.2.0 SSTC November 2002 September 2003 March 2005 OASIS Contribution Internet2 Shib v.1.0/1.1 Shib v.1.2 Shibboleth July/August 2003 April 2004 Liberty Paris Workshop 23:23:20 4

  5. Why Choosing Liberty ? ✗ Fit your requirements: Free & Open standard, Privacy, Security, Interoperability ✗ An industrial reality: Certified products, Already proven in production ✗ You're not in a position of choosing: Costumer chooses for you !!! Kravspesifikasjon for PKI i offentlig Requirements Spec. for PKI in Public Sector sektor Versjon 1.02 , Januar 2005 Version 1.02 , January 2005 Requirement 10.5.1 Autentication Krav 10.5.1 Autentisering It shall be offered an ”Identity Provider” Det skal tilbys en ”Identity Provider” i according to Liberty Alliance specifications. henhold til Liberty Alliance The solution shalll be described. It shall be spesifikasjoner. Løsningen skal indicated which versions and which high level beskrives. Det skal angis hvilke versjoner functions are supported. og overordnede funksjoner som støttes. Liberty Paris Workshop 23:23:21 5

  6. OASIS SAML 2.0 Concepts Profiles Combining protocols, bindings, and Authn assertions to support a defined use case Context Detailed data on Bindings types and Mapping SAML protocols onto standard messaging strengths or communication protocols of authentication Protocols Request/response pairs for obtaining assertions and doing ID management Assertions Metadata Authentication, attribute, and entitlement IdP and SP information configuration data Liberty Paris Workshop 23:23:21 6

  7. Global Liberty Architecture Circle Of Trust Identity Provider Service Provider ● Authentification ● Federation ● web content ● Discovery service ● games ● Policies/Authorization ● merchant site ● .... Identity Services ● Geolocation Principal Auth. Pts ● Personnal Profile ● .... ● customer Auth. Pts ● employé ● game user ● .... Legacy/existing Other ● Massaging Infrastructure CoTs ● Ticketting ● .... Liberty ID-FF/SAML-2.0 Liberty ID-WSF Not Specified by Liberty Liberty Paris Workshop 23:23:21 7

  8. Liberty Technical Framework  ID-FF (Identity Federation Framework)  Federation/Defederation  SSO (single & simplified Sign On) / SLO (single logout)  Authentication context & Attributes  Metadata  ID-WSF (Identity Web Service Framework)  Authentication Service  Discovery Service  DST (Data Service Template)  Interaction Service  ID-SIS (Identity Service Interface)  Personal profile, Geoloc, Presence, Contact Book, ... Liberty Paris Workshop 23:23:22 8

  9. Basic CoT (outsourcing of services) CoT Service Provider(s) Authentication Authority C B Identities Outsourced app D IDP E E' DS PP Payment F A G Customers Liberty Paris Workshop 23:23:22 9

  10. CoT/CoT (proxy authentication) CoT 2 CoT 1 SelfContained Proxy Authentication Authentication Business Agreement Wireless FixNet/DSL Services Identities Identities Services ex: Wireless CoT ex: FixNet operator Local Service Request Alien Service Request Customers Liberty Paris Workshop 23:23:22 10

  11. Shared CoT (global shared Services) « XyZ » Global Common Services Global CoT Global Identities Common Services Proxy Autentication Global Service Request Extented to Global CoTs German French French Services Identities Identities German Services German CoT French CoT German Customers French Customers Operator « XyZ » Germany Operator « XyZ » France Liberty Paris Workshop 23:23:23 11

  12. Access Control SP is responsible for securing access. For each SP, identify data needed for access control decisions and where it will come from.  For individual consumers may come from user.  For outsourcing scenario, data needed may be split between SP and IDP.  Attributes can be sent in a bulk feed.  SP application can use SAML  Can use provisioning/sync solution between SP and IDP to better leverage capabilities of an access management type of product . Liberty Paris Workshop 23:23:23 12

  13. Support How to support someone you don't know ? For each SP and IDP, identify potential user issues, and how support will be provided by SP and IDP.  User cannot login, can't access app, data wrong,...  Identify how users will report a problem  Identify first responder, escalation paths  Identify how each responder will  Be able to identify user's account  Be able to contact user later to ask more questions  Gets tricky if user has different ID at SP and IDP  User likely to forget SP ID when accounts federated Liberty Paris Workshop 23:23:24 13

  14. Logout Local and/or Global logout both possible  Bigger issue than it initially seems  Providing just one may cause issues  Users do local logout, leave global session, walk away from browser  Users might avoid use of global logout thinking they have more work to do.  Best to support both, educate users on differences  If you must do just one, choose global logout Liberty Paris Workshop 23:23:24 14

  15. SSO expectations Sign Sign One & Simplified Sign One  Set expectation appropriately  Logins to hardware devices  Logins to networks (VPNs etc)  Logins to applications  Different levels of authentication (i.e. single versus dual factor)  “Simplified Sign On” may be better term Liberty Paris Workshop 23:23:24 15

  16. Monitoring  Obvious  Monitor HW, OS on all component servers (app, authN service, authZ service, storage)  Proactive  Monitor CPU, number of connections, response time and set acceptability threshold values for each.  Possible Glitch  Monitor federated login with synthetic transactions. IDP may be best positioned to do so if access to IDP is restricted. Liberty Paris Workshop 23:23:24 16

  17. Business Agreements  Many other legal documents typically exist  Sales contracts, Purchase Orders, Statements of Work, Service Level Agreements, Contract approvals, Consulting Services agreements etc.  Liberty-related agreements need to relate to other agreements  Add Liberty-specific terms to existing SOW/SLA templates  Liberty compliance, adding/removing COT members, joining other COTs, federation, authN levels, session timeouts, adding/removing users, policy enforcement Liberty Paris Workshop 23:23:24 17

  18. Production Deployment  There is a world of difference between doing this in a lab and the real world. Deploy and test as early as possible in the 'real' environment.  Hardened environments  Firewalls & firewall rules  Network & Load balancers  Router ACLs  Certificates  DNS and mappings Liberty Paris Workshop 23:23:24 18

  19. Liberty Summary ✗ A free standard focusing on: ✗ Privacy ✗ Security ✗ Interoperability ✗ An industrial reality: ✗ Certified to latest spec products available ✗ Already proven in production ✗ Return of experience available ✗ Deployment paper ✗ Consulting services Liberty Paris Workshop 23:23:24 19

  20. The End fulup@sun.com Liberty Paris Workshop 23:23:24 20

Recommend


More recommend